SUSE Image Update Advisory: suse-sles-15-chost-byos-v20201210-hvm-ssd-x86_64 ----------------------------------------------------------------- Image Advisory ID : SUSE-IU-2020:117-1 Image Tags : suse-sles-15-chost-byos-v20201210-hvm-ssd-x86_64:20201210 Image Release : Severity : important Type : security References : 1010996 1011548 1050244 1051510 1051510 1051510 1051858 1058115 1058115 1058115 1061840 1065600 1065600 1065729 1065729 1071152 1071390 1071995 1071995 1071995 1082318 1085030 1086301 1086313 1086314 1089895 1100137 1100369 1104902 1104967 1106843 1107238 1109160 1109911 1113719 1114279 1118338 1118367 1118368 1120386 1128220 1130864 1130873 1130873 1131277 1133297 1134973 1142733 1143959 1144333 1146991 1151910 1151927 1152107 1153917 1153943 1153946 1154243 1154366 1154803 1154803 1154824 1154871 1154935 1155027 1155305 1155911 1156159 1156205 1156286 1156913 1157051 1157155 1157157 1157315 1157692 1158013 1158021 1158026 1158265 1158336 1158755 1158819 1158830 1159028 1159198 1159271 1159285 1159394 1159483 1159484 1159569 1159588 1159819 1159841 1159908 1159909 1159910 1159911 1159955 1160007 1160195 1160210 1160211 1160218 1160433 1160442 1160476 1160560 1160755 1160756 1160784 1160787 1160802 1160803 1160804 1160917 1160947 1160966 1161087 1161168 1161239 1161335 1161360 1161514 1161518 1161522 1161523 1161549 1161552 1161555 1161573 1161674 1161931 1161933 1161934 1161935 1161936 1161937 1161951 1162002 1162067 1162109 1162139 1162698 1162928 1162929 1162931 1163524 1163971 1164051 1164069 1164078 1164260 1164538 1164543 1164543 1164705 1164712 1164727 1164728 1164729 1164730 1164731 1164732 1164733 1164734 1164735 1164871 1165111 1165424 1165476 1165476 1165502 1165573 1165573 1165629 1165631 1165741 1165873 1165881 1165984 1165985 1166409 1166513 1166602 1166610 1166610 1166965 1166969 1167122 1167122 1167152 1167421 1167423 1167471 1167629 1168075 1168140 1168142 1168143 1168276 1168295 1168424 1168669 1168670 1168829 1168854 1168990 1168990 1168994 1169390 1169392 1169444 1169488 1169514 1169625 1169746 1169947 1170011 1170056 1170154 1170232 1170345 1170347 1170415 1170475 1170476 1170554 1170617 1170618 1170621 1170667 1170713 1170778 1170801 1170901 1170964 1171078 1171098 1171145 1171189 1171191 1171195 1171202 1171205 1171217 1171218 1171219 1171220 1171224 1171313 1171388 1171417 1171546 1171652 1171673 1171689 1171732 1171740 1171762 1171806 1171863 1171864 1171866 1171868 1171878 1171883 1171978 1171982 1171983 1171988 1171995 1172055 1172072 1172073 1172085 1172113 1172135 1172195 1172205 1172221 1172225 1172257 1172295 1172317 1172348 1172356 1172366 1172377 1172428 1172453 1172458 1172461 1172506 1172695 1172698 1172704 1172745 1172775 1172781 1172782 1172783 1172798 1172807 1172807 1172824 1172846 1172861 1172925 1172929 1172952 1172958 1172999 1173027 1173032 1173106 1173115 1173227 1173229 1173233 1173238 1173240 1173256 1173265 1173273 1173274 1173280 1173307 1173311 1173338 1173357 1173376 1173377 1173378 1173380 1173422 1173422 1173433 1173514 1173529 1173539 1173567 1173573 1173659 1173798 1173812 1173972 1173983 1173999 1174000 1174011 1174091 1174115 1174154 1174205 1174232 1174240 1174421 1174443 1174444 1174462 1174463 1174543 1174543 1174551 1174561 1174564 1174570 1174593 1174618 1174673 1174697 1174736 1174753 1174757 1174782 1174817 1174847 1174918 1174918 1174918 1175036 1175060 1175109 1175112 1175122 1175128 1175168 1175204 1175213 1175250 1175251 1175306 1175342 1175443 1175515 1175518 1175568 1175592 1175691 1175721 1175749 1175811 1175830 1175831 1175847 1175882 1175894 1175992 1176011 1176062 1176069 1176086 1176092 1176123 1176142 1176155 1176173 1176173 1176179 1176181 1176192 1176192 1176235 1176262 1176278 1176343 1176344 1176345 1176346 1176347 1176348 1176349 1176350 1176381 1176410 1176423 1176435 1176435 1176482 1176485 1176513 1176549 1176625 1176671 1176674 1176698 1176712 1176712 1176721 1176722 1176723 1176725 1176732 1176740 1176740 1176759 1176800 1176877 1176902 1176902 1176907 1176922 1176990 1177027 1177086 1177121 1177143 1177165 1177206 1177226 1177238 1177238 1177409 1177409 1177410 1177411 1177412 1177412 1177413 1177413 1177414 1177414 1177458 1177460 1177460 1177470 1177479 1177490 1177510 1177511 1177513 1177526 1177526 1177603 1177724 1177725 1177766 1177790 1177858 1177864 1177913 1177914 1177915 1177939 1177950 1177957 1177983 1178003 1178029 1178078 1178123 1178278 1178330 1178346 1178346 1178350 1178353 1178376 1178387 1178393 1178466 1178512 1178591 1178591 1178622 1178727 1178765 1178782 1178838 1178882 1178882 1178963 1179150 1179151 1179193 1179398 1179399 1179431 1179491 1179593 906079 927831 935885 935885 941629 973042 975267 CVE-2017-3136 CVE-2018-1000199 CVE-2018-18751 CVE-2018-5741 CVE-2019-14615 CVE-2019-14896 CVE-2019-14897 CVE-2019-16746 CVE-2019-16994 CVE-2019-17006 CVE-2019-19036 CVE-2019-19045 CVE-2019-19054 CVE-2019-19318 CVE-2019-19319 CVE-2019-19447 CVE-2019-19462 CVE-2019-19768 CVE-2019-19770 CVE-2019-19965 CVE-2019-19966 CVE-2019-20054 CVE-2019-20095 CVE-2019-20096 CVE-2019-20807 CVE-2019-20810 CVE-2019-20812 CVE-2019-20907 CVE-2019-20908 CVE-2019-20916 CVE-2019-3701 CVE-2019-6477 CVE-2019-9455 CVE-2019-9458 CVE-2020-0305 CVE-2020-0404 CVE-2020-0427 CVE-2020-0430 CVE-2020-0431 CVE-2020-0432 CVE-2020-0543 CVE-2020-0543 CVE-2020-10135 CVE-2020-10543 CVE-2020-10690 CVE-2020-10711 CVE-2020-10713 CVE-2020-10720 CVE-2020-10732 CVE-2020-10751 CVE-2020-10757 CVE-2020-10766 CVE-2020-10767 CVE-2020-10768 CVE-2020-10769 CVE-2020-10773 CVE-2020-10878 CVE-2020-10942 CVE-2020-11494 CVE-2020-11608 CVE-2020-11609 CVE-2020-11669 CVE-2020-11739 CVE-2020-11740 CVE-2020-11741 CVE-2020-11742 CVE-2020-11743 CVE-2020-12114 CVE-2020-12351 CVE-2020-12352 CVE-2020-12399 CVE-2020-12402 CVE-2020-12464 CVE-2020-12652 CVE-2020-12653 CVE-2020-12654 CVE-2020-12655 CVE-2020-12656 CVE-2020-12657 CVE-2020-12723 CVE-2020-12769 CVE-2020-12771 CVE-2020-12888 CVE-2020-13143 CVE-2020-13401 CVE-2020-13777 CVE-2020-13844 CVE-2020-13974 CVE-2020-14308 CVE-2020-14309 CVE-2020-14310 CVE-2020-14311 CVE-2020-14314 CVE-2020-14331 CVE-2020-14351 CVE-2020-14356 CVE-2020-14381 CVE-2020-14386 CVE-2020-14390 CVE-2020-14416 CVE-2020-14422 CVE-2020-15393 CVE-2020-15563 CVE-2020-15565 CVE-2020-15566 CVE-2020-15567 CVE-2020-15705 CVE-2020-15706 CVE-2020-15707 CVE-2020-15719 CVE-2020-15780 CVE-2020-15999 CVE-2020-16120 CVE-2020-16166 CVE-2020-1749 CVE-2020-1971 CVE-2020-24394 CVE-2020-24659 CVE-2020-24977 CVE-2020-25212 CVE-2020-25219 CVE-2020-25284 CVE-2020-25285 CVE-2020-25595 CVE-2020-25596 CVE-2020-25597 CVE-2020-25599 CVE-2020-25600 CVE-2020-25601 CVE-2020-25603 CVE-2020-25604 CVE-2020-25641 CVE-2020-25643 CVE-2020-25645 CVE-2020-25656 CVE-2020-25668 CVE-2020-25692 CVE-2020-25704 CVE-2020-25705 CVE-2020-26088 CVE-2020-26154 CVE-2020-2732 CVE-2020-27670 CVE-2020-27670 CVE-2020-27671 CVE-2020-27671 CVE-2020-27672 CVE-2020-27672 CVE-2020-27673 CVE-2020-27673 CVE-2020-27674 CVE-2020-27675 CVE-2020-28196 CVE-2020-28368 CVE-2020-28368 CVE-2020-7053 CVE-2020-8023 CVE-2020-8027 CVE-2020-8037 CVE-2020-8177 CVE-2020-8231 CVE-2020-8277 CVE-2020-8284 CVE-2020-8285 CVE-2020-8286 CVE-2020-8428 CVE-2020-8616 CVE-2020-8617 CVE-2020-8618 CVE-2020-8619 CVE-2020-8620 CVE-2020-8621 CVE-2020-8622 CVE-2020-8623 CVE-2020-8624 CVE-2020-8647 CVE-2020-8648 CVE-2020-8649 CVE-2020-8694 CVE-2020-8834 CVE-2020-8992 CVE-2020-9383 ----------------------------------------------------------------- The container suse-sles-15-chost-byos-v20201210-hvm-ssd-x86_64 was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:1541-1 Released: Thu Jun 4 13:23:27 2020 Summary: Recommended update for pciutils Type: recommended Severity: moderate References: 1170554 This update for pciutils fixes the following issues: - Fix lspci outputs when few of the VPD data fields are displayed as unknown. (bsc#1170554, ltc#185587) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:1542-1 Released: Thu Jun 4 13:24:37 2020 Summary: Recommended update for timezone Type: recommended Severity: moderate References: 1172055 This update for timezone fixes the following issue: - zdump --version reported 'unknown' (bsc#1172055) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2020:1551-1 Released: Mon Jun 8 09:31:41 2020 Summary: Security update for vim Type: security Severity: moderate References: 1172225,CVE-2019-20807 This update for vim fixes the following issues: - CVE-2019-20807: Fixed an issue where escaping from the restrictive mode of vim was possible using interfaces (bsc#1172225). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:1558-1 Released: Mon Jun 8 10:36:32 2020 Summary: Recommended update for chrony Type: recommended Severity: moderate References: 1172113 This update for chrony fixes the following issue: - Use iburst in the default pool statements to speed up initial synchronization. (bsc#1172113) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:1559-1 Released: Mon Jun 8 10:38:24 2020 Summary: Recommended update for dracut Type: recommended Severity: moderate References: 1171388,975267 This update for dracut fixes the following issues: - Detect the sysfs attribute 'is_boot_target' (bsc#975267, bsc#1171388) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:1579-1 Released: Tue Jun 9 17:05:23 2020 Summary: Recommended update for audit Type: recommended Severity: important References: 1156159,1172295 This update for audit fixes the following issues: - Fix hang on startup. (bsc#1156159) - Fix specfile to require libauparse0 and libaudit1 after splitting audit-libs. (bsc#1172295) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2020:1584-1 Released: Tue Jun 9 18:39:15 2020 Summary: Security update for gnutls Type: security Severity: important References: 1172461,1172506,CVE-2020-13777 This update for gnutls fixes the following issues: - CVE-2020-13777: Fixed an insecure session ticket key construction which could have made the TLS server to not bind the session ticket encryption key with a value supplied by the application until the initial key rotation, allowing an attacker to bypass authentication in TLS 1.3 and recover previous conversations in TLS 1.2 (bsc#1172506). - Fixed an improper handling of certificate chain with cross-signed intermediate CA certificates (bsc#1172461). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:1611-1 Released: Fri Jun 12 09:38:05 2020 Summary: Recommended update for libsolv, libzypp, zypper Type: recommended Severity: moderate References: 1130873,1154803,1164543,1165476,1165573,1166610,1167122,1168990 This update for libsolv, libzypp, zypper fixes the following issues: libsolv was updated to 0.7.13 to fix: - Fix solvable swapping messing up idarrays - fix ruleinfo of complex dependencies returning the wrong origin libzypp was updated to 17.23.4 to fix: - Get retracted patch status from updateinfo data (jsc#SLE-8770) libsolv injects the indicator provides into packages only. - remove 'using namespace std;' (bsc#1166610, fixes #218) - Online doc: add 'Hardware (modalias) dependencies' page (fixes #216) - Add HistoryLogReader actionFilter to parse only specific HistoryActionIDs. - RepoVariables: Add safe guard in case the caller does not own a zypp instance. - Enable c++17. Define libyzpp CXX_STANDARD in ZyppCommon.cmake. - Fix package status computation regarding unneeded, orphaned, recommended and suggested packages (broken in 17.23.0) (bsc#1165476) - Log patch status changes to history (jsc#SLE-5116) - Allow to disable all WebServer dependent tests when building. OBS wants to be able to get rid of the nginx/FastCGI-devel build requirement. Use 'rpmbuild --without mediabackend_tests' or 'cmake -DDISABLE_MEDIABACKEND_TESTS=1'. - update translations - boost: Fix deprecated auto_unit_test.hpp includes. - Disable zchunk on Leap-15.0 and SLE15-* while there is no libzck. - Fix decision whether to download ZCHUNK files. libzypp and libsolv must both be able to read the format. - yum::Downloader: Prefer zchunk compressed metadata if libvsolv supports it. - Selectable: Fix highestAvailableVersionObj if only retracted packages are available. Avoid using retracted items as candidate (jsc#SLE-8770) - RpmDb: Become rpmdb backend independent (jsc#SLE-7272) - RpmDb: Close API offering a custom rpmdb path It's actually not needed and for this to work also libsolv needs to support it. You can sill use a librpmDb::db_const_iterator to access a database at a custom location (ro). - Remove legacy rpmV3database conversion code. - Reformat manpages to workaround asciidoctor shortcomings (bsc#1154803, bsc#1167122, bsc#1168990) - Remove undocumented rug legacy stuff. - Remove 'using namespace std;' (bsc#1166610) - patch table: Add 'Since' column if history data are available (jsc#SLE-5116) zypper was updated to version 1.14.36: - Tag 'retracted' patch status in info and list-patches (jsc#SLE-8770) - Tag 'R'etracted items in search tabes status columns (jsc#SLE-8770) - Relax 'Do not allow the abbreviation of cli arguments' in legacy distibutions (bsc#1164543) - Correctly detect ambigous switch abbreviations (bsc#1165573) - zypper-aptitude: don't supplement zypper. supplementing zypper means zypper-aptitude gets installed by default and pulls in perl. Neither is desired on small systems. - Do not allow the abbreviation of cli arguments (bsc#1164543) - accoring to according in all translation files. - Always show exception history if available. - Use default package cache location for temporary repos (bsc#1130873) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2020:1634-1 Released: Wed Jun 17 10:35:38 2020 Summary: Security update for xen Type: security Severity: important References: 1167152,1168140,1168142,1168143,1169392,1172205,CVE-2020-0543,CVE-2020-11739,CVE-2020-11740,CVE-2020-11741,CVE-2020-11742,CVE-2020-11743 This update for xen fixes the following issues: - CVE-2020-0543: Fixed a side channel attack against special registers which could have resulted in leaking of read values to cores other than the one which called it. This attack is known as Special Register Buffer Data Sampling (SRBDS) or 'CrossTalk' (bsc#1172205). - CVE-2020-11742: Bad continuation handling in GNTTABOP_copy (bsc#1169392). - CVE-2020-11740, CVE-2020-11741: xen: XSA-313 multiple xenoprof issues (bsc#1168140). - CVE-2020-11739: Missing memory barriers in read-write unlock paths (bsc#1168142). - CVE-2020-11743: Bad error path in GNTTABOP_map_grant (bsc#1168143). - Xenstored Crashed during VM install (bsc#1167152) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:1640-1 Released: Wed Jun 17 15:46:04 2020 Summary: Recommended update for grub2 Type: recommended Severity: important References: 1166409,1166513 This update for grub2 fixes the following issues: - Implement support searching for specific config files for netboot. (bsc#1166409) - Skip zfcpdump kernel from the grub boot menu (bsc#1166513) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2020:1657-1 Released: Thu Jun 18 10:49:53 2020 Summary: Security update for containerd, docker, docker-runc, golang-github-docker-libnetwork Type: security Severity: moderate References: 1172377,CVE-2020-13401 This update for containerd, docker, docker-runc, golang-github-docker-libnetwork fixes the following issues: Docker was updated to 19.03.11-ce runc was updated to version 1.0.0-rc10 containerd was updated to version 1.2.13 - CVE-2020-13401: Fixed an issue where an attacker with CAP_NET_RAW capability, could have crafted IPv6 router advertisements, and spoof external IPv6 hosts, resulting in obtaining sensitive information or causing denial of service (bsc#1172377). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2020:1663-1 Released: Thu Jun 18 11:17:18 2020 Summary: Security update for the Linux Kernel Type: security Severity: important References: 1050244,1051510,1051858,1058115,1061840,1065600,1065729,1071995,1085030,1086301,1086313,1086314,1089895,1109911,1114279,1118338,1120386,1134973,1143959,1144333,1151910,1151927,1153917,1154243,1154824,1156286,1157155,1157157,1157692,1158013,1158021,1158026,1158265,1158819,1159028,1159198,1159271,1159285,1159394,1159483,1159484,1159569,1159588,1159841,1159908,1159909,1159910,1159911,1159955,1160195,1160210,1160211,1160218,1160433,1160442,1160476,1160560,1160755,1160756,1160784,1160787,1160802,1160803,1160804,1160917,1160966,1161087,1161514,1161518,1161522,1161523,1161549,1161552,1161555,1161674,1161931,1161933,1161934,1161935,1161936,1161937,1161951,1162067,1162109,1162139,1162928,1162929,1162931,1163971,1164051,1164069,1164078,1164705,1164712,1164727,1164728,1164729,1164730,1164731,1164732,1164733,1164734,1164735,1164871,1165111,1165741,1165873,1165881,1165984,1165985,1166969,1167421,1167423,1167629,1168075,1168276,1168295,1168424,1168670,1168829,1168854,1169390,1169514,1 169625,1170056,1170345,1170617,1170618,1170621,1170778,1170901,1171098,1171189,1171191,1171195,1171202,1171205,1171217,1171218,1171219,1171220,1171689,1171982,1171983,1172221,1172317,1172453,1172458,CVE-2018-1000199,CVE-2019-14615,CVE-2019-14896,CVE-2019-14897,CVE-2019-16994,CVE-2019-19036,CVE-2019-19045,CVE-2019-19054,CVE-2019-19318,CVE-2019-19319,CVE-2019-19447,CVE-2019-19462,CVE-2019-19768,CVE-2019-19770,CVE-2019-19965,CVE-2019-19966,CVE-2019-20054,CVE-2019-20095,CVE-2019-20096,CVE-2019-20810,CVE-2019-20812,CVE-2019-3701,CVE-2019-9455,CVE-2019-9458,CVE-2020-0543,CVE-2020-10690,CVE-2020-10711,CVE-2020-10720,CVE-2020-10732,CVE-2020-10751,CVE-2020-10757,CVE-2020-10942,CVE-2020-11494,CVE-2020-11608,CVE-2020-11609,CVE-2020-11669,CVE-2020-12114,CVE-2020-12464,CVE-2020-12652,CVE-2020-12653,CVE-2020-12654,CVE-2020-12655,CVE-2020-12656,CVE-2020-12657,CVE-2020-12769,CVE-2020-13143,CVE-2020-2732,CVE-2020-7053,CVE-2020-8428,CVE-2020-8647,CVE-2020-8648,CVE-2020-8649,CVE-2020-8834,CVE-2020-899 2,CVE-2020-9383 The SUSE Linux Enterprise 15 kernel was updated receive various security and bugfixes. The following security bugs were fixed: - CVE-2020-0543: Fixed a side channel attack against special registers which could have resulted in leaking of read values to cores other than the one which called it. This attack is known as Special Register Buffer Data Sampling (SRBDS) or 'CrossTalk' (bsc#1154824). - CVE-2020-9383: Fixed an out-of-bounds read due to improper error condition check of FDC index (bsc#1165111). - CVE-2020-8992: Fixed an issue which could have allowed attackers to cause a soft lockup via a crafted journal size (bsc#1164069). - CVE-2020-8834: Fixed a stack corruption which could have lead to kernel panic (bsc#1168276). - CVE-2020-8649: Fixed a use-after-free in the vgacon_invert_region function in drivers/video/console/vgacon.c (bsc#1162931). - CVE-2020-8648: Fixed a use-after-free in the n_tty_receive_buf_common function in drivers/tty/n_tty.c (bsc#1162928). - CVE-2020-8647: Fixed a use-after-free in the vc_do_resize function in drivers/tty/vt/vt.c (bsc#1162929). - CVE-2020-8428: Fixed a use-after-free which could have allowed local users to cause a denial of service (bsc#1162109). - CVE-2020-7053: Fixed a use-after-free in the i915_ppgtt_close function in drivers/gpu/drm/i915/i915_gem_gtt.c (bsc#1160966). - CVE-2020-2732: Fixed an issue affecting Intel CPUs where an L2 guest may trick the L0 hypervisor into accessing sensitive L1 resources (bsc#1163971). - CVE-2020-13143: Fixed an out-of-bounds read in gadget_dev_desc_UDC_store in drivers/usb/gadget/configfs.c (bsc#1171982). - CVE-2020-12769: Fixed an issue which could have allowed attackers to cause a panic via concurrent calls to dw_spi_irq and dw_spi_transfer_one (bsc#1171983). - CVE-2020-12657: An a use-after-free in block/bfq-iosched.c (bsc#1171205). - CVE-2020-12656: Fixed an improper handling of certain domain_release calls leadingch could have led to a memory leak (bsc#1171219). - CVE-2020-12655: Fixed an issue which could have allowed attackers to trigger a sync of excessive duration via an XFS v5 image with crafted metadata (bsc#1171217). - CVE-2020-12654: Fixed an issue in he wifi driver which could have allowed a remote AP to trigger a heap-based buffer overflow (bsc#1171202). - CVE-2020-12653: Fixed an issue in the wifi driver which could have allowed local users to gain privileges or cause a denial of service (bsc#1171195). - CVE-2020-12652: Fixed an issue which could have allowed local users to hold an incorrect lock during the ioctl operation and trigger a race condition (bsc#1171218). - CVE-2020-12464: Fixed a use-after-free due to a transfer without a reference (bsc#1170901). - CVE-2020-12114: Fixed a pivot_root race condition which could have allowed local users to cause a denial of service (panic) by corrupting a mountpoint reference counter (bsc#1171098). - CVE-2020-11669: Fixed an issue where arch/powerpc/kernel/idle_book3s.S did not have save/restore functionality for PNV_POWERSAVE_AMR, PNV_POWERSAVE_UAMOR, and PNV_POWERSAVE_AMOR (bnc#1169390). - CVE-2020-11609: Fixed a null pointer dereference due to improper handling of descriptors (bsc#1168854). - CVE-2020-11608: Fixed a null pointer dereferences via a crafted USB (bsc#1168829). - CVE-2020-11494: Fixed an issue which could have allowed attackers to read uninitialized can_frame data (bsc#1168424). - CVE-2020-10942: Fixed a kernel stack corruption via crafted system calls (bsc#1167629). - CVE-2020-10757: Fixed an issue where remaping hugepage DAX to anon mmap could have caused user PTE access (bsc#1172317). - CVE-2020-10751: Fixed an improper implementation in SELinux LSM hook where it was assumed that an skb would only contain a single netlink message (bsc#1171189). - CVE-2020-10732: Fixed kernel data leak in userspace coredumps due to uninitialized data (bsc#1171220). - CVE-2020-10720: Fixed a use-after-free read in napi_gro_frags() (bsc#1170778). - CVE-2020-10711: Fixed a null pointer dereference in SELinux subsystem which could have allowed a remote network user to crash the kernel resulting in a denial of service (bsc#1171191). - CVE-2020-10690: Fixed the race between the release of ptp_clock and cdev (bsc#1170056). - CVE-2019-9458: Fixed a use after free due to a race condition which could have led to privilege escalation of privilege (bsc#1168295). - CVE-2019-9455: Fixed a pointer leak due to a WARN_ON statement in a video driver. This could lead to local information disclosure with System execution privileges needed (bsc#1170345). - CVE-2019-3701: Fixed an issue in can_can_gw_rcv, which could cause a system crash (bsc#1120386). - CVE-2019-20812: Fixed an issue in prb_calc_retire_blk_tmo() which could have resulted in a denial of service (bsc#1172453). - CVE-2019-20810: Fixed a memory leak in due to not calling of snd_card_free (bsc#1172458). - CVE-2019-20096: Fixed a memory leak in __feat_register_sp() in net/dccp/feat.c, which could have caused denial of service (bsc#1159908). - CVE-2019-20095: Fixed an improper error-handling cases that did not free allocated hostcmd memory which was causing memory leak (bsc#1159909). - CVE-2019-20054: Fixed a null pointer dereference in drop_sysctl_table() in fs/proc/proc_sysctl.c, related to put_links (bsc#1159910). - CVE-2019-19966: Fixed a use-after-free in cpia2_exit() which could have caused denial of service (bsc#1159841). - CVE-2019-19965: Fixed a null pointer dereference, due to mishandling of port disconnection during discovery (bsc#1159911). - CVE-2019-19770: Fixed a use-after-free in the debugfs_remove function (bsc#1159198). - CVE-2019-19768: Fixed a use-after-free in the __blk_add_trace function in kernel/trace/blktrace.c (bsc#1159285). - CVE-2019-19462: Fixed an issue which could have allowed local user to cause denial of service (bsc#1158265). - CVE-2019-19447: Fixed a user after free via a crafted ext4 filesystem image (bsc#1158819). - CVE-2019-19319: Fixed a user after free when a large old_size value is used in a memset call (bsc#1158021). - CVE-2019-19318: Fixed a use after free via a crafted btrfs image (bsc#1158026). - CVE-2019-19054: Fixed a memory leak in the cx23888_ir_probe() which could have allowed attackers to cause a denial of service (bsc#1161518). - CVE-2019-19045: Fixed a memory leak in which could have allowed attackers to cause a denial of service (bsc#1161522). - CVE-2019-19036: Fixed a null pointer dereference in btrfs_root_node (bsc#1157692). - CVE-2019-16994: Fixed a memory leak which might have caused denial of service (bsc#1161523). - CVE-2019-14897: Fixed a stack overflow in Marvell Wifi Driver (bsc#1157155). - CVE-2019-14896: Fixed a heap overflow in Marvell Wifi Driver (bsc#1157157). - CVE-2019-14615: Fixed an improper control flow in certain data structures which could have led to information disclosure (bsc#1160195). - CVE-2018-1000199: Fixed a potential local code execution via ptrace (bsc#1089895). The following non-security bugs were fixed: - 6pack,mkiss: fix possible deadlock (bsc#1051510). - ACPI / APEI: Switch estatus pool to use vmalloc memory (bsc#1051510). - ACPI: bus: Fix NULL pointer check in acpi_bus_get_private_data() (bsc#1051510). - ACPI: fix acpi_find_child_device() invocation in acpi_preset_companion() (bsc#1051510). - af_packet: set defaule value for tmo (bsc#1051510). - ALSA: control: remove useless assignment in .info callback of PCM chmap element (git-fixes). - ALSA: hda: Add Clevo W65_67SB the power_save blacklist (git-fixes). - ALSA: hda - Add docking station support for Lenovo Thinkpad T420s (git-fixes). - ALSA: hda/analog - Minor optimization for SPDIF mux connections (git-fixes). - ALSA: hda/ca0132 - Avoid endless loop (git-fixes). - ALSA: hda/ca0132 - Fix work handling in delayed HP detection (git-fixes). - ALSA: hda/ca0132 - Keep power on during processing DSP response (git-fixes). - ALSA: hda - Downgrade error message for single-cmd fallback (git-fixes). - ALSA: hda/hdmi - add retry logic to parse_intel_hdmi() (git-fixes). - ALSA: hda/hdmi - fix atpx_present when CLASS is not VGA (bsc#1051510). - ALSA: hda/realtek - Add headset Mic no shutup for ALC283 (bsc#1051510). - ALSA: ice1724: Fix sleep-in-atomic in Infrasonic Quartet support code (bsc#1051510). - ALSA: pcm: Avoid possible info leaks from PCM stream buffers (git-fixes). - ALSA: seq: Fix racy access for queue timer in proc read (bsc#1051510). - ALSA: sh: Fix compile warning wrt const (git-fixes). - ALSA: usb-audio: fix set_format altsetting sanity check (bsc#1051510). - ALSA: usb-audio: fix sync-ep altsetting sanity check (bsc#1051510). - ar5523: check NULL before memcpy() in ar5523_cmd() (bsc#1051510). - arm64: Revert support for execute-only user mappings (bsc#1160218). - ASoC: au8540: use 64-bit arithmetic instead of 32-bit (bsc#1051510). - ASoC: cs4349: Use PM ops 'cs4349_runtime_pm' (bsc#1051510). - ASoC: Jack: Fix NULL pointer dereference in snd_soc_jack_report (bsc#1051510). - ASoC: msm8916-wcd-analog: Fix selected events for MIC BIAS External1 (bsc#1051510). - ASoC: wm8962: fix lambda value (git-fixes). - ath10k: fix fw crash by moving chip reset after napi disabled (bsc#1051510). - ath9k: fix storage endpoint lookup (git-fixes). - a typo in %kernel_base_conflicts macro name - batman-adv: Fix DAT candidate selection on little endian systems (bsc#1051510). - bcma: remove set but not used variable 'sizel' (git-fixes). - blk: Fix kabi due to blk_trace_mutex addition (bsc#1159285). - blktrace: fix dereference after null check (bsc#1159285). - blktrace: fix trace mutex deadlock (bsc#1159285). - bonding: fix active-backup transition after link failure (git-fixes). - bonding: fix potential NULL deref in bond_update_slave_arr (bsc#1051510). - bonding: fix unexpected IFF_BONDING bit unset (bsc#1051510). - brcmfmac: fix interface sanity check (git-fixes). - brcmfmac: Fix memory leak in brcmf_usbdev_qinit (git-fixes). - brcmfmac: Fix use after free in brcmf_sdio_readframes() (git-fixes). - btrfs: abort transaction after failed inode updates in create_subvol (bsc#1161936). - btrfs: add missing extents release on file extent cluster relocation error (bsc#1159483). - btrfs: avoid fallback to transaction commit during fsync of files with holes (bsc#1159569). - btrfs: dev-replace: remove warning for unknown return codes when finished (dependency for bsc#1162067). - btrfs: do not call synchronize_srcu() in inode_tree_del (bsc#1161934). - btrfs: Ensure we trim ranges across block group boundary (bsc#1151910). - btrfs: fix block group remaining RO forever after error during device replace (bsc#1160442). - btrfs: fix btrfs_write_inode vs delayed iput deadlock (bsc#1154243). - btrfs: fix infinite loop during nocow writeback due to race (bsc#1160804). - btrfs: fix integer overflow in calc_reclaim_items_nr (bsc#1160433). - btrfs: fix missing data checksums after replaying a log tree (bsc#1161931). - btrfs: fix negative subv_writers counter and data space leak after buffered write (bsc#1160802). - btrfs: fix removal logic of the tree mod log that leads to use-after-free issues (bsc#1160803). - btrfs: fix selftests failure due to uninitialized i_mode in test inodes (Fix for dependency of bsc#1157692). - btrfs: handle ENOENT in btrfs_uuid_tree_iterate (bsc#1161937). - btrfs: harden agaist duplicate fsid on scanned devices (bsc#1134973). - btrfs: inode: Verify inode mode to avoid NULL pointer dereference (dependency for bsc#1157692). - btrfs: make tree checker detect checksum items with overlapping ranges (bsc#1161931). - btrfs: Move btrfs_check_chunk_valid() to tree-check.[ch] and export it (dependency for bsc#1157692). - btrfs: record all roots for rename exchange on a subvol (bsc#1161933). - btrfs: relocation: fix reloc_root lifespan and access (bsc#1159588). - btrfs: scrub: Require mandatory block group RO for dev-replace (bsc#1162067). - btrfs: send, skip backreference walking for extents with many references (bsc#1162139). - btrfs: skip log replay on orphaned roots (bsc#1161935). - btrfs: tree-checker: Check chunk item at tree block read time (dependency for bsc#1157692). - btrfs: tree-checker: Check level for leaves and nodes (dependency for bsc#1157692). - btrfs: tree-checker: Enhance chunk checker to validate chunk profile (dependency for bsc#1157692). - btrfs: tree-checker: Fix wrong check on max devid (fixes for dependency of bsc#1157692). - btrfs: tree-checker: get fs_info from eb in block_group_err (dependency for bsc#1157692). - btrfs: tree-checker: get fs_info from eb in check_block_group_item (dependency for bsc#1157692). - btrfs: tree-checker: get fs_info from eb in check_csum_item (dependency for bsc#1157692). - btrfs: tree-checker: get fs_info from eb in check_dev_item (dependency for bsc#1157692). - btrfs: tree-checker: get fs_info from eb in check_dir_item (dependency for bsc#1157692). - btrfs: tree-checker: get fs_info from eb in check_extent_data_item (dependency for bsc#1157692). - btrfs: tree-checker: get fs_info from eb in check_inode_item (dependency for bsc#1157692). - btrfs: tree-checker: get fs_info from eb in check_leaf (dependency for bsc#1157692). - btrfs: tree-checker: get fs_info from eb in check_leaf_item (dependency for bsc#1157692). - btrfs: tree-checker: get fs_info from eb in chunk_err (dependency for bsc#1157692). - btrfs: tree-checker: get fs_info from eb in dev_item_err (dependency for bsc#1157692). - btrfs: tree-checker: get fs_info from eb in dir_item_err (dependency for bsc#1157692). - btrfs: tree-checker: get fs_info from eb in file_extent_err (dependency for bsc#1157692). - btrfs: tree-checker: get fs_info from eb in generic_err (dependency for bsc#1157692). - btrfs: tree-checker: Make btrfs_check_chunk_valid() return EUCLEAN instead of EIO (dependency for bsc#1157692). - btrfs: tree-checker: Make chunk item checker messages more readable (dependency for bsc#1157692). - btrfs: tree-checker: Verify dev item (dependency for bsc#1157692). - btrfs: tree-checker: Verify inode item (dependency for bsc#1157692). - btrfs: volumes: Use more straightforward way to calculate map length (bsc#1151910). - can: can_dropped_invalid_skb(): ensure an initialized headroom in outgoing CAN sk_buffs (bsc#1051510). - can: gs_usb: gs_usb_probe(): use descriptors of current altsetting (bsc#1051510). - can: mscan: mscan_rx_poll(): fix rx path lockup when returning from polling to irq mode (bsc#1051510). - can, slip: Protect tty->disc_data in write_wakeup and close with RCU (bsc#1051510). - cfg80211: check for set_wiphy_params (bsc#1051510). - cfg80211: fix page refcount issue in A-MSDU decap (bsc#1051510). - cfg80211/mac80211: make ieee80211_send_layer2_update a public function (bsc#1051510). - cgroup: pids: use atomic64_t for pids->limit (bsc#1161514). - CIFS: add support for flock (bsc#1144333). - CIFS: Close cached root handle only if it had a lease (bsc#1144333). - CIFS: Close open handle after interrupted close (bsc#1144333). - CIFS: close the shared root handle on tree disconnect (bsc#1144333). - CIFS: Do not miss cancelled OPEN responses (bsc#1144333). - CIFS: Fix lookup of root ses in DFS referral cache (bsc#1144333). - CIFS: Fix memory allocation in __smb2_handle_cancelled_cmd() (bsc#1144333). - CIFS: Fix mount options set in automount (bsc#1144333). - CIFS: Fix NULL pointer dereference in mid callback (bsc#1144333). - CIFS: Fix NULL-pointer dereference in smb2_push_mandatory_locks (bsc#1144333). - CIFS: Fix potential softlockups while refreshing DFS cache (bsc#1144333). - CIFS: Fix retrieval of DFS referrals in cifs_mount() (bsc#1144333). - CIFS: Fix use-after-free bug in cifs_reconnect() (bsc#1144333). - CIFS: Properly process SMB3 lease breaks (bsc#1144333). - CIFS: remove set but not used variables 'cinode' and 'netfid' (bsc#1144333). - CIFS: Respect O_SYNC and O_DIRECT flags during reconnect (bsc#1144333). - clk: Do not try to enable critical clocks if prepare failed (bsc#1051510). - clk: rockchip: fix I2S1 clock gate register for rk3328 (bsc#1051510). - clk: rockchip: fix ID of 8ch clock of I2S1 for rk3328 (bsc#1051510). - clk: rockchip: fix rk3188 sclk_mac_lbtest parameter ordering (bsc#1051510). - clk: rockchip: fix rk3188 sclk_smc gate data (bsc#1051510). - clk: sunxi: sun9i-mmc: Implement reset callback for reset controls (bsc#1051510). - clocksource/drivers/bcm2835_timer: Fix memory leak of timer (bsc#1051510). - clocksource/drivers/hyper-v: Set TSC clocksource as default w/ InvariantTSC (bsc#1170621). - copy/pasted 'Recommends:' instead of 'Provides:', 'Obsoletes:' and 'Conflicts: - crypto: af_alg - Use bh_lock_sock in sk_destruct (bsc#1051510). - crypto: api - Check spawn->alg under lock in crypto_drop_spawn (bsc#1051510). - crypto: api - Fix race condition in crypto_spawn_alg (bsc#1051510). - crypto: atmel-sha - fix error handling when setting hmac key (bsc#1051510). - crypto: ccp - fix uninitialized list head (bsc#1051510). - crypto: chelsio - fix writing tfm flags to wrong place (bsc#1051510). - crypto: pcrypt - Do not clear MAY_SLEEP flag in original request (bsc#1051510). - crypto: picoxcell - adjust the position of tasklet_init and fix missed tasklet_kill (bsc#1051510). - crypto: reexport crypto_shoot_alg() (bsc#1051510, kABI fix). - debugfs: add support for more elaborate ->d_fsdata (bsc#1159198 bsc#1109911). Prerequisite for bsc#1159198. - debugfs: call debugfs_real_fops() only after debugfs_file_get() (bsc#1159198 bsc#1109911). Prerequisite for bsc#1159198. - debugfs: convert to debugfs_file_get() and -put() (bsc#1159198 bsc#1109911). Prerequisite for bsc#1159198. - debugfs: debugfs_real_fops(): drop __must_hold sparse annotation (bsc#1159198 bsc#1109911). Prerequisite for bsc#1159198. - debugfs: debugfs_use_start/finish do not exist anymore (bsc#1159198). Prerequisite for bsc#1159198. - debugfs: defer debugfs_fsdata allocation to first usage (bsc#1159198 bsc#1109911). Prerequisite for bsc#1159198. - debugfs: fix debugfs_real_fops() build error (bsc#1159198 bsc#1109911). Prerequisite for bsc#1159198. - debugfs: implement per-file removal protection (bsc#1159198 bsc#1109911). Prerequisite for bsc#1159198. - debugfs: purge obsolete SRCU based removal protection (bsc#1159198 bsc#1109911). Prerequisite for bsc#1159198. - debugfs: simplify __debugfs_remove_file() (bsc#1159198). Prerequisite for bsc#1159198. - dmaengine: coh901318: Fix a double-lock bug (bsc#1051510). - dmaengine: coh901318: Remove unused variable (bsc#1051510). - dmaengine: Fix access to uninitialized dma_slave_caps (bsc#1051510). - dma-mapping: fix return type of dma_set_max_seg_size() (bsc#1051510). - drivers/base/memory.c: cache blocks in radix tree to accelerate lookup (bsc#1159955 ltc#182993). - drivers/base/memory.c: do not access uninitialized memmaps in soft_offline_page_store() (bsc#1051510). - drivers: HV: Send one page worth of kmsg dump over Hyper-V during panic (bsc#1170617). - drivers: hv: vmbus: Fix the issue with freeing up hv_ctl_table_hdr (bsc#1170617). - drivers: hv: vmbus: Get rid of MSR access from vmbus_drv.c (bsc#1170618). - drivers: hv: vmus: Fix the check for return value from kmsg get dump buffer (bsc#1170617). - drm/amdgpu: add function parameter description in 'amdgpu_gart_bind' (bsc#1051510). - drm/amdgpu: remove 4 set but not used variable in amdgpu_atombios_get_connector_info_from_object_table (bsc#1051510). - drm/amdgpu: remove always false comparison in 'amdgpu_atombios_i2c_process_i2c_ch' (bsc#1051510). - drm/amdgpu: remove set but not used variable 'amdgpu_connector' (bsc#1051510). - drm/amdgpu: remove set but not used variable 'dig' (bsc#1051510). - drm/amdgpu: remove set but not used variable 'dig_connector' (bsc#1051510). - drm/amdgpu: remove set but not used variable 'mc_shared_chmap' (bsc#1051510). - drm/amdgpu: remove set but not used variable 'mc_shared_chmap' from 'gfx_v6_0.c' and 'gfx_v7_0.c' (bsc#1051510). - drm: bridge: dw-hdmi: constify copied structure (bsc#1051510). - drm/dp_mst: correct the shifting in DP_REMOTE_I2C_READ (bsc#1051510). - drm/fb-helper: Round up bits_per_pixel if possible (bsc#1051510). - drm/i810: Prevent underflow in ioctl (bsc#1114279) - drm/i915: Add missing include file (bsc#1051510). - drm/i915: Fix pid leak with banned clients (bsc#1114279) - drm: limit to INT_MAX in create_blob ioctl (bsc#1051510). - drm/mst: Fix MST sideband up-reply failure handling (bsc#1051510). - drm/nouveau: Fix copy-paste error in nouveau_fence_wait_uevent_handler (bsc#1051510). - drm/nouveau/secboot/gm20b: initialize pointer in gm20b_secboot_new() (bsc#1051510). - drm/qxl: Return error if fbdev is not 32 bpp (bsc#1159028) - drm/radeon: fix r1xx/r2xx register checker for POT textures (bsc#1114279) - drm/rockchip: lvds: Fix indentation of a #define (bsc#1051510). - drm/vmwgfx: prevent memory leak in vmw_cmdbuf_res_add (bsc#1051510). - e100: Fix passing zero to 'PTR_ERR' warning in e100_load_ucode_wait (bsc#1051510). - exit: panic before exit_mm() on global init exit (bsc#1161549). - extcon: max8997: Fix lack of path setting in USB device mode (bsc#1051510). - firestream: fix memory leaks (bsc#1051510). - fix autofs regression caused by follow_managed() changes (bsc#1159271). - fix dget_parent() fastpath race (bsc#1159271). - Fix partial checked out tree build ... so that bisection does not break. - fjes: fix missed check in fjes_acpi_add (bsc#1051510). - fs: cifs: Fix atime update check vs mtime (bsc#1144333). - fs/namei.c: fix missing barriers when checking positivity (bsc#1159271). - fs/namei.c: pull positivity check into follow_managed() (bsc#1159271). - fs/xfs: fix f_ffree value for statfs when project quota is set (bsc#1165985). - ftrace: Avoid potential division by zero in function profiler (bsc#1160784). - futex: Prevent robust futex exit race (bsc#1161555). - gpio: Fix error message on out-of-range GPIO in lookup table (bsc#1051510). - HID: hidraw: Fix returning EPOLLOUT from hidraw_poll (bsc#1051510). - HID: hidraw, uhid: Always report EPOLLOUT (bsc#1051510). - hidraw: Return EPOLLOUT from hidraw_poll (bsc#1051510). - HID: uhid: Fix returning EPOLLOUT from uhid_char_poll (bsc#1051510). - hwmon: (adt7475) Make volt2reg return same reg as reg2volt input (bsc#1051510). - hwmon: (core) Do not use device managed functions for memory allocations (bsc#1051510). - hwmon: (nct7802) Fix voltage limits to wrong registers (bsc#1051510). - i2c: imx: do not print error message on probe defer (bsc#1051510). - IB/hfi1: convert to debugfs_file_get() and -put() (bsc#1159198 bsc#1109911). Prerequisite for bsc#1159198. - ibmveth: Detect unsupported packets before sending to the hypervisor (bsc#1159484 ltc#182983). - ibmvfc: do not send implicit logouts prior to NPIV login (bsc#1169625 ltc#184611). - iio: adc: max9611: Fix too short conversion time delay (bsc#1051510). - iio: buffer: align the size of scan bytes to size of the largest element (bsc#1051510). - inet: protect against too small mtu values (networking-stable-19_12_16). - Input: add safety guards to input_set_keycode() (bsc#1168075). - Input: aiptek - fix endpoint sanity check (bsc#1051510). - Input: cyttsp4_core - fix use after free bug (bsc#1051510). - Input: goodix - add upside-down quirk for Teclast X89 tablet (bsc#1051510). - Input: gtco - fix endpoint sanity check (bsc#1051510). - Input: keyspan-remote - fix control-message timeouts (bsc#1051510). - Input: pegasus_notetaker - fix endpoint sanity check (bsc#1051510). - Input: pm8xxx-vib - fix handling of separate enable register (bsc#1051510). - Input: rmi_f54 - read from FIFO in 32 byte blocks (bsc#1051510). - Input: sun4i-ts - add a check for devm_thermal_zone_of_sensor_register (bsc#1051510). - Input: sur40 - fix interface sanity checks (bsc#1051510). - Input: synaptics-rmi4 - do not increment rmiaddr for SMBus transfers (bsc#1051510). - Input: synaptics-rmi4 - simplify data read in rmi_f54_work (bsc#1051510). - Input: synaptics - switch another X1 Carbon 6 to RMI/SMbus (bsc#1051510). - iommu: Remove device link to group on failure (bsc#1160755). - iommu/vt-d: Unlink device if failed to add to group (bsc#1160756). - iwlegacy: ensure loop counter addr does not wrap and cause an infinite loop (git-fixes). - iwlwifi: mvm: Send non offchannel traffic via AP sta (bsc#1051510). - iwlwifi: mvm: synchronize TID queue removal (bsc#1051510). - kABI: protect struct sctp_ep_common (kabi). - kABI: restore debugfs_remove_recursive() (bsc#1159198). - kABI workaround for can/skb.h inclusion (bsc#1051510). - kernel/trace: Fix do not unregister tracepoints when register sched_migrate_task fail (bsc#1160787). - KEYS: reaching the keys quotas correctly (bsc#1171689). - KVM: fix spectrev1 gadgets (bsc#1164705). - KVM: x86: Host feature SSBD does not imply guest feature SPEC_CTRL_SSBD (bsc#1160476). - KVM: x86: Protect DR-based index computations from Spectre-v1/L1TF attacks (bsc#1164734). - KVM: x86: Protect ioapic_read_indirect() from Spectre-v1/L1TF attacks (bsc#1164728). - KVM: x86: Protect ioapic_write_indirect() from Spectre-v1/L1TF attacks (bsc#1164729). - KVM: x86: Protect kvm_hv_msr_[get|set]_crash_data() from Spectre-v1/L1TF attacks (bsc#1164712). - KVM: x86: Protect kvm_lapic_reg_write() from Spectre-v1/L1TF attacks (bsc#1164730). - KVM: x86: Protect MSR-based index computations from Spectre-v1/L1TF attacks in x86.c (bsc#1164733). - KVM: x86: Protect MSR-based index computations in fixed_msr_to_seg_unit() from Spectre-v1/L1TF attacks (bsc#1164731). - KVM: x86: Protect MSR-based index computations in pmu.h from Spectre-v1/L1TF attacks (bsc#1164732). - KVM: x86: Protect pmu_intel.c from Spectre-v1/L1TF attacks (bsc#1164735). - KVM: x86: Protect x86_decode_insn from Spectre-v1/L1TF attacks (bsc#1164705). - KVM: x86: Refactor picdev_write() to prevent Spectre-v1/L1TF attacks (bsc#1164727). - leds: Allow to call led_classdev_unregister() unconditionally (bsc#1161674). - leds: class: ensure workqueue is initialized before setting brightness (bsc#1161674). - lib/scatterlist.c: adjust indentation in __sg_alloc_table (bsc#1051510). - lib/test_kasan.c: fix memory leak in kmalloc_oob_krealloc_more() (bsc#1051510). - livepatch/samples/selftest: Use klp_shadow_alloc() API correctly (bsc#1071995). - livepatch/selftest: Clean up shadow variable names and type (bsc#1071995). - mac80211: Do not send Layer 2 Update frame before authorization (bsc#1051510). - macvlan: do not assume mac_header is set in macvlan_broadcast() (bsc#1051510). - macvlan: use skb_reset_mac_header() in macvlan_queue_xmit() (bsc#1051510). - md/raid0: Fix buffer overflow at debug print (bsc#1164051). - media: cec.h: CEC_OP_REC_FLAG_ values were swapped (bsc#1051510). - media: cec: report Vendor ID after initialization (bsc#1051510). - media: iguanair: fix endpoint sanity check (bsc#1051510). - media: ov519: add missing endpoint sanity checks (bsc#1168829). - media: pulse8-cec: return 0 when invalidating the logical address (bsc#1051510). - media: stkwebcam: Bugfix for wrong return values (bsc#1051510). - media: stv06xx: add missing descriptor sanity checks (bsc#1168854). - media: uvcvideo: Avoid cyclic entity chains due to malformed USB descriptors (bsc#1051510). - media: v4l2-ioctl.c: zero reserved fields for S/TRY_FMT (bsc#1051510). - media: v4l2-rect.h: fix v4l2_rect_map_inside() top/left adjustments (bsc#1051510). - missing escaping of backslashes in macro expansions Fixes: f3b74b0ae86b ('rpm/kernel-subpackage-spec: Unify dependency handling.') Fixes: 3fd22e219f77 ('rpm/kernel-subpackage-spec: Fix empty Recommends tag (bsc#1143959)') - mmc: mediatek: fix CMD_TA to 2 for MT8173 HS200/HS400 mode (bsc#1051510). - mmc: sdhci: fix minimum clock rate for v3 controller (bsc#1051510). - mmc: sdhci-of-esdhc: fix P2020 errata handling (bsc#1051510). - mmc: sdhci-of-esdhc: Revert 'mmc: sdhci-of-esdhc: add erratum A-009204 support' (bsc#1051510). - mmc: tegra: fix SDR50 tuning override (bsc#1051510). - mm: memory_hotplug: use put_device() if device_register fail (bsc#1159955 ltc#182993). - mm/page-writeback.c: fix range_cyclic writeback vs writepages deadlock (bsc#1159394). - mwifiex: drop most magic numbers from mwifiex_process_tdls_action_frame() (git-fixes). - net: bridge: deny dev_set_mac_address() when unregistering (networking-stable-19_12_16). - net: ena: Add PCI shutdown handler to allow safe kexec (bsc#1167421, bsc#1167423). - net: ethernet: ti: cpsw: fix extra rx interrupt (networking-stable-19_12_16). - netfilter: nf_queue: enqueue skbs with NULL dst (git-fixes). - net/mlx4_en: fix mlx4 ethtool -N insertion (networking-stable-19_11_25). - net/mlx5e: Fix set vf link state error flow (networking-stable-19_11_25). - net/mlxfw: Fix out-of-memory error in mfa2 flash burning (bsc#1051858). - net: psample: fix skb_over_panic (networking-stable-19_12_03). - net: rtnetlink: prevent underflows in do_setvfinfo() (networking-stable-19_11_25). - net/sched: act_pedit: fix WARN() in the traffic path (networking-stable-19_11_25). - net: sched: fix `tc -s class show` no bstats on class with nolock subqueues (networking-stable-19_12_03). - net: usb: lan78xx: limit size of local TSO packets (bsc#1051510). - net: usb: qmi_wwan: add support for Foxconn T77W968 LTE modules (networking-stable-19_11_18). - new helper: lookup_positive_unlocked() (bsc#1159271). - NFC: pn533: fix bulk-message timeout (bsc#1051510). - NFC: pn544: Adjust indentation in pn544_hci_check_presence (git-fixes). - objtool: Fix stack offset tracking for indirect CFAs (bsc#1169514). - openvswitch: drop unneeded BUG_ON() in ovs_flow_cmd_build_info() (networking-stable-19_12_03). - openvswitch: remove another BUG_ON() (networking-stable-19_12_03). - openvswitch: support asymmetric conntrack (networking-stable-19_12_16). - orinoco_usb: fix interface sanity check (git-fixes). - PCI: Do not disable bridge BARs when assigning bus resources (bsc#1051510). - PCI/switchtec: Fix vep_vector_number ioread width (bsc#1051510). - phy: qualcomm: Adjust indentation in read_poll_timeout (bsc#1051510). - pinctrl: qcom: ssbi-gpio: fix gpio-hog related boot issues (bsc#1051510). - pinctrl: sh-pfc: r8a7778: Fix duplicate SDSELF_B and SD1_CLK_B (bsc#1051510). - platform/x86: asus-wmi: Fix keyboard brightness cannot be set to 0 (bsc#1051510). - platform/x86: hp-wmi: Make buffer for HPWMI_FEATURE2_QUERY 128 bytes (bsc#1051510). - platform/x86: pmc_atom: Add Siemens CONNECT X300 to critclk_systems DMI table (bsc#1051510). - powerpc: Allow 64bit VDSO __kernel_sync_dicache to work across ranges >4GB (bnc#1151927 5.3.17). - powerpc: Allow flush_icache_range to work across ranges >4GB (bnc#1151927 5.3.17). - powerpc/archrandom: fix arch_get_random_seed_int() (bsc#1065729). - powerpc: Fix vDSO clock_getres() (bsc#1065729). - powerpc/irq: fix stack overflow verification (bsc#1065729). - powerpc/mm: drop #ifdef CONFIG_MMU in is_ioremap_addr() (bsc#1065729). - powerpc/mm: Remove kvm radix prefetch workaround for Power9 DD2.2 (bsc#1061840). - powerpc/pkeys: remove unused pkey_allows_readwrite (bsc#1065729). - powerpc/powernv: Disable native PCIe port management (bsc#1065729). - powerpc/security: Fix debugfs data leak on 32-bit (bsc#1065729). - powerpc/tm: Fix clearing MSR[TS] in current when reclaiming on signal delivery (bsc#1118338 ltc#173734). - powerpc/tools: Do not quote $objdump in scripts (bsc#1065729). - powerpc/xive: Discard ESB load value when interrupt is invalid (bsc#1085030). - powerpc/xive: Skip ioremap() of ESB pages for LSI interrupts (bsc#1085030). - powerpc/xmon: do not access ASDR in VMs (bsc#1065729). - ppp: Adjust indentation into ppp_async_input (git-fixes). - prevent active file list thrashing due to refault detection (VM Performance, bsc#1156286). - pstore/ram: Write new dumps to start of recycled zones (bsc#1051510). - qede: Disable hardware gro when xdp prog is installed (bsc#1086314 bsc#1086313 bsc#1086301 ). - r8152: add missing endpoint sanity check (bsc#1051510). - random: always use batched entropy for get_random_u{32,64} (bsc#1164871). - RDMA/bnxt_re: Avoid freeing MR resources if dereg fails (bsc#1050244). - regulator: Fix return value of _set_load() stub (bsc#1051510). - regulator: rk808: Lower log level on optional GPIOs being not available (bsc#1051510). - regulator: rn5t618: fix module aliases (bsc#1051510). - Revert 'Input: synaptics-rmi4 - do not increment rmiaddr for SMBus transfers' (bsc#1051510). - Revert 'ipc,sem: remove uneeded sem_undo_list lock usage in exit_sem()' (bsc#1172221). - Revert 'mmc: sdhci: Fix incorrect switch to HS mode' (bsc#1051510). - rtc: dt-binding: abx80x: fix resistance scale (bsc#1051510). - rtc: max8997: Fix the returned value in case of error in 'max8997_rtc_read_alarm()' (bsc#1051510). - rtc: msm6242: Fix reading of 10-hour digit (bsc#1051510). - rtc: pcf8523: set xtal load capacitance from DT (bsc#1051510). - rtc: s35390a: Change buf's type to u8 in s35390a_init (bsc#1051510). - scsi: ibmvfc: Avoid loss of all paths during SVC node reboot (bsc#1161951 ltc#183551). - scsi: ibmvfc: Fix NULL return compiler warning (bsc#1161951 ltc#183551). - scsi: qla2xxx: Add a shadow variable to hold disc_state history of fcport (bsc#1158013). - scsi: qla2xxx: Add D-Port Diagnostic reason explanation logs (bsc#1158013). - scsi: qla2xxx: Cleanup unused async_logout_done (bsc#1158013). - scsi: qla2xxx: Consolidate fabric scan (bsc#1158013). - scsi: qla2xxx: Correct fcport flags handling (bsc#1158013). - scsi: qla2xxx: Fix fabric scan hang (bsc#1158013). - scsi: qla2xxx: Fix mtcp dump collection failure (bsc#1158013). - scsi: qla2xxx: Fix RIDA Format-2 (bsc#1158013). - scsi: qla2xxx: Fix stuck login session using prli_pend_timer (bsc#1158013). - scsi: qla2xxx: Fix stuck session in GNL (bsc#1158013). - scsi: qla2xxx: Fix the endianness of the qla82xx_get_fw_size() return type (bsc#1158013). - scsi: qla2xxx: Fix update_fcport for current_topology (bsc#1158013). - scsi: qla2xxx: Improve readability of the code that handles qla_flt_header (bsc#1158013). - scsi: qla2xxx: Remove defer flag to indicate immeadiate port loss (bsc#1158013). - scsi: qla2xxx: Update driver version to 10.01.00.22-k (bsc#1158013). - scsi: qla2xxx: Use common routine to free fcport struct (bsc#1158013). - scsi: qla2xxx: Use get_unaligned_*() instead of open-coding these functions (bsc#1158013). - sctp: cache netns in sctp_ep_common (networking-stable-19_12_03). - serial: 8250_bcm2835aux: Fix line mismatch on driver unbind (bsc#1051510). - serial: ifx6x60: add missed pm_runtime_disable (bsc#1051510). - serial: pl011: Fix DMA ->flush_buffer() (bsc#1051510). - serial: serial_core: Perform NULL checks for break_ctl ops (bsc#1051510). - serial: stm32: fix transmit_chars when tx is stopped (bsc#1051510). - sfc: Only cancel the PPS workqueue if it exists (networking-stable-19_11_25). - sh_eth: check sh_eth_cpu_data::dual_port when dumping registers (bsc#1051510). - sh_eth: fix dumping ARSTR (bsc#1051510). - sh_eth: fix invalid context bug while calling auto-negotiation by ethtool (bsc#1051510). - sh_eth: fix invalid context bug while changing link options by ethtool (bsc#1051510). - sh_eth: fix TSU init on SH7734/R8A7740 (bsc#1051510). - sh_eth: fix TXALCR1 offsets (bsc#1051510). - sh_eth: TSU_QTAG0/1 registers the same as TSU_QTAGM0/1 (bsc#1051510). - smb3: Fix crash in SMB2_open_init due to uninitialized field in compounding path (bsc#1144333). - smb3: Fix persistent handles reconnect (bsc#1144333). - smb3: fix refcount underflow warning on unmount when no directory leases (bsc#1144333). - smb3: remove confusing dmesg when mounting with encryption ('seal') (bsc#1144333). - soc: renesas: rcar-sysc: Add goto to of_node_put() before return (bsc#1051510). - spi: tegra114: clear packed bit for unpacked mode (bsc#1051510). - spi: tegra114: configure dma burst size to fifo trig level (bsc#1051510). - spi: tegra114: fix for unpacked mode transfers (bsc#1051510). - spi: tegra114: flush fifos (bsc#1051510). - spi: tegra114: terminate dma and reset on transfer timeout (bsc#1051510). - staging: comedi: adv_pci1710: fix AI channels 16-31 for PCI-1713 (bsc#1051510). - Staging: iio: adt7316: Fix i2c data reading, set the data field (bsc#1051510). - staging: rtl8188eu: fix interface sanity check (bsc#1051510). - staging: wlan-ng: ensure error return is actually returned (bsc#1051510). - tcp: clear tp->packets_out when purging write queue (bsc#1160560). - tcp: exit if nothing to retransmit on RTO timeout (bsc#1160560, stable 4.14.159). - tcp: md5: fix potential overestimation of TCP option space (networking-stable-19_12_16). - tracing: Have the histogram compare functions convert to u64 first (bsc#1160210). - tracing: xen: Ordered comparison of function pointers (git-fixes). - tty: n_hdlc: fix build on SPARC (bsc#1051510). - tty/serial: atmel: Add is_half_duplex helper (bsc#1051510). - tty: serial: msm_serial: Fix lockup for sysrq and oops (bsc#1051510). - tty: vt: keyboard: reject invalid keycodes (bsc#1051510). - USB: Allow USB device to be warm reset in suspended state (bsc#1051510). - USB: atm: ueagle-atm: add missing endpoint check (bsc#1051510). - USB: chipidea: host: Disable port power only if previously enabled (bsc#1051510). - USB: core: hub: Improved device recognition on remote wakeup (bsc#1051510). - USB: core: urb: fix URB structure initialization function (bsc#1051510). - USB: documentation: flags on usb-storage versus UAS (bsc#1051510). - USB: dwc3: debugfs: Properly print/set link state for HS (bsc#1051510). - USB: dwc3: do not log probe deferrals; but do log other error codes (bsc#1051510). - USB: dwc3: ep0: Clear started flag on completion (bsc#1051510). - USB: dwc3: turn off VBUS when leaving host mode (bsc#1051510). - USB: gadget: f_ecm: Use atomic_t to track in-flight request (bsc#1051510). - USB: gadget: f_ncm: Use atomic_t to track in-flight request (bsc#1051510). - USB: gadget: pch_udc: fix use after free (bsc#1051510). - USB: gadget: u_serial: add missing port entry locking (bsc#1051510). - USB: gadget: Zero ffs_io_data (bsc#1051510). - USB: host: xhci-hub: fix extra endianness conversion (bsc#1051510). - usbip: Fix receive error in vhci-hcd when using scatter-gather (bsc#1051510). - USB: mtu3: fix dbginfo in qmu_tx_zlp_error_handler (bsc#1051510). - USB: musb: dma: Correct parameter passed to IRQ handler (bsc#1051510). - USB: musb: fix idling for suspend after disconnect interrupt (bsc#1051510). - USB: serial: ch341: handle unbound port at reset_resume (bsc#1051510). - USB: serial: io_edgeport: add missing active-port sanity check (bsc#1051510). - USB: serial: io_edgeport: handle unbound ports on URB completion (bsc#1051510). - USB: serial: io_edgeport: use irqsave() in USB's complete callback (bsc#1051510). - USB: serial: ir-usb: add missing endpoint sanity check (bsc#1051510). - USB: serial: ir-usb: fix IrLAP framing (bsc#1051510). - USB: serial: ir-usb: fix link-speed handling (bsc#1051510). - USB: serial: keyspan: handle unbound ports (bsc#1051510). - USB: serial: opticon: fix control-message timeouts (bsc#1051510). - USB: serial: option: Add support for Quectel RM500Q (bsc#1051510). - USB: serial: quatech2: handle unbound ports (bsc#1051510). - USB: serial: simple: Add Motorola Solutions TETRA MTP3xxx and MTP85xx (bsc#1051510). - USB: serial: suppress driver bind attributes (bsc#1051510). - USB: typec: tcpci: mask event interrupts when remove driver (bsc#1051510). - USB: uas: heed CAPACITY_HEURISTICS (bsc#1051510). - USB: uas: honor flag to avoid CAPACITY16 (bsc#1051510). - USB: xhci: Fix build warning seen with CONFIG_PM=n (bsc#1051510). - workqueue: Fix pwq ref leak in rescuer_thread() (bsc#1160211). - x86/entry/64: Fix unwind hints in kernel exit path (bsc#1058115). - x86/entry/64: Fix unwind hints in register clearing code (bsc#1058115). - x86/entry/64: Fix unwind hints in rewind_stack_do_exit() (bsc#1058115). - x86/entry/64: Fix unwind hints in __switch_to_asm() (bsc#1058115). - x86/Hyper-V: Allow guests to enable InvariantTSC (bsc#1170621). - x86/Hyper-V: Free hv_panic_page when fail to register kmsg dump (bsc#1170617). - x86/Hyper-V: Report crash data in die() when panic_on_oops is set (bsc#1170617). - x86/Hyper-V: Report crash register data or kmsg before running crash kernel (bsc#1170617). - x86/Hyper-V: Report crash register data when sysctl_record_panic_msg is not set (bsc#1170617). - x86/Hyper-V: report value of misc_features (git-fixes). - x86/Hyper-V: Trigger crash enlightenment only once during system crash (bsc#1170617). - x86/Hyper-V: Unload vmbus channel in hv panic callback (bsc#1170617). - x86/kgbd: Use NMI_VECTOR not APIC_DM_NMI (bsc#1114279). - x86/mce/AMD: Allow any CPU to initialize the smca_banks array (bsc#1114279). - x86/MCE/AMD: Allow Reserved types to be overwritten in smca_banks (bsc#1114279). - x86/MCE/AMD: Do not use rdmsr_safe_on_cpu() in smca_configure() (bsc#1114279). - x86/mce: Fix possibly incorrect severity calculation on AMD (bsc#1114279). - x86/mm: Split vmalloc_sync_all() (bsc#1165741). - x86/resctrl: Fix an imbalance in domain_remove_cpu() (bsc#1114279). - x86/resctrl: Fix potential memory leak (bsc#1114279). - x86/unwind/orc: Do not skip the first frame for inactive tasks (bsc#1058115). - x86/unwind/orc: Fix error handling in __unwind_start() (bsc#1058115). - x86/unwind/orc: Fix error path for bad ORC entry type (bsc#1058115). - x86/unwind/orc: Fix unwind_get_return_address_ptr() for inactive tasks (bsc#1058115). - x86/unwind/orc: Prevent unwinding before ORC initialization (bsc#1058115). - x86/unwind: Prevent false warnings for non-current tasks (bsc#1058115). - x86/xen: fix booting 32-bit pv guest (bsc#1071995). - x86/xen: Make the boot CPU idle task reliable (bsc#1071995). - x86/xen: Make the secondary CPU idle tasks reliable (bsc#1071995). - xen/blkfront: Adjust indentation in xlvbd_alloc_gendisk (bsc#1065600). - xen-blkfront: switch kcalloc to kvcalloc for large array allocation (bsc#1160917). - xfrm: Fix transport mode skb control buffer usage (bsc#1161552). - xfs: also remove cached ACLs when removing the underlying attr (bsc#1165873). - xfs: bulkstat should copy lastip whenever userspace supplies one (bsc#1165984). - xfs: Fix tail rounding in xfs_alloc_file_space() (bsc#1161087, bsc#1153917). - xhci: Fix memory leak in xhci_add_in_port() (bsc#1051510). - xhci: fix USB3 device initiated resume race with roothub autosuspend (bsc#1051510). - xhci: handle some XHCI_TRUST_TX_LENGTH quirks cases as default behaviour (bsc#1051510). - xhci: make sure interrupts are restored to correct state (bsc#1051510). - zd1211rw: fix storage endpoint lookup (git-fixes). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2020:1677-1 Released: Thu Jun 18 18:16:39 2020 Summary: Security update for mozilla-nspr, mozilla-nss Type: security Severity: important References: 1159819,1169746,1171978,CVE-2019-17006,CVE-2020-12399 This update for mozilla-nspr, mozilla-nss fixes the following issues: mozilla-nss was updated to version 3.53 - CVE-2020-12399: Fixed a timing attack on DSA signature generation (bsc#1171978). - CVE-2019-17006: Added length checks for cryptographic primitives (bsc#1159819). Release notes: mozilla-nspr to version 4.25 ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:1679-1 Released: Thu Jun 18 20:07:06 2020 Summary: Recommended update for cloud-init Type: recommended Severity: moderate References: 1170154,1171546,1171995 This update for cloud-init contains the following fixes: - rsyslog warning, '~' is deprecated: (bsc#1170154) + replace deprecated syntax '& ~' by '& stop' for more information please see https://www.rsyslog.com/rsyslog-error-2307/. + Explicitly test for netconfig version 1 as well as 2. + Handle netconfig v2 device configurations (bsc#1171546, bsc#1171995) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2020:1682-1 Released: Fri Jun 19 09:44:54 2020 Summary: Security update for perl Type: security Severity: important References: 1171863,1171864,1171866,1172348,CVE-2020-10543,CVE-2020-10878,CVE-2020-12723 This update for perl fixes the following issues: - CVE-2020-10543: Fixed a heap buffer overflow in regular expression compiler which could have allowed overwriting of allocated memory with attacker's data (bsc#1171863). - CVE-2020-10878: Fixed multiple integer overflows which could have allowed the insertion of instructions into the compiled form of Perl regular expression (bsc#1171864). - CVE-2020-12723: Fixed an attacker's corruption of the intermediate language state of a compiled regular expression (bsc#1171866). - Fixed a bad warning in features.ph (bsc#1172348). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:1760-1 Released: Thu Jun 25 18:46:13 2020 Summary: Recommended update for systemd Type: recommended Severity: moderate References: 1157315,1162698,1164538,1169488,1171145,1172072 This update for systemd fixes the following issues: - Merge branch 'SUSE/v234' into SLE15 units: starting suspend.target should not fail when suspend is successful (bsc#1172072) core/mount: do not add Before=local-fs.target or remote-fs.target if nofail mount option is set mount: let mount_add_extras() take care of remote-fs.target deps (bsc#1169488) mount: set up local-fs.target/remote-fs.target deps in mount_add_default_dependencies() too udev: rename the persistent link for ATA devices (bsc#1164538) shared/install: try harder to find enablement symlinks when disabling a unit (bsc#1157315) tmpfiles: remove unnecessary assert (bsc#1171145) test-engine: manager_free() was called too early pid1: by default make user units inherit their umask from the user manager (bsc#1162698) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2020:1773-1 Released: Fri Jun 26 08:05:59 2020 Summary: Security update for curl Type: security Severity: important References: 1173027,CVE-2020-8177 This update for curl fixes the following issues: - CVE-2020-8177: Fixed an issue where curl could have been tricked by a malicious server to overwrite a local file when using the -J option (bsc#1173027). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:1820-1 Released: Thu Jul 2 08:38:44 2020 Summary: Recommended update for dracut Type: recommended Severity: moderate References: 1161573 This update for dracut fixes the following issue: - Fix dracut timeout on missing root device (bsc#1161573) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2020:1822-1 Released: Thu Jul 2 11:30:42 2020 Summary: Security update for python3 Type: security Severity: important References: 1173274,CVE-2020-14422 This update for python3 fixes the following issues: - CVE-2020-14422: Fixed an improper computation of hash values in the IPv4Interface and IPv6Interface could have led to denial of service (bsc#1173274). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2020:1396-1 Released: Fri Jul 3 12:33:05 2020 Summary: Security update for zstd Type: security Severity: moderate References: 1082318,1133297 This update for zstd fixes the following issues: - Fix for build error caused by wrong static libraries. (bsc#1133297) - Correction in spec file marking the license as documentation. (bsc#1082318) - Add new package for SLE-15. (jsc#ECO-1886) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2020:1850-1 Released: Mon Jul 6 14:44:39 2020 Summary: Security update for mozilla-nss Type: security Severity: moderate References: 1168669,1173032,CVE-2020-12402 This update for mozilla-nss fixes the following issues: mozilla-nss was updated to version 3.53.1 - CVE-2020-12402: Fixed a potential side channel attack during RSA key generation (bsc#1173032) - Fixed various FIPS issues in libfreebl3 which were causing segfaults in the test suite of chrony (bsc#1168669). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:1852-1 Released: Mon Jul 6 16:50:23 2020 Summary: Recommended update for fontforge, ghostscript-fonts, ttf-converter, xorg-x11-fonts Type: recommended Severity: moderate References: 1169444 This update for fontforge, ghostscript-fonts, ttf-converter, xorg-x11-fonts fixes the following issues: Changes in fontforge: - Support transforming bitmap glyphs from python. (bsc#1169444) - Allow python-Sphinx >= 3 Changes in ttf-converter: - Update from version 1.0 to version 1.0.6: * ftdump is now shipped additionally as new dependency for ttf-converter * Standardize output when converting vector and bitmap fonts * Add more subfamilies fixes (bsc#1169444) * Add --family and --subfamily arguments to force values on those fields * Add parameters to fix glyph unicode values --fix-glyph-unicode : Try to fix unicode points and glyph names based on glyph names containing hexadecimal codes (like '$0C00', 'char12345' or 'uni004F') --replace-unicode-values: When passed 2 comma separated numbers a,b the glyph with an unicode value of a is replaced with the unicode value b. Can be used more than once. --shift-unicode-values: When passed 3 comma separated numbers a,b,c this shifts the unicode values of glyphs between a and b (both included) by adding c. Can be used more than once. * Add --bitmapTransform parameter to transform bitmap glyphs. (bsc#1169444) When used, all glyphs are modified with the transformation function and values passed as parameters. The parameter has three values separated by commas: fliph|flipv|rotate90cw|rotate90ccw|rotate180|skew|transmove,xoff,yoff * Add support to convert bitmap fonts (bsc#1169444) * Rename MediumItalic subfamily to Medium Italic * Show some more information when removing duplicated glyphs * Add a --force-monospaced argument instead of hardcoding font names * Convert `BoldCond` subfamily to `Bold Condensed` * Fixes for Monospaced fonts and force the Nimbus Mono L font to be Monospaced. (bsc#1169444 #c41) * Add a --version argument * Fix subfamily names so the converted font's subfamily match the original ones. (bsc#1169444 #c41) Changes in xorg-x11-fonts: - Use ttf-converter 1.0.6 to build an Italic version of cu12.pcf.gz in the converted subpackage - Include the subfamily in the filename of converted fonts - Use ttf-converter's new bitmap font support to convert Schumacher Clean and Schumacher Clean Wide (bsc#1169444 #c41) - Replace some unicode values in cu-pua12.pcf.gz to fix them - Shift some unicode values in arabic24.pcf.gz and cuarabic12.pcf.gz so glyphs don't pretend to be latin characters when they're not. - Don't distribute converted fonts with wrong unicode values in their glyphs. (bsc#1169444) Bitstream-Charter-*.otb, Cursor.ttf,Sun-OPEN-LOOK-*.otb, MUTT-ClearlyU-Devangari-Extra-Regular, MUTT-ClearlyU-Ligature-Wide-Regular, and MUTT-ClearlyU-Devanagari-Regular Changes in ghostscript-fonts: - Force the converted Nimbus Mono font to be monospaced. (bsc#1169444 #c41) Use the --force-monospaced argument of ttf-converter 1.0.3 ----------------------------------------------------------------- Advisory ID: SUSE-SU-2020:1856-1 Released: Mon Jul 6 17:05:51 2020 Summary: Security update for openldap2 Type: security Severity: important References: 1172698,1172704,CVE-2020-8023 This update for openldap2 fixes the following issues: - CVE-2020-8023: Fixed a potential local privilege escalation from ldap to root when OPENLDAP_CONFIG_BACKEND='ldap' was used (bsc#1172698). - Changed DB_CONFIG to root:ldap permissions (bsc#1172704). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2020:1858-1 Released: Mon Jul 6 17:08:06 2020 Summary: Security update for permissions Type: security Severity: moderate References: 1171883 This update for permissions fixes the following issues: - Removed conflicting entries which might expose pcp to security issues (bsc#1171883) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:1869-1 Released: Tue Jul 7 15:08:12 2020 Summary: Recommended update for libsolv, libzypp, zypper Type: recommended Severity: moderate References: 1130873,1154803,1164543,1165476,1165573,1166610,1167122,1168990,1169947,1170801,1171224,1172135,1172925 This update for libsolv, libzypp, zypper fixes the following issues: libsolv was updated to 0.7.14: - Enable zstd compression support - Support blacklisted packages in solver_findproblemrule() (bnc#1172135) - Support rules with multiple negative literals in choice rule generation - Fix solvable swapping messing up idarrays - fix ruleinfo of complex dependencies returning the wrong origin libzypp was updated to 17.23.7: - Enable zchunk metadata download if libsolv supports it. - Older kernel-devel packages are not properly purged (bsc#1171224) - doc: enhance service plugin example. - Get retracted patch status from updateinfo data (jsc#SLE-8770) libsolv injects the indicator provides into packages only. - remove 'using namespace std;' (bsc#1166610, fixes #218) - Online doc: add 'Hardware (modalias) dependencies' page (fixes #216) - Add HistoryLogReader actionFilter to parse only specific HistoryActionIDs. - RepoVariables: Add safe guard in case the caller does not own a zypp instance. - Enable c++17. Define libyzpp CXX_STANDARD in ZyppCommon.cmake. - Fix package status computation regarding unneeded, orphaned, recommended and suggested packages (broken in 17.23.0) (bsc#1165476) - Log patch status changes to history (jsc#SLE-5116) - Allow to disable all WebServer dependent tests when building. OBS wants to be able to get rid of the nginx/FastCGI-devel build requirement. Use 'rpmbuild --without mediabackend_tests' or 'cmake -DDISABLE_MEDIABACKEND_TESTS=1'. - boost: Fix deprecated auto_unit_test.hpp includes. - Disable zchunk on Leap-15.0 and SLE15-* while there is no libzck. - Fix decision whether to download ZCHUNK files. libzypp and libsolv must both be able to read the format. - yum::Downloader: Prefer zchunk compressed metadata if libvsolv supports it. - Selectable: Fix highestAvailableVersionObj if only retracted packages are available. Avoid using retracted items as candidate (jsc#SLE-8770) - RpmDb: Become rpmdb backend independent (jsc#SLE-7272) - RpmDb: Close API offering a custom rpmdb path It's actually not needed and for this to work also libsolv needs to support it. You can sill use a librpmDb::db_const_iterator to access a database at a custom location (ro). - Remove legacy rpmV3database conversion code. - Fix core dump with corrupted history file (bsc#1170801) zypper was updated to 1.14.37: - Reformat manpages to workaround asciidoctor shortcomings (bsc#1154803, bsc#1167122, bsc#1168990) - Remove undocumented rug legacy stuff. - Remove 'using namespace std;' (bsc#1166610) - patch table: Add 'Since' column if history data are available (jsc#SLE-5116) - Tag 'retracted' patch status in info and list-patches (jsc#SLE-8770) - Tag 'R'etracted items in search tabes status columns (jsc#SLE-8770) - Relax 'Do not allow the abbreviation of cli arguments' in legacy distibutions (bsc#1164543) - Correctly detect ambigous switch abbreviations (bsc#1165573) - zypper-aptitude: don't supplement zypper. supplementing zypper means zypper-aptitude gets installed by default and pulls in perl. Neither is desired on small systems. - Do not allow the abbreviation of cli arguments (bsc#1164543) - accoring to according in all translation files. - Always show exception history if available. - Use default package cache location for temporary repos (bsc#1130873) - Print switch abbrev warning to stderr (bsc#1172925) - Fix typo in man page (bsc#1169947) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2020:1888-1 Released: Fri Jul 10 15:51:12 2020 Summary: Security update for xen Type: security Severity: important References: 1173376,1173377,1173378,1173380,CVE-2020-15563,CVE-2020-15565,CVE-2020-15566,CVE-2020-15567 This update for xen fixes the following issues: - CVE-2020-15563: Fixed inverted code paths in x86 dirty VRAM tracking (bsc#1173377). - CVE-2020-15565: Fixed insufficient cache write-back under VT-d (bsc#1173378). - CVE-2020-15566: Fixed incorrect error handling in event channel port allocation (bsc#1173376). - CVE-2020-15567: Fixed non-atomic modification of live EPT PTE (bsc#1173380). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:1953-1 Released: Sat Jul 18 03:06:11 2020 Summary: Recommended update for parted Type: recommended Severity: important References: 1164260 This update for parted fixes the following issue: - fix support of NVDIMM (pmemXs) devices (bsc#1164260) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:1986-1 Released: Tue Jul 21 16:06:29 2020 Summary: Recommended update for openvswitch Type: recommended Severity: moderate References: 1172861,1172929 This update for openvswitch fixes the following issues: - Preserve the old default OVS_USER_ID for users that removed the override at /etc/sysconfig/openvswitch. (bsc#1172861) - Fix possible changes of openvswitch configuration during upgrades. (bsc#1172929) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:1999-1 Released: Wed Jul 22 09:04:32 2020 Summary: Recommended update for dracut Type: recommended Severity: moderate References: 1172807 This update for dracut fixes the following issues: - PXE boot process times out (bsc#1172807) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2020:2073-1 Released: Wed Jul 29 18:59:25 2020 Summary: Security update for grub2 Type: security Severity: important References: 1168994,1173812,1174463,1174570,CVE-2020-10713,CVE-2020-14308,CVE-2020-14309,CVE-2020-14310,CVE-2020-14311,CVE-2020-15706,CVE-2020-15707 This update for grub2 fixes the following issues: - Fix for CVE-2020-10713 (bsc#1168994) - Fix for CVE-2020-14308 CVE-2020-14309, CVE-2020-14310, CVE-2020-14311 (bsc#1173812) - Fix for CVE-2020-15706 (bsc#1174463) - Fix for CVE-2020-15707 (bsc#1174570) - Use overflow checking primitives where the arithmetic expression for buffer allocations may include unvalidated data - Use grub_calloc for overflow check and return NULL when it would occur - Use gcc-9 compiler for overflow check builtins - Backport gcc-9 build fixes ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:2083-1 Released: Thu Jul 30 10:27:59 2020 Summary: Recommended update for diffutils Type: recommended Severity: moderate References: 1156913 This update for diffutils fixes the following issue: - Disable a sporadically failing test for ppc64 and ppc64le builds. (bsc#1156913) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:2099-1 Released: Fri Jul 31 08:06:40 2020 Summary: Recommended update for systemd Type: recommended Severity: moderate References: 1173227,1173229,1173422 This update for systemd fixes the following issues: - migrate-sysconfig-i18n.sh: fixed marker handling (bsc#1173229) The marker is used to make sure the script is run only once. Instead of storing it in /usr, use /var which is more appropriate for such file. Also make it owned by systemd package. - Fix inconsistent file modes for some ghost files (bsc#1173227) Ghost files are assumed by rpm to have mode 000 by default which is not consistent with file permissions set at runtime. Also /var/lib/systemd/random-seed was tracked wrongly as a directory. Also don't track (ghost) /etc/systemd/system/runlevel*.target aliases since we're not supposed to track units or aliases user might define/override. - Fix build of systemd on openSUSE Leap 15.2 (bsc#1173422) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2020:2106-1 Released: Mon Aug 3 16:43:48 2020 Summary: Security update for the Linux Kernel Type: security Severity: important References: 1051510,1065729,1071995,1104967,1152107,1158755,1162002,1170011,1171078,1171673,1171732,1171868,1172257,1172775,1172781,1172782,1172783,1172999,1173265,1173280,1173514,1173567,1173573,1173659,1173999,1174000,1174115,1174462,1174543,CVE-2019-16746,CVE-2019-20908,CVE-2020-0305,CVE-2020-10766,CVE-2020-10767,CVE-2020-10768,CVE-2020-10769,CVE-2020-10773,CVE-2020-12771,CVE-2020-12888,CVE-2020-13974,CVE-2020-14416,CVE-2020-15393,CVE-2020-15780 The SUSE Linux Enterprise 15 GA LTSS kernel was updated to receive various security and bugfixes. The following security bugs were fixed: - CVE-2020-0305: In cdev_get of char_dev.c, there is a possible use-after-free due to a race condition. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation (bnc#1174462). - CVE-2019-20908: An issue was discovered in drivers/firmware/efi/efi.c where incorrect access permissions for the efivar_ssdt ACPI variable could be used by attackers to bypass lockdown or secure boot restrictions, aka CID-1957a85b0032 (bnc#1173567). - CVE-2020-15780: An issue was discovered in drivers/acpi/acpi_configfs.c where injection of malicious ACPI tables via configfs could be used by attackers to bypass lockdown and secure boot restrictions, aka CID-75b0cea7bf30 (bnc#1173573). - CVE-2020-15393: usbtest_disconnect in drivers/usb/misc/usbtest.c had a memory leak, aka CID-28ebeb8db770 (bnc#1173514). - CVE-2020-12771: btree_gc_coalesce in drivers/md/bcache/btree.c has a deadlock if a coalescing operation fails (bnc#1171732). - CVE-2019-16746: An issue was discovered in net/wireless/nl80211.c which did not check the length of variable elements in a beacon head, leading to a buffer overflow (bnc#1152107 1173659). - CVE-2020-12888: The VFIO PCI driver mishandled attempts to access disabled memory space (bnc#1171868). - CVE-2020-10769: A buffer over-read flaw was found in crypto_authenc_extractkeys in crypto/authenc.c in the IPsec Cryptographic algorithm's module, authenc. When a payload longer than 4 bytes, and is not following 4-byte alignment boundary guidelines, it causes a buffer over-read threat, leading to a system crash. This flaw allowed a local attacker with user privileges to cause a denial of service (bnc#1173265). - CVE-2020-10773: A kernel stack information leak on s390/s390x was fixed (bnc#1172999). - CVE-2020-14416: A race condition in tty->disc_data handling in the slip and slcan line discipline could lead to a use-after-free, aka CID-0ace17d56824. This affects drivers/net/slip/slip.c and drivers/net/can/slcan.c (bnc#1162002). - CVE-2020-10768: Indirect branch speculation could have been enabled after it was force-disabled by the PR_SPEC_FORCE_DISABLE prctl command. (bnc#1172783). - CVE-2020-10766: Fixed Rogue cross-process SSBD shutdown, where a Linux scheduler logical bug allows an attacker to turn off the SSBD protection. (bnc#1172781). - CVE-2020-10767: Indirect Branch Prediction Barrier was force-disabled when STIBP is unavailable or enhanced IBRS is available. (bnc#1172782). - CVE-2020-13974: drivers/tty/vt/keyboard.c had an integer overflow if k_ascii is called several times in a row, aka CID-b86dab054059 (bnc#1172775). The following non-security bugs were fixed: - Merge ibmvnic reset fixes (bsc#1158755 ltc#182094). - block, bfq: add requeue-request hook (bsc#1104967 bsc#1171673). - block, bfq: postpone rq preparation to insert or merge (bsc#1104967 bsc#1171673). - ibmvnic: Do not process device remove during device reset (bsc#1065729). - ibmvnic: Flush existing work items before device removal (bsc#1065729). - ibmvnic: Harden device login requests (bsc#1170011 ltc#183538). - ibmvnic: Skip fatal error reset after passive init (bsc#1171078 ltc#184239). - ibmvnic: continue to init in CRQ reset returns H_CLOSED (bsc#1173280 ltc#185369). - intel_idle: Graceful probe failure when MWAIT is disabled (bsc#1174115). - livepatch: Apply vmlinux-specific KLP relocations early (bsc#1071995). - livepatch: Disallow vmlinux.ko (bsc#1071995). - livepatch: Make klp_apply_object_relocs static (bsc#1071995). - livepatch: Prevent module-specific KLP rela sections from referencing vmlinux symbols (bsc#1071995). - livepatch: Remove .klp.arch (bsc#1071995). - vfio/pci: Fix SR-IOV VF handling with MMIO blocking (bsc#1051510). - vfio/pci: Fix SR-IOV VF handling with MMIO blocking (bsc#1174000). - vfio/pci: Mask buggy SR-IOV VF INTx support (bsc#1051510). - vfio/pci: Mask buggy SR-IOV VF INTx support (bsc#1173999). - x86/{mce,mm}: Unmap the entire page if the whole page is affected and poisoned (bsc#1172257). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2020:2159-1 Released: Thu Aug 6 20:05:30 2020 Summary: Security update for xen Type: security Severity: important References: 1172356,1174543 This update for xen fixes the following issues: - bsc#1174543 - secure boot related fixes - bsc#1172356 - Not able to hot-plug NIC via virt-manager, asks to attach on next reboot while it should be live attached ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:2208-1 Released: Tue Aug 11 17:25:45 2020 Summary: Recommended update for rsyslog Type: recommended Severity: important References: 1173338 This update for rsyslog fixes the following issues: - Fix for logrotate to avoid unexpected exit with coredump after logrotate. (bsc#1173338) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:2219-1 Released: Wed Aug 12 15:47:42 2020 Summary: Recommended update for supportutils-plugin-suse-public-cloud and python3-azuremetadata Type: recommended Severity: moderate References: 1170475,1170476,1173238,1173240,1173357,1174618,1174847 This update for supportutils-plugin-suse-public-cloud and python3-azuremetadata fixes the following issues: supportutils-plugin-suse-public-cloud: - Fixes an error when supportutils-plugin-suse-public-cloud and supportutils-plugin-salt are installed at the same time (bsc#1174618) - Sensitive information like credentials (such as access keys) will be removed when the metadata is being collected (bsc#1170475, bsc#1170476) python3-azuremetadata: - Added latest support for `--listapis` and `--api` (bsc#1173238, bsc#1173240) - Detects when the VM is running in ASM (Azure Classic) and does now handle the condition to generate the data without requiring access to the full IMDS available, only in ARM instances (bsc#1173357, bsc#1174847) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:2221-1 Released: Thu Aug 13 09:06:20 2020 Summary: Recommended update for SUSEConnect Type: recommended Severity: moderate References: 1130864,1155911,1160007 This update for SUSEConnect fixes the following issues: Update from version 0.3.22 to version 0.3.25 - Don't fail de-activation when '-release' package already got removed. - Fix cloud_provider detection on AWS large instances. (bsc#1160007) - Forbid de-registration for on-demand Public Cloud instances. (bsc#1155911) - Setup customer_center on read-only boot system. (bsc#1130864) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:2223-1 Released: Thu Aug 13 09:12:03 2020 Summary: Recommended update for zypper-migration-plugin Type: recommended Severity: moderate References: 1100137,1107238,1171652 This update for zypper-migration-plugin fixes the following issues: - Fix for an issue when not all release packages are installed after migration. (bsc#1171652) - Fix for snapper configuration to avoid migration failures. (jira#SLE-7752) - Fix for the issue when zypper migration tool does not provide a proper exit code if it is not mirrored on registration server. (bsc#1107238) - Fix for failing salt migration by check for closed standard input. (bsc#1100137) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:2224-1 Released: Thu Aug 13 09:15:47 2020 Summary: Recommended update for glibc Type: recommended Severity: moderate References: 1171878,1172085 This update for glibc fixes the following issues: - Fix concurrent changes on nscd aware files appeared by 'getent' when the NSCD cache was enabled. (bsc#1171878, BZ #23178) - Implement correct locking and cancellation cleanup in syslog functions. (bsc#1172085, BZ #26100) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:2243-1 Released: Fri Aug 14 15:27:12 2020 Summary: Recommended update for grub2 Type: recommended Severity: important References: 1174782,1175036,1175060 This update for grub2 fixes the following issues: - A potential regression has been fixed that would cause systems with an updated 'grub2' to boot no longer due to a missing 'grub-calloc' linker symbol. (bsc#1174782) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:2256-1 Released: Mon Aug 17 15:08:46 2020 Summary: Recommended update for sysfsutils Type: recommended Severity: moderate References: 1155305 This update for sysfsutils fixes the following issue: - Fix cdev name comparison. (bsc#1155305) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2020:2277-1 Released: Wed Aug 19 13:24:03 2020 Summary: Security update for python3 Type: security Severity: moderate References: 1174091,CVE-2019-20907 This update for python3 fixes the following issues: - bsc#1174091, CVE-2019-20907: avoiding possible infinite loop in specifically crafted tarball. ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:2279-1 Released: Wed Aug 19 21:26:55 2020 Summary: Recommended update for libzypp Type: recommended Severity: moderate References: 1173106,1174011 This update for libzypp fixes the following issues: - Proactively send credentials if the URL specifes '?auth=basic' and a username. (bsc#1174011) - ZYPP_MEDIA_CURL_DEBUG: Strip credentials in header log. (bsc#1174011) - Completey rework the purge-kernels algorithm. The new code is closer to the original perl script, grouping the packages by name before applying the keep spec. (bsc#1173106) - Set ZYPP_RPM_DEBUG=1 to capture verbose rpm command output. ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:2284-1 Released: Thu Aug 20 16:04:17 2020 Summary: Recommended update for ca-certificates-mozilla Type: recommended Severity: important References: 1010996,1071152,1071390,1154871,1174673,973042 This update for ca-certificates-mozilla fixes the following issues: update to 2.42 state of the Mozilla NSS Certificate store (bsc#1174673) Removed CAs: * AddTrust External CA Root * AddTrust Class 1 CA Root * LuxTrust Global Root 2 * Staat der Nederlanden Root CA - G2 * Symantec Class 1 Public Primary Certification Authority - G4 * Symantec Class 2 Public Primary Certification Authority - G4 * VeriSign Class 3 Public Primary Certification Authority - G3 Added CAs: * certSIGN Root CA G2 * e-Szigno Root CA 2017 * Microsoft ECC Root Certificate Authority 2017 * Microsoft RSA Root Certificate Authority 2017 - reverted p11-kit nss trust integration as it breaks in fresh installations (bsc#1154871) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2020:2296-1 Released: Mon Aug 24 10:34:37 2020 Summary: Security update for gettext-runtime Type: security Severity: moderate References: 1106843,1113719,941629,CVE-2018-18751 This update for gettext-runtime fixes the following issues: - Fix boo941629-unnessary-rpath-on-standard-path.patch (bsc#941629) - Added msgfmt-double-free.patch to fix a double free error (CVE-2018-18751 bsc#1113719) - Add patch msgfmt-reset-msg-length-after-remove.patch which does reset the length of message string after a line has been removed (bsc#1106843) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2020:2303-1 Released: Tue Aug 25 14:46:36 2020 Summary: Security update for grub2 Type: security Severity: important References: 1172745,1174421,CVE-2020-15705 This update for grub2 fixes the following issues: - CVE-2020-15705: Fail kernel validation without shim protocol (bsc#1174421). - Add fibre channel device's ofpath support to grub-ofpathname and search hint to speed up root device discovery (bsc#1172745). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:2337-1 Released: Wed Aug 26 13:00:47 2020 Summary: Recommended update for dracut Type: recommended Severity: moderate References: 1172807 This update for dracut fixes the following issue: - Fix typo in did setup conditional. (bsc#1172807) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:2380-1 Released: Fri Aug 28 14:54:08 2020 Summary: Recommended update for supportutils-plugin-suse-public-cloud Type: recommended Severity: moderate References: 1175250,1175251 This update for supportutils-plugin-suse-public-cloud contains the following fix: - Update to version 1.0.5: (bsc#1175250, bsc#1175251) + Query for new GCE initialization code packages ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:2384-1 Released: Sat Aug 29 00:57:13 2020 Summary: Recommended update for e2fsprogs Type: recommended Severity: low References: 1170964 This update for e2fsprogs fixes the following issues: - Fix for an issue when system message with placeholders are not properly replaced. (bsc#1170964) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:2411-1 Released: Tue Sep 1 13:28:47 2020 Summary: Recommended update for systemd Type: recommended Severity: moderate References: 1142733,1146991,1158336,1172195,1172824,1173539 This update for systemd fixes the following issues: - Improve logging when PID1 fails at setting a namespace up when spawning a command specified by 'Exec*='. (bsc#1172824, bsc#1142733) pid1: improve message when setting up namespace fails. execute: let's close glibc syslog channels too. execute: normalize logging in *execute.c*. execute: fix typo in error message. execute: drop explicit *log_open()*/*log_close()* now that it is unnecessary. execute: make use of the new logging mode in *execute.c* log: add a mode where we open the log fds for every single log message. log: let's make use of the fact that our functions return the negative error code for *log_oom()* too. execute: downgrade a log message ERR → WARNING, since we proceed ignoring its result. execute: rework logging in *setup_keyring()* to include unit info. execute: improve and augment execution log messages. - vconsole-setup: downgrade log message when setting font fails on dummy console. (bsc#1172195 bsc#1173539) - fix infinite timeout. (bsc#1158336) - bpf: mount bpffs by default on boot. (bsc#1146991) - man: explain precedence for options which take a list. - man: unify titling, fix description of precedence in sysusers.d(5) - udev-event: fix timeout log messages. ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:2420-1 Released: Tue Sep 1 13:48:35 2020 Summary: Recommended update for zlib Type: recommended Severity: moderate References: 1174551,1174736 This update for zlib provides the following fixes: - Permit a deflateParams() parameter change as soon as possible. (bsc#1174736) - Fix DFLTCC not flushing EOBS when creating raw streams. (bsc#1174551) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2020:2446-1 Released: Wed Sep 2 09:33:22 2020 Summary: Security update for curl Type: security Severity: moderate References: 1175109,CVE-2020-8231 This update for curl fixes the following issues: - An application that performs multiple requests with libcurl's multi API and sets the 'CURLOPT_CONNECT_ONLY' option, might in rare circumstances experience that when subsequently using the setup connect-only transfer, libcurl will pick and use the wrong connection and instead pick another one the application has created since then. [bsc#1175109, CVE-2020-8231] ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:2458-1 Released: Wed Sep 2 15:44:30 2020 Summary: Recommended update for iputils Type: recommended Severity: moderate References: 927831 This update for iputils fixes the following issue: - ping: Remove workaround for bug in IP_RECVERR on raw sockets. (bsc#927831) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2020:2581-1 Released: Wed Sep 9 13:07:07 2020 Summary: Security update for openldap2 Type: security Severity: moderate References: 1174154,CVE-2020-15719 This update for openldap2 fixes the following issues: - bsc#1174154 - CVE-2020-15719 - This resolves an issue with x509 SAN's falling back to CN validation in violation of rfc6125. ----------------------------------------------------------------- Advisory ID: SUSE-SU-2020:2610-1 Released: Fri Sep 11 11:11:50 2020 Summary: Security update for the Linux Kernel Type: security Severity: important References: 1058115,1071995,1154366,1165629,1165631,1171988,1172428,1173798,1174205,1174757,1175112,1175122,1175128,1175204,1175213,1175515,1175518,1175691,1175992,1176069,CVE-2020-10135,CVE-2020-14314,CVE-2020-14331,CVE-2020-14356,CVE-2020-14386,CVE-2020-16166,CVE-2020-1749,CVE-2020-24394 The SUSE Linux Enterprise 15 kernel was updated to receive various security and bugfixes. The following security bugs were fixed: - CVE-2020-1749: Use ip6_dst_lookup_flow instead of ip6_dst_lookup (bsc#1165629). - CVE-2020-14314: Fixed a potential negative array index in do_split() (bsc#1173798). - CVE-2020-14356: Fixed a null pointer dereference in cgroupv2 subsystem which could have led to privilege escalation (bsc#1175213). - CVE-2020-14331: Fixed a missing check in vgacon scrollback handling (bsc#1174205). - CVE-2020-16166: Fixed a potential issue which could have allowed remote attackers to make observations that help to obtain sensitive information about the internal state of the network RNG (bsc#1174757). - CVE-2020-24394: Fixed an issue which could set incorrect permissions on new filesystem objects when the filesystem lacks ACL support (bsc#1175518). - CVE-2020-10135: Legacy pairing and secure-connections pairing authentication Bluetooth might have allowed an unauthenticated user to complete authentication without pairing credentials via adjacent access (bsc#1171988). - CVE-2020-14386: Fixed a potential local privilege escalation via memory corruption (bsc#1176069). The following non-security bugs were fixed: - cifs: add support for fallocate mode 0 for non-sparse files (bsc#1175122). - cifs: allow unlock flock and OFD lock across fork (bsc#1175122). - cifs_atomic_open(): fix double-put on late allocation failure (bsc#1175122). - cifs: Avoid doing network I/O while holding cache lock (bsc#1175122). - cifs: call wake_up(&server->response_q) inside of cifs_reconnect() (bsc#1175122). - cifs: Clean up DFS referral cache (bsc#1175122). - cifs: document and cleanup dfs mount (bsc#1172428 bsc#1175122). - cifs: do not ignore the SYNC flags in getattr (bsc#1175122). - cifs: do not leak -EAGAIN for stat() during reconnect (bsc#1175122). - cifs: do not share tcons with DFS (bsc#1175122). - cifs: ensure correct super block for DFS reconnect (bsc#1175122). - cifs: fail i/o on soft mounts if sessionsetup errors out (bsc#1175122). - cifs: fiemap: do not return EINVAL if get nothing (bsc#1175122). - cifs: Fix an error pointer dereference in cifs_mount() (bsc#1172428 bsc#1175122). - cifs: fix double free error on share and prefix (bsc#1172428 bsc#1175122). - cifs: fix leaked reference on requeued write (bsc#1175122). - cifs: fix NULL dereference in match_prepath (bsc#1175122). - cifs: Fix null pointer check in cifs_read (bsc#1175122). - cifs: Fix potential deadlock when updating vol in cifs_reconnect() (bsc#1175122). - cifs: fix potential mismatch of UNC paths (bsc#1175122). - cifs: fix rename() by ensuring source handle opened with DELETE bit (bsc#1175122). - cifs: Fix return value in __update_cache_entry (bsc#1175122). - cifs: fix soft mounts hanging in the reconnect code (bsc#1175122). - cifs: Fix task struct use-after-free on reconnect (bsc#1175122). - cifs: fix uninitialised lease_key in open_shroot() (bsc#1175122). - cifs: fix unitialized variable poential problem with network I/O cache lock patch (bsc#1175122). - cifs: Get rid of kstrdup_const()'d paths (bsc#1175122). - cifs: get rid of unused parameter in reconn_setup_dfs_targets() (bsc#1175122). - cifs: handle empty list of targets in cifs_reconnect() (bsc#1172428 bsc#1175122). - cifs: handle hostnames that resolve to same ip in failover (bsc#1175122). - cifs: handle prefix paths in reconnect (bsc#1175122). - cifs: handle RESP_GET_DFS_REFERRAL.PathConsumed in reconnect (bsc#1172428 bsc#1175122). - cifs: improve read performance for page size 64KB & cache=strict & vers=2.1+ (bsc#1175122). - cifs: Introduce helpers for finding TCP connection (bsc#1175122). - cifs: make sure we do not overflow the max EA buffer size (bsc#1175122). - cifs: make use of cap_unix(ses) in cifs_reconnect_tcon() (bsc#1175122). - cifs: merge __{cifs,smb2}_reconnect[_tcon]() into cifs_tree_connect() (bsc#1172428 bsc#1175122). - cifs: Merge is_path_valid() into get_normalized_path() (bsc#1175122). - cifs: minor update to comments around the cifs_tcp_ses_lock mutex (bsc#1175122). - cifs: only update prefix path of DFS links in cifs_tree_connect() (bsc#1172428 bsc#1175122). - cifs: Optimize readdir on reparse points (bsc#1175122). - cifs: potential unintitliazed error code in cifs_getattr() (bsc#1175122). - cifs: protect updating server->dstaddr with a spinlock (bsc#1175122). - cifs: reduce number of referral requests in DFS link lookups (bsc#1172428 bsc#1175122). - cifs: rename reconn_inval_dfs_target() (bsc#1172428 bsc#1175122). - cifs: set correct max-buffer-size for smb2_ioctl_init() (bsc#1175122). - cifs: set up next DFS target before generic_ip_connect() (bsc#1175122). - cifs: use mod_delayed_work() for &server->reconnect if already queued (bsc#1175122). - cifs: use PTR_ERR_OR_ZERO() to simplify code (bsc#1175122). - Drivers: hv: vmbus: Only notify Hyper-V for die events that are oops (bsc#1175128). - ibmvnic: Fix IRQ mapping disposal in error path (bsc#1175112 ltc#187459). - ip6_tunnel: allow not to count pkts on tstats by passing dev as NULL (bsc#1175515). - ip_tunnel: allow not to count pkts on tstats by setting skb's dev to NULL (bsc#1175515). - kabi: hide new parameter of ip6_dst_lookup_flow() (bsc#1165629). - kabi: mask changes to struct ipv6_stub (bsc#1165629). - mm: Avoid calling build_all_zonelists_init under hotplug context (bsc#1154366). - mm, vmstat: reduce zone->lock holding time by /proc/pagetypeinfo (bsc#1175691). - scripts/git_sort/git_sort.py: add bluetooth/bluetooth-next.git repository - selftests/livepatch: fix mem leaks in test-klp-shadow-vars (bsc#1071995). - selftests/livepatch: more verification in test-klp-shadow-vars (bsc#1071995). - selftests/livepatch: rework test-klp-shadow-vars (bsc#1071995). - selftests/livepatch: simplify test-klp-callbacks busy target tests (bsc#1071995). - smb3: fix performance regression with setting mtime (bsc#1175122). - smb3: query attributes on file close (bsc#1175122). - smb3: remove unused flag passed into close functions (bsc#1175122). - Update patch reference for a tipc fix patch (bsc#1175515) - x86/unwind/orc: Fix ORC for newly forked tasks (bsc#1058115). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2020:2612-1 Released: Fri Sep 11 11:18:01 2020 Summary: Security update for libxml2 Type: security Severity: moderate References: 1176179,CVE-2020-24977 This update for libxml2 fixes the following issues: - CVE-2020-24977: Fixed a global-buffer-overflow in xmlEncodeEntitiesInternal (bsc#1176179). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:2617-1 Released: Mon Sep 14 10:40:04 2020 Summary: Recommended update for cloud-init Type: recommended Severity: moderate References: 1174443,1174444 This update for cloud-init contains the following fixes: - Update to version 20.2 (bsc#1174443, bsc#1174444) + Remove patches included upstream: - 0001-Make-tests-work-with-Python-3.8-139.patch - cloud-init-ostack-metadat-dencode.patch - cloud-init-use-different-random-src.diff - cloud-init-long-pass.patch - cloud-init-mix-static-dhcp.patch + Remove patches build switched to Python 3 for all distributions - cloud-init-python2-sigpipe.patch - cloud-init-template-py2.patch + Add - cloud-init-after-kvp.diff - cloud-init-recognize-hpc.patch + doc/format: reference make-mime.py instead of an inline script (#334) + Add docs about creating parent folders (#330) [Adrian Wilkins] + DataSourceNoCloud/OVF: drop claim to support FTP (#333) (LP: #1875470) + schema: ignore spurious pylint error (#332) + schema: add json schema for write_files module (#152) + BSD: find_devs_with_ refactoring (#298) [Goneri Le Bouder] + nocloud: drop work around for Linux 2.6 (#324) [Goneri Le Bouder] + cloudinit: drop dependencies on unittest2 and contextlib2 (#322) + distros: handle a potential mirror filtering error case (#328) + log: remove unnecessary import fallback logic (#327) + .travis.yml: don't run integration test on ubuntu/* branches (#321) + More unit test documentation (#314) + conftest: introduce disable_subp_usage autouse fixture (#304) + YAML align indent sizes for docs readability (#323) [Tak Nishigori] + network_state: add missing space to log message (#325) + tests: add missing mocks for get_interfaces_by_mac (#326) (LP: #1873910) + test_mounts: expand happy path test for both happy paths (#319) + cc_mounts: fix incorrect format specifiers (#316) (LP: #1872836) + swap file 'size' being used before checked if str (#315) [Eduardo Otubo] + HACKING.rst: add pytest version gotchas section (#311) + docs: Add steps to re-run cloud-id and cloud-init (#313) [Joshua Powers] + readme: OpenBSD is now supported (#309) [Goneri Le Bouder] + net: ignore 'renderer' key in netplan config (#306) (LP: #1870421) + Add support for NFS/EFS mounts (#300) [Andrew Beresford] (LP: #1870370) + openbsd: set_passwd should not unlock user (#289) [Goneri Le Bouder] + tools/.github-cla-signers: add beezly as CLA signer (#301) + util: remove unnecessary lru_cache import fallback (#299) + HACKING.rst: reorganise/update CLA signature info (#297) + distros: drop leading/trailing hyphens from mirror URL labels (#296) + HACKING.rst: add note about variable annotations (#295) + CiTestCase: stop using and remove sys_exit helper (#283) + distros: replace invalid characters in mirror URLs with hyphens (#291) (LP: #1868232) + rbxcloud: gracefully handle arping errors (#262) [Adam Dobrawy] + Fix cloud-init ignoring some misdeclared mimetypes in user-data. [Kurt Garloff] + net: ubuntu focal prioritize netplan over eni even if both present (#267) (LP: #1867029) + cloudinit: refactor util.is_ipv4 to net.is_ipv4_address (#292) + net/cmdline: replace type comments with annotations (#294) + HACKING.rst: add Type Annotations design section (#293) + net: introduce is_ip_address function (#288) + CiTestCase: remove now-unneeded parse_and_read helper method (#286) + .travis.yml: allow 30 minutes of inactivity in cloud tests (#287) + sources/tests/test_init: drop use of deprecated inspect.getargspec (#285) + setup.py: drop NIH check_output implementation (#282) + Identify SAP Converged Cloud as OpenStack [Silvio Knizek] + add Openbsd support (#147) [Goneri Le Bouder] + HACKING.rst: add examples of the two test class types (#278) + VMWware: support to update guest info gc status if enabled (#261) [xiaofengw-vmware] + Add lp-to-git mapping for kgarloff (#279) + set_passwords: avoid chpasswd on BSD (#268) [Goneri Le Bouder] + HACKING.rst: add Unit Testing design section (#277) + util: read_cc_from_cmdline handle urlencoded yaml content (#275) + distros/tests/test_init: add tests for _get_package_mirror_info (#272) + HACKING.rst: add links to new Code Review Process doc (#276) + freebsd: ensure package update works (#273) [Goneri Le Bouder] + doc: introduce Code Review Process documentation (#160) + tools: use python3 (#274) + cc_disk_setup: fix RuntimeError (#270) (LP: #1868327) + cc_apt_configure/util: combine search_for_mirror implementations (#271) + bsd: boottime does not depend on the libc soname (#269) [Goneri Le Bouder] + test_oracle,DataSourceOracle: sort imports (#266) + DataSourceOracle: update .network_config docstring (#257) + cloudinit/tests: remove unneeded with_logs configuration (#263) + .travis.yml: drop stale comment (#255) + .gitignore: add more common directories (#258) + ec2: render network on all NICs and add secondary IPs as static (#114) (LP: #1866930) + ec2 json validation: fix the reference to the 'merged_cfg' key (#256) [Paride Legovini] + releases.yaml: quote the Ubuntu version numbers (#254) [Paride Legovini] + cloudinit: remove six from packaging/tooling (#253) + util/netbsd: drop six usage (#252) + workflows: introduce stale pull request workflow (#125) + cc_resolv_conf: introduce tests and stabilise output across Python versions (#251) + fix minor issue with resolv_conf template (#144) [andreaf74] + doc: CloudInit also support NetBSD (#250) [Goneri Le Bouder] + Add Netbsd support (#62) [Goneri Le Bouder] + tox.ini: avoid substition syntax that causes a traceback on xenial (#245) + Add pub_key_ed25519 to cc_phone_home (#237) [Daniel Hensby] + Introduce and use of a list of GitHub usernames that have signed CLA (#244) + workflows/cla.yml: use correct username for CLA check (#243) + tox.ini: use xenial version of jsonpatch in CI (#242) + workflows: CLA validation altered to fail status on pull_request (#164) + tox.ini: bump pyflakes version to 2.1.1 (#239) + cloudinit: move to pytest for running tests (#211) + instance-data: add cloud-init merged_cfg and sys_info keys to json (#214) (LP: #1865969) + ec2: Do not fallback to IMDSv1 on EC2 (#216) + instance-data: write redacted cfg to instance-data.json (#233) (LP: #1865947) + net: support network-config:disabled on the kernel commandline (#232) (LP: #1862702) + ec2: only redact token request headers in logs, avoid altering request (#230) (LP: #1865882) + docs: typo fixed: dta → data [Alexey Vazhnov] + Fixes typo on Amazon Web Services (#217) [Nick Wales] + Fix docs for OpenStack DMI Asset Tag (#228) [Mark T. Voelker] (LP: #1669875) + Add physical network type: cascading to openstack helpers (#200) [sab-systems] + tests: add focal integration tests for ubuntu (#225) - From 20.1 (first vesrion after 19.4) + ec2: Do not log IMDSv2 token values, instead use REDACTED (#219) (LP: #1863943) + utils: use SystemRandom when generating random password. (#204) [Dimitri John Ledkov] + docs: mount_default_files is a list of 6 items, not 7 (#212) + azurecloud: fix issues with instances not starting (#205) (LP: #1861921) + unittest: fix stderr leak in cc_set_password random unittest output. (#208) + cc_disk_setup: add swap filesystem force flag (#207) + import sysvinit patches from freebsd-ports tree (#161) [Igor Galić] + docs: fix typo (#195) [Edwin Kofler] + sysconfig: distro-specific config rendering for BOOTPROTO option (#162) [Robert Schweikert] (LP: #1800854) + cloudinit: replace 'from six import X' imports (except in util.py) (#183) + run-container: use 'test -n' instead of 'test ! -z' (#202) [Paride Legovini] + net/cmdline: correctly handle static ip= config (#201) [Dimitri John Ledkov] (LP: #1861412) + Replace mock library with unittest.mock (#186) + HACKING.rst: update CLA link (#199) + Scaleway: Fix DatasourceScaleway to avoid backtrace (#128) [Louis Bouchard] + cloudinit/cmd/devel/net_convert.py: add missing space (#191) + tools/run-container: drop support for python2 (#192) [Paride Legovini] + Print ssh key fingerprints using sha256 hash (#188) (LP: #1860789) + Make the RPM build use Python 3 (#190) [Paride Legovini] + cc_set_password: increase random pwlength from 9 to 20 (#189) (LP: #1860795) + .travis.yml: use correct Python version for xenial tests (#185) + cloudinit: remove ImportError handling for mock imports (#182) + Do not use fallocate in swap file creation on xfs. (#70) [Eduardo Otubo] (LP: #1781781) + .readthedocs.yaml: install cloud-init when building docs (#181) (LP: #1860450) + Introduce an RTD config file, and pin the Sphinx version to the RTD default (#180) + Drop most of the remaining use of six (#179) + Start removing dependency on six (#178) + Add Rootbox & HyperOne to list of cloud in README (#176) [Adam Dobrawy] + docs: add proposed SRU testing procedure (#167) + util: rename get_architecture to get_dpkg_architecture (#173) + Ensure util.get_architecture() runs only once (#172) + Only use gpart if it is the BSD gpart (#131) [Conrad Hoffmann] + freebsd: remove superflu exception mapping (#166) [Goneri Le Bouder] + ssh_auth_key_fingerprints_disable test: fix capitalization (#165) [Paride Legovini] + util: move uptime's else branch into its own boottime function (#53) [Igor Galić] (LP: #1853160) + workflows: add contributor license agreement checker (#155) + net: fix rendering of 'static6' in network config (#77) (LP: #1850988) + Make tests work with Python 3.8 (#139) [Conrad Hoffmann] + fixed minor bug with mkswap in cc_disk_setup.py (#143) [andreaf74] + freebsd: fix create_group() cmd (#146) [Goneri Le Bouder] + doc: make apt_update example consistent (#154) + doc: add modules page toc with links (#153) (LP: #1852456) + Add support for the amazon variant in cloud.cfg.tmpl (#119) [Frederick Lefebvre] + ci: remove Python 2.7 from CI runs (#137) + modules: drop cc_snap_config config module (#134) + migrate-lp-user-to-github: ensure Launchpad repo exists (#136) + docs: add initial troubleshooting to FAQ (#104) [Joshua Powers] + doc: update cc_set_hostname frequency and descrip (#109) [Joshua Powers] (LP: #1827021) + freebsd: introduce the freebsd renderer (#61) [Goneri Le Bouder] + cc_snappy: remove deprecated module (#127) + HACKING.rst: clarify that everyone needs to do the LP->GH dance (#130) + freebsd: cloudinit service requires devd (#132) [Goneri Le Bouder] + cloud-init: fix capitalisation of SSH (#126) + doc: update cc_ssh clarify host and auth keys [Joshua Powers] (LP: #1827021) + ci: emit names of tests run in Travis (#120) - Disable testing to aid elimination of unittest2 in Factory ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:2651-1 Released: Wed Sep 16 14:42:55 2020 Summary: Recommended update for zlib Type: recommended Severity: moderate References: 1175811,1175830,1175831 This update for zlib fixes the following issues: - Fix compression level switching (bsc#1175811, bsc#1175830, bsc#1175831) - Enable hardware compression on s390/s390x (jsc#SLE-13776) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2020:2712-1 Released: Tue Sep 22 17:08:03 2020 Summary: Security update for openldap2 Type: security Severity: moderate References: 1175568,CVE-2020-8027 This update for openldap2 fixes the following issues: - CVE-2020-8027: openldap_update_modules_path.sh starts daemons unconditionally and uses fixed paths in /tmp (bsc#1175568). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:2780-1 Released: Tue Sep 29 11:27:51 2020 Summary: Recommended update for rsyslog Type: recommended Severity: moderate References: 1173433 This update for rsyslog fixes the following issues: - Fix the URL for bug reporting. (bsc#1173433) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2020:2789-1 Released: Tue Sep 29 14:13:14 2020 Summary: Security update for xen Type: security Severity: important References: 1176343,1176344,1176345,1176346,1176347,1176348,1176349,1176350,CVE-2020-25595,CVE-2020-25596,CVE-2020-25597,CVE-2020-25599,CVE-2020-25600,CVE-2020-25601,CVE-2020-25603,CVE-2020-25604 This update for xen fixes the following issues: - CVE-2020-25604: Fixed a race condition when migrating timers between x86 HVM vCPU-s (bsc#1176343,XSA-336) - CVE-2020-25595: Fixed an issue where PCI passthrough code was reading back hardware registers (bsc#1176344,XSA-337) - CVE-2020-25597: Fixed an issue where a valid event channels may not turn invalid (bsc#1176346,XSA-338) - CVE-2020-25596: Fixed a potential denial of service in x86 pv guest kernel via SYSENTER (bsc#1176345,XSA-339) - CVE-2020-25603: Fixed an issue due to missing barriers when accessing/allocating an event channel (bsc#1176347,XSA-340) - CVE-2020-25600: Fixed out of bounds event channels available to 32-bit x86 domains (bsc#1176348,XSA-342) - CVE-2020-25599: Fixed race conditions with evtchn_reset() (bsc#1176349,XSA-343) - CVE-2020-25601: Fixed an issue due to lack of preemption in evtchn_reset() / evtchn_destroy() (bsc#1176350,XSA-344) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2020:2814-1 Released: Thu Oct 1 09:55:30 2020 Summary: Security update for permissions Type: security Severity: moderate References: 1161335,1176625 This update for permissions fixes the following issues: - whitelist WMP (bsc#1161335, bsc#1176625) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:2817-1 Released: Thu Oct 1 10:38:37 2020 Summary: Recommended update for libzypp, zypper Type: recommended Severity: moderate References: 1165424,1173273,1173529,1174240,1174561,1174918,1175342,1175592 This update for libzypp, zypper provides the following fixes: Changes in libzypp: - VendorAttr: Const-correct API and let Target provide its settings. (bsc#1174918) - Support buildnr with commit hash in purge-kernels. This adds special behaviour for when a kernel version has the rebuild counter before the kernel commit hash. (bsc#1175342) - Improve Italian translation of the 'breaking dependencies' message. (bsc#1173529) - Make sure reading from lsof does not block forever. (bsc#1174240) - Just collect details for the signatures found. Changes in zypper: - man: Enhance description of the global package cache. (bsc#1175592) - man: Point out that plain rpm packages are not downloaded to the global package cache. (bsc#1173273) - Directly list subcommands in 'zypper help'. (bsc#1165424) - Remove extern C block wrapping augeas.h as it breaks the build on Arch Linux. - Point out that plaindir repos do not follow symlinks. (bsc#1174561) - Fix help command for list-patches. ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:2825-1 Released: Fri Oct 2 08:44:28 2020 Summary: Recommended update for suse-build-key Type: recommended Severity: moderate References: 1170347,1176759 This update for suse-build-key fixes the following issues: - The SUSE Notary Container key is different from the build signing key, include this key instead as suse-container-key. (PM-1845 bsc#1170347) - The SUSE build key for SUSE Linux Enterprise 12 and 15 is extended by 4 more years. (bsc#1176759) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:2869-1 Released: Tue Oct 6 16:13:20 2020 Summary: Recommended update for aaa_base Type: recommended Severity: moderate References: 1011548,1153943,1153946,1161239,1171762 This update for aaa_base fixes the following issues: - DIR_COLORS (bug#1006973): - add screen.xterm-256color - add TERM rxvt-unicode-256color - sort and merge TERM entries in etc/DIR_COLORS - check for Packages.db and use this instead of Packages. (bsc#1171762) - Rename path() to _path() to avoid using a general name. - refresh_initrd call modprobe as /sbin/modprobe (bsc#1011548) - etc/profile add some missing ;; in case esac statements - profile and csh.login: on s390x set TERM to dumb on dumb terminal (bsc#1153946) - backup-rpmdb: exit if zypper is running (bsc#1161239) - Add color alias for ip command (jsc#sle-9880, jsc#SLE-7679, bsc#1153943) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2020:2901-1 Released: Tue Oct 13 14:22:43 2020 Summary: Security update for libproxy Type: security Severity: important References: 1176410,1177143,CVE-2020-25219,CVE-2020-26154 This update for libproxy fixes the following issues: - CVE-2020-25219: Rewrote url::recvline to be nonrecursive (bsc#1176410). - CVE-2020-26154: Fixed a buffer overflow when PAC is enabled (bsc#1177143). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2020:2914-1 Released: Tue Oct 13 17:25:20 2020 Summary: Security update for bind Type: security Severity: moderate References: 1100369,1109160,1118367,1118368,1128220,1156205,1157051,1161168,1170667,1170713,1171313,1171740,1172958,1173307,1173311,1173983,1175443,1176092,1176674,906079,CVE-2017-3136,CVE-2018-5741,CVE-2019-6477,CVE-2020-8616,CVE-2020-8617,CVE-2020-8618,CVE-2020-8619,CVE-2020-8620,CVE-2020-8621,CVE-2020-8622,CVE-2020-8623,CVE-2020-8624 This update for bind fixes the following issues: BIND was upgraded to version 9.16.6: Note: - bind is now more strict in regards to DNSSEC. If queries are not working, check for DNSSEC issues. For instance, if bind is used in a namserver forwarder chain, the forwarding DNS servers must support DNSSEC. Fixing security issues: - CVE-2020-8616: Further limit the number of queries that can be triggered from a request. Root and TLD servers are no longer exempt from max-recursion-queries. Fetches for missing name server. (bsc#1171740) Address records are limited to 4 for any domain. - CVE-2020-8617: Replaying a TSIG BADTIME response as a request could trigger an assertion failure. (bsc#1171740) - CVE-2019-6477: Fixed an issue where TCP-pipelined queries could bypass the tcp-clients limit (bsc#1157051). - CVE-2018-5741: Fixed the documentation (bsc#1109160). - CVE-2020-8618: It was possible to trigger an INSIST when determining whether a record would fit into a TCP message buffer (bsc#1172958). - CVE-2020-8619: It was possible to trigger an INSIST in lib/dns/rbtdb.c:new_reference() with a particular zone content and query patterns (bsc#1172958). - CVE-2020-8624: 'update-policy' rules of type 'subdomain' were incorrectly treated as 'zonesub' rules, which allowed keys used in 'subdomain' rules to update names outside of the specified subdomains. The problem was fixed by making sure 'subdomain' rules are again processed as described in the ARM (bsc#1175443). - CVE-2020-8623: When BIND 9 was compiled with native PKCS#11 support, it was possible to trigger an assertion failure in code determining the number of bits in the PKCS#11 RSA public key with a specially crafted packet (bsc#1175443). - CVE-2020-8621: named could crash in certain query resolution scenarios where QNAME minimization and forwarding were both enabled (bsc#1175443). - CVE-2020-8620: It was possible to trigger an assertion failure by sending a specially crafted large TCP DNS message (bsc#1175443). - CVE-2020-8622: It was possible to trigger an assertion failure when verifying the response to a TSIG-signed request (bsc#1175443). Other issues fixed: - Add engine support to OpenSSL EdDSA implementation. - Add engine support to OpenSSL ECDSA implementation. - Update PKCS#11 EdDSA implementation to PKCS#11 v3.0. - Warn about AXFR streams with inconsistent message IDs. - Make ISC rwlock implementation the default again. - Fixed issues when using cookie-secrets for AES and SHA2 (bsc#1161168) - Installed the default files in /var/lib/named and created chroot environment on systems using transactional-updates (bsc#1100369, fate#325524) - Fixed an issue where bind was not working in FIPS mode (bsc#906079). - Fixed dependency issues (bsc#1118367 and bsc#1118368). - GeoIP support is now discontinued, now GeoIP2 is used(bsc#1156205). - Fixed an issue with FIPS (bsc#1128220). - The liblwres library is discontinued upstream and is no longer included. - Added service dependency on NTP to make sure the clock is accurate when bind is starts (bsc#1170667, bsc#1170713). - Reject DS records at the zone apex when loading master files. Log but otherwise ignore attempts to add DS records at the zone apex via UPDATE. - The default value of 'max-stale-ttl' has been changed from 1 week to 12 hours. - Zone timers are now exported via statistics channel. - The 'primary' and 'secondary' keywords, when used as parameters for 'check-names', were not processed correctly and were being ignored. - 'rndc dnstap -roll ' did not limit the number of saved files to . - Add 'rndc dnssec -status' command. - Addressed a couple of situations where named could crash. - Changed /var/lib/named to owner root:named and perms rwxrwxr-t so that named, being a/the only member of the 'named' group has full r/w access yet cannot change directories owned by root in the case of a compromized named. [bsc#1173307, bind-chrootenv.conf] - Added '/etc/bind.keys' to NAMED_CONF_INCLUDE_FILES in /etc/sysconfig/named to suppress warning message re missing file (bsc#1173983). - Removed '-r /dev/urandom' from all invocations of rndc-confgen (init/named system/lwresd.init system/named.init in vendor-files) as this option is deprecated and causes rndc-confgen to fail. (bsc#1173311, bsc#1176674, bsc#1170713) - /usr/bin/genDDNSkey: Removing the use of the -r option in the call of /usr/sbin/dnssec-keygen as BIND now uses the random number functions provided by the crypto library (i.e., OpenSSL or a PKCS#11 provider) as a source of randomness rather than /dev/random. Therefore the -r command line option no longer has any effect on dnssec-keygen. Leaving the option in genDDNSkey as to not break compatibility. Patch provided by Stefan Eisenwiener. [bsc#1171313] - Put libns into a separate subpackage to avoid file conflicts in the libisc subpackage due to different sonums (bsc#1176092). - Require /sbin/start_daemon: both init scripts, the one used in systemd context as well as legacy sysv, make use of start_daemon. ----------------------------------------------------------------- Advisory ID: SUSE-SU-2020:2947-1 Released: Fri Oct 16 15:23:07 2020 Summary: Security update for gcc10, nvptx-tools Type: security Severity: moderate References: 1172798,1172846,1173972,1174753,1174817,1175168,CVE-2020-13844 This update for gcc10, nvptx-tools fixes the following issues: This update provides the GCC10 compiler suite and runtime libraries. The base SUSE Linux Enterprise libraries libgcc_s1, libstdc++6 are replaced by the gcc10 variants. The new compiler variants are available with '-10' suffix, you can specify them via: CC=gcc-10 CXX=g++-10 or similar commands. For a detailed changelog check out https://gcc.gnu.org/gcc-10/changes.html Changes in nvptx-tools: - Enable build on aarch64 ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:2953-1 Released: Mon Oct 19 06:25:15 2020 Summary: Recommended update for gettext-runtime Type: recommended Severity: moderate References: 1176142 This update for gettext-runtime fixes the following issues: - Fix for an issue when 'xgettext' crashes during creating a 'POT' file. (bsc#1176142) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:2958-1 Released: Tue Oct 20 12:24:55 2020 Summary: Recommended update for procps Type: recommended Severity: moderate References: 1158830 This update for procps fixes the following issues: - Fixes an issue when command 'ps -C' does not allow anymore an argument longer than 15 characters. (bsc#1158830) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:2978-1 Released: Wed Oct 21 11:36:05 2020 Summary: Recommended update for openssl-1_1 Type: recommended Severity: moderate References: 1175847,1177479 This update for openssl-1_1 fixes the following issues: FIPS: * Adjust the Diffie-Hellman and Elliptic Curve Diffie-Hellman algorithms to be NIST SP800-56Arev3 compliant (bsc#1175847, bsc#1177479). * Add shared secret KAT to FIPS DH selftest (bsc#1175847). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:2979-1 Released: Wed Oct 21 11:37:14 2020 Summary: Recommended update for mozilla-nss Type: recommended Severity: moderate References: 1176173 This update for mozilla-nss fixes the following issue: - FIPS: Adjust the Diffie-Hellman and Elliptic Curve Diffie-Hellman algorithms to be NIST SP800-56Arev3 compliant (bsc#1176173). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:2983-1 Released: Wed Oct 21 15:03:03 2020 Summary: Recommended update for file Type: recommended Severity: moderate References: 1176123 This update for file fixes the following issues: - Fixes an issue when file displays broken 'ELF' interpreter. (bsc#1176123) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2020:2988-1 Released: Wed Oct 21 17:35:34 2020 Summary: Security update for gnutls Type: security Severity: moderate References: 1176086,1176181,1176671,CVE-2020-24659 This update for gnutls fixes the following issues: - Fix heap buffer overflow in handshake with no_renegotiation alert sent (CVE-2020-24659 bsc#1176181) - FIPS: Implement (EC)DH requirements from SP800-56Arev3 (bsc#1176086) - FIPS: Use 2048 bit prime in DH selftest (bsc#1176086) - FIPS: Add TLS KDF selftest (bsc#1176671) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:2989-1 Released: Thu Oct 22 08:53:10 2020 Summary: Recommended update for chrony Type: recommended Severity: moderate References: 1171806 This update for chrony fixes the following issues: - Integrate three upstream patches to fix an infinite loop in chronyc. (bsc#1171806) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2020:2995-1 Released: Thu Oct 22 10:03:09 2020 Summary: Security update for freetype2 Type: security Severity: important References: 1177914,CVE-2020-15999 This update for freetype2 fixes the following issues: - CVE-2020-15999: fixed a heap buffer overflow found in the handling of embedded PNG bitmaps (bsc#1177914). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:3048-1 Released: Tue Oct 27 16:05:17 2020 Summary: Recommended update for libsolv, libzypp, yaml-cpp, zypper Type: recommended Severity: moderate References: 1174918,1176192,1176435,1176712,1176740,1176902,1177238,935885 This update for libsolv, libzypp, yaml-cpp, zypper fixes the following issues: libzypp was updated to 17.25.1: - When kernel-rt has been installed, the purge-kernels service fails during boot. (bsc#1176902) - Use package name provides as group key in purge-kernel (bsc#1176740 bsc#1176192) kernel-default-base has new packaging, where the kernel uname -r does not reflect the full package version anymore. This patch adds additional logic to use the most generic/shortest edition each package provides with %{packagename}= to group the kernel packages instead of the rpm versions. This also changes how the keep-spec for specific versions is applied, instead of matching the package versions, each of the package name provides will be matched. - RepoInfo: Return the type of the local metadata cache as fallback (bsc#1176435) - VendorAttr: Fix broken 'suse,opensuse' equivalence handling. Enhance API and testcases. (bsc#1174918) - Update docs regarding 'opensuse' namepace matching. - Link against libzstd to close libsolvs open references (as we link statically) yaml-cpp: - The libyaml-cpp0_6 library package is added the to the Basesystem module, LTSS and ESPOS channels, and the INSTALLER channels, as a new libzypp dependency. No source changes were done to yaml-cpp. zypper was updated to 1.14.40: - info: Assume descriptions starting with '

' are richtext (bsc#935885) - help: prevent 'whatis' from writing to stderr (bsc#1176712) - wp: point out that command is aliased to a search command and searches case-insensitive (jsc#SLE-16271) libsolv was updated to 0.7.15 to fix: - make testcase_mangle_repo_names deal correctly with freed repos [bsc#1177238] - fix deduceq2addedmap clearing bits outside of the map - conda: feature depriorization first - conda: fix startswith implementation - move find_update_seeds() call in cleandeps calculation - set SOLVABLE_BUILDHOST in rpm and rpmmd parsers- new testcase_mangle_repo_names() function - new solv_fmemopen() function ----------------------------------------------------------------- Advisory ID: SUSE-SU-2020:3052-1 Released: Tue Oct 27 16:09:00 2020 Summary: Security update for xen Type: security Severity: important References: 1177409,1177412,1177413,1177414,CVE-2020-27670,CVE-2020-27671,CVE-2020-27672,CVE-2020-27673 This update for xen fixes the following issues: - bsc#1177409 - VUL-0: CVE-2020-27673: xen: x86 PV guest INVLPG-like flushes may leave stale TLB entries (XSA-286) - bsc#1177412 - VUL-0: CVE-2020-27672: xen: Race condition in Xen mapping code (XSA-345) - bsc#1177413 - VUL-0: CVE-2020-27671: xen: undue deferral of IOMMU TLB flushes (XSA-346) - bsc#1177414 - VUL-0: CVE-2020-27670: xen: unsafe AMD IOMMU page table updates (XSA-347) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:3058-1 Released: Wed Oct 28 06:11:14 2020 Summary: Recommended update for catatonit Type: recommended Severity: moderate References: 1176155 This update for catatonit fixes the following issues: - Fixes an issue when catatonit hangs when process dies in very specific way. (bsc#1176155) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:3099-1 Released: Thu Oct 29 19:33:41 2020 Summary: Recommended update for timezone Type: recommended Severity: moderate References: 1177460 This update for timezone fixes the following issues: - timezone update 2020b (bsc#1177460) * Revised predictions for Morocco's changes starting in 2023. * Canada's Yukon changes to -07 on 2020-11-01, not 2020-03-08. * Macquarie Island has stayed in sync with Tasmania since 2011. * Casey, Antarctica is at +08 in winter and +11 in summer. * zic no longer supports -y, nor the TYPE field of Rules. ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:3119-1 Released: Mon Nov 2 15:15:16 2020 Summary: Recommended update for cloud-init Type: recommended Severity: moderate References: 1177526 This update for cloud-init fixes the following issues: - Update cloud-init-write-routes.patch (bsc#1177526) + Avoid exception if no gateway information is present and warning is triggered for existing routing. ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:3123-1 Released: Tue Nov 3 09:48:13 2020 Summary: Recommended update for timezone Type: recommended Severity: important References: 1177460,1178346,1178350,1178353 This update for timezone fixes the following issues: - Generate 'fat' timezone files (was default before 2020b). (bsc#1178346, bsc#1178350, bsc#1178353) - Palestine ends DST earlier than predicted, on 2020-10-24. (bsc#1177460) - Fiji starts DST later than usual, on 2020-12-20. (bsc#1177460) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:3138-1 Released: Tue Nov 3 12:14:03 2020 Summary: Recommended update for systemd Type: recommended Severity: moderate References: 1104902,1154935,1165502,1167471,1173422,1176513,1176800 This update for systemd fixes the following issues: - seccomp: shm{get,at,dt} now have their own numbers everywhere (bsc#1173422) - test-seccomp: log function names - test-seccomp: add log messages when skipping tests - basic/virt: Detect PowerVM hypervisor (bsc#1176800) - fs-util: suppress world-writable warnings if we read /dev/null - udevadm: rename option '--log-priority' into '--log-level' - udev: rename kernel option 'log_priority' into 'log_level' - fstab-generator: add 'nofail' when NFS 'bg' option is used (bsc#1176513) - Fix memory protection default (bsc#1167471) - cgroup: Support 0-value for memory protection directives and accepts MemorySwapMax=0 (bsc#1154935) - Improve latency and reliability when users log in/out (bsc#1104902, bsc#1165502) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:3195-1 Released: Fri Nov 6 09:42:32 2020 Summary: Recommended update for SUSEConnect Type: recommended Severity: moderate References: 1155027 This update for SUSEConnect fixes the following issues: - Recognize more formats when parsing the '.curlrc' for proxy credentials. (bsc#1155027) - Add 'rpmlintrc' to filter false-positive warning about patch not applied - Extend the YaST API in order to access to the package search functionality. (jsc#SLE-9109) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:3234-1 Released: Fri Nov 6 16:01:36 2020 Summary: Recommended update for ca-certificates-mozilla Type: recommended Severity: moderate References: 1177864 This update for ca-certificates-mozilla fixes the following issues: The SSL Root CA store was updated to the 2.44 state of the Mozilla NSS Certificate store (bsc#1177864) - Removed CAs: - EE Certification Centre Root CA - Taiwan GRCA - Added CAs: - Trustwave Global Certification Authority - Trustwave Global ECC P256 Certification Authority - Trustwave Global ECC P384 Certification Authority ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:3253-1 Released: Mon Nov 9 07:45:04 2020 Summary: Recommended update for mozilla-nss Type: recommended Severity: moderate References: 1174697,1176173 This update for mozilla-nss fixes the following issues: - Fixes an issue for Mozilla Firefox which has failed in fips mode (bsc#1174697) - FIPS: Adjust the Diffie-Hellman and Elliptic Curve Diffie-Hellman algorithms to be NIST SP800-56Arev3 compliant (bsc#1176173). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:3270-1 Released: Tue Nov 10 17:53:08 2020 Summary: Recommended update for bind Type: recommended Severity: moderate References: 1175894,1177603,1177790,1177913,1177915,1178078 This update for bind fixes the following issues: - Add '/usr/lib64/named' to the files and directories in bind config to include external plugins for chroot. (bsc#1178078) - Replaced named's dependency on time-sync with a dependency on time-set in 'named.service' to avoid a dependency-loop. (bsc#1177790) - Removed 'dnssec-enable' from named.conf as it has been obsoleted and may break. (bsc#1177915) - Added a comment for reference which should be removed in the future. (bsc#1177603) - Added a comment to the 'dnssec-validation' in named.conf with a reference to forwarders which do not return signed responses. (bsc#1175894) - Replaced an INSIST macro which calls abort with a test and a diagnostic output. (bsc#1177913) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:3290-1 Released: Wed Nov 11 12:25:32 2020 Summary: Recommended update for findutils Type: recommended Severity: moderate References: 1174232 This update for findutils fixes the following issues: - Do not unconditionally use leaf optimization for NFS. (bsc#1174232) NFS st_nlink are not accurate on all implementations, leading to aborts() if that assumption is made. ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:3298-1 Released: Wed Nov 11 15:30:46 2020 Summary: Recommended update for openssh Type: recommended Severity: moderate References: 1177939 This update for openssh fixes the following issues: - Ensure that only approved DH parameters are used in FIPS mode, to meet NIST 800-56arev3 restrictions. (bsc#1177939). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2020:3313-1 Released: Thu Nov 12 16:07:37 2020 Summary: Security update for openldap2 Type: security Severity: important References: 1178387,CVE-2020-25692 This update for openldap2 fixes the following issues: - CVE-2020-25692: Fixed an unauthenticated remote denial of service due to incorrect validation of modrdn equality rules (bsc#1178387). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:3341-1 Released: Mon Nov 16 13:59:51 2020 Summary: Recommended update for libsolv, libzypp, zypper Type: recommended Severity: moderate References: 1174918,1176192,1176435,1176712,1176740,1176902,1177238,935885 This update for libsolv, libzypp, zypper fixes the following issues: libzypp was updated to 17.25.1: - Fix bsc#1176902: When kernel-rt has been installed, the purge-kernels service fails during boot. - Use package name provides as group key in purge-kernel (bsc#1176740 bsc#1176192) kernel-default-base has new packaging, where the kernel uname -r does not reflect the full package version anymore. This patch adds additional logic to use the most generic/shortest edition each package provides with %{packagename}= to group the kernel packages instead of the rpm versions. This also changes how the keep-spec for specific versions is applied, instead of matching the package versions, each of the package name provides will be matched. - RepoInfo: Return the type of the local metadata cache as fallback (bsc#1176435) - VendorAttr: Fix broken 'suse,opensuse' equivalence handling. Enhance API and testcases. (bsc#1174918) - Update docs regarding 'opensuse' namepace matching. - New solver testcase format. - Link against libzsd to close libsolvs open references (as we link statically) zypper was updated to 1.14.40: - info: Assume descriptions starting with '

' are richtext (bsc#935885) - help: prevent 'whatis' from writing to stderr (bsc#1176712) - wp: point out that command is aliased to a search command and searches case-insensitive (jsc#SLE-16271) libsolv was updated to 0.7.16: - do not ask the namespace callback for splitprovides when writing a testcase - fix add_complex_recommends() selecting conflicted packages in rare cases leading to crashes - improve choicerule generation so that package updates are prefered in more cases - make testcase_mangle_repo_names deal correctly with freed repos [bsc#1177238] - fix deduceq2addedmap clearing bits outside of the map - conda: feature depriorization first - conda: fix startswith implementation - move find_update_seeds() call in cleandeps calculation - set SOLVABLE_BUILDHOST in rpm and rpmmd parsers- new testcase_mangle_repo_names() function - new solv_fmemopen() function ----------------------------------------------------------------- Advisory ID: SUSE-SU-2020:3358-1 Released: Tue Nov 17 13:17:10 2020 Summary: Security update for tcpdump Type: security Severity: moderate References: 1178466,CVE-2020-8037 This update for tcpdump fixes the following issues: - CVE-2020-8037: Fixed an issue where PPP decapsulator did not allocate the right buffer size (bsc#1178466). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2020:3375-1 Released: Thu Nov 19 09:28:25 2020 Summary: Security update for krb5 Type: security Severity: moderate References: 1178512,CVE-2020-28196 This update for krb5 fixes the following security issue: - CVE-2020-28196: Fixed an unbounded recursion via an ASN.1-encoded Kerberos message (bsc#1178512). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:3381-1 Released: Thu Nov 19 10:53:38 2020 Summary: Recommended update for systemd Type: recommended Severity: moderate References: 1177458,1177490,1177510 This update for systemd fixes the following issues: - build-sys: optionally disable support of journal over the network (bsc#1177458) - ask-password: prevent buffer overflow when reading from keyring (bsc#1177510) - mount: don't propagate errors from mount_setup_unit() further up - Rely on the new build option --disable-remote for journal_remote This allows to drop the workaround that consisted in cleaning journal-upload files and {sysusers.d,tmpfiles.d}/systemd-remote.conf manually when 'journal_remote' support was disabled. - Move journal-{remote,upload}.conf.5.gz man pages into systemd-journal_remote sub package - Make sure {sysusers.d,tmpfiles.d}/systemd-remote.conf are not shipped with --without=journal_remote (bsc#1177458) These files were incorrectly packaged in the main package when systemd-journal_remote was disabled. - Make use of %{_unitdir} and %{_sysusersdir} - Remove mq-deadline selection from 60-io-scheduler.rules (bsc#1177490) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2020:3416-1 Released: Thu Nov 19 12:46:15 2020 Summary: Security update for xen Type: security Severity: important References: 1177950,1178591,CVE-2020-28368 This update for xen fixes the following issues: Security issue fixed: - CVE-2020-28368: Fixed the Intel RAPL sidechannel attack, aka PLATYPUS attack, aka XSA-351 (bsc#1178591). Non-security issue fixed: - Adjusted help for --max_iters, default is 5 (bsc#1177950). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:3461-1 Released: Fri Nov 20 13:09:07 2020 Summary: Recommended update for bind Type: recommended Severity: low References: 1177983 This update for bind fixes the following issue: - Build the 'Administrator Reference Manual' which is built using python3-Sphinx (bsc#1177983) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:3462-1 Released: Fri Nov 20 13:14:35 2020 Summary: Recommended update for pam and sudo Type: recommended Severity: moderate References: 1174593,1177858,1178727 This update for pam and sudo fixes the following issue: pam: - pam_xauth: do not *free* a string which has been successfully passed to *putenv*. (bsc#1177858) - Initialize the local variable *daysleft* to avoid a misleading warning for password expire days. (bsc#1178727) - Run /usr/bin/xauth using the old user's and group's identifiers. (bsc#1174593) sudo: - Fix a problem with pam_xauth which checks effective and real uids to get the real identity of the user. (bsc#1174593) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:3469-1 Released: Fri Nov 20 17:42:13 2020 Summary: Recommended update for grub2 Type: recommended Severity: moderate References: 1172952,1176062,1177957,1178278 This update for grub2 fixes the following issues: - Fixed an issue, where the https boot was interrupted by an unrecognized network address error message (bsc#1172952) - Improve the error handling when grub2-install fails with short mbr gap (bsc#1176062) - Fixed an error in grub2-install where it exited with 'failed to get canonical path of `/boot/grub2/i386-pc'.' (bsc#1177957) - Fixed a boot failure issue on blocklist installations (bsc#1178278) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2020:3478-1 Released: Mon Nov 23 09:33:17 2020 Summary: Security update for c-ares Type: security Severity: moderate References: 1178882,CVE-2020-8277 This update for c-ares fixes the following issues: - Version update to 1.17.0 * CVE-2020-8277: Fixed a Denial of Service through DNS request (bsc#1178882) * For further details see https://c-ares.org/changelog.html ----------------------------------------------------------------- Advisory ID: SUSE-OU-2020:3481-1 Released: Mon Nov 23 11:17:09 2020 Summary: Optional update for vim Type: optional Severity: low References: 1166602,1173256,1174564,1176549 This update for vim doesn't fix any user visible issues and it is optional to install. - Introduce vim-small package with reduced requirements for small installations (bsc#1166602). - Stop owning /etc/vimrc so the old, distro provided config actually gets removed. - Own some dirs in vim-data-common so installation of vim-small doesn't leave not owned directories. (bsc#1173256) - Add vi as slave to update-alternatives so that every package has a matching 'vi' symlink. (bsc#1174564, bsc#1176549) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2020:3532-1 Released: Thu Nov 26 12:49:05 2020 Summary: Security update for the Linux Kernel Type: security Severity: important References: 1051510,1058115,1065600,1131277,1160947,1161360,1163524,1166965,1170232,1170415,1171417,1172073,1172366,1173115,1173233,1175306,1175721,1175749,1175882,1176011,1176235,1176278,1176381,1176423,1176482,1176485,1176698,1176721,1176722,1176723,1176725,1176732,1176877,1176907,1176922,1176990,1177027,1177086,1177121,1177165,1177206,1177226,1177410,1177411,1177470,1177511,1177513,1177724,1177725,1177766,1178003,1178123,1178330,1178393,1178622,1178765,1178782,1178838,CVE-2020-0404,CVE-2020-0427,CVE-2020-0430,CVE-2020-0431,CVE-2020-0432,CVE-2020-12351,CVE-2020-12352,CVE-2020-14351,CVE-2020-14381,CVE-2020-14390,CVE-2020-16120,CVE-2020-25212,CVE-2020-25284,CVE-2020-25285,CVE-2020-25641,CVE-2020-25643,CVE-2020-25645,CVE-2020-25656,CVE-2020-25668,CVE-2020-25704,CVE-2020-25705,CVE-2020-26088,CVE-2020-27673,CVE-2020-27675,CVE-2020-8694 The SUSE Linux Enterprise 15 LTSS kernel was updated to receive various security and bug fixes. The following security bugs were fixed: - CVE-2020-25705: A flaw in the way reply ICMP packets are limited in was found that allowed to quickly scan open UDP ports. This flaw allowed an off-path remote user to effectively bypassing source port UDP randomization. The highest threat from this vulnerability is to confidentiality and possibly integrity, because software and services that rely on UDP source port randomization (like DNS) are indirectly affected as well. Kernel versions may be vulnerable to this issue (bsc#1175721, bsc#1178782). - CVE-2020-25704: Fixed a memory leak in perf_event_parse_addr_filter() (bsc#1178393). - CVE-2020-25668: Fixed a use-after-free in con_font_op() (bnc#1178123). - CVE-2020-25656: Fixed a concurrency use-after-free in vt_do_kdgkb_ioctl (bnc#1177766). - CVE-2020-25285: Fixed a race condition between hugetlb sysctl handlers in mm/hugetlb.c (bnc#1176485). - CVE-2020-0430: Fixed an OOB read in skb_headlen of /include/linux/skbuff.h (bnc#1176723). - CVE-2020-14351: Fixed a race in the perf_mmap_close() function (bsc#1177086). - CVE-2020-16120: Fixed permission check to open real file when using overlayfs. It was possible to have a file not readable by an unprivileged user be copied to a mountpoint controlled by that user and then be able to access the file (bsc#1177470). - CVE-2020-8694: Restricted energy meter to root access (bsc#1170415). - CVE-2020-12351: Fixed a type confusion while processing AMP packets aka 'BleedingTooth' aka 'BadKarma' (bsc#1177724). - CVE-2020-12352: Fixed an information leak when processing certain AMP packets aka 'BleedingTooth' (bsc#1177725). - CVE-2020-25212: Fixed getxattr kernel panic and memory overflow (bsc#1176381). - CVE-2020-25645: Fixed an an issue in IPsec that caused traffic between two Geneve endpoints to be unencrypted (bnc#1177511). - CVE-2020-2521: Fixed getxattr kernel panic and memory overflow (bsc#1176381). - CVE-2020-14381: Fixed a use-after-free in the fast user mutex (futex) wait operation, which could have lead to memory corruption and possibly privilege escalation (bsc#1176011). - CVE-2020-25643: Fixed a memory corruption and a read overflow which could have caused by improper input validation in the ppp_cp_parse_cr function (bsc#1177206). - CVE-2020-25641: Fixed a zero-length biovec request issued by the block subsystem could have caused the kernel to enter an infinite loop, causing a denial of service (bsc#1177121). - CVE-2020-26088: Fixed an improper CAP_NET_RAW check in NFC socket creation could have been used by local attackers to create raw sockets, bypassing security mechanisms (bsc#1176990). - CVE-2020-14390: Fixed an out-of-bounds memory write leading to memory corruption or a denial of service when changing screen size (bnc#1176235). - CVE-2020-0432: Fixed an out of bounds write due to an integer overflow (bsc#1176721). - CVE-2020-0427: Fixed an out of bounds read due to a use after free (bsc#1176725). - CVE-2020-0431: Fixed an out of bounds write due to a missing bounds check (bsc#1176722). - CVE-2020-0404: Fixed a linked list corruption due to an unusual root cause (bsc#1176423). - CVE-2020-25284: Fixed an incomplete permission checking for access to rbd devices, which could have been leveraged by local attackers to map or unmap rbd block devices (bsc#1176482). - CVE-2020-27673: Fixed an issue where rogue guests could have caused denial of service of Dom0 via high frequency events (XSA-332 bsc#1177411) - CVE-2020-27675: Fixed a race condition in event handler which may crash dom0 (XSA-331 bsc#1177410). The following non-security bugs were fixed: - btrfs: cleanup root usage by btrfs_get_alloc_profile (bsc#1131277). - btrfs: reloc: clear DEAD_RELOC_TREE bit for orphan roots to prevent runaway balance (bsc#1171417 bsc#1160947 bsc#1172366 bsc#1176922). - btrfs: reloc: fix reloc root leak and NULL pointer dereference (bsc#1171417 bsc#1160947 bsc#1172366 bsc#1176922). - btrfs: remove root usage from can_overcommit (bsc#1131277). - hyperv_fb: disable superfluous VERSION_WIN10_V5 case (bsc#1175306). - hyperv_fb: Update screen_info after removing old framebuffer (bsc#1175306). - livepatch: Add -fdump-ipa-clones to build (). Add support for -fdump-ipa-clones GCC option. Update config files accordingly. - livepatch: Test if -fdump-ipa-clones is really available As of now we add -fdump-ipa-clones unconditionally. It does not cause a trouble if the kernel is build with the supported toolchain. Otherwise it could fail easily. Do the correct thing and test for the availability. - powerpc/pseries/cpuidle: add polling idle for shared processor guests (bsc#1178765 ltc#188968). - scsi: qla2xxx: Do not consume srb greedily (bsc#1173233). - scsi: qla2xxx: Handle incorrect entry_type entries (bsc#1173233). - video: hyperv: hyperv_fb: Obtain screen resolution from Hyper-V host (bsc#1175306). - video: hyperv: hyperv_fb: Support deferred IO for Hyper-V frame buffer driver (bsc#1175306). - video: hyperv: hyperv_fb: Use physical memory for fb on HyperV Gen 1 VMs (bsc#1175306). - x86/hyperv: Create and use Hyper-V page definitions (bsc#1176877). - x86/kexec: Use up-to-dated screen_info copy to fill boot params (bsc#1175306). - x86/unwind/orc: Fix inactive tasks with stack pointer in %sp on GCC 10 compiled kernels (bsc#1058115 bsc#1176907). - xen/blkback: use lateeoi irq binding (XSA-332 bsc#1177411). - xen: do not reschedule in preemption off sections (bsc#1175749). - xen/events: add a new 'late EOI' evtchn framework (XSA-332 bsc#1177411). - xen/events: add a proper barrier to 2-level uevent unmasking (XSA-332 bsc#1177411). - xen/events: avoid removing an event channel while handling it (XSA-331 bsc#1177410). - xen/events: block rogue events for some time (XSA-332 bsc#1177411). - xen/events: defer eoi in case of excessive number of events (XSA-332 bsc#1177411). - xen/events: do not use chip_data for legacy IRQs (XSA-332 bsc#1065600). - xen/events: fix race in evtchn_fifo_unmask() (XSA-332 bsc#1177411). - xen/events: switch user event channels to lateeoi model (XSA-332 bsc#1177411). - xen/events: use a common cpu hotplug hook for event channels (XSA-332 bsc#1177411). - xen/netback: use lateeoi irq binding (XSA-332 bsc#1177411). - xen/pciback: use lateeoi irq binding (XSA-332 bsc#1177411). - xen/scsiback: use lateeoi irq binding (XSA-332 bsc#1177411). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:3546-1 Released: Fri Nov 27 11:21:09 2020 Summary: Recommended update for gnutls Type: recommended Severity: moderate References: 1172695 This update for gnutls fixes the following issue: - Avoid spurious audit messages about incompatible signature algorithms (bsc#1172695) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:3579-1 Released: Tue Dec 1 14:24:31 2020 Summary: Recommended update for glib2 Type: recommended Severity: moderate References: 1178346 This update for glib2 fixes the following issues: - Add support for slim format of timezone. (bsc#1178346) - Fix DST incorrect end day when using slim format. (bsc#1178346) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:3581-1 Released: Tue Dec 1 14:40:22 2020 Summary: Recommended update for libusb-1_0 Type: recommended Severity: moderate References: 1178376 This update for libusb-1_0 fixes the following issues: - Fixes a build failure for libusb for the inclusion of 'sys/time.h' on PowerPC. (bsc#1178376) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2020:3593-1 Released: Wed Dec 2 10:33:49 2020 Summary: Security update for python3 Type: security Severity: important References: 1176262,1179193,CVE-2019-20916 This update for python3 fixes the following issues: Update to 3.6.12 (bsc#1179193), including: - Fixed a directory traversal in _download_http_url() (bsc#1176262 CVE-2019-20916) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:3609-1 Released: Wed Dec 2 18:16:45 2020 Summary: Recommended update for cloud-init Type: recommended Severity: important References: 1177526,1178029,1179150,1179151 This update for cloud-init includes the following fixes: - Add wget as a requirement (bsc#1178029) + wget is used in the CloudStack data source - Add cloud-init-azure-def-usr-pass.patch (bsc#1179150, bsc#1179151) + Properly set the password for the default user in all circumstances - Patch the full package version into the cloud-init version file - Update cloud-init default route patch. (bsc#1177526) + Fix missing default route when dual stack network setup is used. Once a default route was configured for Ipv6 or IPv4 the default route configuration for the othre protocol was skipped. ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:3616-1 Released: Thu Dec 3 10:56:12 2020 Summary: Recommended update for c-ares Type: recommended Severity: moderate References: 1178882 - Fixed incomplete c-ares-devel dependencies introduced by the privous update (bsc#1178882). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:3620-1 Released: Thu Dec 3 17:03:55 2020 Summary: Recommended update for pam Type: recommended Severity: moderate References: This update for pam fixes the following issues: - Check if the password is part of the username. (jsc#SLE-16719, jsc#SLE-16720) - Check whether the password contains a substring of of the user's name of at least `` characters length in some form. This is enabled by the new parameter `usersubstr=` ----------------------------------------------------------------- Advisory ID: SUSE-SU-2020:3627-1 Released: Fri Dec 4 16:59:53 2020 Summary: Security update for xen Type: security Severity: important References: 1177409,1177412,1177413,1177414,1178591,1178963,CVE-2020-27670,CVE-2020-27671,CVE-2020-27672,CVE-2020-27674,CVE-2020-28368 This update for xen fixes the following issues: - bsc#1178963 - VUL-0: xen: stack corruption from XSA-346 change (XSA-355) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:3703-1 Released: Mon Dec 7 20:17:32 2020 Summary: Recommended update for aaa_base Type: recommended Severity: moderate References: 1179431 This update for aaa_base fixes the following issue: - Avoid semicolon within (t)csh login script on S/390. (bsc#1179431) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2020:3722-1 Released: Wed Dec 9 13:37:08 2020 Summary: Security update for openssl-1_1 Type: security Severity: important References: 1179491,CVE-2020-1971 This update for openssl-1_1 fixes the following issues: - CVE-2020-1971: Fixed a null pointer dereference in EDIPARTYNAME (bsc#1179491). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2020:3733-1 Released: Wed Dec 9 18:18:35 2020 Summary: Security update for curl Type: security Severity: moderate References: 1179398,1179399,1179593,CVE-2020-8284,CVE-2020-8285,CVE-2020-8286 This update for curl fixes the following issues: - CVE-2020-8286: Fixed improper OSCP verification in the client side (bsc#1179593). - CVE-2020-8285: Fixed a stack overflow due to FTP wildcard (bsc#1179399). - CVE-2020-8284: Fixed an issue where a malicius FTP server could make curl connect to a different IP (bsc#1179398).

SUSE: 2020:117-1 suse-sles-15-chost-byos-v20201210-hvm-ssd-x86_64 Security Update

December 14, 2020

The container suse-sles-15-chost-byos-v20201210-hvm-ssd-x86_64 was updated

Summary

Advisory ID: SUSE-RU-2020:1541-1 Released: Thu Jun 4 13:23:27 2020 Summary: Recommended update for pciutils Type: recommended Severity: moderate Advisory ID: SUSE-RU-2020:1542-1 Released: Thu Jun 4 13:24:37 2020 Summary: Recommended update for timezone Type: recommended Severity: moderate Advisory ID: SUSE-SU-2020:1551-1 Released: Mon Jun 8 09:31:41 2020 Summary: Security update for vim Type: security Severity: moderate Advisory ID: SUSE-RU-2020:1558-1 Released: Mon Jun 8 10:36:32 2020 Summary: Recommended update for chrony Type: recommended Severity: moderate Advisory ID: SUSE-RU-2020:1559-1 Released: Mon Jun 8 10:38:24 2020 Summary: Recommended update for dracut Type: recommended Severity: moderate Advisory ID: SUSE-RU-2020:1579-1 Released: Tue Jun 9 17:05:23 2020 Summary: Recommended update for audit Type: recommended Severity: important Advisory ID: SUSE-SU-2020:1584-1 Released: Tue Jun 9 18:39:15 2020 Summary: Security update for gnutls Type: security Severity: important Advisory ID: SUSE-RU-2020:1611-1 Released: Fri Jun 12 09:38:05 2020 Summary: Recommended update for libsolv, libzypp, zypper Type: recommended Severity: moderate Advisory ID: SUSE-SU-2020:1634-1 Released: Wed Jun 17 10:35:38 2020 Summary: Security update for xen Type: security Severity: important Advisory ID: SUSE-RU-2020:1640-1 Released: Wed Jun 17 15:46:04 2020 Summary: Recommended update for grub2 Type: recommended Severity: important Advisory ID: SUSE-SU-2020:1657-1 Released: Thu Jun 18 10:49:53 2020 Summary: Security update for containerd, docker, docker-runc, golang-github-docker-libnetwork Type: security Severity: moderate Advisory ID: SUSE-SU-2020:1663-1 Released: Thu Jun 18 11:17:18 2020 Summary: Security update for the Linux Kernel Type: security Severity: important Advisory ID: SUSE-SU-2020:1677-1 Released: Thu Jun 18 18:16:39 2020 Summary: Security update for mozilla-nspr, mozilla-nss Type: security Severity: important Advisory ID: SUSE-RU-2020:1679-1 Released: Thu Jun 18 20:07:06 2020 Summary: Recommended update for cloud-init Type: recommended Severity: moderate Advisory ID: SUSE-SU-2020:1682-1 Released: Fri Jun 19 09:44:54 2020 Summary: Security update for perl Type: security Severity: important Advisory ID: SUSE-RU-2020:1760-1 Released: Thu Jun 25 18:46:13 2020 Summary: Recommended update for systemd Type: recommended Severity: moderate Advisory ID: SUSE-SU-2020:1773-1 Released: Fri Jun 26 08:05:59 2020 Summary: Security update for curl Type: security Severity: important Advisory ID: SUSE-RU-2020:1820-1 Released: Thu Jul 2 08:38:44 2020 Summary: Recommended update for dracut Type: recommended Severity: moderate Advisory ID: SUSE-SU-2020:1822-1 Released: Thu Jul 2 11:30:42 2020 Summary: Security update for python3 Type: security Severity: important Advisory ID: SUSE-SU-2020:1396-1 Released: Fri Jul 3 12:33:05 2020 Summary: Security update for zstd Type: security Severity: moderate Advisory ID: SUSE-SU-2020:1850-1 Released: Mon Jul 6 14:44:39 2020 Summary: Security update for mozilla-nss Type: security Severity: moderate Advisory ID: SUSE-RU-2020:1852-1 Released: Mon Jul 6 16:50:23 2020 Summary: Recommended update for fontforge, ghostscript-fonts, ttf-converter, xorg-x11-fonts Type: recommended Severity: moderate Advisory ID: SUSE-SU-2020:1856-1 Released: Mon Jul 6 17:05:51 2020 Summary: Security update for openldap2 Type: security Severity: important Advisory ID: SUSE-SU-2020:1858-1 Released: Mon Jul 6 17:08:06 2020 Summary: Security update for permissions Type: security Severity: moderate Advisory ID: SUSE-RU-2020:1869-1 Released: Tue Jul 7 15:08:12 2020 Summary: Recommended update for libsolv, libzypp, zypper Type: recommended Severity: moderate Advisory ID: SUSE-SU-2020:1888-1 Released: Fri Jul 10 15:51:12 2020 Summary: Security update for xen Type: security Severity: important Advisory ID: SUSE-RU-2020:1953-1 Released: Sat Jul 18 03:06:11 2020 Summary: Recommended update for parted Type: recommended Severity: important Advisory ID: SUSE-RU-2020:1986-1 Released: Tue Jul 21 16:06:29 2020 Summary: Recommended update for openvswitch Type: recommended Severity: moderate Advisory ID: SUSE-RU-2020:1999-1 Released: Wed Jul 22 09:04:32 2020 Summary: Recommended update for dracut Type: recommended Severity: moderate Advisory ID: SUSE-SU-2020:2073-1 Released: Wed Jul 29 18:59:25 2020 Summary: Security update for grub2 Type: security Severity: important Advisory ID: SUSE-RU-2020:2083-1 Released: Thu Jul 30 10:27:59 2020 Summary: Recommended update for diffutils Type: recommended Severity: moderate Advisory ID: SUSE-RU-2020:2099-1 Released: Fri Jul 31 08:06:40 2020 Summary: Recommended update for systemd Type: recommended Severity: moderate Advisory ID: SUSE-SU-2020:2106-1 Released: Mon Aug 3 16:43:48 2020 Summary: Security update for the Linux Kernel Type: security Severity: important Advisory ID: SUSE-SU-2020:2159-1 Released: Thu Aug 6 20:05:30 2020 Summary: Security update for xen Type: security Severity: important Advisory ID: SUSE-RU-2020:2208-1 Released: Tue Aug 11 17:25:45 2020 Summary: Recommended update for rsyslog Type: recommended Severity: important Advisory ID: SUSE-RU-2020:2219-1 Released: Wed Aug 12 15:47:42 2020 Summary: Recommended update for supportutils-plugin-suse-public-cloud and python3-azuremetadata Type: recommended Severity: moderate Advisory ID: SUSE-RU-2020:2221-1 Released: Thu Aug 13 09:06:20 2020 Summary: Recommended update for SUSEConnect Type: recommended Severity: moderate Advisory ID: SUSE-RU-2020:2223-1 Released: Thu Aug 13 09:12:03 2020 Summary: Recommended update for zypper-migration-plugin Type: recommended Severity: moderate Advisory ID: SUSE-RU-2020:2224-1 Released: Thu Aug 13 09:15:47 2020 Summary: Recommended update for glibc Type: recommended Severity: moderate Advisory ID: SUSE-RU-2020:2243-1 Released: Fri Aug 14 15:27:12 2020 Summary: Recommended update for grub2 Type: recommended Severity: important Advisory ID: SUSE-RU-2020:2256-1 Released: Mon Aug 17 15:08:46 2020 Summary: Recommended update for sysfsutils Type: recommended Severity: moderate Advisory ID: SUSE-SU-2020:2277-1 Released: Wed Aug 19 13:24:03 2020 Summary: Security update for python3 Type: security Severity: moderate Advisory ID: SUSE-RU-2020:2279-1 Released: Wed Aug 19 21:26:55 2020 Summary: Recommended update for libzypp Type: recommended Severity: moderate Advisory ID: SUSE-RU-2020:2284-1 Released: Thu Aug 20 16:04:17 2020 Summary: Recommended update for ca-certificates-mozilla Type: recommended Severity: important Advisory ID: SUSE-SU-2020:2296-1 Released: Mon Aug 24 10:34:37 2020 Summary: Security update for gettext-runtime Type: security Severity: moderate Advisory ID: SUSE-SU-2020:2303-1 Released: Tue Aug 25 14:46:36 2020 Summary: Security update for grub2 Type: security Severity: important Advisory ID: SUSE-RU-2020:2337-1 Released: Wed Aug 26 13:00:47 2020 Summary: Recommended update for dracut Type: recommended Severity: moderate Advisory ID: SUSE-RU-2020:2380-1 Released: Fri Aug 28 14:54:08 2020 Summary: Recommended update for supportutils-plugin-suse-public-cloud Type: recommended Severity: moderate Advisory ID: SUSE-RU-2020:2384-1 Released: Sat Aug 29 00:57:13 2020 Summary: Recommended update for e2fsprogs Type: recommended Severity: low Advisory ID: SUSE-RU-2020:2411-1 Released: Tue Sep 1 13:28:47 2020 Summary: Recommended update for systemd Type: recommended Severity: moderate Advisory ID: SUSE-RU-2020:2420-1 Released: Tue Sep 1 13:48:35 2020 Summary: Recommended update for zlib Type: recommended Severity: moderate Advisory ID: SUSE-SU-2020:2446-1 Released: Wed Sep 2 09:33:22 2020 Summary: Security update for curl Type: security Severity: moderate Advisory ID: SUSE-RU-2020:2458-1 Released: Wed Sep 2 15:44:30 2020 Summary: Recommended update for iputils Type: recommended Severity: moderate Advisory ID: SUSE-SU-2020:2581-1 Released: Wed Sep 9 13:07:07 2020 Summary: Security update for openldap2 Type: security Severity: moderate Advisory ID: SUSE-SU-2020:2610-1 Released: Fri Sep 11 11:11:50 2020 Summary: Security update for the Linux Kernel Type: security Severity: important Advisory ID: SUSE-SU-2020:2612-1 Released: Fri Sep 11 11:18:01 2020 Summary: Security update for libxml2 Type: security Severity: moderate Advisory ID: SUSE-RU-2020:2617-1 Released: Mon Sep 14 10:40:04 2020 Summary: Recommended update for cloud-init Type: recommended Severity: moderate Advisory ID: SUSE-RU-2020:2651-1 Released: Wed Sep 16 14:42:55 2020 Summary: Recommended update for zlib Type: recommended Severity: moderate Advisory ID: SUSE-SU-2020:2712-1 Released: Tue Sep 22 17:08:03 2020 Summary: Security update for openldap2 Type: security Severity: moderate Advisory ID: SUSE-RU-2020:2780-1 Released: Tue Sep 29 11:27:51 2020 Summary: Recommended update for rsyslog Type: recommended Severity: moderate Advisory ID: SUSE-SU-2020:2789-1 Released: Tue Sep 29 14:13:14 2020 Summary: Security update for xen Type: security Severity: important Advisory ID: SUSE-SU-2020:2814-1 Released: Thu Oct 1 09:55:30 2020 Summary: Security update for permissions Type: security Severity: moderate Advisory ID: SUSE-RU-2020:2817-1 Released: Thu Oct 1 10:38:37 2020 Summary: Recommended update for libzypp, zypper Type: recommended Severity: moderate Advisory ID: SUSE-RU-2020:2825-1 Released: Fri Oct 2 08:44:28 2020 Summary: Recommended update for suse-build-key Type: recommended Severity: moderate Advisory ID: SUSE-RU-2020:2869-1 Released: Tue Oct 6 16:13:20 2020 Summary: Recommended update for aaa_base Type: recommended Severity: moderate Advisory ID: SUSE-SU-2020:2901-1 Released: Tue Oct 13 14:22:43 2020 Summary: Security update for libproxy Type: security Severity: important Advisory ID: SUSE-SU-2020:2914-1 Released: Tue Oct 13 17:25:20 2020 Summary: Security update for bind Type: security Severity: moderate Advisory ID: SUSE-SU-2020:2947-1 Released: Fri Oct 16 15:23:07 2020 Summary: Security update for gcc10, nvptx-tools Type: security Severity: moderate Advisory ID: SUSE-RU-2020:2953-1 Released: Mon Oct 19 06:25:15 2020 Summary: Recommended update for gettext-runtime Type: recommended Severity: moderate Advisory ID: SUSE-RU-2020:2958-1 Released: Tue Oct 20 12:24:55 2020 Summary: Recommended update for procps Type: recommended Severity: moderate Advisory ID: SUSE-RU-2020:2978-1 Released: Wed Oct 21 11:36:05 2020 Summary: Recommended update for openssl-1_1 Type: recommended Severity: moderate Advisory ID: SUSE-RU-2020:2979-1 Released: Wed Oct 21 11:37:14 2020 Summary: Recommended update for mozilla-nss Type: recommended Severity: moderate Advisory ID: SUSE-RU-2020:2983-1 Released: Wed Oct 21 15:03:03 2020 Summary: Recommended update for file Type: recommended Severity: moderate Advisory ID: SUSE-SU-2020:2988-1 Released: Wed Oct 21 17:35:34 2020 Summary: Security update for gnutls Type: security Severity: moderate Advisory ID: SUSE-RU-2020:2989-1 Released: Thu Oct 22 08:53:10 2020 Summary: Recommended update for chrony Type: recommended Severity: moderate Advisory ID: SUSE-SU-2020:2995-1 Released: Thu Oct 22 10:03:09 2020 Summary: Security update for freetype2 Type: security Severity: important Advisory ID: SUSE-RU-2020:3048-1 Released: Tue Oct 27 16:05:17 2020 Summary: Recommended update for libsolv, libzypp, yaml-cpp, zypper Type: recommended Severity: moderate Advisory ID: SUSE-SU-2020:3052-1 Released: Tue Oct 27 16:09:00 2020 Summary: Security update for xen Type: security Severity: important Advisory ID: SUSE-RU-2020:3058-1 Released: Wed Oct 28 06:11:14 2020 Summary: Recommended update for catatonit Type: recommended Severity: moderate Advisory ID: SUSE-RU-2020:3099-1 Released: Thu Oct 29 19:33:41 2020 Summary: Recommended update for timezone Type: recommended Severity: moderate Advisory ID: SUSE-RU-2020:3119-1 Released: Mon Nov 2 15:15:16 2020 Summary: Recommended update for cloud-init Type: recommended Severity: moderate Advisory ID: SUSE-RU-2020:3123-1 Released: Tue Nov 3 09:48:13 2020 Summary: Recommended update for timezone Type: recommended Severity: important Advisory ID: SUSE-RU-2020:3138-1 Released: Tue Nov 3 12:14:03 2020 Summary: Recommended update for systemd Type: recommended Severity: moderate Advisory ID: SUSE-RU-2020:3195-1 Released: Fri Nov 6 09:42:32 2020 Summary: Recommended update for SUSEConnect Type: recommended Severity: moderate Advisory ID: SUSE-RU-2020:3234-1 Released: Fri Nov 6 16:01:36 2020 Summary: Recommended update for ca-certificates-mozilla Type: recommended Severity: moderate Advisory ID: SUSE-RU-2020:3253-1 Released: Mon Nov 9 07:45:04 2020 Summary: Recommended update for mozilla-nss Type: recommended Severity: moderate Advisory ID: SUSE-RU-2020:3270-1 Released: Tue Nov 10 17:53:08 2020 Summary: Recommended update for bind Type: recommended Severity: moderate Advisory ID: SUSE-RU-2020:3290-1 Released: Wed Nov 11 12:25:32 2020 Summary: Recommended update for findutils Type: recommended Severity: moderate Advisory ID: SUSE-RU-2020:3298-1 Released: Wed Nov 11 15:30:46 2020 Summary: Recommended update for openssh Type: recommended Severity: moderate Advisory ID: SUSE-SU-2020:3313-1 Released: Thu Nov 12 16:07:37 2020 Summary: Security update for openldap2 Type: security Severity: important Advisory ID: SUSE-RU-2020:3341-1 Released: Mon Nov 16 13:59:51 2020 Summary: Recommended update for libsolv, libzypp, zypper Type: recommended Severity: moderate Advisory ID: SUSE-SU-2020:3358-1 Released: Tue Nov 17 13:17:10 2020 Summary: Security update for tcpdump Type: security Severity: moderate Advisory ID: SUSE-SU-2020:3375-1 Released: Thu Nov 19 09:28:25 2020 Summary: Security update for krb5 Type: security Severity: moderate Advisory ID: SUSE-RU-2020:3381-1 Released: Thu Nov 19 10:53:38 2020 Summary: Recommended update for systemd Type: recommended Severity: moderate Advisory ID: SUSE-SU-2020:3416-1 Released: Thu Nov 19 12:46:15 2020 Summary: Security update for xen Type: security Severity: important Advisory ID: SUSE-RU-2020:3461-1 Released: Fri Nov 20 13:09:07 2020 Summary: Recommended update for bind Type: recommended Severity: low Advisory ID: SUSE-RU-2020:3462-1 Released: Fri Nov 20 13:14:35 2020 Summary: Recommended update for pam and sudo Type: recommended Severity: moderate Advisory ID: SUSE-RU-2020:3469-1 Released: Fri Nov 20 17:42:13 2020 Summary: Recommended update for grub2 Type: recommended Severity: moderate Advisory ID: SUSE-SU-2020:3478-1 Released: Mon Nov 23 09:33:17 2020 Summary: Security update for c-ares Type: security Severity: moderate Advisory ID: SUSE-OU-2020:3481-1 Released: Mon Nov 23 11:17:09 2020 Summary: Optional update for vim Type: optional Severity: low Advisory ID: SUSE-SU-2020:3532-1 Released: Thu Nov 26 12:49:05 2020 Summary: Security update for the Linux Kernel Type: security Severity: important Advisory ID: SUSE-RU-2020:3546-1 Released: Fri Nov 27 11:21:09 2020 Summary: Recommended update for gnutls Type: recommended Severity: moderate Advisory ID: SUSE-RU-2020:3579-1 Released: Tue Dec 1 14:24:31 2020 Summary: Recommended update for glib2 Type: recommended Severity: moderate Advisory ID: SUSE-RU-2020:3581-1 Released: Tue Dec 1 14:40:22 2020 Summary: Recommended update for libusb-1_0 Type: recommended Severity: moderate Advisory ID: SUSE-SU-2020:3593-1 Released: Wed Dec 2 10:33:49 2020 Summary: Security update for python3 Type: security Severity: important Advisory ID: SUSE-RU-2020:3609-1 Released: Wed Dec 2 18:16:45 2020 Summary: Recommended update for cloud-init Type: recommended Severity: important Advisory ID: SUSE-RU-2020:3616-1 Released: Thu Dec 3 10:56:12 2020 Summary: Recommended update for c-ares Type: recommended Severity: moderate Advisory ID: SUSE-RU-2020:3620-1 Released: Thu Dec 3 17:03:55 2020 Summary: Recommended update for pam Type: recommended Severity: moderate Advisory ID: SUSE-SU-2020:3627-1 Released: Fri Dec 4 16:59:53 2020 Summary: Security update for xen Type: security Severity: important Advisory ID: SUSE-RU-2020:3703-1 Released: Mon Dec 7 20:17:32 2020 Summary: Recommended update for aaa_base Type: recommended Severity: moderate Advisory ID: SUSE-SU-2020:3722-1 Released: Wed Dec 9 13:37:08 2020 Summary: Security update for openssl-1_1 Type: security Severity: important Advisory ID: SUSE-SU-2020:3733-1 Released: Wed Dec 9 18:18:35 2020 Summary: Security update for curl Type: security Severity: moderate

References

References : 1010996 1011548 1050244 1051510 1051510 1051510 1051858 1058115

1058115 1058115 1061840 1065600 1065600 1065729 1065729 1071152

1071390 1071995 1071995 1071995 1082318 1085030 1086301 1086313

1086314 1089895 1100137 1100369 1104902 1104967 1106843 1107238

1109160 1109911 1113719 1114279 1118338 1118367 1118368 1120386

1128220 1130864 1130873 1130873 1131277 1133297 1134973 1142733

1143959 1144333 1146991 1151910 1151927 1152107 1153917 1153943

1153946 1154243 1154366 1154803 1154803 1154824 1154871 1154935

1155027 1155305 1155911 1156159 1156205 1156286 1156913 1157051

1157155 1157157 1157315 1157692 1158013 1158021 1158026 1158265

1158336 1158755 1158819 1158830 1159028 1159198 1159271 1159285

1159394 1159483 1159484 1159569 1159588 1159819 1159841 1159908

1159909 1159910 1159911 1159955 1160007 1160195 1160210 1160211

1160218 1160433 1160442 1160476 1160560 1160755 1160756 1160784

1160787 1160802 1160803 1160804 1160917 1160947 1160966 1161087

1161168 1161239 1161335 1161360 1161514 1161518 1161522 1161523

1161549 1161552 1161555 1161573 1161674 1161931 1161933 1161934

1161935 1161936 1161937 1161951 1162002 1162067 1162109 1162139

1162698 1162928 1162929 1162931 1163524 1163971 1164051 1164069

1164078 1164260 1164538 1164543 1164543 1164705 1164712 1164727

1164728 1164729 1164730 1164731 1164732 1164733 1164734 1164735

1164871 1165111 1165424 1165476 1165476 1165502 1165573 1165573

1165629 1165631 1165741 1165873 1165881 1165984 1165985 1166409

1166513 1166602 1166610 1166610 1166965 1166969 1167122 1167122

1167152 1167421 1167423 1167471 1167629 1168075 1168140 1168142

1168143 1168276 1168295 1168424 1168669 1168670 1168829 1168854

1168990 1168990 1168994 1169390 1169392 1169444 1169488 1169514

1169625 1169746 1169947 1170011 1170056 1170154 1170232 1170345

1170347 1170415 1170475 1170476 1170554 1170617 1170618 1170621

1170667 1170713 1170778 1170801 1170901 1170964 1171078 1171098

1171145 1171189 1171191 1171195 1171202 1171205 1171217 1171218

1171219 1171220 1171224 1171313 1171388 1171417 1171546 1171652

1171673 1171689 1171732 1171740 1171762 1171806 1171863 1171864

1171866 1171868 1171878 1171883 1171978 1171982 1171983 1171988

1171995 1172055 1172072 1172073 1172085 1172113 1172135 1172195

1172205 1172221 1172225 1172257 1172295 1172317 1172348 1172356

1172366 1172377 1172428 1172453 1172458 1172461 1172506 1172695

1172698 1172704 1172745 1172775 1172781 1172782 1172783 1172798

1172807 1172807 1172824 1172846 1172861 1172925 1172929 1172952

1172958 1172999 1173027 1173032 1173106 1173115 1173227 1173229

1173233 1173238 1173240 1173256 1173265 1173273 1173274 1173280

1173307 1173311 1173338 1173357 1173376 1173377 1173378 1173380

1173422 1173422 1173433 1173514 1173529 1173539 1173567 1173573

1173659 1173798 1173812 1173972 1173983 1173999 1174000 1174011

1174091 1174115 1174154 1174205 1174232 1174240 1174421 1174443

1174444 1174462 1174463 1174543 1174543 1174551 1174561 1174564

1174570 1174593 1174618 1174673 1174697 1174736 1174753 1174757

1174782 1174817 1174847 1174918 1174918 1174918 1175036 1175060

1175109 1175112 1175122 1175128 1175168 1175204 1175213 1175250

1175251 1175306 1175342 1175443 1175515 1175518 1175568 1175592

1175691 1175721 1175749 1175811 1175830 1175831 1175847 1175882

1175894 1175992 1176011 1176062 1176069 1176086 1176092 1176123

1176142 1176155 1176173 1176173 1176179 1176181 1176192 1176192

1176235 1176262 1176278 1176343 1176344 1176345 1176346 1176347

1176348 1176349 1176350 1176381 1176410 1176423 1176435 1176435

1176482 1176485 1176513 1176549 1176625 1176671 1176674 1176698

1176712 1176712 1176721 1176722 1176723 1176725 1176732 1176740

1176740 1176759 1176800 1176877 1176902 1176902 1176907 1176922

1176990 1177027 1177086 1177121 1177143 1177165 1177206 1177226

1177238 1177238 1177409 1177409 1177410 1177411 1177412 1177412

1177413 1177413 1177414 1177414 1177458 1177460 1177460 1177470

1177479 1177490 1177510 1177511 1177513 1177526 1177526 1177603

1177724 1177725 1177766 1177790 1177858 1177864 1177913 1177914

1177915 1177939 1177950 1177957 1177983 1178003 1178029 1178078

1178123 1178278 1178330 1178346 1178346 1178350 1178353 1178376

1178387 1178393 1178466 1178512 1178591 1178591 1178622 1178727

1178765 1178782 1178838 1178882 1178882 1178963 1179150 1179151

1179193 1179398 1179399 1179431 1179491 1179593 906079 927831

935885 935885 941629 973042 975267 CVE-2017-3136 CVE-2018-1000199

CVE-2018-18751 CVE-2018-5741 CVE-2019-14615 CVE-2019-14896 CVE-2019-14897

CVE-2019-16746 CVE-2019-16994 CVE-2019-17006 CVE-2019-19036 CVE-2019-19045

CVE-2019-19054 CVE-2019-19318 CVE-2019-19319 CVE-2019-19447 CVE-2019-19462

CVE-2019-19768 CVE-2019-19770 CVE-2019-19965 CVE-2019-19966 CVE-2019-20054

CVE-2019-20095 CVE-2019-20096 CVE-2019-20807 CVE-2019-20810 CVE-2019-20812

CVE-2019-20907 CVE-2019-20908 CVE-2019-20916 CVE-2019-3701 CVE-2019-6477

CVE-2019-9455 CVE-2019-9458 CVE-2020-0305 CVE-2020-0404 CVE-2020-0427

CVE-2020-0430 CVE-2020-0431 CVE-2020-0432 CVE-2020-0543 CVE-2020-0543

CVE-2020-10135 CVE-2020-10543 CVE-2020-10690 CVE-2020-10711 CVE-2020-10713

CVE-2020-10720 CVE-2020-10732 CVE-2020-10751 CVE-2020-10757 CVE-2020-10766

CVE-2020-10767 CVE-2020-10768 CVE-2020-10769 CVE-2020-10773 CVE-2020-10878

CVE-2020-10942 CVE-2020-11494 CVE-2020-11608 CVE-2020-11609 CVE-2020-11669

CVE-2020-11739 CVE-2020-11740 CVE-2020-11741 CVE-2020-11742 CVE-2020-11743

CVE-2020-12114 CVE-2020-12351 CVE-2020-12352 CVE-2020-12399 CVE-2020-12402

CVE-2020-12464 CVE-2020-12652 CVE-2020-12653 CVE-2020-12654 CVE-2020-12655

CVE-2020-12656 CVE-2020-12657 CVE-2020-12723 CVE-2020-12769 CVE-2020-12771

CVE-2020-12888 CVE-2020-13143 CVE-2020-13401 CVE-2020-13777 CVE-2020-13844

CVE-2020-13974 CVE-2020-14308 CVE-2020-14309 CVE-2020-14310 CVE-2020-14311

CVE-2020-14314 CVE-2020-14331 CVE-2020-14351 CVE-2020-14356 CVE-2020-14381

CVE-2020-14386 CVE-2020-14390 CVE-2020-14416 CVE-2020-14422 CVE-2020-15393

CVE-2020-15563 CVE-2020-15565 CVE-2020-15566 CVE-2020-15567 CVE-2020-15705

CVE-2020-15706 CVE-2020-15707 CVE-2020-15719 CVE-2020-15780 CVE-2020-15999

CVE-2020-16120 CVE-2020-16166 CVE-2020-1749 CVE-2020-1971 CVE-2020-24394

CVE-2020-24659 CVE-2020-24977 CVE-2020-25212 CVE-2020-25219 CVE-2020-25284

CVE-2020-25285 CVE-2020-25595 CVE-2020-25596 CVE-2020-25597 CVE-2020-25599

CVE-2020-25600 CVE-2020-25601 CVE-2020-25603 CVE-2020-25604 CVE-2020-25641

CVE-2020-25643 CVE-2020-25645 CVE-2020-25656 CVE-2020-25668 CVE-2020-25692

CVE-2020-25704 CVE-2020-25705 CVE-2020-26088 CVE-2020-26154 CVE-2020-2732

CVE-2020-27670 CVE-2020-27670 CVE-2020-27671 CVE-2020-27671 CVE-2020-27672

CVE-2020-27672 CVE-2020-27673 CVE-2020-27673 CVE-2020-27674 CVE-2020-27675

CVE-2020-28196 CVE-2020-28368 CVE-2020-28368 CVE-2020-7053 CVE-2020-8023

CVE-2020-8027 CVE-2020-8037 CVE-2020-8177 CVE-2020-8231 CVE-2020-8277

CVE-2020-8284 CVE-2020-8285 CVE-2020-8286 CVE-2020-8428 CVE-2020-8616

CVE-2020-8617 CVE-2020-8618 CVE-2020-8619 CVE-2020-8620 CVE-2020-8621

CVE-2020-8622 CVE-2020-8623 CVE-2020-8624 CVE-2020-8647 CVE-2020-8648

CVE-2020-8649 CVE-2020-8694 CVE-2020-8834 CVE-2020-8992 CVE-2020-9383

1170554

This update for pciutils fixes the following issues:

- Fix lspci outputs when few of the VPD data fields are displayed as unknown. (bsc#1170554, ltc#185587)

1172055

This update for timezone fixes the following issue:

- zdump --version reported 'unknown' (bsc#1172055)

1172225,CVE-2019-20807

This update for vim fixes the following issues:

- CVE-2019-20807: Fixed an issue where escaping from the restrictive mode of vim

was possible using interfaces (bsc#1172225).

1172113

This update for chrony fixes the following issue:

- Use iburst in the default pool statements to speed up initial synchronization. (bsc#1172113)

1171388,975267

This update for dracut fixes the following issues:

- Detect the sysfs attribute 'is_boot_target' (bsc#975267, bsc#1171388)

1156159,1172295

This update for audit fixes the following issues:

- Fix hang on startup. (bsc#1156159)

- Fix specfile to require libauparse0 and libaudit1 after splitting audit-libs. (bsc#1172295)

1172461,1172506,CVE-2020-13777

This update for gnutls fixes the following issues:

- CVE-2020-13777: Fixed an insecure session ticket key construction which could

have made the TLS server to not bind the session ticket encryption key with a

value supplied by the application until the initial key rotation, allowing

an attacker to bypass authentication in TLS 1.3 and recover previous

conversations in TLS 1.2 (bsc#1172506).

- Fixed an improper handling of certificate chain with cross-signed intermediate

CA certificates (bsc#1172461).

1130873,1154803,1164543,1165476,1165573,1166610,1167122,1168990

This update for libsolv, libzypp, zypper fixes the following issues:

libsolv was updated to 0.7.13 to fix:

- Fix solvable swapping messing up idarrays

- fix ruleinfo of complex dependencies returning the wrong origin

libzypp was updated to 17.23.4 to fix:

- Get retracted patch status from updateinfo data (jsc#SLE-8770)

libsolv injects the indicator provides into packages only.

- remove 'using namespace std;' (bsc#1166610, fixes #218)

- Online doc: add 'Hardware (modalias) dependencies' page

(fixes #216)

- Add HistoryLogReader actionFilter to parse only specific

HistoryActionIDs.

- RepoVariables: Add safe guard in case the caller does not own a

zypp instance.

- Enable c++17. Define libyzpp CXX_STANDARD in ZyppCommon.cmake.

- Fix package status computation regarding unneeded, orphaned, recommended

and suggested packages (broken in 17.23.0) (bsc#1165476)

- Log patch status changes to history (jsc#SLE-5116)

- Allow to disable all WebServer dependent tests when building. OBS

wants to be able to get rid of the nginx/FastCGI-devel build

requirement. Use 'rpmbuild --without mediabackend_tests' or

'cmake -DDISABLE_MEDIABACKEND_TESTS=1'.

- update translations

- boost: Fix deprecated auto_unit_test.hpp includes.

- Disable zchunk on Leap-15.0 and SLE15-* while there is no libzck.

- Fix decision whether to download ZCHUNK files.

libzypp and libsolv must both be able to read the format.

- yum::Downloader: Prefer zchunk compressed metadata if libvsolv

supports it.

- Selectable: Fix highestAvailableVersionObj if only retracted

packages are available. Avoid using retracted items as candidate

(jsc#SLE-8770)

- RpmDb: Become rpmdb backend independent (jsc#SLE-7272)

- RpmDb: Close API offering a custom rpmdb path

It's actually not needed and for this to work also libsolv needs

to support it. You can sill use a librpmDb::db_const_iterator to

access a database at a custom location (ro).

- Remove legacy rpmV3database conversion code.

- Reformat manpages to workaround asciidoctor shortcomings

(bsc#1154803, bsc#1167122, bsc#1168990)

- Remove undocumented rug legacy stuff.

- Remove 'using namespace std;' (bsc#1166610)

- patch table: Add 'Since' column if history data are available

(jsc#SLE-5116)

zypper was updated to version 1.14.36:

- Tag 'retracted' patch status in info and list-patches (jsc#SLE-8770)

- Tag 'R'etracted items in search tabes status columns (jsc#SLE-8770)

- Relax 'Do not allow the abbreviation of cli arguments' in

legacy distibutions (bsc#1164543)

- Correctly detect ambigous switch abbreviations (bsc#1165573)

- zypper-aptitude: don't supplement zypper.

supplementing zypper means zypper-aptitude gets installed by

default and pulls in perl. Neither is desired on small systems.

- Do not allow the abbreviation of cli arguments (bsc#1164543)

- accoring to according in all translation files.

- Always show exception history if available.

- Use default package cache location for temporary repos (bsc#1130873)

1167152,1168140,1168142,1168143,1169392,1172205,CVE-2020-0543,CVE-2020-11739,CVE-2020-11740,CVE-2020-11741,CVE-2020-11742,CVE-2020-11743

This update for xen fixes the following issues:

- CVE-2020-0543: Fixed a side channel attack against special registers which could have resulted in leaking of read values to cores other than the one which called it.

This attack is known as Special Register Buffer Data Sampling (SRBDS) or 'CrossTalk' (bsc#1172205).

- CVE-2020-11742: Bad continuation handling in GNTTABOP_copy (bsc#1169392).

- CVE-2020-11740, CVE-2020-11741: xen: XSA-313 multiple xenoprof issues (bsc#1168140).

- CVE-2020-11739: Missing memory barriers in read-write unlock paths (bsc#1168142).

- CVE-2020-11743: Bad error path in GNTTABOP_map_grant (bsc#1168143).

- Xenstored Crashed during VM install (bsc#1167152)

1166409,1166513

This update for grub2 fixes the following issues:

- Implement support searching for specific config files for netboot. (bsc#1166409)

- Skip zfcpdump kernel from the grub boot menu (bsc#1166513)

1172377,CVE-2020-13401

This update for containerd, docker, docker-runc, golang-github-docker-libnetwork fixes the following issues:

Docker was updated to 19.03.11-ce

runc was updated to version 1.0.0-rc10

containerd was updated to version 1.2.13

- CVE-2020-13401: Fixed an issue where an attacker with CAP_NET_RAW capability, could have crafted IPv6 router

advertisements, and spoof external IPv6 hosts, resulting in obtaining sensitive information or causing denial

of service (bsc#1172377).

1050244,1051510,1051858,1058115,1061840,1065600,1065729,1071995,1085030,1086301,1086313,1086314,1089895,1109911,1114279,1118338,1120386,1134973,1143959,1144333,1151910,1151927,1153917,1154243,1154824,1156286,1157155,1157157,1157692,1158013,1158021,1158026,1158265,1158819,1159028,1159198,1159271,1159285,1159394,1159483,1159484,1159569,1159588,1159841,1159908,1159909,1159910,1159911,1159955,1160195,1160210,1160211,1160218,1160433,1160442,1160476,1160560,1160755,1160756,1160784,1160787,1160802,1160803,1160804,1160917,1160966,1161087,1161514,1161518,1161522,1161523,1161549,1161552,1161555,1161674,1161931,1161933,1161934,1161935,1161936,1161937,1161951,1162067,1162109,1162139,1162928,1162929,1162931,1163971,1164051,1164069,1164078,1164705,1164712,1164727,1164728,1164729,1164730,1164731,1164732,1164733,1164734,1164735,1164871,1165111,1165741,1165873,1165881,1165984,1165985,1166969,1167421,1167423,1167629,1168075,1168276,1168295,1168424,1168670,1168829,1168854,1169390,1169514,1

169625,1170056,1170345,1170617,1170618,1170621,1170778,1170901,1171098,1171189,1171191,1171195,1171202,1171205,1171217,1171218,1171219,1171220,1171689,1171982,1171983,1172221,1172317,1172453,1172458,CVE-2018-1000199,CVE-2019-14615,CVE-2019-14896,CVE-2019-14897,CVE-2019-16994,CVE-2019-19036,CVE-2019-19045,CVE-2019-19054,CVE-2019-19318,CVE-2019-19319,CVE-2019-19447,CVE-2019-19462,CVE-2019-19768,CVE-2019-19770,CVE-2019-19965,CVE-2019-19966,CVE-2019-20054,CVE-2019-20095,CVE-2019-20096,CVE-2019-20810,CVE-2019-20812,CVE-2019-3701,CVE-2019-9455,CVE-2019-9458,CVE-2020-0543,CVE-2020-10690,CVE-2020-10711,CVE-2020-10720,CVE-2020-10732,CVE-2020-10751,CVE-2020-10757,CVE-2020-10942,CVE-2020-11494,CVE-2020-11608,CVE-2020-11609,CVE-2020-11669,CVE-2020-12114,CVE-2020-12464,CVE-2020-12652,CVE-2020-12653,CVE-2020-12654,CVE-2020-12655,CVE-2020-12656,CVE-2020-12657,CVE-2020-12769,CVE-2020-13143,CVE-2020-2732,CVE-2020-7053,CVE-2020-8428,CVE-2020-8647,CVE-2020-8648,CVE-2020-8649,CVE-2020-8834,CVE-2020-899

2,CVE-2020-9383

The SUSE Linux Enterprise 15 kernel was updated receive various security and bugfixes.

The following security bugs were fixed:

- CVE-2020-0543: Fixed a side channel attack against special registers which could have resulted in leaking of read values to cores other than the one which called it.

This attack is known as Special Register Buffer Data Sampling (SRBDS) or 'CrossTalk' (bsc#1154824).

- CVE-2020-9383: Fixed an out-of-bounds read due to improper error condition check of FDC index (bsc#1165111).

- CVE-2020-8992: Fixed an issue which could have allowed attackers to cause a soft lockup via a crafted journal size (bsc#1164069).

- CVE-2020-8834: Fixed a stack corruption which could have lead to kernel panic (bsc#1168276).

- CVE-2020-8649: Fixed a use-after-free in the vgacon_invert_region function in drivers/video/console/vgacon.c (bsc#1162931).

- CVE-2020-8648: Fixed a use-after-free in the n_tty_receive_buf_common function in drivers/tty/n_tty.c (bsc#1162928).

- CVE-2020-8647: Fixed a use-after-free in the vc_do_resize function in drivers/tty/vt/vt.c (bsc#1162929).

- CVE-2020-8428: Fixed a use-after-free which could have allowed local users to cause a denial of service (bsc#1162109).

- CVE-2020-7053: Fixed a use-after-free in the i915_ppgtt_close function in drivers/gpu/drm/i915/i915_gem_gtt.c (bsc#1160966).

- CVE-2020-2732: Fixed an issue affecting Intel CPUs where an L2 guest may trick the L0 hypervisor into accessing sensitive L1 resources (bsc#1163971).

- CVE-2020-13143: Fixed an out-of-bounds read in gadget_dev_desc_UDC_store in drivers/usb/gadget/configfs.c (bsc#1171982).

- CVE-2020-12769: Fixed an issue which could have allowed attackers to cause a panic via concurrent calls to dw_spi_irq and dw_spi_transfer_one (bsc#1171983).

- CVE-2020-12657: An a use-after-free in block/bfq-iosched.c (bsc#1171205).

- CVE-2020-12656: Fixed an improper handling of certain domain_release calls leadingch could have led to a memory leak (bsc#1171219).

- CVE-2020-12655: Fixed an issue which could have allowed attackers to trigger a sync of excessive duration via an XFS v5 image with crafted metadata (bsc#1171217).

- CVE-2020-12654: Fixed an issue in he wifi driver which could have allowed a remote AP to trigger a heap-based buffer overflow (bsc#1171202).

- CVE-2020-12653: Fixed an issue in the wifi driver which could have allowed local users to gain privileges or cause a denial of service (bsc#1171195).

- CVE-2020-12652: Fixed an issue which could have allowed local users to hold an incorrect lock during the ioctl operation and trigger a race condition (bsc#1171218).

- CVE-2020-12464: Fixed a use-after-free due to a transfer without a reference (bsc#1170901).

- CVE-2020-12114: Fixed a pivot_root race condition which could have allowed local users to cause a denial of service (panic) by corrupting a mountpoint reference counter (bsc#1171098).

- CVE-2020-11669: Fixed an issue where arch/powerpc/kernel/idle_book3s.S did not have save/restore functionality for PNV_POWERSAVE_AMR, PNV_POWERSAVE_UAMOR, and PNV_POWERSAVE_AMOR (bnc#1169390).

- CVE-2020-11609: Fixed a null pointer dereference due to improper handling of descriptors (bsc#1168854).

- CVE-2020-11608: Fixed a null pointer dereferences via a crafted USB (bsc#1168829).

- CVE-2020-11494: Fixed an issue which could have allowed attackers to read uninitialized can_frame data (bsc#1168424).

- CVE-2020-10942: Fixed a kernel stack corruption via crafted system calls (bsc#1167629).

- CVE-2020-10757: Fixed an issue where remaping hugepage DAX to anon mmap could have caused user PTE access (bsc#1172317).

- CVE-2020-10751: Fixed an improper implementation in SELinux LSM hook where it was assumed that an skb would only contain a single netlink message (bsc#1171189).

- CVE-2020-10732: Fixed kernel data leak in userspace coredumps due to uninitialized data (bsc#1171220).

- CVE-2020-10720: Fixed a use-after-free read in napi_gro_frags() (bsc#1170778).

- CVE-2020-10711: Fixed a null pointer dereference in SELinux subsystem which could have allowed a remote network user to crash the kernel resulting in a denial of service (bsc#1171191).

- CVE-2020-10690: Fixed the race between the release of ptp_clock and cdev (bsc#1170056).

- CVE-2019-9458: Fixed a use after free due to a race condition which could have led to privilege escalation of privilege (bsc#1168295).

- CVE-2019-9455: Fixed a pointer leak due to a WARN_ON statement in a video driver. This could lead to local information disclosure with System execution privileges needed (bsc#1170345).

- CVE-2019-3701: Fixed an issue in can_can_gw_rcv, which could cause a system crash (bsc#1120386).

- CVE-2019-20812: Fixed an issue in prb_calc_retire_blk_tmo() which could have resulted in a denial of service (bsc#1172453).

- CVE-2019-20810: Fixed a memory leak in due to not calling of snd_card_free (bsc#1172458).

- CVE-2019-20096: Fixed a memory leak in __feat_register_sp() in net/dccp/feat.c, which could have caused denial of service (bsc#1159908).

- CVE-2019-20095: Fixed an improper error-handling cases that did not free allocated hostcmd memory which was causing memory leak (bsc#1159909).

- CVE-2019-20054: Fixed a null pointer dereference in drop_sysctl_table() in fs/proc/proc_sysctl.c, related to put_links (bsc#1159910).

- CVE-2019-19966: Fixed a use-after-free in cpia2_exit() which could have caused denial of service (bsc#1159841).

- CVE-2019-19965: Fixed a null pointer dereference, due to mishandling of port disconnection during discovery (bsc#1159911).

- CVE-2019-19770: Fixed a use-after-free in the debugfs_remove function (bsc#1159198).

- CVE-2019-19768: Fixed a use-after-free in the __blk_add_trace function in kernel/trace/blktrace.c (bsc#1159285).

- CVE-2019-19462: Fixed an issue which could have allowed local user to cause denial of service (bsc#1158265).

- CVE-2019-19447: Fixed a user after free via a crafted ext4 filesystem image (bsc#1158819).

- CVE-2019-19319: Fixed a user after free when a large old_size value is used in a memset call (bsc#1158021).

- CVE-2019-19318: Fixed a use after free via a crafted btrfs image (bsc#1158026).

- CVE-2019-19054: Fixed a memory leak in the cx23888_ir_probe() which could have allowed attackers to cause a denial of service (bsc#1161518).

- CVE-2019-19045: Fixed a memory leak in which could have allowed attackers to cause a denial of service (bsc#1161522).

- CVE-2019-19036: Fixed a null pointer dereference in btrfs_root_node (bsc#1157692).

- CVE-2019-16994: Fixed a memory leak which might have caused denial of service (bsc#1161523).

- CVE-2019-14897: Fixed a stack overflow in Marvell Wifi Driver (bsc#1157155).

- CVE-2019-14896: Fixed a heap overflow in Marvell Wifi Driver (bsc#1157157).

- CVE-2019-14615: Fixed an improper control flow in certain data structures which could have led to information disclosure (bsc#1160195).

- CVE-2018-1000199: Fixed a potential local code execution via ptrace (bsc#1089895).

The following non-security bugs were fixed:

- 6pack,mkiss: fix possible deadlock (bsc#1051510).

- ACPI / APEI: Switch estatus pool to use vmalloc memory (bsc#1051510).

- ACPI: bus: Fix NULL pointer check in acpi_bus_get_private_data() (bsc#1051510).

- ACPI: fix acpi_find_child_device() invocation in acpi_preset_companion() (bsc#1051510).

- af_packet: set defaule value for tmo (bsc#1051510).

- ALSA: control: remove useless assignment in .info callback of PCM chmap element (git-fixes).

- ALSA: hda: Add Clevo W65_67SB the power_save blacklist (git-fixes).

- ALSA: hda - Add docking station support for Lenovo Thinkpad T420s (git-fixes).

- ALSA: hda/analog - Minor optimization for SPDIF mux connections (git-fixes).

- ALSA: hda/ca0132 - Avoid endless loop (git-fixes).

- ALSA: hda/ca0132 - Fix work handling in delayed HP detection (git-fixes).

- ALSA: hda/ca0132 - Keep power on during processing DSP response (git-fixes).

- ALSA: hda - Downgrade error message for single-cmd fallback (git-fixes).

- ALSA: hda/hdmi - add retry logic to parse_intel_hdmi() (git-fixes).

- ALSA: hda/hdmi - fix atpx_present when CLASS is not VGA (bsc#1051510).

- ALSA: hda/realtek - Add headset Mic no shutup for ALC283 (bsc#1051510).

- ALSA: ice1724: Fix sleep-in-atomic in Infrasonic Quartet support code (bsc#1051510).

- ALSA: pcm: Avoid possible info leaks from PCM stream buffers (git-fixes).

- ALSA: seq: Fix racy access for queue timer in proc read (bsc#1051510).

- ALSA: sh: Fix compile warning wrt const (git-fixes).

- ALSA: usb-audio: fix set_format altsetting sanity check (bsc#1051510).

- ALSA: usb-audio: fix sync-ep altsetting sanity check (bsc#1051510).

- ar5523: check NULL before memcpy() in ar5523_cmd() (bsc#1051510).

- arm64: Revert support for execute-only user mappings (bsc#1160218).

- ASoC: au8540: use 64-bit arithmetic instead of 32-bit (bsc#1051510).

- ASoC: cs4349: Use PM ops 'cs4349_runtime_pm' (bsc#1051510).

- ASoC: Jack: Fix NULL pointer dereference in snd_soc_jack_report (bsc#1051510).

- ASoC: msm8916-wcd-analog: Fix selected events for MIC BIAS External1 (bsc#1051510).

- ASoC: wm8962: fix lambda value (git-fixes).

- ath10k: fix fw crash by moving chip reset after napi disabled (bsc#1051510).

- ath9k: fix storage endpoint lookup (git-fixes).

- a typo in %kernel_base_conflicts macro name

- batman-adv: Fix DAT candidate selection on little endian systems (bsc#1051510).

- bcma: remove set but not used variable 'sizel' (git-fixes).

- blk: Fix kabi due to blk_trace_mutex addition (bsc#1159285).

- blktrace: fix dereference after null check (bsc#1159285).

- blktrace: fix trace mutex deadlock (bsc#1159285).

- bonding: fix active-backup transition after link failure (git-fixes).

- bonding: fix potential NULL deref in bond_update_slave_arr (bsc#1051510).

- bonding: fix unexpected IFF_BONDING bit unset (bsc#1051510).

- brcmfmac: fix interface sanity check (git-fixes).

- brcmfmac: Fix memory leak in brcmf_usbdev_qinit (git-fixes).

- brcmfmac: Fix use after free in brcmf_sdio_readframes() (git-fixes).

- btrfs: abort transaction after failed inode updates in create_subvol (bsc#1161936).

- btrfs: add missing extents release on file extent cluster relocation error (bsc#1159483).

- btrfs: avoid fallback to transaction commit during fsync of files with holes (bsc#1159569).

- btrfs: dev-replace: remove warning for unknown return codes when finished (dependency for bsc#1162067).

- btrfs: do not call synchronize_srcu() in inode_tree_del (bsc#1161934).

- btrfs: Ensure we trim ranges across block group boundary (bsc#1151910).

- btrfs: fix block group remaining RO forever after error during device replace (bsc#1160442).

- btrfs: fix btrfs_write_inode vs delayed iput deadlock (bsc#1154243).

- btrfs: fix infinite loop during nocow writeback due to race (bsc#1160804).

- btrfs: fix integer overflow in calc_reclaim_items_nr (bsc#1160433).

- btrfs: fix missing data checksums after replaying a log tree (bsc#1161931).

- btrfs: fix negative subv_writers counter and data space leak after buffered write (bsc#1160802).

- btrfs: fix removal logic of the tree mod log that leads to use-after-free issues (bsc#1160803).

- btrfs: fix selftests failure due to uninitialized i_mode in test inodes (Fix for dependency of bsc#1157692).

- btrfs: handle ENOENT in btrfs_uuid_tree_iterate (bsc#1161937).

- btrfs: harden agaist duplicate fsid on scanned devices (bsc#1134973).

- btrfs: inode: Verify inode mode to avoid NULL pointer dereference (dependency for bsc#1157692).

- btrfs: make tree checker detect checksum items with overlapping ranges (bsc#1161931).

- btrfs: Move btrfs_check_chunk_valid() to tree-check.[ch] and export it (dependency for bsc#1157692).

- btrfs: record all roots for rename exchange on a subvol (bsc#1161933).

- btrfs: relocation: fix reloc_root lifespan and access (bsc#1159588).

- btrfs: scrub: Require mandatory block group RO for dev-replace (bsc#1162067).

- btrfs: send, skip backreference walking for extents with many references (bsc#1162139).

- btrfs: skip log replay on orphaned roots (bsc#1161935).

- btrfs: tree-checker: Check chunk item at tree block read time (dependency for bsc#1157692).

- btrfs: tree-checker: Check level for leaves and nodes (dependency for bsc#1157692).

- btrfs: tree-checker: Enhance chunk checker to validate chunk profile (dependency for bsc#1157692).

- btrfs: tree-checker: Fix wrong check on max devid (fixes for dependency of bsc#1157692).

- btrfs: tree-checker: get fs_info from eb in block_group_err (dependency for bsc#1157692).

- btrfs: tree-checker: get fs_info from eb in check_block_group_item (dependency for bsc#1157692).

- btrfs: tree-checker: get fs_info from eb in check_csum_item (dependency for bsc#1157692).

- btrfs: tree-checker: get fs_info from eb in check_dev_item (dependency for bsc#1157692).

- btrfs: tree-checker: get fs_info from eb in check_dir_item (dependency for bsc#1157692).

- btrfs: tree-checker: get fs_info from eb in check_extent_data_item (dependency for bsc#1157692).

- btrfs: tree-checker: get fs_info from eb in check_inode_item (dependency for bsc#1157692).

- btrfs: tree-checker: get fs_info from eb in check_leaf (dependency for bsc#1157692).

- btrfs: tree-checker: get fs_info from eb in check_leaf_item (dependency for bsc#1157692).

- btrfs: tree-checker: get fs_info from eb in chunk_err (dependency for bsc#1157692).

- btrfs: tree-checker: get fs_info from eb in dev_item_err (dependency for bsc#1157692).

- btrfs: tree-checker: get fs_info from eb in dir_item_err (dependency for bsc#1157692).

- btrfs: tree-checker: get fs_info from eb in file_extent_err (dependency for bsc#1157692).

- btrfs: tree-checker: get fs_info from eb in generic_err (dependency for bsc#1157692).

- btrfs: tree-checker: Make btrfs_check_chunk_valid() return EUCLEAN instead of EIO (dependency for bsc#1157692).

- btrfs: tree-checker: Make chunk item checker messages more readable (dependency for bsc#1157692).

- btrfs: tree-checker: Verify dev item (dependency for bsc#1157692).

- btrfs: tree-checker: Verify inode item (dependency for bsc#1157692).

- btrfs: volumes: Use more straightforward way to calculate map length (bsc#1151910).

- can: can_dropped_invalid_skb(): ensure an initialized headroom in outgoing CAN sk_buffs (bsc#1051510).

- can: gs_usb: gs_usb_probe(): use descriptors of current altsetting (bsc#1051510).

- can: mscan: mscan_rx_poll(): fix rx path lockup when returning from polling to irq mode (bsc#1051510).

- can, slip: Protect tty->disc_data in write_wakeup and close with RCU (bsc#1051510).

- cfg80211: check for set_wiphy_params (bsc#1051510).

- cfg80211: fix page refcount issue in A-MSDU decap (bsc#1051510).

- cfg80211/mac80211: make ieee80211_send_layer2_update a public function (bsc#1051510).

- cgroup: pids: use atomic64_t for pids->limit (bsc#1161514).

- CIFS: add support for flock (bsc#1144333).

- CIFS: Close cached root handle only if it had a lease (bsc#1144333).

- CIFS: Close open handle after interrupted close (bsc#1144333).

- CIFS: close the shared root handle on tree disconnect (bsc#1144333).

- CIFS: Do not miss cancelled OPEN responses (bsc#1144333).

- CIFS: Fix lookup of root ses in DFS referral cache (bsc#1144333).

- CIFS: Fix memory allocation in __smb2_handle_cancelled_cmd() (bsc#1144333).

- CIFS: Fix mount options set in automount (bsc#1144333).

- CIFS: Fix NULL pointer dereference in mid callback (bsc#1144333).

- CIFS: Fix NULL-pointer dereference in smb2_push_mandatory_locks (bsc#1144333).

- CIFS: Fix potential softlockups while refreshing DFS cache (bsc#1144333).

- CIFS: Fix retrieval of DFS referrals in cifs_mount() (bsc#1144333).

- CIFS: Fix use-after-free bug in cifs_reconnect() (bsc#1144333).

- CIFS: Properly process SMB3 lease breaks (bsc#1144333).

- CIFS: remove set but not used variables 'cinode' and 'netfid' (bsc#1144333).

- CIFS: Respect O_SYNC and O_DIRECT flags during reconnect (bsc#1144333).

- clk: Do not try to enable critical clocks if prepare failed (bsc#1051510).

- clk: rockchip: fix I2S1 clock gate register for rk3328 (bsc#1051510).

- clk: rockchip: fix ID of 8ch clock of I2S1 for rk3328 (bsc#1051510).

- clk: rockchip: fix rk3188 sclk_mac_lbtest parameter ordering (bsc#1051510).

- clk: rockchip: fix rk3188 sclk_smc gate data (bsc#1051510).

- clk: sunxi: sun9i-mmc: Implement reset callback for reset controls (bsc#1051510).

- clocksource/drivers/bcm2835_timer: Fix memory leak of timer (bsc#1051510).

- clocksource/drivers/hyper-v: Set TSC clocksource as default w/ InvariantTSC (bsc#1170621).

- copy/pasted 'Recommends:' instead of 'Provides:', 'Obsoletes:' and 'Conflicts:

- crypto: af_alg - Use bh_lock_sock in sk_destruct (bsc#1051510).

- crypto: api - Check spawn->alg under lock in crypto_drop_spawn (bsc#1051510).

- crypto: api - Fix race condition in crypto_spawn_alg (bsc#1051510).

- crypto: atmel-sha - fix error handling when setting hmac key (bsc#1051510).

- crypto: ccp - fix uninitialized list head (bsc#1051510).

- crypto: chelsio - fix writing tfm flags to wrong place (bsc#1051510).

- crypto: pcrypt - Do not clear MAY_SLEEP flag in original request (bsc#1051510).

- crypto: picoxcell - adjust the position of tasklet_init and fix missed tasklet_kill (bsc#1051510).

- crypto: reexport crypto_shoot_alg() (bsc#1051510, kABI fix).

- debugfs: add support for more elaborate ->d_fsdata (bsc#1159198 bsc#1109911). Prerequisite for bsc#1159198.

- debugfs: call debugfs_real_fops() only after debugfs_file_get() (bsc#1159198 bsc#1109911). Prerequisite for bsc#1159198.

- debugfs: convert to debugfs_file_get() and -put() (bsc#1159198 bsc#1109911). Prerequisite for bsc#1159198.

- debugfs: debugfs_real_fops(): drop __must_hold sparse annotation (bsc#1159198 bsc#1109911). Prerequisite for bsc#1159198.

- debugfs: debugfs_use_start/finish do not exist anymore (bsc#1159198). Prerequisite for bsc#1159198.

- debugfs: defer debugfs_fsdata allocation to first usage (bsc#1159198 bsc#1109911). Prerequisite for bsc#1159198.

- debugfs: fix debugfs_real_fops() build error (bsc#1159198 bsc#1109911). Prerequisite for bsc#1159198.

- debugfs: implement per-file removal protection (bsc#1159198 bsc#1109911). Prerequisite for bsc#1159198.

- debugfs: purge obsolete SRCU based removal protection (bsc#1159198 bsc#1109911). Prerequisite for bsc#1159198.

- debugfs: simplify __debugfs_remove_file() (bsc#1159198). Prerequisite for bsc#1159198.

- dmaengine: coh901318: Fix a double-lock bug (bsc#1051510).

- dmaengine: coh901318: Remove unused variable (bsc#1051510).

- dmaengine: Fix access to uninitialized dma_slave_caps (bsc#1051510).

- dma-mapping: fix return type of dma_set_max_seg_size() (bsc#1051510).

- drivers/base/memory.c: cache blocks in radix tree to accelerate lookup (bsc#1159955 ltc#182993).

- drivers/base/memory.c: do not access uninitialized memmaps in soft_offline_page_store() (bsc#1051510).

- drivers: HV: Send one page worth of kmsg dump over Hyper-V during panic (bsc#1170617).

- drivers: hv: vmbus: Fix the issue with freeing up hv_ctl_table_hdr (bsc#1170617).

- drivers: hv: vmbus: Get rid of MSR access from vmbus_drv.c (bsc#1170618).

- drivers: hv: vmus: Fix the check for return value from kmsg get dump buffer (bsc#1170617).

- drm/amdgpu: add function parameter description in 'amdgpu_gart_bind' (bsc#1051510).

- drm/amdgpu: remove 4 set but not used variable in amdgpu_atombios_get_connector_info_from_object_table (bsc#1051510).

- drm/amdgpu: remove always false comparison in 'amdgpu_atombios_i2c_process_i2c_ch' (bsc#1051510).

- drm/amdgpu: remove set but not used variable 'amdgpu_connector' (bsc#1051510).

- drm/amdgpu: remove set but not used variable 'dig' (bsc#1051510).

- drm/amdgpu: remove set but not used variable 'dig_connector' (bsc#1051510).

- drm/amdgpu: remove set but not used variable 'mc_shared_chmap' (bsc#1051510).

- drm/amdgpu: remove set but not used variable 'mc_shared_chmap' from 'gfx_v6_0.c' and 'gfx_v7_0.c' (bsc#1051510).

- drm: bridge: dw-hdmi: constify copied structure (bsc#1051510).

- drm/dp_mst: correct the shifting in DP_REMOTE_I2C_READ (bsc#1051510).

- drm/fb-helper: Round up bits_per_pixel if possible (bsc#1051510).

- drm/i810: Prevent underflow in ioctl (bsc#1114279)

- drm/i915: Add missing include file (bsc#1051510).

- drm/i915: Fix pid leak with banned clients (bsc#1114279)

- drm: limit to INT_MAX in create_blob ioctl (bsc#1051510).

- drm/mst: Fix MST sideband up-reply failure handling (bsc#1051510).

- drm/nouveau: Fix copy-paste error in nouveau_fence_wait_uevent_handler (bsc#1051510).

- drm/nouveau/secboot/gm20b: initialize pointer in gm20b_secboot_new() (bsc#1051510).

- drm/qxl: Return error if fbdev is not 32 bpp (bsc#1159028)

- drm/radeon: fix r1xx/r2xx register checker for POT textures (bsc#1114279)

- drm/rockchip: lvds: Fix indentation of a #define (bsc#1051510).

- drm/vmwgfx: prevent memory leak in vmw_cmdbuf_res_add (bsc#1051510).

- e100: Fix passing zero to 'PTR_ERR' warning in e100_load_ucode_wait (bsc#1051510).

- exit: panic before exit_mm() on global init exit (bsc#1161549).

- extcon: max8997: Fix lack of path setting in USB device mode (bsc#1051510).

- firestream: fix memory leaks (bsc#1051510).

- fix autofs regression caused by follow_managed() changes (bsc#1159271).

- fix dget_parent() fastpath race (bsc#1159271).

- Fix partial checked out tree build ... so that bisection does not break.

- fjes: fix missed check in fjes_acpi_add (bsc#1051510).

- fs: cifs: Fix atime update check vs mtime (bsc#1144333).

- fs/namei.c: fix missing barriers when checking positivity (bsc#1159271).

- fs/namei.c: pull positivity check into follow_managed() (bsc#1159271).

- fs/xfs: fix f_ffree value for statfs when project quota is set (bsc#1165985).

- ftrace: Avoid potential division by zero in function profiler (bsc#1160784).

- futex: Prevent robust futex exit race (bsc#1161555).

- gpio: Fix error message on out-of-range GPIO in lookup table (bsc#1051510).

- HID: hidraw: Fix returning EPOLLOUT from hidraw_poll (bsc#1051510).

- HID: hidraw, uhid: Always report EPOLLOUT (bsc#1051510).

- hidraw: Return EPOLLOUT from hidraw_poll (bsc#1051510).

- HID: uhid: Fix returning EPOLLOUT from uhid_char_poll (bsc#1051510).

- hwmon: (adt7475) Make volt2reg return same reg as reg2volt input (bsc#1051510).

- hwmon: (core) Do not use device managed functions for memory allocations (bsc#1051510).

- hwmon: (nct7802) Fix voltage limits to wrong registers (bsc#1051510).

- i2c: imx: do not print error message on probe defer (bsc#1051510).

- IB/hfi1: convert to debugfs_file_get() and -put() (bsc#1159198 bsc#1109911). Prerequisite for bsc#1159198.

- ibmveth: Detect unsupported packets before sending to the hypervisor (bsc#1159484 ltc#182983).

- ibmvfc: do not send implicit logouts prior to NPIV login (bsc#1169625 ltc#184611).

- iio: adc: max9611: Fix too short conversion time delay (bsc#1051510).

- iio: buffer: align the size of scan bytes to size of the largest element (bsc#1051510).

- inet: protect against too small mtu values (networking-stable-19_12_16).

- Input: add safety guards to input_set_keycode() (bsc#1168075).

- Input: aiptek - fix endpoint sanity check (bsc#1051510).

- Input: cyttsp4_core - fix use after free bug (bsc#1051510).

- Input: goodix - add upside-down quirk for Teclast X89 tablet (bsc#1051510).

- Input: gtco - fix endpoint sanity check (bsc#1051510).

- Input: keyspan-remote - fix control-message timeouts (bsc#1051510).

- Input: pegasus_notetaker - fix endpoint sanity check (bsc#1051510).

- Input: pm8xxx-vib - fix handling of separate enable register (bsc#1051510).

- Input: rmi_f54 - read from FIFO in 32 byte blocks (bsc#1051510).

- Input: sun4i-ts - add a check for devm_thermal_zone_of_sensor_register (bsc#1051510).

- Input: sur40 - fix interface sanity checks (bsc#1051510).

- Input: synaptics-rmi4 - do not increment rmiaddr for SMBus transfers (bsc#1051510).

- Input: synaptics-rmi4 - simplify data read in rmi_f54_work (bsc#1051510).

- Input: synaptics - switch another X1 Carbon 6 to RMI/SMbus (bsc#1051510).

- iommu: Remove device link to group on failure (bsc#1160755).

- iommu/vt-d: Unlink device if failed to add to group (bsc#1160756).

- iwlegacy: ensure loop counter addr does not wrap and cause an infinite loop (git-fixes).

- iwlwifi: mvm: Send non offchannel traffic via AP sta (bsc#1051510).

- iwlwifi: mvm: synchronize TID queue removal (bsc#1051510).

- kABI: protect struct sctp_ep_common (kabi).

- kABI: restore debugfs_remove_recursive() (bsc#1159198).

- kABI workaround for can/skb.h inclusion (bsc#1051510).

- kernel/trace: Fix do not unregister tracepoints when register sched_migrate_task fail (bsc#1160787).

- KEYS: reaching the keys quotas correctly (bsc#1171689).

- KVM: fix spectrev1 gadgets (bsc#1164705).

- KVM: x86: Host feature SSBD does not imply guest feature SPEC_CTRL_SSBD (bsc#1160476).

- KVM: x86: Protect DR-based index computations from Spectre-v1/L1TF attacks (bsc#1164734).

- KVM: x86: Protect ioapic_read_indirect() from Spectre-v1/L1TF attacks (bsc#1164728).

- KVM: x86: Protect ioapic_write_indirect() from Spectre-v1/L1TF attacks (bsc#1164729).

- KVM: x86: Protect kvm_hv_msr_[get|set]_crash_data() from Spectre-v1/L1TF attacks (bsc#1164712).

- KVM: x86: Protect kvm_lapic_reg_write() from Spectre-v1/L1TF attacks (bsc#1164730).

- KVM: x86: Protect MSR-based index computations from Spectre-v1/L1TF attacks in x86.c (bsc#1164733).

- KVM: x86: Protect MSR-based index computations in fixed_msr_to_seg_unit() from Spectre-v1/L1TF attacks (bsc#1164731).

- KVM: x86: Protect MSR-based index computations in pmu.h from Spectre-v1/L1TF attacks (bsc#1164732).

- KVM: x86: Protect pmu_intel.c from Spectre-v1/L1TF attacks (bsc#1164735).

- KVM: x86: Protect x86_decode_insn from Spectre-v1/L1TF attacks (bsc#1164705).

- KVM: x86: Refactor picdev_write() to prevent Spectre-v1/L1TF attacks (bsc#1164727).

- leds: Allow to call led_classdev_unregister() unconditionally (bsc#1161674).

- leds: class: ensure workqueue is initialized before setting brightness (bsc#1161674).

- lib/scatterlist.c: adjust indentation in __sg_alloc_table (bsc#1051510).

- lib/test_kasan.c: fix memory leak in kmalloc_oob_krealloc_more() (bsc#1051510).

- livepatch/samples/selftest: Use klp_shadow_alloc() API correctly (bsc#1071995).

- livepatch/selftest: Clean up shadow variable names and type (bsc#1071995).

- mac80211: Do not send Layer 2 Update frame before authorization (bsc#1051510).

- macvlan: do not assume mac_header is set in macvlan_broadcast() (bsc#1051510).

- macvlan: use skb_reset_mac_header() in macvlan_queue_xmit() (bsc#1051510).

- md/raid0: Fix buffer overflow at debug print (bsc#1164051).

- media: cec.h: CEC_OP_REC_FLAG_ values were swapped (bsc#1051510).

- media: cec: report Vendor ID after initialization (bsc#1051510).

- media: iguanair: fix endpoint sanity check (bsc#1051510).

- media: ov519: add missing endpoint sanity checks (bsc#1168829).

- media: pulse8-cec: return 0 when invalidating the logical address (bsc#1051510).

- media: stkwebcam: Bugfix for wrong return values (bsc#1051510).

- media: stv06xx: add missing descriptor sanity checks (bsc#1168854).

- media: uvcvideo: Avoid cyclic entity chains due to malformed USB descriptors (bsc#1051510).

- media: v4l2-ioctl.c: zero reserved fields for S/TRY_FMT (bsc#1051510).

- media: v4l2-rect.h: fix v4l2_rect_map_inside() top/left adjustments (bsc#1051510).

- missing escaping of backslashes in macro expansions Fixes: f3b74b0ae86b ('rpm/kernel-subpackage-spec: Unify dependency handling.') Fixes: 3fd22e219f77 ('rpm/kernel-subpackage-spec: Fix empty Recommends tag (bsc#1143959)')

- mmc: mediatek: fix CMD_TA to 2 for MT8173 HS200/HS400 mode (bsc#1051510).

- mmc: sdhci: fix minimum clock rate for v3 controller (bsc#1051510).

- mmc: sdhci-of-esdhc: fix P2020 errata handling (bsc#1051510).

- mmc: sdhci-of-esdhc: Revert 'mmc: sdhci-of-esdhc: add erratum A-009204 support' (bsc#1051510).

- mmc: tegra: fix SDR50 tuning override (bsc#1051510).

- mm: memory_hotplug: use put_device() if device_register fail (bsc#1159955 ltc#182993).

- mm/page-writeback.c: fix range_cyclic writeback vs writepages deadlock (bsc#1159394).

- mwifiex: drop most magic numbers from mwifiex_process_tdls_action_frame() (git-fixes).

- net: bridge: deny dev_set_mac_address() when unregistering (networking-stable-19_12_16).

- net: ena: Add PCI shutdown handler to allow safe kexec (bsc#1167421, bsc#1167423).

- net: ethernet: ti: cpsw: fix extra rx interrupt (networking-stable-19_12_16).

- netfilter: nf_queue: enqueue skbs with NULL dst (git-fixes).

- net/mlx4_en: fix mlx4 ethtool -N insertion (networking-stable-19_11_25).

- net/mlx5e: Fix set vf link state error flow (networking-stable-19_11_25).

- net/mlxfw: Fix out-of-memory error in mfa2 flash burning (bsc#1051858).

- net: psample: fix skb_over_panic (networking-stable-19_12_03).

- net: rtnetlink: prevent underflows in do_setvfinfo() (networking-stable-19_11_25).

- net/sched: act_pedit: fix WARN() in the traffic path (networking-stable-19_11_25).

- net: sched: fix `tc -s class show` no bstats on class with nolock subqueues (networking-stable-19_12_03).

- net: usb: lan78xx: limit size of local TSO packets (bsc#1051510).

- net: usb: qmi_wwan: add support for Foxconn T77W968 LTE modules (networking-stable-19_11_18).

- new helper: lookup_positive_unlocked() (bsc#1159271).

- NFC: pn533: fix bulk-message timeout (bsc#1051510).

- NFC: pn544: Adjust indentation in pn544_hci_check_presence (git-fixes).

- objtool: Fix stack offset tracking for indirect CFAs (bsc#1169514).

- openvswitch: drop unneeded BUG_ON() in ovs_flow_cmd_build_info() (networking-stable-19_12_03).

- openvswitch: remove another BUG_ON() (networking-stable-19_12_03).

- openvswitch: support asymmetric conntrack (networking-stable-19_12_16).

- orinoco_usb: fix interface sanity check (git-fixes).

- PCI: Do not disable bridge BARs when assigning bus resources (bsc#1051510).

- PCI/switchtec: Fix vep_vector_number ioread width (bsc#1051510).

- phy: qualcomm: Adjust indentation in read_poll_timeout (bsc#1051510).

- pinctrl: qcom: ssbi-gpio: fix gpio-hog related boot issues (bsc#1051510).

- pinctrl: sh-pfc: r8a7778: Fix duplicate SDSELF_B and SD1_CLK_B (bsc#1051510).

- platform/x86: asus-wmi: Fix keyboard brightness cannot be set to 0 (bsc#1051510).

- platform/x86: hp-wmi: Make buffer for HPWMI_FEATURE2_QUERY 128 bytes (bsc#1051510).

- platform/x86: pmc_atom: Add Siemens CONNECT X300 to critclk_systems DMI table (bsc#1051510).

- powerpc: Allow 64bit VDSO __kernel_sync_dicache to work across ranges >4GB (bnc#1151927 5.3.17).

- powerpc: Allow flush_icache_range to work across ranges >4GB (bnc#1151927 5.3.17).

- powerpc/archrandom: fix arch_get_random_seed_int() (bsc#1065729).

- powerpc: Fix vDSO clock_getres() (bsc#1065729).

- powerpc/irq: fix stack overflow verification (bsc#1065729).

- powerpc/mm: drop #ifdef CONFIG_MMU in is_ioremap_addr() (bsc#1065729).

- powerpc/mm: Remove kvm radix prefetch workaround for Power9 DD2.2 (bsc#1061840).

- powerpc/pkeys: remove unused pkey_allows_readwrite (bsc#1065729).

- powerpc/powernv: Disable native PCIe port management (bsc#1065729).

- powerpc/security: Fix debugfs data leak on 32-bit (bsc#1065729).

- powerpc/tm: Fix clearing MSR[TS] in current when reclaiming on signal delivery (bsc#1118338 ltc#173734).

- powerpc/tools: Do not quote $objdump in scripts (bsc#1065729).

- powerpc/xive: Discard ESB load value when interrupt is invalid (bsc#1085030).

- powerpc/xive: Skip ioremap() of ESB pages for LSI interrupts (bsc#1085030).

- powerpc/xmon: do not access ASDR in VMs (bsc#1065729).

- ppp: Adjust indentation into ppp_async_input (git-fixes).

- prevent active file list thrashing due to refault detection (VM Performance, bsc#1156286).

- pstore/ram: Write new dumps to start of recycled zones (bsc#1051510).

- qede: Disable hardware gro when xdp prog is installed (bsc#1086314 bsc#1086313 bsc#1086301 ).

- r8152: add missing endpoint sanity check (bsc#1051510).

- random: always use batched entropy for get_random_u{32,64} (bsc#1164871).

- RDMA/bnxt_re: Avoid freeing MR resources if dereg fails (bsc#1050244).

- regulator: Fix return value of _set_load() stub (bsc#1051510).

- regulator: rk808: Lower log level on optional GPIOs being not available (bsc#1051510).

- regulator: rn5t618: fix module aliases (bsc#1051510).

- Revert 'Input: synaptics-rmi4 - do not increment rmiaddr for SMBus transfers' (bsc#1051510).

- Revert 'ipc,sem: remove uneeded sem_undo_list lock usage in exit_sem()' (bsc#1172221).

- Revert 'mmc: sdhci: Fix incorrect switch to HS mode' (bsc#1051510).

- rtc: dt-binding: abx80x: fix resistance scale (bsc#1051510).

- rtc: max8997: Fix the returned value in case of error in 'max8997_rtc_read_alarm()' (bsc#1051510).

- rtc: msm6242: Fix reading of 10-hour digit (bsc#1051510).

- rtc: pcf8523: set xtal load capacitance from DT (bsc#1051510).

- rtc: s35390a: Change buf's type to u8 in s35390a_init (bsc#1051510).

- scsi: ibmvfc: Avoid loss of all paths during SVC node reboot (bsc#1161951 ltc#183551).

- scsi: ibmvfc: Fix NULL return compiler warning (bsc#1161951 ltc#183551).

- scsi: qla2xxx: Add a shadow variable to hold disc_state history of fcport (bsc#1158013).

- scsi: qla2xxx: Add D-Port Diagnostic reason explanation logs (bsc#1158013).

- scsi: qla2xxx: Cleanup unused async_logout_done (bsc#1158013).

- scsi: qla2xxx: Consolidate fabric scan (bsc#1158013).

- scsi: qla2xxx: Correct fcport flags handling (bsc#1158013).

- scsi: qla2xxx: Fix fabric scan hang (bsc#1158013).

- scsi: qla2xxx: Fix mtcp dump collection failure (bsc#1158013).

- scsi: qla2xxx: Fix RIDA Format-2 (bsc#1158013).

- scsi: qla2xxx: Fix stuck login session using prli_pend_timer (bsc#1158013).

- scsi: qla2xxx: Fix stuck session in GNL (bsc#1158013).

- scsi: qla2xxx: Fix the endianness of the qla82xx_get_fw_size() return type (bsc#1158013).

- scsi: qla2xxx: Fix update_fcport for current_topology (bsc#1158013).

- scsi: qla2xxx: Improve readability of the code that handles qla_flt_header (bsc#1158013).

- scsi: qla2xxx: Remove defer flag to indicate immeadiate port loss (bsc#1158013).

- scsi: qla2xxx: Update driver version to 10.01.00.22-k (bsc#1158013).

- scsi: qla2xxx: Use common routine to free fcport struct (bsc#1158013).

- scsi: qla2xxx: Use get_unaligned_*() instead of open-coding these functions (bsc#1158013).

- sctp: cache netns in sctp_ep_common (networking-stable-19_12_03).

- serial: 8250_bcm2835aux: Fix line mismatch on driver unbind (bsc#1051510).

- serial: ifx6x60: add missed pm_runtime_disable (bsc#1051510).

- serial: pl011: Fix DMA ->flush_buffer() (bsc#1051510).

- serial: serial_core: Perform NULL checks for break_ctl ops (bsc#1051510).

- serial: stm32: fix transmit_chars when tx is stopped (bsc#1051510).

- sfc: Only cancel the PPS workqueue if it exists (networking-stable-19_11_25).

- sh_eth: check sh_eth_cpu_data::dual_port when dumping registers (bsc#1051510).

- sh_eth: fix dumping ARSTR (bsc#1051510).

- sh_eth: fix invalid context bug while calling auto-negotiation by ethtool (bsc#1051510).

- sh_eth: fix invalid context bug while changing link options by ethtool (bsc#1051510).

- sh_eth: fix TSU init on SH7734/R8A7740 (bsc#1051510).

- sh_eth: fix TXALCR1 offsets (bsc#1051510).

- sh_eth: TSU_QTAG0/1 registers the same as TSU_QTAGM0/1 (bsc#1051510).

- smb3: Fix crash in SMB2_open_init due to uninitialized field in compounding path (bsc#1144333).

- smb3: Fix persistent handles reconnect (bsc#1144333).

- smb3: fix refcount underflow warning on unmount when no directory leases (bsc#1144333).

- smb3: remove confusing dmesg when mounting with encryption ('seal') (bsc#1144333).

- soc: renesas: rcar-sysc: Add goto to of_node_put() before return (bsc#1051510).

- spi: tegra114: clear packed bit for unpacked mode (bsc#1051510).

- spi: tegra114: configure dma burst size to fifo trig level (bsc#1051510).

- spi: tegra114: fix for unpacked mode transfers (bsc#1051510).

- spi: tegra114: flush fifos (bsc#1051510).

- spi: tegra114: terminate dma and reset on transfer timeout (bsc#1051510).

- staging: comedi: adv_pci1710: fix AI channels 16-31 for PCI-1713 (bsc#1051510).

- Staging: iio: adt7316: Fix i2c data reading, set the data field (bsc#1051510).

- staging: rtl8188eu: fix interface sanity check (bsc#1051510).

- staging: wlan-ng: ensure error return is actually returned (bsc#1051510).

- tcp: clear tp->packets_out when purging write queue (bsc#1160560).

- tcp: exit if nothing to retransmit on RTO timeout (bsc#1160560, stable 4.14.159).

- tcp: md5: fix potential overestimation of TCP option space (networking-stable-19_12_16).

- tracing: Have the histogram compare functions convert to u64 first (bsc#1160210).

- tracing: xen: Ordered comparison of function pointers (git-fixes).

- tty: n_hdlc: fix build on SPARC (bsc#1051510).

- tty/serial: atmel: Add is_half_duplex helper (bsc#1051510).

- tty: serial: msm_serial: Fix lockup for sysrq and oops (bsc#1051510).

- tty: vt: keyboard: reject invalid keycodes (bsc#1051510).

- USB: Allow USB device to be warm reset in suspended state (bsc#1051510).

- USB: atm: ueagle-atm: add missing endpoint check (bsc#1051510).

- USB: chipidea: host: Disable port power only if previously enabled (bsc#1051510).

- USB: core: hub: Improved device recognition on remote wakeup (bsc#1051510).

- USB: core: urb: fix URB structure initialization function (bsc#1051510).

- USB: documentation: flags on usb-storage versus UAS (bsc#1051510).

- USB: dwc3: debugfs: Properly print/set link state for HS (bsc#1051510).

- USB: dwc3: do not log probe deferrals; but do log other error codes (bsc#1051510).

- USB: dwc3: ep0: Clear started flag on completion (bsc#1051510).

- USB: dwc3: turn off VBUS when leaving host mode (bsc#1051510).

- USB: gadget: f_ecm: Use atomic_t to track in-flight request (bsc#1051510).

- USB: gadget: f_ncm: Use atomic_t to track in-flight request (bsc#1051510).

- USB: gadget: pch_udc: fix use after free (bsc#1051510).

- USB: gadget: u_serial: add missing port entry locking (bsc#1051510).

- USB: gadget: Zero ffs_io_data (bsc#1051510).

- USB: host: xhci-hub: fix extra endianness conversion (bsc#1051510).

- usbip: Fix receive error in vhci-hcd when using scatter-gather (bsc#1051510).

- USB: mtu3: fix dbginfo in qmu_tx_zlp_error_handler (bsc#1051510).

- USB: musb: dma: Correct parameter passed to IRQ handler (bsc#1051510).

- USB: musb: fix idling for suspend after disconnect interrupt (bsc#1051510).

- USB: serial: ch341: handle unbound port at reset_resume (bsc#1051510).

- USB: serial: io_edgeport: add missing active-port sanity check (bsc#1051510).

- USB: serial: io_edgeport: handle unbound ports on URB completion (bsc#1051510).

- USB: serial: io_edgeport: use irqsave() in USB's complete callback (bsc#1051510).

- USB: serial: ir-usb: add missing endpoint sanity check (bsc#1051510).

- USB: serial: ir-usb: fix IrLAP framing (bsc#1051510).

- USB: serial: ir-usb: fix link-speed handling (bsc#1051510).

- USB: serial: keyspan: handle unbound ports (bsc#1051510).

- USB: serial: opticon: fix control-message timeouts (bsc#1051510).

- USB: serial: option: Add support for Quectel RM500Q (bsc#1051510).

- USB: serial: quatech2: handle unbound ports (bsc#1051510).

- USB: serial: simple: Add Motorola Solutions TETRA MTP3xxx and MTP85xx (bsc#1051510).

- USB: serial: suppress driver bind attributes (bsc#1051510).

- USB: typec: tcpci: mask event interrupts when remove driver (bsc#1051510).

- USB: uas: heed CAPACITY_HEURISTICS (bsc#1051510).

- USB: uas: honor flag to avoid CAPACITY16 (bsc#1051510).

- USB: xhci: Fix build warning seen with CONFIG_PM=n (bsc#1051510).

- workqueue: Fix pwq ref leak in rescuer_thread() (bsc#1160211).

- x86/entry/64: Fix unwind hints in kernel exit path (bsc#1058115).

- x86/entry/64: Fix unwind hints in register clearing code (bsc#1058115).

- x86/entry/64: Fix unwind hints in rewind_stack_do_exit() (bsc#1058115).

- x86/entry/64: Fix unwind hints in __switch_to_asm() (bsc#1058115).

- x86/Hyper-V: Allow guests to enable InvariantTSC (bsc#1170621).

- x86/Hyper-V: Free hv_panic_page when fail to register kmsg dump (bsc#1170617).

- x86/Hyper-V: Report crash data in die() when panic_on_oops is set (bsc#1170617).

- x86/Hyper-V: Report crash register data or kmsg before running crash kernel (bsc#1170617).

- x86/Hyper-V: Report crash register data when sysctl_record_panic_msg is not set (bsc#1170617).

- x86/Hyper-V: report value of misc_features (git-fixes).

- x86/Hyper-V: Trigger crash enlightenment only once during system crash (bsc#1170617).

- x86/Hyper-V: Unload vmbus channel in hv panic callback (bsc#1170617).

- x86/kgbd: Use NMI_VECTOR not APIC_DM_NMI (bsc#1114279).

- x86/mce/AMD: Allow any CPU to initialize the smca_banks array (bsc#1114279).

- x86/MCE/AMD: Allow Reserved types to be overwritten in smca_banks (bsc#1114279).

- x86/MCE/AMD: Do not use rdmsr_safe_on_cpu() in smca_configure() (bsc#1114279).

- x86/mce: Fix possibly incorrect severity calculation on AMD (bsc#1114279).

- x86/mm: Split vmalloc_sync_all() (bsc#1165741).

- x86/resctrl: Fix an imbalance in domain_remove_cpu() (bsc#1114279).

- x86/resctrl: Fix potential memory leak (bsc#1114279).

- x86/unwind/orc: Do not skip the first frame for inactive tasks (bsc#1058115).

- x86/unwind/orc: Fix error handling in __unwind_start() (bsc#1058115).

- x86/unwind/orc: Fix error path for bad ORC entry type (bsc#1058115).

- x86/unwind/orc: Fix unwind_get_return_address_ptr() for inactive tasks (bsc#1058115).

- x86/unwind/orc: Prevent unwinding before ORC initialization (bsc#1058115).

- x86/unwind: Prevent false warnings for non-current tasks (bsc#1058115).

- x86/xen: fix booting 32-bit pv guest (bsc#1071995).

- x86/xen: Make the boot CPU idle task reliable (bsc#1071995).

- x86/xen: Make the secondary CPU idle tasks reliable (bsc#1071995).

- xen/blkfront: Adjust indentation in xlvbd_alloc_gendisk (bsc#1065600).

- xen-blkfront: switch kcalloc to kvcalloc for large array allocation (bsc#1160917).

- xfrm: Fix transport mode skb control buffer usage (bsc#1161552).

- xfs: also remove cached ACLs when removing the underlying attr (bsc#1165873).

- xfs: bulkstat should copy lastip whenever userspace supplies one (bsc#1165984).

- xfs: Fix tail rounding in xfs_alloc_file_space() (bsc#1161087, bsc#1153917).

- xhci: Fix memory leak in xhci_add_in_port() (bsc#1051510).

- xhci: fix USB3 device initiated resume race with roothub autosuspend (bsc#1051510).

- xhci: handle some XHCI_TRUST_TX_LENGTH quirks cases as default behaviour (bsc#1051510).

- xhci: make sure interrupts are restored to correct state (bsc#1051510).

- zd1211rw: fix storage endpoint lookup (git-fixes).

1159819,1169746,1171978,CVE-2019-17006,CVE-2020-12399

This update for mozilla-nspr, mozilla-nss fixes the following issues:

mozilla-nss was updated to version 3.53

- CVE-2020-12399: Fixed a timing attack on DSA signature generation (bsc#1171978).

- CVE-2019-17006: Added length checks for cryptographic primitives (bsc#1159819).

Release notes:

mozilla-nspr to version 4.25

1170154,1171546,1171995

This update for cloud-init contains the following fixes:

- rsyslog warning, '~' is deprecated: (bsc#1170154)

+ replace deprecated syntax '& ~' by '& stop' for more information please

see https://www.rsyslog.com/rsyslog-error-2307/.

+ Explicitly test for netconfig version 1 as well as 2.

+ Handle netconfig v2 device configurations (bsc#1171546, bsc#1171995)

1171863,1171864,1171866,1172348,CVE-2020-10543,CVE-2020-10878,CVE-2020-12723

This update for perl fixes the following issues:

- CVE-2020-10543: Fixed a heap buffer overflow in regular expression compiler which could have

allowed overwriting of allocated memory with attacker's data (bsc#1171863).

- CVE-2020-10878: Fixed multiple integer overflows which could have allowed the insertion of

instructions into the compiled form of Perl regular expression (bsc#1171864).

- CVE-2020-12723: Fixed an attacker's corruption of the intermediate language state of a

compiled regular expression (bsc#1171866).

- Fixed a bad warning in features.ph (bsc#1172348).

1157315,1162698,1164538,1169488,1171145,1172072

This update for systemd fixes the following issues:

- Merge branch 'SUSE/v234' into SLE15

units: starting suspend.target should not fail when suspend is successful (bsc#1172072)

core/mount: do not add Before=local-fs.target or remote-fs.target if nofail mount option is set

mount: let mount_add_extras() take care of remote-fs.target deps (bsc#1169488)

mount: set up local-fs.target/remote-fs.target deps in mount_add_default_dependencies() too

udev: rename the persistent link for ATA devices (bsc#1164538)

shared/install: try harder to find enablement symlinks when disabling a unit (bsc#1157315)

tmpfiles: remove unnecessary assert (bsc#1171145)

test-engine: manager_free() was called too early

pid1: by default make user units inherit their umask from the user manager (bsc#1162698)

1173027,CVE-2020-8177

This update for curl fixes the following issues:

- CVE-2020-8177: Fixed an issue where curl could have been tricked by a malicious

server to overwrite a local file when using the -J option (bsc#1173027).

1161573

This update for dracut fixes the following issue:

- Fix dracut timeout on missing root device (bsc#1161573)

1173274,CVE-2020-14422

This update for python3 fixes the following issues:

- CVE-2020-14422: Fixed an improper computation of hash values in the IPv4Interface and IPv6Interface

could have led to denial of service (bsc#1173274).

1082318,1133297

This update for zstd fixes the following issues:

- Fix for build error caused by wrong static libraries. (bsc#1133297)

- Correction in spec file marking the license as documentation. (bsc#1082318)

- Add new package for SLE-15. (jsc#ECO-1886)

1168669,1173032,CVE-2020-12402

This update for mozilla-nss fixes the following issues:

mozilla-nss was updated to version 3.53.1

- CVE-2020-12402: Fixed a potential side channel attack during RSA key generation (bsc#1173032)

- Fixed various FIPS issues in libfreebl3 which were causing segfaults in the test suite of chrony (bsc#1168669).

1169444

This update for fontforge, ghostscript-fonts, ttf-converter, xorg-x11-fonts fixes the following issues:

Changes in fontforge:

- Support transforming bitmap glyphs from python. (bsc#1169444)

- Allow python-Sphinx >= 3

Changes in ttf-converter:

- Update from version 1.0 to version 1.0.6:

* ftdump is now shipped additionally as new dependency for ttf-converter

* Standardize output when converting vector and bitmap fonts

* Add more subfamilies fixes (bsc#1169444)

* Add --family and --subfamily arguments to force values on those fields

* Add parameters to fix glyph unicode values

--fix-glyph-unicode : Try to fix unicode points and glyph names

based on glyph names containing hexadecimal codes (like

'$0C00', 'char12345' or 'uni004F')

--replace-unicode-values: When passed 2 comma separated numbers a,b the glyph with an unicode value of a is replaced with the

unicode value b. Can be used more than once.

--shift-unicode-values: When passed 3 comma separated numbers a,b,c this shifts the unicode values of glyphs between a and b

(both included) by adding c. Can be used more than once.

* Add --bitmapTransform parameter to transform bitmap glyphs. (bsc#1169444)

When used, all glyphs are modified with the transformation function and

values passed as parameters. The parameter has three values separated by

* Add support to convert bitmap fonts (bsc#1169444)

* Rename MediumItalic subfamily to Medium Italic

* Show some more information when removing duplicated glyphs

* Add a --force-monospaced argument instead of hardcoding font names

* Convert `BoldCond` subfamily to `Bold Condensed`

* Fixes for Monospaced fonts and force the Nimbus Mono L font to be Monospaced. (bsc#1169444 #c41)

* Add a --version argument

* Fix subfamily names so the converted font's subfamily match the original ones. (bsc#1169444 #c41)

Changes in xorg-x11-fonts:

- Use ttf-converter 1.0.6 to build an Italic version of cu12.pcf.gz in the converted subpackage

- Include the subfamily in the filename of converted fonts

- Use ttf-converter's new bitmap font support to convert Schumacher Clean and Schumacher Clean Wide (bsc#1169444 #c41)

- Replace some unicode values in cu-pua12.pcf.gz to fix them

- Shift some unicode values in arabic24.pcf.gz and cuarabic12.pcf.gz so glyphs

don't pretend to be latin characters when they're not.

- Don't distribute converted fonts with wrong unicode values in their glyphs. (bsc#1169444)

Bitstream-Charter-*.otb, Cursor.ttf,Sun-OPEN-LOOK-*.otb, MUTT-ClearlyU-Devangari-Extra-Regular,

MUTT-ClearlyU-Ligature-Wide-Regular, and MUTT-ClearlyU-Devanagari-Regular

Changes in ghostscript-fonts:

- Force the converted Nimbus Mono font to be monospaced. (bsc#1169444 #c41)

Use the --force-monospaced argument of ttf-converter 1.0.3

1172698,1172704,CVE-2020-8023

This update for openldap2 fixes the following issues:

- CVE-2020-8023: Fixed a potential local privilege escalation from ldap to root when OPENLDAP_CONFIG_BACKEND='ldap' was used (bsc#1172698).

- Changed DB_CONFIG to root:ldap permissions (bsc#1172704).

1171883

This update for permissions fixes the following issues:

- Removed conflicting entries which might expose pcp to security issues (bsc#1171883)

1130873,1154803,1164543,1165476,1165573,1166610,1167122,1168990,1169947,1170801,1171224,1172135,1172925

This update for libsolv, libzypp, zypper fixes the following issues:

libsolv was updated to 0.7.14:

- Enable zstd compression support

- Support blacklisted packages in solver_findproblemrule()

(bnc#1172135)

- Support rules with multiple negative literals in choice rule

generation

- Fix solvable swapping messing up idarrays

- fix ruleinfo of complex dependencies returning the wrong origin

libzypp was updated to 17.23.7:

- Enable zchunk metadata download if libsolv supports it.

- Older kernel-devel packages are not properly purged (bsc#1171224)

- doc: enhance service plugin example.

- Get retracted patch status from updateinfo data (jsc#SLE-8770)

libsolv injects the indicator provides into packages only.

- remove 'using namespace std;' (bsc#1166610, fixes #218)

- Online doc: add 'Hardware (modalias) dependencies' page

(fixes #216)

- Add HistoryLogReader actionFilter to parse only specific

HistoryActionIDs.

- RepoVariables: Add safe guard in case the caller does not own a

zypp instance.

- Enable c++17. Define libyzpp CXX_STANDARD in ZyppCommon.cmake.

- Fix package status computation regarding unneeded, orphaned, recommended

and suggested packages (broken in 17.23.0) (bsc#1165476)

- Log patch status changes to history (jsc#SLE-5116)

- Allow to disable all WebServer dependent tests when building. OBS

wants to be able to get rid of the nginx/FastCGI-devel build

requirement. Use 'rpmbuild --without mediabackend_tests' or

'cmake -DDISABLE_MEDIABACKEND_TESTS=1'.

- boost: Fix deprecated auto_unit_test.hpp includes.

- Disable zchunk on Leap-15.0 and SLE15-* while there is no libzck.

- Fix decision whether to download ZCHUNK files.

libzypp and libsolv must both be able to read the format.

- yum::Downloader: Prefer zchunk compressed metadata if libvsolv

supports it.

- Selectable: Fix highestAvailableVersionObj if only retracted

packages are available. Avoid using retracted items as candidate

(jsc#SLE-8770)

- RpmDb: Become rpmdb backend independent (jsc#SLE-7272)

- RpmDb: Close API offering a custom rpmdb path

It's actually not needed and for this to work also libsolv needs

to support it. You can sill use a librpmDb::db_const_iterator to

access a database at a custom location (ro).

- Remove legacy rpmV3database conversion code.

- Fix core dump with corrupted history file (bsc#1170801)

zypper was updated to 1.14.37:

- Reformat manpages to workaround asciidoctor shortcomings

(bsc#1154803, bsc#1167122, bsc#1168990)

- Remove undocumented rug legacy stuff.

- Remove 'using namespace std;' (bsc#1166610)

- patch table: Add 'Since' column if history data are available

(jsc#SLE-5116)

- Tag 'retracted' patch status in info and list-patches (jsc#SLE-8770)

- Tag 'R'etracted items in search tabes status columns (jsc#SLE-8770)

- Relax 'Do not allow the abbreviation of cli arguments' in

legacy distibutions (bsc#1164543)

- Correctly detect ambigous switch abbreviations (bsc#1165573)

- zypper-aptitude: don't supplement zypper.

supplementing zypper means zypper-aptitude gets installed by

default and pulls in perl. Neither is desired on small systems.

- Do not allow the abbreviation of cli arguments (bsc#1164543)

- accoring to according in all translation files.

- Always show exception history if available.

- Use default package cache location for temporary repos (bsc#1130873)

- Print switch abbrev warning to stderr (bsc#1172925)

- Fix typo in man page (bsc#1169947)

1173376,1173377,1173378,1173380,CVE-2020-15563,CVE-2020-15565,CVE-2020-15566,CVE-2020-15567

This update for xen fixes the following issues:

- CVE-2020-15563: Fixed inverted code paths in x86 dirty VRAM tracking (bsc#1173377).

- CVE-2020-15565: Fixed insufficient cache write-back under VT-d (bsc#1173378).

- CVE-2020-15566: Fixed incorrect error handling in event channel port allocation (bsc#1173376).

- CVE-2020-15567: Fixed non-atomic modification of live EPT PTE (bsc#1173380).

1164260

This update for parted fixes the following issue:

- fix support of NVDIMM (pmemXs) devices (bsc#1164260)

1172861,1172929

This update for openvswitch fixes the following issues:

- Preserve the old default OVS_USER_ID for users that removed the override at /etc/sysconfig/openvswitch. (bsc#1172861)

- Fix possible changes of openvswitch configuration during upgrades. (bsc#1172929)

1172807

This update for dracut fixes the following issues:

- PXE boot process times out (bsc#1172807)

1168994,1173812,1174463,1174570,CVE-2020-10713,CVE-2020-14308,CVE-2020-14309,CVE-2020-14310,CVE-2020-14311,CVE-2020-15706,CVE-2020-15707

This update for grub2 fixes the following issues:

- Fix for CVE-2020-10713 (bsc#1168994)

- Fix for CVE-2020-14308 CVE-2020-14309, CVE-2020-14310, CVE-2020-14311

(bsc#1173812)

- Fix for CVE-2020-15706 (bsc#1174463)

- Fix for CVE-2020-15707 (bsc#1174570)

- Use overflow checking primitives where the arithmetic expression for buffer

allocations may include unvalidated data

- Use grub_calloc for overflow check and return NULL when it would occur

- Use gcc-9 compiler for overflow check builtins

- Backport gcc-9 build fixes

1156913

This update for diffutils fixes the following issue:

- Disable a sporadically failing test for ppc64 and ppc64le builds. (bsc#1156913)

1173227,1173229,1173422

This update for systemd fixes the following issues:

- migrate-sysconfig-i18n.sh: fixed marker handling (bsc#1173229)

The marker is used to make sure the script is run only once. Instead

of storing it in /usr, use /var which is more appropriate for such

file.

Also make it owned by systemd package.

- Fix inconsistent file modes for some ghost files (bsc#1173227)

Ghost files are assumed by rpm to have mode 000 by default which is

not consistent with file permissions set at runtime.

Also /var/lib/systemd/random-seed was tracked wrongly as a

directory.

Also don't track (ghost) /etc/systemd/system/runlevel*.target

aliases since we're not supposed to track units or aliases user

might define/override.

- Fix build of systemd on openSUSE Leap 15.2 (bsc#1173422)

1051510,1065729,1071995,1104967,1152107,1158755,1162002,1170011,1171078,1171673,1171732,1171868,1172257,1172775,1172781,1172782,1172783,1172999,1173265,1173280,1173514,1173567,1173573,1173659,1173999,1174000,1174115,1174462,1174543,CVE-2019-16746,CVE-2019-20908,CVE-2020-0305,CVE-2020-10766,CVE-2020-10767,CVE-2020-10768,CVE-2020-10769,CVE-2020-10773,CVE-2020-12771,CVE-2020-12888,CVE-2020-13974,CVE-2020-14416,CVE-2020-15393,CVE-2020-15780

The SUSE Linux Enterprise 15 GA LTSS kernel was updated to receive various security and bugfixes.

The following security bugs were fixed:

- CVE-2020-0305: In cdev_get of char_dev.c, there is a possible use-after-free due to a race condition. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation (bnc#1174462).

- CVE-2019-20908: An issue was discovered in drivers/firmware/efi/efi.c where incorrect access permissions for the efivar_ssdt ACPI variable could be used by attackers to bypass lockdown or secure boot restrictions, aka CID-1957a85b0032 (bnc#1173567).

- CVE-2020-15780: An issue was discovered in drivers/acpi/acpi_configfs.c where injection of malicious ACPI tables via configfs could be used by attackers to bypass lockdown and secure boot restrictions, aka CID-75b0cea7bf30 (bnc#1173573).

- CVE-2020-15393: usbtest_disconnect in drivers/usb/misc/usbtest.c had a memory leak, aka CID-28ebeb8db770 (bnc#1173514).

- CVE-2020-12771: btree_gc_coalesce in drivers/md/bcache/btree.c has a deadlock if a coalescing operation fails (bnc#1171732).

- CVE-2019-16746: An issue was discovered in net/wireless/nl80211.c which did not check the length of variable elements in a beacon head, leading to a buffer overflow (bnc#1152107 1173659).

- CVE-2020-12888: The VFIO PCI driver mishandled attempts to access disabled memory space (bnc#1171868).

- CVE-2020-10769: A buffer over-read flaw was found in crypto_authenc_extractkeys in crypto/authenc.c in the IPsec Cryptographic algorithm's module, authenc. When a payload longer than 4 bytes, and is not following 4-byte alignment boundary guidelines, it causes a buffer over-read threat, leading to a system crash. This flaw allowed a local attacker with user privileges to cause a denial of service (bnc#1173265).

- CVE-2020-10773: A kernel stack information leak on s390/s390x was fixed (bnc#1172999).

- CVE-2020-14416: A race condition in tty->disc_data handling in the slip and slcan line discipline could lead to a use-after-free, aka CID-0ace17d56824. This affects drivers/net/slip/slip.c and drivers/net/can/slcan.c (bnc#1162002).

- CVE-2020-10768: Indirect branch speculation could have been enabled after it was force-disabled by the PR_SPEC_FORCE_DISABLE prctl command. (bnc#1172783).

- CVE-2020-10766: Fixed Rogue cross-process SSBD shutdown, where a Linux scheduler logical bug allows an attacker to turn off the SSBD protection. (bnc#1172781).

- CVE-2020-10767: Indirect Branch Prediction Barrier was force-disabled when STIBP is unavailable or enhanced IBRS is available. (bnc#1172782).

- CVE-2020-13974: drivers/tty/vt/keyboard.c had an integer overflow if k_ascii is called several times in a row, aka CID-b86dab054059 (bnc#1172775).

The following non-security bugs were fixed:

- Merge ibmvnic reset fixes (bsc#1158755 ltc#182094).

- block, bfq: add requeue-request hook (bsc#1104967 bsc#1171673).

- block, bfq: postpone rq preparation to insert or merge (bsc#1104967 bsc#1171673).

- ibmvnic: Do not process device remove during device reset (bsc#1065729).

- ibmvnic: Flush existing work items before device removal (bsc#1065729).

- ibmvnic: Harden device login requests (bsc#1170011 ltc#183538).

- ibmvnic: Skip fatal error reset after passive init (bsc#1171078 ltc#184239).

- ibmvnic: continue to init in CRQ reset returns H_CLOSED (bsc#1173280 ltc#185369).

- intel_idle: Graceful probe failure when MWAIT is disabled (bsc#1174115).

- livepatch: Apply vmlinux-specific KLP relocations early (bsc#1071995).

- livepatch: Disallow vmlinux.ko (bsc#1071995).

- livepatch: Make klp_apply_object_relocs static (bsc#1071995).

- livepatch: Prevent module-specific KLP rela sections from referencing vmlinux symbols (bsc#1071995).

- livepatch: Remove .klp.arch (bsc#1071995).

- vfio/pci: Fix SR-IOV VF handling with MMIO blocking (bsc#1051510).

- vfio/pci: Fix SR-IOV VF handling with MMIO blocking (bsc#1174000).

- vfio/pci: Mask buggy SR-IOV VF INTx support (bsc#1051510).

- vfio/pci: Mask buggy SR-IOV VF INTx support (bsc#1173999).

- x86/{mce,mm}: Unmap the entire page if the whole page is affected and poisoned (bsc#1172257).

1172356,1174543

This update for xen fixes the following issues:

- bsc#1174543 - secure boot related fixes

- bsc#1172356 - Not able to hot-plug NIC via virt-manager, asks to attach on next

reboot while it should be live attached

1173338

This update for rsyslog fixes the following issues:

- Fix for logrotate to avoid unexpected exit with coredump after logrotate. (bsc#1173338)

1170475,1170476,1173238,1173240,1173357,1174618,1174847

This update for supportutils-plugin-suse-public-cloud and python3-azuremetadata fixes the following issues:

supportutils-plugin-suse-public-cloud:

- Fixes an error when supportutils-plugin-suse-public-cloud and supportutils-plugin-salt

are installed at the same time (bsc#1174618)

- Sensitive information like credentials (such as access keys) will be removed when the

metadata is being collected (bsc#1170475, bsc#1170476)

python3-azuremetadata:

- Added latest support for `--listapis` and `--api` (bsc#1173238, bsc#1173240)

- Detects when the VM is running in ASM (Azure Classic) and does now handle the condition

to generate the data without requiring access to the full IMDS available, only in ARM

instances (bsc#1173357, bsc#1174847)

1130864,1155911,1160007

This update for SUSEConnect fixes the following issues:

Update from version 0.3.22 to version 0.3.25

- Don't fail de-activation when '-release' package already got removed.

- Fix cloud_provider detection on AWS large instances. (bsc#1160007)

- Forbid de-registration for on-demand Public Cloud instances. (bsc#1155911)

- Setup customer_center on read-only boot system. (bsc#1130864)

1100137,1107238,1171652

This update for zypper-migration-plugin fixes the following issues:

- Fix for an issue when not all release packages are installed after migration. (bsc#1171652)

- Fix for snapper configuration to avoid migration failures. (jira#SLE-7752)

- Fix for the issue when zypper migration tool does not provide a proper exit code if it is not mirrored on registration server. (bsc#1107238)

- Fix for failing salt migration by check for closed standard input. (bsc#1100137)

1171878,1172085

This update for glibc fixes the following issues:

- Fix concurrent changes on nscd aware files appeared by 'getent' when the NSCD cache was enabled. (bsc#1171878, BZ #23178)

- Implement correct locking and cancellation cleanup in syslog functions. (bsc#1172085, BZ #26100)

1174782,1175036,1175060

This update for grub2 fixes the following issues:

- A potential regression has been fixed that would cause systems with an

updated 'grub2' to boot no longer due to a missing 'grub-calloc' linker

symbol. (bsc#1174782)

1155305

This update for sysfsutils fixes the following issue:

- Fix cdev name comparison. (bsc#1155305)

1174091,CVE-2019-20907

This update for python3 fixes the following issues:

- bsc#1174091, CVE-2019-20907: avoiding possible infinite loop in specifically crafted tarball.

1173106,1174011

This update for libzypp fixes the following issues:

- Proactively send credentials if the URL specifes '?auth=basic' and a username.

(bsc#1174011)

- ZYPP_MEDIA_CURL_DEBUG: Strip credentials in header log. (bsc#1174011)

- Completey rework the purge-kernels algorithm. The new code is closer to the original

perl script, grouping the packages by name before applying the keep spec. (bsc#1173106)

- Set ZYPP_RPM_DEBUG=1 to capture verbose rpm command output.

1010996,1071152,1071390,1154871,1174673,973042

This update for ca-certificates-mozilla fixes the following issues:

update to 2.42 state of the Mozilla NSS Certificate store (bsc#1174673)

Removed CAs:

* AddTrust External CA Root

* AddTrust Class 1 CA Root

* LuxTrust Global Root 2

* Staat der Nederlanden Root CA - G2

* Symantec Class 1 Public Primary Certification Authority - G4

* Symantec Class 2 Public Primary Certification Authority - G4

* VeriSign Class 3 Public Primary Certification Authority - G3

Added CAs:

* certSIGN Root CA G2

* e-Szigno Root CA 2017

* Microsoft ECC Root Certificate Authority 2017

* Microsoft RSA Root Certificate Authority 2017

- reverted p11-kit nss trust integration as it breaks in fresh installations (bsc#1154871)

1106843,1113719,941629,CVE-2018-18751

This update for gettext-runtime fixes the following issues:

- Fix boo941629-unnessary-rpath-on-standard-path.patch (bsc#941629)

- Added msgfmt-double-free.patch to fix a double free error

(CVE-2018-18751 bsc#1113719)

- Add patch msgfmt-reset-msg-length-after-remove.patch

which does reset the length of message string after a line

has been removed (bsc#1106843)

1172745,1174421,CVE-2020-15705

This update for grub2 fixes the following issues:

- CVE-2020-15705: Fail kernel validation without shim protocol (bsc#1174421).

- Add fibre channel device's ofpath support to grub-ofpathname and search hint to speed up root device discovery (bsc#1172745).

1172807

This update for dracut fixes the following issue:

- Fix typo in did setup conditional. (bsc#1172807)

1175250,1175251

This update for supportutils-plugin-suse-public-cloud contains the following fix:

- Update to version 1.0.5: (bsc#1175250, bsc#1175251)

+ Query for new GCE initialization code packages

1170964

This update for e2fsprogs fixes the following issues:

- Fix for an issue when system message with placeholders are not properly replaced. (bsc#1170964)

1142733,1146991,1158336,1172195,1172824,1173539

This update for systemd fixes the following issues:

- Improve logging when PID1 fails at setting a namespace up when spawning a command specified by

'Exec*='. (bsc#1172824, bsc#1142733)

pid1: improve message when setting up namespace fails.

execute: let's close glibc syslog channels too.

execute: normalize logging in *execute.c*.

execute: fix typo in error message.

execute: drop explicit *log_open()*/*log_close()* now that it is unnecessary.

execute: make use of the new logging mode in *execute.c*

log: add a mode where we open the log fds for every single log message.

log: let's make use of the fact that our functions return the negative error code for *log_oom()* too.

execute: downgrade a log message ERR → WARNING, since we proceed ignoring its result.

execute: rework logging in *setup_keyring()* to include unit info.

execute: improve and augment execution log messages.

- vconsole-setup: downgrade log message when setting font fails on dummy console. (bsc#1172195 bsc#1173539)

- fix infinite timeout. (bsc#1158336)

- bpf: mount bpffs by default on boot. (bsc#1146991)

- man: explain precedence for options which take a list.

- man: unify titling, fix description of precedence in sysusers.d(5)

- udev-event: fix timeout log messages.

1174551,1174736

This update for zlib provides the following fixes:

- Permit a deflateParams() parameter change as soon as possible. (bsc#1174736)

- Fix DFLTCC not flushing EOBS when creating raw streams. (bsc#1174551)

1175109,CVE-2020-8231

This update for curl fixes the following issues:

- An application that performs multiple requests with libcurl's

multi API and sets the 'CURLOPT_CONNECT_ONLY' option, might in

rare circumstances experience that when subsequently using the

setup connect-only transfer, libcurl will pick and use the wrong

connection and instead pick another one the application has

created since then. [bsc#1175109, CVE-2020-8231]

927831

This update for iputils fixes the following issue:

- ping: Remove workaround for bug in IP_RECVERR on raw sockets. (bsc#927831)

1174154,CVE-2020-15719

This update for openldap2 fixes the following issues:

- bsc#1174154 - CVE-2020-15719 - This resolves an issue with x509

SAN's falling back to CN validation in violation of rfc6125.

1058115,1071995,1154366,1165629,1165631,1171988,1172428,1173798,1174205,1174757,1175112,1175122,1175128,1175204,1175213,1175515,1175518,1175691,1175992,1176069,CVE-2020-10135,CVE-2020-14314,CVE-2020-14331,CVE-2020-14356,CVE-2020-14386,CVE-2020-16166,CVE-2020-1749,CVE-2020-24394

The SUSE Linux Enterprise 15 kernel was updated to receive various security and bugfixes.

The following security bugs were fixed:

- CVE-2020-1749: Use ip6_dst_lookup_flow instead of ip6_dst_lookup (bsc#1165629).

- CVE-2020-14314: Fixed a potential negative array index in do_split() (bsc#1173798).

- CVE-2020-14356: Fixed a null pointer dereference in cgroupv2 subsystem which could have led to privilege escalation (bsc#1175213).

- CVE-2020-14331: Fixed a missing check in vgacon scrollback handling (bsc#1174205).

- CVE-2020-16166: Fixed a potential issue which could have allowed remote attackers to make observations that help to obtain sensitive information about the internal state of the network RNG (bsc#1174757).

- CVE-2020-24394: Fixed an issue which could set incorrect permissions on new filesystem objects when the filesystem lacks ACL support (bsc#1175518).

- CVE-2020-10135: Legacy pairing and secure-connections pairing authentication Bluetooth might have allowed an unauthenticated user to complete authentication without pairing credentials via adjacent access (bsc#1171988).

- CVE-2020-14386: Fixed a potential local privilege escalation via memory corruption (bsc#1176069).

The following non-security bugs were fixed:

- cifs: add support for fallocate mode 0 for non-sparse files (bsc#1175122).

- cifs: allow unlock flock and OFD lock across fork (bsc#1175122).

- cifs_atomic_open(): fix double-put on late allocation failure (bsc#1175122).

- cifs: Avoid doing network I/O while holding cache lock (bsc#1175122).

- cifs: call wake_up(&server->response_q) inside of cifs_reconnect() (bsc#1175122).

- cifs: Clean up DFS referral cache (bsc#1175122).

- cifs: document and cleanup dfs mount (bsc#1172428 bsc#1175122).

- cifs: do not ignore the SYNC flags in getattr (bsc#1175122).

- cifs: do not leak -EAGAIN for stat() during reconnect (bsc#1175122).

- cifs: do not share tcons with DFS (bsc#1175122).

- cifs: ensure correct super block for DFS reconnect (bsc#1175122).

- cifs: fail i/o on soft mounts if sessionsetup errors out (bsc#1175122).

- cifs: fiemap: do not return EINVAL if get nothing (bsc#1175122).

- cifs: Fix an error pointer dereference in cifs_mount() (bsc#1172428 bsc#1175122).

- cifs: fix double free error on share and prefix (bsc#1172428 bsc#1175122).

- cifs: fix leaked reference on requeued write (bsc#1175122).

- cifs: fix NULL dereference in match_prepath (bsc#1175122).

- cifs: Fix null pointer check in cifs_read (bsc#1175122).

- cifs: Fix potential deadlock when updating vol in cifs_reconnect() (bsc#1175122).

- cifs: fix potential mismatch of UNC paths (bsc#1175122).

- cifs: fix rename() by ensuring source handle opened with DELETE bit (bsc#1175122).

- cifs: Fix return value in __update_cache_entry (bsc#1175122).

- cifs: fix soft mounts hanging in the reconnect code (bsc#1175122).

- cifs: Fix task struct use-after-free on reconnect (bsc#1175122).

- cifs: fix uninitialised lease_key in open_shroot() (bsc#1175122).

- cifs: fix unitialized variable poential problem with network I/O cache lock patch (bsc#1175122).

- cifs: Get rid of kstrdup_const()'d paths (bsc#1175122).

- cifs: get rid of unused parameter in reconn_setup_dfs_targets() (bsc#1175122).

- cifs: handle empty list of targets in cifs_reconnect() (bsc#1172428 bsc#1175122).

- cifs: handle hostnames that resolve to same ip in failover (bsc#1175122).

- cifs: handle prefix paths in reconnect (bsc#1175122).

- cifs: handle RESP_GET_DFS_REFERRAL.PathConsumed in reconnect (bsc#1172428 bsc#1175122).

- cifs: improve read performance for page size 64KB & cache=strict & vers=2.1+ (bsc#1175122).

- cifs: Introduce helpers for finding TCP connection (bsc#1175122).

- cifs: make sure we do not overflow the max EA buffer size (bsc#1175122).

- cifs: make use of cap_unix(ses) in cifs_reconnect_tcon() (bsc#1175122).

- cifs: merge __{cifs,smb2}_reconnect[_tcon]() into cifs_tree_connect() (bsc#1172428 bsc#1175122).

- cifs: Merge is_path_valid() into get_normalized_path() (bsc#1175122).

- cifs: minor update to comments around the cifs_tcp_ses_lock mutex (bsc#1175122).

- cifs: only update prefix path of DFS links in cifs_tree_connect() (bsc#1172428 bsc#1175122).

- cifs: Optimize readdir on reparse points (bsc#1175122).

- cifs: potential unintitliazed error code in cifs_getattr() (bsc#1175122).

- cifs: protect updating server->dstaddr with a spinlock (bsc#1175122).

- cifs: reduce number of referral requests in DFS link lookups (bsc#1172428 bsc#1175122).

- cifs: rename reconn_inval_dfs_target() (bsc#1172428 bsc#1175122).

- cifs: set correct max-buffer-size for smb2_ioctl_init() (bsc#1175122).

- cifs: set up next DFS target before generic_ip_connect() (bsc#1175122).

- cifs: use mod_delayed_work() for &server->reconnect if already queued (bsc#1175122).

- cifs: use PTR_ERR_OR_ZERO() to simplify code (bsc#1175122).

- Drivers: hv: vmbus: Only notify Hyper-V for die events that are oops (bsc#1175128).

- ibmvnic: Fix IRQ mapping disposal in error path (bsc#1175112 ltc#187459).

- ip6_tunnel: allow not to count pkts on tstats by passing dev as NULL (bsc#1175515).

- ip_tunnel: allow not to count pkts on tstats by setting skb's dev to NULL (bsc#1175515).

- kabi: hide new parameter of ip6_dst_lookup_flow() (bsc#1165629).

- kabi: mask changes to struct ipv6_stub (bsc#1165629).

- mm: Avoid calling build_all_zonelists_init under hotplug context (bsc#1154366).

- mm, vmstat: reduce zone->lock holding time by /proc/pagetypeinfo (bsc#1175691).

- scripts/git_sort/git_sort.py: add bluetooth/bluetooth-next.git repository

- selftests/livepatch: fix mem leaks in test-klp-shadow-vars (bsc#1071995).

- selftests/livepatch: more verification in test-klp-shadow-vars (bsc#1071995).

- selftests/livepatch: rework test-klp-shadow-vars (bsc#1071995).

- selftests/livepatch: simplify test-klp-callbacks busy target tests (bsc#1071995).

- smb3: fix performance regression with setting mtime (bsc#1175122).

- smb3: query attributes on file close (bsc#1175122).

- smb3: remove unused flag passed into close functions (bsc#1175122).

- Update patch reference for a tipc fix patch (bsc#1175515)

- x86/unwind/orc: Fix ORC for newly forked tasks (bsc#1058115).

1176179,CVE-2020-24977

This update for libxml2 fixes the following issues:

- CVE-2020-24977: Fixed a global-buffer-overflow in xmlEncodeEntitiesInternal (bsc#1176179).

1174443,1174444

This update for cloud-init contains the following fixes:

- Update to version 20.2 (bsc#1174443, bsc#1174444)

+ Remove patches included upstream:

- 0001-Make-tests-work-with-Python-3.8-139.patch

- cloud-init-ostack-metadat-dencode.patch

- cloud-init-use-different-random-src.diff

- cloud-init-long-pass.patch

- cloud-init-mix-static-dhcp.patch

+ Remove patches build switched to Python 3 for all distributions

- cloud-init-python2-sigpipe.patch

- cloud-init-template-py2.patch

+ Add

- cloud-init-after-kvp.diff

- cloud-init-recognize-hpc.patch

+ doc/format: reference make-mime.py instead of an inline script (#334)

+ Add docs about creating parent folders (#330) [Adrian Wilkins]

+ DataSourceNoCloud/OVF: drop claim to support FTP (#333) (LP: #1875470)

+ schema: ignore spurious pylint error (#332)

+ schema: add json schema for write_files module (#152)

+ BSD: find_devs_with_ refactoring (#298) [Goneri Le Bouder]

+ nocloud: drop work around for Linux 2.6 (#324) [Goneri Le Bouder]

+ cloudinit: drop dependencies on unittest2 and contextlib2 (#322)

+ distros: handle a potential mirror filtering error case (#328)

+ log: remove unnecessary import fallback logic (#327)

+ .travis.yml: don't run integration test on ubuntu/* branches (#321)

+ More unit test documentation (#314)

+ conftest: introduce disable_subp_usage autouse fixture (#304)

+ YAML align indent sizes for docs readability (#323) [Tak Nishigori]

+ network_state: add missing space to log message (#325)

+ tests: add missing mocks for get_interfaces_by_mac (#326) (LP: #1873910)

+ test_mounts: expand happy path test for both happy paths (#319)

+ cc_mounts: fix incorrect format specifiers (#316) (LP: #1872836)

+ swap file 'size' being used before checked if str (#315) [Eduardo Otubo]

+ HACKING.rst: add pytest version gotchas section (#311)

+ docs: Add steps to re-run cloud-id and cloud-init (#313) [Joshua Powers]

+ readme: OpenBSD is now supported (#309) [Goneri Le Bouder]

+ net: ignore 'renderer' key in netplan config (#306) (LP: #1870421)

+ Add support for NFS/EFS mounts (#300) [Andrew Beresford] (LP: #1870370)

+ openbsd: set_passwd should not unlock user (#289) [Goneri Le Bouder]

+ tools/.github-cla-signers: add beezly as CLA signer (#301)

+ util: remove unnecessary lru_cache import fallback (#299)

+ HACKING.rst: reorganise/update CLA signature info (#297)

+ distros: drop leading/trailing hyphens from mirror URL labels (#296)

+ HACKING.rst: add note about variable annotations (#295)

+ CiTestCase: stop using and remove sys_exit helper (#283)

+ distros: replace invalid characters in mirror URLs with hyphens (#291)

(LP: #1868232)

+ rbxcloud: gracefully handle arping errors (#262) [Adam Dobrawy]

+ Fix cloud-init ignoring some misdeclared mimetypes in user-data.

[Kurt Garloff]

+ net: ubuntu focal prioritize netplan over eni even if both present

(#267) (LP: #1867029)

+ cloudinit: refactor util.is_ipv4 to net.is_ipv4_address (#292)

+ net/cmdline: replace type comments with annotations (#294)

+ HACKING.rst: add Type Annotations design section (#293)

+ net: introduce is_ip_address function (#288)

+ CiTestCase: remove now-unneeded parse_and_read helper method (#286)

+ .travis.yml: allow 30 minutes of inactivity in cloud tests (#287)

+ sources/tests/test_init: drop use of deprecated inspect.getargspec (#285)

+ setup.py: drop NIH check_output implementation (#282)

+ Identify SAP Converged Cloud as OpenStack [Silvio Knizek]

+ add Openbsd support (#147) [Goneri Le Bouder]

+ HACKING.rst: add examples of the two test class types (#278)

+ VMWware: support to update guest info gc status if enabled (#261)

[xiaofengw-vmware]

+ Add lp-to-git mapping for kgarloff (#279)

+ set_passwords: avoid chpasswd on BSD (#268) [Goneri Le Bouder]

+ HACKING.rst: add Unit Testing design section (#277)

+ util: read_cc_from_cmdline handle urlencoded yaml content (#275)

+ distros/tests/test_init: add tests for _get_package_mirror_info (#272)

+ HACKING.rst: add links to new Code Review Process doc (#276)

+ freebsd: ensure package update works (#273) [Goneri Le Bouder]

+ doc: introduce Code Review Process documentation (#160)

+ tools: use python3 (#274)

+ cc_disk_setup: fix RuntimeError (#270) (LP: #1868327)

+ cc_apt_configure/util: combine search_for_mirror implementations (#271)

+ bsd: boottime does not depend on the libc soname (#269)

[Goneri Le Bouder]

+ test_oracle,DataSourceOracle: sort imports (#266)

+ DataSourceOracle: update .network_config docstring (#257)

+ cloudinit/tests: remove unneeded with_logs configuration (#263)

+ .travis.yml: drop stale comment (#255)

+ .gitignore: add more common directories (#258)

+ ec2: render network on all NICs and add secondary IPs as static (#114)

(LP: #1866930)

+ ec2 json validation: fix the reference to the 'merged_cfg' key (#256)

[Paride Legovini]

+ releases.yaml: quote the Ubuntu version numbers (#254) [Paride Legovini]

+ cloudinit: remove six from packaging/tooling (#253)

+ util/netbsd: drop six usage (#252)

+ workflows: introduce stale pull request workflow (#125)

+ cc_resolv_conf: introduce tests and stabilise output across Python

versions (#251)

+ fix minor issue with resolv_conf template (#144) [andreaf74]

+ doc: CloudInit also support NetBSD (#250) [Goneri Le Bouder]

+ Add Netbsd support (#62) [Goneri Le Bouder]

+ tox.ini: avoid substition syntax that causes a traceback on xenial (#245)

+ Add pub_key_ed25519 to cc_phone_home (#237) [Daniel Hensby]

+ Introduce and use of a list of GitHub usernames that have signed CLA

(#244)

+ workflows/cla.yml: use correct username for CLA check (#243)

+ tox.ini: use xenial version of jsonpatch in CI (#242)

+ workflows: CLA validation altered to fail status on pull_request (#164)

+ tox.ini: bump pyflakes version to 2.1.1 (#239)

+ cloudinit: move to pytest for running tests (#211)

+ instance-data: add cloud-init merged_cfg and sys_info keys to json

(#214) (LP: #1865969)

+ ec2: Do not fallback to IMDSv1 on EC2 (#216)

+ instance-data: write redacted cfg to instance-data.json (#233)

(LP: #1865947)

+ net: support network-config:disabled on the kernel commandline (#232)

(LP: #1862702)

+ ec2: only redact token request headers in logs, avoid altering request

(#230) (LP: #1865882)

+ docs: typo fixed: dta → data [Alexey Vazhnov]

+ Fixes typo on Amazon Web Services (#217) [Nick Wales]

+ Fix docs for OpenStack DMI Asset Tag (#228)

[Mark T. Voelker] (LP: #1669875)

+ Add physical network type: cascading to openstack helpers (#200)

[sab-systems]

+ tests: add focal integration tests for ubuntu (#225)

- From 20.1 (first vesrion after 19.4)

+ ec2: Do not log IMDSv2 token values, instead use REDACTED (#219)

(LP: #1863943)

+ utils: use SystemRandom when generating random password. (#204)

[Dimitri John Ledkov]

+ docs: mount_default_files is a list of 6 items, not 7 (#212)

+ azurecloud: fix issues with instances not starting (#205) (LP: #1861921)

+ unittest: fix stderr leak in cc_set_password random unittest

output. (#208)

+ cc_disk_setup: add swap filesystem force flag (#207)

+ import sysvinit patches from freebsd-ports tree (#161) [Igor Galić]

+ docs: fix typo (#195) [Edwin Kofler]

+ sysconfig: distro-specific config rendering for BOOTPROTO option (#162)

[Robert Schweikert] (LP: #1800854)

+ cloudinit: replace 'from six import X' imports (except in util.py) (#183)

+ run-container: use 'test -n' instead of 'test ! -z' (#202)

[Paride Legovini]

+ net/cmdline: correctly handle static ip= config (#201)

[Dimitri John Ledkov] (LP: #1861412)

+ Replace mock library with unittest.mock (#186)

+ HACKING.rst: update CLA link (#199)

+ Scaleway: Fix DatasourceScaleway to avoid backtrace (#128)

[Louis Bouchard]

+ cloudinit/cmd/devel/net_convert.py: add missing space (#191)

+ tools/run-container: drop support for python2 (#192) [Paride Legovini]

+ Print ssh key fingerprints using sha256 hash (#188) (LP: #1860789)

+ Make the RPM build use Python 3 (#190) [Paride Legovini]

+ cc_set_password: increase random pwlength from 9 to 20 (#189)

(LP: #1860795)

+ .travis.yml: use correct Python version for xenial tests (#185)

+ cloudinit: remove ImportError handling for mock imports (#182)

+ Do not use fallocate in swap file creation on xfs. (#70)

[Eduardo Otubo] (LP: #1781781)

+ .readthedocs.yaml: install cloud-init when building docs (#181)

(LP: #1860450)

+ Introduce an RTD config file, and pin the Sphinx version to the RTD

default (#180)

+ Drop most of the remaining use of six (#179)

+ Start removing dependency on six (#178)

+ Add Rootbox & HyperOne to list of cloud in README (#176) [Adam Dobrawy]

+ docs: add proposed SRU testing procedure (#167)

+ util: rename get_architecture to get_dpkg_architecture (#173)

+ Ensure util.get_architecture() runs only once (#172)

+ Only use gpart if it is the BSD gpart (#131) [Conrad Hoffmann]

+ freebsd: remove superflu exception mapping (#166) [Goneri Le Bouder]

+ ssh_auth_key_fingerprints_disable test: fix capitalization (#165)

[Paride Legovini]

+ util: move uptime's else branch into its own boottime function (#53)

[Igor Galić] (LP: #1853160)

+ workflows: add contributor license agreement checker (#155)

+ net: fix rendering of 'static6' in network config (#77) (LP: #1850988)

+ Make tests work with Python 3.8 (#139) [Conrad Hoffmann]

+ fixed minor bug with mkswap in cc_disk_setup.py (#143) [andreaf74]

+ freebsd: fix create_group() cmd (#146) [Goneri Le Bouder]

+ doc: make apt_update example consistent (#154)

+ doc: add modules page toc with links (#153) (LP: #1852456)

+ Add support for the amazon variant in cloud.cfg.tmpl (#119)

[Frederick Lefebvre]

+ ci: remove Python 2.7 from CI runs (#137)

+ modules: drop cc_snap_config config module (#134)

+ migrate-lp-user-to-github: ensure Launchpad repo exists (#136)

+ docs: add initial troubleshooting to FAQ (#104) [Joshua Powers]

+ doc: update cc_set_hostname frequency and descrip (#109)

[Joshua Powers] (LP: #1827021)

+ freebsd: introduce the freebsd renderer (#61) [Goneri Le Bouder]

+ cc_snappy: remove deprecated module (#127)

+ HACKING.rst: clarify that everyone needs to do the LP->GH dance (#130)

+ freebsd: cloudinit service requires devd (#132) [Goneri Le Bouder]

+ cloud-init: fix capitalisation of SSH (#126)

+ doc: update cc_ssh clarify host and auth keys

[Joshua Powers] (LP: #1827021)

+ ci: emit names of tests run in Travis (#120)

- Disable testing to aid elimination of unittest2 in Factory

1175811,1175830,1175831

This update for zlib fixes the following issues:

- Fix compression level switching (bsc#1175811, bsc#1175830, bsc#1175831)

- Enable hardware compression on s390/s390x (jsc#SLE-13776)

1175568,CVE-2020-8027

This update for openldap2 fixes the following issues:

- CVE-2020-8027: openldap_update_modules_path.sh starts daemons unconditionally and uses fixed paths in /tmp (bsc#1175568).

1173433

This update for rsyslog fixes the following issues:

- Fix the URL for bug reporting. (bsc#1173433)

1176343,1176344,1176345,1176346,1176347,1176348,1176349,1176350,CVE-2020-25595,CVE-2020-25596,CVE-2020-25597,CVE-2020-25599,CVE-2020-25600,CVE-2020-25601,CVE-2020-25603,CVE-2020-25604

This update for xen fixes the following issues:

- CVE-2020-25604: Fixed a race condition when migrating timers between x86

HVM vCPU-s (bsc#1176343,XSA-336)

- CVE-2020-25595: Fixed an issue where PCI passthrough code was reading back hardware registers (bsc#1176344,XSA-337)

- CVE-2020-25597: Fixed an issue where a valid event channels may not turn invalid (bsc#1176346,XSA-338)

- CVE-2020-25596: Fixed a potential denial of service in x86 pv guest kernel via SYSENTER (bsc#1176345,XSA-339)

- CVE-2020-25603: Fixed an issue due to missing barriers when accessing/allocating an event channel (bsc#1176347,XSA-340)

- CVE-2020-25600: Fixed out of bounds event channels available to 32-bit x86 domains (bsc#1176348,XSA-342)

- CVE-2020-25599: Fixed race conditions with evtchn_reset() (bsc#1176349,XSA-343)

- CVE-2020-25601: Fixed an issue due to lack of preemption in evtchn_reset() / evtchn_destroy() (bsc#1176350,XSA-344)

1161335,1176625

This update for permissions fixes the following issues:

- whitelist WMP (bsc#1161335, bsc#1176625)

1165424,1173273,1173529,1174240,1174561,1174918,1175342,1175592

This update for libzypp, zypper provides the following fixes:

Changes in libzypp:

- VendorAttr: Const-correct API and let Target provide its settings. (bsc#1174918)

- Support buildnr with commit hash in purge-kernels. This adds special behaviour for when

a kernel version has the rebuild counter before the kernel commit hash. (bsc#1175342)

- Improve Italian translation of the 'breaking dependencies' message. (bsc#1173529)

- Make sure reading from lsof does not block forever. (bsc#1174240)

- Just collect details for the signatures found.

Changes in zypper:

- man: Enhance description of the global package cache. (bsc#1175592)

- man: Point out that plain rpm packages are not downloaded to the global package cache.

(bsc#1173273)

- Directly list subcommands in 'zypper help'. (bsc#1165424)

- Remove extern C block wrapping augeas.h as it breaks the build on Arch Linux.

- Point out that plaindir repos do not follow symlinks. (bsc#1174561)

- Fix help command for list-patches.

1170347,1176759

This update for suse-build-key fixes the following issues:

- The SUSE Notary Container key is different from the build signing

key, include this key instead as suse-container-key. (PM-1845 bsc#1170347)

- The SUSE build key for SUSE Linux Enterprise 12 and 15 is extended by 4 more years. (bsc#1176759)

1011548,1153943,1153946,1161239,1171762

This update for aaa_base fixes the following issues:

- DIR_COLORS (bug#1006973):

- add screen.xterm-256color

- add TERM rxvt-unicode-256color

- sort and merge TERM entries in etc/DIR_COLORS

- check for Packages.db and use this instead of Packages. (bsc#1171762)

- Rename path() to _path() to avoid using a general name.

- refresh_initrd call modprobe as /sbin/modprobe (bsc#1011548)

- etc/profile add some missing ;; in case esac statements

- profile and csh.login: on s390x set TERM to dumb on dumb terminal (bsc#1153946)

- backup-rpmdb: exit if zypper is running (bsc#1161239)

- Add color alias for ip command (jsc#sle-9880, jsc#SLE-7679, bsc#1153943)

1176410,1177143,CVE-2020-25219,CVE-2020-26154

This update for libproxy fixes the following issues:

- CVE-2020-25219: Rewrote url::recvline to be nonrecursive (bsc#1176410).

- CVE-2020-26154: Fixed a buffer overflow when PAC is enabled (bsc#1177143).

1100369,1109160,1118367,1118368,1128220,1156205,1157051,1161168,1170667,1170713,1171313,1171740,1172958,1173307,1173311,1173983,1175443,1176092,1176674,906079,CVE-2017-3136,CVE-2018-5741,CVE-2019-6477,CVE-2020-8616,CVE-2020-8617,CVE-2020-8618,CVE-2020-8619,CVE-2020-8620,CVE-2020-8621,CVE-2020-8622,CVE-2020-8623,CVE-2020-8624

This update for bind fixes the following issues:

BIND was upgraded to version 9.16.6:

Note:

- bind is now more strict in regards to DNSSEC. If queries are not working,

check for DNSSEC issues. For instance, if bind is used in a namserver

forwarder chain, the forwarding DNS servers must support DNSSEC.

Fixing security issues:

- CVE-2020-8616: Further limit the number of queries that can be triggered from

a request. Root and TLD servers are no longer exempt

from max-recursion-queries. Fetches for missing name server. (bsc#1171740)

Address records are limited to 4 for any domain.

- CVE-2020-8617: Replaying a TSIG BADTIME response as a request could trigger an

assertion failure. (bsc#1171740)

- CVE-2019-6477: Fixed an issue where TCP-pipelined queries could bypass

the tcp-clients limit (bsc#1157051).

- CVE-2018-5741: Fixed the documentation (bsc#1109160).

- CVE-2020-8618: It was possible to trigger an INSIST when determining

whether a record would fit into a TCP message buffer (bsc#1172958).

- CVE-2020-8619: It was possible to trigger an INSIST in

lib/dns/rbtdb.c:new_reference() with a particular zone content

and query patterns (bsc#1172958).

- CVE-2020-8624: 'update-policy' rules of type 'subdomain' were

incorrectly treated as 'zonesub' rules, which allowed

keys used in 'subdomain' rules to update names outside

of the specified subdomains. The problem was fixed by

making sure 'subdomain' rules are again processed as

described in the ARM (bsc#1175443).

- CVE-2020-8623: When BIND 9 was compiled with native PKCS#11 support, it

was possible to trigger an assertion failure in code

determining the number of bits in the PKCS#11 RSA public

key with a specially crafted packet (bsc#1175443).

- CVE-2020-8621: named could crash in certain query resolution scenarios

where QNAME minimization and forwarding were both

enabled (bsc#1175443).

- CVE-2020-8620: It was possible to trigger an assertion failure by

sending a specially crafted large TCP DNS message (bsc#1175443).

- CVE-2020-8622: It was possible to trigger an assertion failure when

verifying the response to a TSIG-signed request (bsc#1175443).

Other issues fixed:

- Add engine support to OpenSSL EdDSA implementation.

- Add engine support to OpenSSL ECDSA implementation.

- Update PKCS#11 EdDSA implementation to PKCS#11 v3.0.

- Warn about AXFR streams with inconsistent message IDs.

- Make ISC rwlock implementation the default again.

- Fixed issues when using cookie-secrets for AES and SHA2 (bsc#1161168)

- Installed the default files in /var/lib/named and created

chroot environment on systems using transactional-updates (bsc#1100369, fate#325524)

- Fixed an issue where bind was not working in FIPS mode (bsc#906079).

- Fixed dependency issues (bsc#1118367 and bsc#1118368).

- GeoIP support is now discontinued, now GeoIP2 is used(bsc#1156205).

- Fixed an issue with FIPS (bsc#1128220).

- The liblwres library is discontinued upstream and is no longer included.

- Added service dependency on NTP to make sure the clock is accurate when bind is starts (bsc#1170667, bsc#1170713).

- Reject DS records at the zone apex when loading master files. Log but otherwise ignore attempts to add DS records at the zone apex via UPDATE.

- The default value of 'max-stale-ttl' has been changed from 1 week to 12 hours.

- Zone timers are now exported via statistics channel.

- The 'primary' and 'secondary' keywords, when used as parameters for 'check-names', were not processed correctly and were being ignored.

- 'rndc dnstap -roll ' did not limit the number of saved files to .

- Add 'rndc dnssec -status' command.

- Addressed a couple of situations where named could crash.

- Changed /var/lib/named to owner root:named and perms rwxrwxr-t

so that named, being a/the only member of the 'named' group

has full r/w access yet cannot change directories owned by root

in the case of a compromized named.

[bsc#1173307, bind-chrootenv.conf]

- Added '/etc/bind.keys' to NAMED_CONF_INCLUDE_FILES in /etc/sysconfig/named to suppress warning message re missing file (bsc#1173983).

- Removed '-r /dev/urandom' from all invocations of rndc-confgen

(init/named system/lwresd.init system/named.init in vendor-files)

as this option is deprecated and causes rndc-confgen to fail.

(bsc#1173311, bsc#1176674, bsc#1170713)

- /usr/bin/genDDNSkey: Removing the use of the -r option in the call

of /usr/sbin/dnssec-keygen as BIND now uses the random number

functions provided by the crypto library (i.e., OpenSSL or a

PKCS#11 provider) as a source of randomness rather than /dev/random.

Therefore the -r command line option no longer has any effect on

dnssec-keygen. Leaving the option in genDDNSkey as to not break

compatibility. Patch provided by Stefan Eisenwiener.

[bsc#1171313]

- Put libns into a separate subpackage to avoid file conflicts

in the libisc subpackage due to different sonums (bsc#1176092).

- Require /sbin/start_daemon: both init scripts, the one used in

systemd context as well as legacy sysv, make use of start_daemon.

1172798,1172846,1173972,1174753,1174817,1175168,CVE-2020-13844

This update for gcc10, nvptx-tools fixes the following issues:

This update provides the GCC10 compiler suite and runtime libraries.

The base SUSE Linux Enterprise libraries libgcc_s1, libstdc++6 are replaced by

the gcc10 variants.

The new compiler variants are available with '-10' suffix, you can specify them

via:

CC=gcc-10

CXX=g++-10

or similar commands.

For a detailed changelog check out https://gcc.gnu.org/gcc-10/changes.html

Changes in nvptx-tools:

- Enable build on aarch64

1176142

This update for gettext-runtime fixes the following issues:

- Fix for an issue when 'xgettext' crashes during creating a 'POT' file. (bsc#1176142)

1158830

This update for procps fixes the following issues:

- Fixes an issue when command 'ps -C' does not allow anymore an argument longer than 15 characters. (bsc#1158830)

1175847,1177479

This update for openssl-1_1 fixes the following issues:

FIPS:

* Adjust the Diffie-Hellman and Elliptic Curve Diffie-Hellman algorithms to be NIST SP800-56Arev3 compliant (bsc#1175847, bsc#1177479).

* Add shared secret KAT to FIPS DH selftest (bsc#1175847).

1176173

This update for mozilla-nss fixes the following issue:

- FIPS: Adjust the Diffie-Hellman and Elliptic Curve Diffie-Hellman algorithms to be

NIST SP800-56Arev3 compliant (bsc#1176173).

1176123

This update for file fixes the following issues:

- Fixes an issue when file displays broken 'ELF' interpreter. (bsc#1176123)

1176086,1176181,1176671,CVE-2020-24659

This update for gnutls fixes the following issues:

- Fix heap buffer overflow in handshake with no_renegotiation alert sent (CVE-2020-24659 bsc#1176181)

- FIPS: Implement (EC)DH requirements from SP800-56Arev3 (bsc#1176086)

- FIPS: Use 2048 bit prime in DH selftest (bsc#1176086)

- FIPS: Add TLS KDF selftest (bsc#1176671)

1171806

This update for chrony fixes the following issues:

- Integrate three upstream patches to fix an infinite loop in chronyc. (bsc#1171806)

1177914,CVE-2020-15999

This update for freetype2 fixes the following issues:

- CVE-2020-15999: fixed a heap buffer overflow found in the handling of embedded PNG bitmaps (bsc#1177914).

1174918,1176192,1176435,1176712,1176740,1176902,1177238,935885

This update for libsolv, libzypp, yaml-cpp, zypper fixes the following issues:

libzypp was updated to 17.25.1:

- When kernel-rt has been installed, the purge-kernels service fails during boot. (bsc#1176902)

- Use package name provides as group key in purge-kernel (bsc#1176740 bsc#1176192)

kernel-default-base has new packaging, where the kernel uname -r

does not reflect the full package version anymore. This patch

adds additional logic to use the most generic/shortest edition

each package provides with %{packagename}= to group the

kernel packages instead of the rpm versions.

This also changes how the keep-spec for specific versions is

applied, instead of matching the package versions, each of the

package name provides will be matched.

- RepoInfo: Return the type of the local metadata cache as

fallback (bsc#1176435)

- VendorAttr: Fix broken 'suse,opensuse' equivalence handling.

Enhance API and testcases. (bsc#1174918)

- Update docs regarding 'opensuse' namepace matching.

- Link against libzstd to close libsolvs open references

(as we link statically)

yaml-cpp:

- The libyaml-cpp0_6 library package is added the to the Basesystem module, LTSS and ESPOS

channels, and the INSTALLER channels, as a new libzypp dependency.

No source changes were done to yaml-cpp.

zypper was updated to 1.14.40:

- info: Assume descriptions starting with '

' are richtext

(bsc#935885)

- help: prevent 'whatis' from writing to stderr (bsc#1176712)

- wp: point out that command is aliased to a search command and

searches case-insensitive (jsc#SLE-16271)

libsolv was updated to 0.7.15 to fix:

- make testcase_mangle_repo_names deal correctly with freed repos

[bsc#1177238]

- fix deduceq2addedmap clearing bits outside of the map

- conda: feature depriorization first

- conda: fix startswith implementation

- move find_update_seeds() call in cleandeps calculation

- set SOLVABLE_BUILDHOST in rpm and rpmmd parsers- new testcase_mangle_repo_names() function

- new solv_fmemopen() function

1177409,1177412,1177413,1177414,CVE-2020-27670,CVE-2020-27671,CVE-2020-27672,CVE-2020-27673

This update for xen fixes the following issues:

- bsc#1177409 - VUL-0: CVE-2020-27673: xen: x86 PV guest INVLPG-like flushes may leave stale TLB entries (XSA-286)

- bsc#1177412 - VUL-0: CVE-2020-27672: xen: Race condition in Xen mapping code (XSA-345)

- bsc#1177413 - VUL-0: CVE-2020-27671: xen: undue deferral of IOMMU TLB flushes (XSA-346)

- bsc#1177414 - VUL-0: CVE-2020-27670: xen: unsafe AMD IOMMU page table updates (XSA-347)

1176155

This update for catatonit fixes the following issues:

- Fixes an issue when catatonit hangs when process dies in very specific way. (bsc#1176155)

1177460

This update for timezone fixes the following issues:

- timezone update 2020b (bsc#1177460)

* Revised predictions for Morocco's changes starting in 2023.

* Canada's Yukon changes to -07 on 2020-11-01, not 2020-03-08.

* Macquarie Island has stayed in sync with Tasmania since 2011.

* Casey, Antarctica is at +08 in winter and +11 in summer.

* zic no longer supports -y, nor the TYPE field of Rules.

1177526

This update for cloud-init fixes the following issues:

- Update cloud-init-write-routes.patch (bsc#1177526)

+ Avoid exception if no gateway information is present and warning

is triggered for existing routing.

1177460,1178346,1178350,1178353

This update for timezone fixes the following issues:

- Generate 'fat' timezone files (was default before 2020b). (bsc#1178346, bsc#1178350, bsc#1178353)

- Palestine ends DST earlier than predicted, on 2020-10-24. (bsc#1177460)

- Fiji starts DST later than usual, on 2020-12-20. (bsc#1177460)

1104902,1154935,1165502,1167471,1173422,1176513,1176800

This update for systemd fixes the following issues:

- seccomp: shm{get,at,dt} now have their own numbers everywhere (bsc#1173422)

- test-seccomp: log function names

- test-seccomp: add log messages when skipping tests

- basic/virt: Detect PowerVM hypervisor (bsc#1176800)

- fs-util: suppress world-writable warnings if we read /dev/null

- udevadm: rename option '--log-priority' into '--log-level'

- udev: rename kernel option 'log_priority' into 'log_level'

- fstab-generator: add 'nofail' when NFS 'bg' option is used (bsc#1176513)

- Fix memory protection default (bsc#1167471)

- cgroup: Support 0-value for memory protection directives and accepts MemorySwapMax=0 (bsc#1154935)

- Improve latency and reliability when users log in/out (bsc#1104902, bsc#1165502)

1155027

This update for SUSEConnect fixes the following issues:

- Recognize more formats when parsing the '.curlrc' for proxy credentials. (bsc#1155027)

- Add 'rpmlintrc' to filter false-positive warning about patch not applied

- Extend the YaST API in order to access to the package search functionality. (jsc#SLE-9109)

1177864

This update for ca-certificates-mozilla fixes the following issues:

The SSL Root CA store was updated to the 2.44 state of the Mozilla NSS Certificate store (bsc#1177864)

- Removed CAs:

- EE Certification Centre Root CA

- Taiwan GRCA

- Added CAs:

- Trustwave Global Certification Authority

- Trustwave Global ECC P256 Certification Authority

- Trustwave Global ECC P384 Certification Authority

1174697,1176173

This update for mozilla-nss fixes the following issues:

- Fixes an issue for Mozilla Firefox which has failed in fips mode (bsc#1174697)

- FIPS: Adjust the Diffie-Hellman and Elliptic Curve Diffie-Hellman algorithms to be

NIST SP800-56Arev3 compliant (bsc#1176173).

1175894,1177603,1177790,1177913,1177915,1178078

This update for bind fixes the following issues:

- Add '/usr/lib64/named' to the files and directories in bind config to include external plugins for chroot. (bsc#1178078)

- Replaced named's dependency on time-sync with a dependency on time-set in 'named.service' to avoid a dependency-loop. (bsc#1177790)

- Removed 'dnssec-enable' from named.conf as it has been obsoleted and may break. (bsc#1177915)

- Added a comment for reference which should be removed in the future. (bsc#1177603)

- Added a comment to the 'dnssec-validation' in named.conf with a reference to forwarders which do not return signed responses. (bsc#1175894)

- Replaced an INSIST macro which calls abort with a test and a diagnostic output. (bsc#1177913)

1174232

This update for findutils fixes the following issues:

- Do not unconditionally use leaf optimization for NFS. (bsc#1174232)

NFS st_nlink are not accurate on all implementations, leading to aborts() if that assumption is made.

1177939

This update for openssh fixes the following issues:

- Ensure that only approved DH parameters are used in FIPS mode, to meet NIST 800-56arev3 restrictions. (bsc#1177939).

1178387,CVE-2020-25692

This update for openldap2 fixes the following issues:

- CVE-2020-25692: Fixed an unauthenticated remote denial of service due to incorrect validation of modrdn equality rules (bsc#1178387).

1174918,1176192,1176435,1176712,1176740,1176902,1177238,935885

This update for libsolv, libzypp, zypper fixes the following issues:

libzypp was updated to 17.25.1:

- Fix bsc#1176902: When kernel-rt has been installed, the

purge-kernels service fails during boot.

- Use package name provides as group key in purge-kernel

(bsc#1176740 bsc#1176192)

kernel-default-base has new packaging, where the kernel uname -r

does not reflect the full package version anymore. This patch

adds additional logic to use the most generic/shortest edition

each package provides with %{packagename}= to group the

kernel packages instead of the rpm versions.

This also changes how the keep-spec for specific versions is

applied, instead of matching the package versions, each of the

package name provides will be matched.

- RepoInfo: Return the type of the local metadata cache as

fallback (bsc#1176435)

- VendorAttr: Fix broken 'suse,opensuse' equivalence handling.

Enhance API and testcases. (bsc#1174918)

- Update docs regarding 'opensuse' namepace matching.

- New solver testcase format.

- Link against libzsd to close libsolvs open references

(as we link statically)

zypper was updated to 1.14.40:

- info: Assume descriptions starting with '

' are richtext

(bsc#935885)

- help: prevent 'whatis' from writing to stderr (bsc#1176712)

- wp: point out that command is aliased to a search command and

searches case-insensitive (jsc#SLE-16271)

libsolv was updated to 0.7.16:

- do not ask the namespace callback for splitprovides when writing

a testcase

- fix add_complex_recommends() selecting conflicted packages in

rare cases leading to crashes

- improve choicerule generation so that package updates are

prefered in more cases

- make testcase_mangle_repo_names deal correctly with freed repos

[bsc#1177238]

- fix deduceq2addedmap clearing bits outside of the map

- conda: feature depriorization first

- conda: fix startswith implementation

- move find_update_seeds() call in cleandeps calculation

- set SOLVABLE_BUILDHOST in rpm and rpmmd parsers- new testcase_mangle_repo_names() function

- new solv_fmemopen() function

1178466,CVE-2020-8037

This update for tcpdump fixes the following issues:

- CVE-2020-8037: Fixed an issue where PPP decapsulator did not allocate the right buffer size (bsc#1178466).

1178512,CVE-2020-28196

This update for krb5 fixes the following security issue:

- CVE-2020-28196: Fixed an unbounded recursion via an ASN.1-encoded Kerberos message (bsc#1178512).

1177458,1177490,1177510

This update for systemd fixes the following issues:

- build-sys: optionally disable support of journal over the network (bsc#1177458)

- ask-password: prevent buffer overflow when reading from keyring (bsc#1177510)

- mount: don't propagate errors from mount_setup_unit() further up

- Rely on the new build option --disable-remote for journal_remote

This allows to drop the workaround that consisted in cleaning journal-upload files and

{sysusers.d,tmpfiles.d}/systemd-remote.conf manually when 'journal_remote' support was disabled.

- Move journal-{remote,upload}.conf.5.gz man pages into systemd-journal_remote sub package

- Make sure {sysusers.d,tmpfiles.d}/systemd-remote.conf are not shipped with --without=journal_remote (bsc#1177458)

These files were incorrectly packaged in the main package when systemd-journal_remote was disabled.

- Make use of %{_unitdir} and %{_sysusersdir}

- Remove mq-deadline selection from 60-io-scheduler.rules (bsc#1177490)

1177950,1178591,CVE-2020-28368

This update for xen fixes the following issues:

Security issue fixed:

- CVE-2020-28368: Fixed the Intel RAPL sidechannel attack, aka PLATYPUS attack, aka XSA-351 (bsc#1178591).

Non-security issue fixed:

- Adjusted help for --max_iters, default is 5 (bsc#1177950).

1177983

This update for bind fixes the following issue:

- Build the 'Administrator Reference Manual' which is built using python3-Sphinx (bsc#1177983)

1174593,1177858,1178727

This update for pam and sudo fixes the following issue:

pam:

- pam_xauth: do not *free* a string which has been successfully passed to *putenv*. (bsc#1177858)

- Initialize the local variable *daysleft* to avoid a misleading warning for password expire days. (bsc#1178727)

- Run /usr/bin/xauth using the old user's and group's identifiers. (bsc#1174593)

sudo:

- Fix a problem with pam_xauth which checks effective and real uids to get the real identity of the user. (bsc#1174593)

1172952,1176062,1177957,1178278

This update for grub2 fixes the following issues:

- Fixed an issue, where the https boot was interrupted by an unrecognized network address

error message (bsc#1172952)

- Improve the error handling when grub2-install fails with short mbr gap (bsc#1176062)

- Fixed an error in grub2-install where it exited with 'failed to get canonical path

of `/boot/grub2/i386-pc'.' (bsc#1177957)

- Fixed a boot failure issue on blocklist installations (bsc#1178278)

1178882,CVE-2020-8277

This update for c-ares fixes the following issues:

- Version update to 1.17.0

* CVE-2020-8277: Fixed a Denial of Service through DNS request (bsc#1178882)

* For further details see https://c-ares.org/changelog.html

1166602,1173256,1174564,1176549

This update for vim doesn't fix any user visible issues and it is optional to install.

- Introduce vim-small package with reduced requirements for small installations (bsc#1166602).

- Stop owning /etc/vimrc so the old, distro provided config actually gets removed.

- Own some dirs in vim-data-common so installation of vim-small doesn't leave not owned directories. (bsc#1173256)

- Add vi as slave to update-alternatives so that every package has a matching 'vi' symlink. (bsc#1174564, bsc#1176549)

1051510,1058115,1065600,1131277,1160947,1161360,1163524,1166965,1170232,1170415,1171417,1172073,1172366,1173115,1173233,1175306,1175721,1175749,1175882,1176011,1176235,1176278,1176381,1176423,1176482,1176485,1176698,1176721,1176722,1176723,1176725,1176732,1176877,1176907,1176922,1176990,1177027,1177086,1177121,1177165,1177206,1177226,1177410,1177411,1177470,1177511,1177513,1177724,1177725,1177766,1178003,1178123,1178330,1178393,1178622,1178765,1178782,1178838,CVE-2020-0404,CVE-2020-0427,CVE-2020-0430,CVE-2020-0431,CVE-2020-0432,CVE-2020-12351,CVE-2020-12352,CVE-2020-14351,CVE-2020-14381,CVE-2020-14390,CVE-2020-16120,CVE-2020-25212,CVE-2020-25284,CVE-2020-25285,CVE-2020-25641,CVE-2020-25643,CVE-2020-25645,CVE-2020-25656,CVE-2020-25668,CVE-2020-25704,CVE-2020-25705,CVE-2020-26088,CVE-2020-27673,CVE-2020-27675,CVE-2020-8694

The SUSE Linux Enterprise 15 LTSS kernel was updated to receive various security and bug fixes.

The following security bugs were fixed:

- CVE-2020-25705: A flaw in the way reply ICMP packets are limited in was found that allowed to quickly scan open UDP ports. This flaw allowed an off-path remote user to effectively bypassing source port UDP randomization. The highest threat from this vulnerability is to confidentiality and possibly integrity, because software and services that rely on UDP source port randomization (like DNS) are indirectly affected as well. Kernel versions may be vulnerable to this issue (bsc#1175721, bsc#1178782).

- CVE-2020-25704: Fixed a memory leak in perf_event_parse_addr_filter() (bsc#1178393).

- CVE-2020-25668: Fixed a use-after-free in con_font_op() (bnc#1178123).

- CVE-2020-25656: Fixed a concurrency use-after-free in vt_do_kdgkb_ioctl (bnc#1177766).

- CVE-2020-25285: Fixed a race condition between hugetlb sysctl handlers in mm/hugetlb.c (bnc#1176485).

- CVE-2020-0430: Fixed an OOB read in skb_headlen of /include/linux/skbuff.h (bnc#1176723).

- CVE-2020-14351: Fixed a race in the perf_mmap_close() function (bsc#1177086).

- CVE-2020-16120: Fixed permission check to open real file when using overlayfs. It was possible to have a file not readable by an unprivileged user be copied to a mountpoint controlled by that user and then be able to access the file (bsc#1177470).

- CVE-2020-8694: Restricted energy meter to root access (bsc#1170415).

- CVE-2020-12351: Fixed a type confusion while processing AMP packets aka 'BleedingTooth' aka 'BadKarma' (bsc#1177724).

- CVE-2020-12352: Fixed an information leak when processing certain AMP packets aka 'BleedingTooth' (bsc#1177725).

- CVE-2020-25212: Fixed getxattr kernel panic and memory overflow (bsc#1176381).

- CVE-2020-25645: Fixed an an issue in IPsec that caused traffic between two Geneve endpoints to be unencrypted (bnc#1177511).

- CVE-2020-2521: Fixed getxattr kernel panic and memory overflow (bsc#1176381).

- CVE-2020-14381: Fixed a use-after-free in the fast user mutex (futex) wait operation, which could have lead to memory corruption and possibly privilege escalation (bsc#1176011).

- CVE-2020-25643: Fixed a memory corruption and a read overflow which could have caused by improper input validation in the ppp_cp_parse_cr function (bsc#1177206).

- CVE-2020-25641: Fixed a zero-length biovec request issued by the block subsystem could have caused the kernel to enter an infinite loop, causing a denial of service (bsc#1177121).

- CVE-2020-26088: Fixed an improper CAP_NET_RAW check in NFC socket creation could have been used by local attackers to create raw sockets, bypassing security mechanisms (bsc#1176990).

- CVE-2020-14390: Fixed an out-of-bounds memory write leading to memory corruption or a denial of service when changing screen size (bnc#1176235).

- CVE-2020-0432: Fixed an out of bounds write due to an integer overflow (bsc#1176721).

- CVE-2020-0427: Fixed an out of bounds read due to a use after free (bsc#1176725).

- CVE-2020-0431: Fixed an out of bounds write due to a missing bounds check (bsc#1176722).

- CVE-2020-0404: Fixed a linked list corruption due to an unusual root cause (bsc#1176423).

- CVE-2020-25284: Fixed an incomplete permission checking for access to rbd devices, which could have been leveraged by local attackers to map or unmap rbd block devices (bsc#1176482).

- CVE-2020-27673: Fixed an issue where rogue guests could have caused denial of service of Dom0 via high frequency events (XSA-332 bsc#1177411)

- CVE-2020-27675: Fixed a race condition in event handler which may crash dom0 (XSA-331 bsc#1177410).

The following non-security bugs were fixed:

- btrfs: cleanup root usage by btrfs_get_alloc_profile (bsc#1131277).

- btrfs: reloc: clear DEAD_RELOC_TREE bit for orphan roots to prevent runaway balance (bsc#1171417 bsc#1160947 bsc#1172366 bsc#1176922).

- btrfs: reloc: fix reloc root leak and NULL pointer dereference (bsc#1171417 bsc#1160947 bsc#1172366 bsc#1176922).

- btrfs: remove root usage from can_overcommit (bsc#1131277).

- hyperv_fb: disable superfluous VERSION_WIN10_V5 case (bsc#1175306).

- hyperv_fb: Update screen_info after removing old framebuffer (bsc#1175306).

- livepatch: Add -fdump-ipa-clones to build (). Add support for -fdump-ipa-clones GCC option. Update config files accordingly.

- livepatch: Test if -fdump-ipa-clones is really available As of now we add -fdump-ipa-clones unconditionally. It does not cause a trouble if the kernel is build with the supported toolchain. Otherwise it could fail easily. Do the correct thing and test for the availability.

- powerpc/pseries/cpuidle: add polling idle for shared processor guests (bsc#1178765 ltc#188968).

- scsi: qla2xxx: Do not consume srb greedily (bsc#1173233).

- scsi: qla2xxx: Handle incorrect entry_type entries (bsc#1173233).

- video: hyperv: hyperv_fb: Obtain screen resolution from Hyper-V host (bsc#1175306).

- video: hyperv: hyperv_fb: Support deferred IO for Hyper-V frame buffer driver (bsc#1175306).

- video: hyperv: hyperv_fb: Use physical memory for fb on HyperV Gen 1 VMs (bsc#1175306).

- x86/hyperv: Create and use Hyper-V page definitions (bsc#1176877).

- x86/kexec: Use up-to-dated screen_info copy to fill boot params (bsc#1175306).

- x86/unwind/orc: Fix inactive tasks with stack pointer in %sp on GCC 10 compiled kernels (bsc#1058115 bsc#1176907).

- xen/blkback: use lateeoi irq binding (XSA-332 bsc#1177411).

- xen: do not reschedule in preemption off sections (bsc#1175749).

- xen/events: add a new 'late EOI' evtchn framework (XSA-332 bsc#1177411).

- xen/events: add a proper barrier to 2-level uevent unmasking (XSA-332 bsc#1177411).

- xen/events: avoid removing an event channel while handling it (XSA-331 bsc#1177410).

- xen/events: block rogue events for some time (XSA-332 bsc#1177411).

- xen/events: defer eoi in case of excessive number of events (XSA-332 bsc#1177411).

- xen/events: do not use chip_data for legacy IRQs (XSA-332 bsc#1065600).

- xen/events: fix race in evtchn_fifo_unmask() (XSA-332 bsc#1177411).

- xen/events: switch user event channels to lateeoi model (XSA-332 bsc#1177411).

- xen/events: use a common cpu hotplug hook for event channels (XSA-332 bsc#1177411).

- xen/netback: use lateeoi irq binding (XSA-332 bsc#1177411).

- xen/pciback: use lateeoi irq binding (XSA-332 bsc#1177411).

- xen/scsiback: use lateeoi irq binding (XSA-332 bsc#1177411).

1172695

This update for gnutls fixes the following issue:

- Avoid spurious audit messages about incompatible signature algorithms (bsc#1172695)

1178346

This update for glib2 fixes the following issues:

- Add support for slim format of timezone. (bsc#1178346)

- Fix DST incorrect end day when using slim format. (bsc#1178346)

1178376

This update for libusb-1_0 fixes the following issues:

- Fixes a build failure for libusb for the inclusion of 'sys/time.h' on PowerPC. (bsc#1178376)

1176262,1179193,CVE-2019-20916

This update for python3 fixes the following issues:

Update to 3.6.12 (bsc#1179193), including:

- Fixed a directory traversal in _download_http_url() (bsc#1176262 CVE-2019-20916)

1177526,1178029,1179150,1179151

This update for cloud-init includes the following fixes:

- Add wget as a requirement (bsc#1178029)

+ wget is used in the CloudStack data source

- Add cloud-init-azure-def-usr-pass.patch (bsc#1179150, bsc#1179151)

+ Properly set the password for the default user in all circumstances

- Patch the full package version into the cloud-init version file

- Update cloud-init default route patch. (bsc#1177526)

+ Fix missing default route when dual stack network setup is used. Once

a default route was configured for Ipv6 or IPv4 the default route

configuration for the othre protocol was skipped.

1178882

- Fixed incomplete c-ares-devel dependencies introduced by the privous update (bsc#1178882).

This update for pam fixes the following issues:

- Check if the password is part of the username. (jsc#SLE-16719, jsc#SLE-16720)

- Check whether the password contains a substring of of the user's name of at least `` characters length in

some form. This is enabled by the new parameter `usersubstr=`

1177409,1177412,1177413,1177414,1178591,1178963,CVE-2020-27670,CVE-2020-27671,CVE-2020-27672,CVE-2020-27674,CVE-2020-28368

This update for xen fixes the following issues:

- bsc#1178963 - VUL-0: xen: stack corruption from XSA-346 change (XSA-355)

1179431

This update for aaa_base fixes the following issue:

- Avoid semicolon within (t)csh login script on S/390. (bsc#1179431)

1179491,CVE-2020-1971

This update for openssl-1_1 fixes the following issues:

- CVE-2020-1971: Fixed a null pointer dereference in EDIPARTYNAME (bsc#1179491).

1179398,1179399,1179593,CVE-2020-8284,CVE-2020-8285,CVE-2020-8286

This update for curl fixes the following issues:

- CVE-2020-8286: Fixed improper OSCP verification in the client side (bsc#1179593).

- CVE-2020-8285: Fixed a stack overflow due to FTP wildcard (bsc#1179399).

- CVE-2020-8284: Fixed an issue where a malicius FTP server could make curl connect to a different IP (bsc#1179398).

Severity

Image Advisory ID : SUSE-IU-2020:117-1

Image Tags : suse-sles-15-chost-byos-v20201210-hvm-ssd-x86_64:20201210

Image Release :

Severity : important

Type : security

SUSE: 2020:117-1 suse-sles-15-chost-byos-v20201210-hvm-ssd-x86_64 Security Update

Summary

References

Related News

Get the Latest News & Insights

News

Advisories

HOWTOs

Features

About Us

Powered By