SUSE Image Update Advisory: sles-15-sp1-chost-byos-v20220127
-----------------------------------------------------------------
Image Advisory ID : SUSE-IU-2022:49-1
Image Tags        : sles-15-sp1-chost-byos-v20220127:20220127
Image Release     : 
Severity          : critical
Type              : security
References        : 1014440 1021918 1027496 1029961 1029961 1029961 1040589 1046305
                        1046306 1046540 1046542 1046648 1047218 1047233 1050242 1050244
                        1050536 1050538 1050545 1050625 1056653 1056657 1056787 1064802
                        1065600 1065729 1066129 1073513 1074220 1075020 1078466 1080040
                        1083473 1085917 1086282 1086301 1086313 1086314 1089870 1098633
                        1100416 1102408 1103990 1103991 1103992 1104270 1104277 1104279
                        1104353 1104427 1104742 1104745 1106014 1108488 1109837 1111981
                        1112178 1112374 1112500 1113013 1113956 1115408 1119113 1122417
                        1125671 1125886 1126206 1126390 1127354 1127371 1129735 1129770
                        1129898 1131314 1131553 1133374 1134353 1136348 1136513 1140565
                        1146705 1148868 1149032 1149813 1149954 1152308 1152489 1153687
                        1153720 1154353 1154393 1154837 1154935 1157818 1158812 1158958
                        1158959 1158960 1159491 1159715 1159847 1159850 1159886 1160309
                        1160438 1160439 1160452 1160462 1161268 1162581 1162964 1163019
                        1163617 1164713 1164719 1165198 1165780 1165780 1167471 1167756
                        1167773 1168481 1168894 1169122 1169348 1170092 1170094 1170442
                        1170774 1170858 1171420 1171479 1171962 1172091 1172115 1172234
                        1172236 1172240 1172308 1172380 1172383 1172384 1172385 1172386
                        1172442 1172455 1172478 1172505 1172670 1172863 1172863 1172973
                        1172974 1173485 1173612 1173641 1173746 1173760 1173886 1174016
                        1174026 1174075 1174206 1174304 1174306 1174386 1174504 1174514
                        1174641 1174697 1174978 1175081 1175289 1175441 1175448 1175449
                        1175519 1175534 1175570 1175740 1175741 1175821 1175960 1175970
                        1176201 1176206 1176262 1176370 1176473 1176673 1176681 1176682
                        1176684 1176708 1176711 1176720 1176724 1176784 1176785 1176831
                        1176846 1176855 1176934 1176940 1177081 1177125 1177222 1177238
                        1177275 1177315 1177315 1177371 1177411 1177427 1177460 1177583
                        1177666 1177789 1177883 1177976 1178036 1178049 1178049 1178168
                        1178174 1178181 1178219 1178236 1178377 1178379 1178386 1178469
                        1178490 1178491 1178561 1178565 1178577 1178624 1178675 1178683
                        1178775 1178801 1178801 1178874 1178900 1178910 1178934 1178935
                        1178966 1178969 1179031 1179032 1179082 1179083 1179093 1179142
                        1179156 1179222 1179264 1179265 1179382 1179428 1179454 1179466
                        1179467 1179468 1179477 1179484 1179508 1179509 1179563 1179573
                        1179575 1179610 1179660 1179686 1179694 1179721 1179756 1179816
                        1179847 1179878 1179908 1179909 1180020 1180038 1180058 1180064
                        1180073 1180077 1180083 1180125 1180130 1180197 1180243 1180262
                        1180304 1180401 1180401 1180432 1180433 1180434 1180435 1180478
                        1180501 1180523 1180596 1180663 1180686 1180721 1180765 1180812
                        1180827 1180851 1180891 1180912 1180933 1180964 1180995 1181011
                        1181018 1181108 1181126 1181131 1181158 1181161 1181170 1181173
                        1181193 1181230 1181231 1181260 1181299 1181306 1181309 1181328
                        1181349 1181351 1181358 1181371 1181425 1181443 1181504 1181505
                        1181535 1181536 1181540 1181594 1181610 1181622 1181639 1181641
                        1181651 1181671 1181677 1181679 1181696 1181730 1181730 1181732
                        1181732 1181747 1181749 1181753 1181809 1181831 1181843 1181854
                        1181874 1181911 1181933 1181960 1181967 1181976 1182011 1182012
                        1182016 1182047 1182057 1182057 1182057 1182072 1182117 1182130
                        1182137 1182140 1182168 1182175 1182246 1182262 1182263 1182279
                        1182309 1182324 1182328 1182331 1182333 1182362 1182372 1182379
                        1182408 1182411 1182412 1182413 1182415 1182416 1182417 1182418
                        1182419 1182420 1182425 1182451 1182476 1182577 1182604 1182629
                        1182651 1182672 1182715 1182716 1182717 1182791 1182793 1182846
                        1182904 1182917 1182936 1182947 1182950 1182968 1182975 1183012
                        1183022 1183024 1183063 1183064 1183069 1183070 1183085 1183094
                        1183194 1183194 1183239 1183268 1183370 1183371 1183374 1183374
                        1183405 1183414 1183415 1183421 1183453 1183456 1183457 1183509
                        1183572 1183572 1183574 1183574 1183589 1183593 1183628 1183646
                        1183686 1183696 1183732 1183738 1183761 1183775 1183791 1183797
                        1183800 1183826 1183855 1183858 1183933 1183936 1183947 1183979
                        1184120 1184124 1184124 1184136 1184161 1184167 1184168 1184170
                        1184192 1184193 1184194 1184196 1184198 1184208 1184211 1184260
                        1184310 1184326 1184358 1184388 1184391 1184393 1184397 1184399
                        1184400 1184401 1184435 1184439 1184454 1184507 1184509 1184511
                        1184512 1184514 1184521 1184583 1184611 1184614 1184614 1184616
                        1184644 1184650 1184673 1184675 1184677 1184690 1184761 1184768
                        1184804 1184804 1184815 1184829 1184912 1184942 1184962 1184967
                        1184994 1184994 1184997 1184997 1185016 1185046 1185089 1185113
                        1185163 1185170 1185232 1185232 1185239 1185244 1185261 1185261
                        1185302 1185325 1185331 1185345 1185377 1185405 1185405 1185408
                        1185408 1185409 1185409 1185410 1185410 1185417 1185428 1185438
                        1185441 1185441 1185464 1185464 1185464 1185464 1185524 1185540
                        1185562 1185588 1185591 1185611 1185621 1185621 1185642 1185677
                        1185680 1185698 1185701 1185725 1185726 1185726 1185758 1185762
                        1185807 1185848 1185849 1185859 1185860 1185861 1185862 1185863
                        1185898 1185899 1185901 1185910 1185938 1185950 1185958 1185961
                        1185961 1185961 1185973 1185987 1185991 1185993 1186012 1186015
                        1186037 1186049 1186060 1186061 1186062 1186078 1186109 1186111
                        1186114 1186285 1186290 1186347 1186390 1186390 1186397 1186447
                        1186463 1186482 1186484 1186484 1186489 1186498 1186503 1186561
                        1186565 1186602 1186672 1186687 1186791 1186910 1186975 1186975
                        1187038 1187050 1187060 1187071 1187105 1187153 1187167 1187196
                        1187210 1187212 1187215 1187224 1187260 1187260 1187270 1187273
                        1187292 1187338 1187364 1187365 1187366 1187367 1187386 1187400
                        1187425 1187452 1187466 1187499 1187512 1187529 1187538 1187539
                        1187554 1187565 1187595 1187601 1187654 1187668 1187696 1187696
                        1187704 1187738 1187760 1187911 1187921 1187937 1187939 1187993
                        1188018 1188062 1188062 1188063 1188063 1188063 1188067 1188090
                        1188116 1188127 1188156 1188160 1188161 1188172 1188179 1188217
                        1188218 1188219 1188220 1188282 1188282 1188291 1188344 1188401
                        1188435 1188563 1188571 1188601 1188616 1188623 1188651 1188651
                        1188713 1188763 1188838 1188868 1188876 1188881 1188891 1188904
                        1188921 1188983 1188985 1188986 1188992 1189031 1189041 1189057
                        1189097 1189145 1189206 1189241 1189262 1189287 1189291 1189297
                        1189399 1189400 1189465 1189465 1189480 1189521 1189521 1189552
                        1189683 1189702 1189706 1189743 1189803 1189841 1189841 1189846
                        1189879 1189884 1189884 1189929 1189938 1189983 1189984 1189996
                        1190023 1190023 1190025 1190052 1190059 1190062 1190067 1190115
                        1190115 1190117 1190159 1190159 1190199 1190225 1190234 1190276
                        1190325 1190349 1190351 1190356 1190358 1190373 1190374 1190375
                        1190406 1190432 1190440 1190465 1190467 1190479 1190523 1190534
                        1190534 1190543 1190552 1190576 1190595 1190596 1190598 1190598
                        1190601 1190620 1190626 1190645 1190670 1190679 1190705 1190712
                        1190717 1190717 1190739 1190746 1190758 1190784 1190785 1190793
                        1190815 1190826 1190858 1190915 1190933 1190975 1190984 1191015
                        1191121 1191172 1191193 1191193 1191200 1191240 1191242 1191252
                        1191260 1191286 1191292 1191315 1191317 1191324 1191334 1191349
                        1191355 1191370 1191434 1191457 1191480 1191500 1191563 1191566
                        1191609 1191628 1191675 1191690 1191790 1191800 1191804 1191888
                        1191922 1191961 1191987 1192045 1192146 1192161 1192248 1192267
                        1192284 1192337 1192379 1192400 1192436 1192688 1192717 1192775
                        1192781 1192790 1192802 1192849 1193170 1193436 1193480 1193481
                        1193488 1193521 1193845 1194251 1194362 1194474 1194476 1194477
                        1194478 1194479 1194480 928700 928701 954813 CVE-2015-3414 CVE-2015-3415
                        CVE-2016-10228 CVE-2016-2124 CVE-2017-9271 CVE-2018-13405 CVE-2018-9517
                        CVE-2019-15890 CVE-2019-16884 CVE-2019-19244 CVE-2019-19317 CVE-2019-19603
                        CVE-2019-19645 CVE-2019-19646 CVE-2019-19880 CVE-2019-19921 CVE-2019-19923
                        CVE-2019-19924 CVE-2019-19925 CVE-2019-19926 CVE-2019-19959 CVE-2019-19977
                        CVE-2019-20218 CVE-2019-20838 CVE-2019-20916 CVE-2019-25013 CVE-2019-3874
                        CVE-2019-3900 CVE-2020-0429 CVE-2020-0433 CVE-2020-10756 CVE-2020-11080
                        CVE-2020-11947 CVE-2020-12049 CVE-2020-12400 CVE-2020-12401 CVE-2020-12403
                        CVE-2020-12762 CVE-2020-12770 CVE-2020-12829 CVE-2020-13361 CVE-2020-13362
                        CVE-2020-13434 CVE-2020-13435 CVE-2020-13630 CVE-2020-13631 CVE-2020-13632
                        CVE-2020-13659 CVE-2020-13765 CVE-2020-13987 CVE-2020-13988 CVE-2020-14155
                        CVE-2020-14343 CVE-2020-14364 CVE-2020-14364 CVE-2020-14372 CVE-2020-15257
                        CVE-2020-15358 CVE-2020-15469 CVE-2020-15863 CVE-2020-16092 CVE-2020-17437
                        CVE-2020-17438 CVE-2020-24370 CVE-2020-24371 CVE-2020-24586 CVE-2020-24587
                        CVE-2020-24588 CVE-2020-25084 CVE-2020-25085 CVE-2020-25613 CVE-2020-25624
                        CVE-2020-25625 CVE-2020-25632 CVE-2020-25639 CVE-2020-25647 CVE-2020-25648
                        CVE-2020-25659 CVE-2020-25670 CVE-2020-25671 CVE-2020-25672 CVE-2020-25673
                        CVE-2020-25707 CVE-2020-25717 CVE-2020-25717 CVE-2020-25723 CVE-2020-25723
                        CVE-2020-26139 CVE-2020-26141 CVE-2020-26145 CVE-2020-26147 CVE-2020-26558
                        CVE-2020-27170 CVE-2020-27171 CVE-2020-27617 CVE-2020-27618 CVE-2020-27673
                        CVE-2020-27749 CVE-2020-27779 CVE-2020-27815 CVE-2020-27821 CVE-2020-27835
                        CVE-2020-27840 CVE-2020-27840 CVE-2020-28916 CVE-2020-29129 CVE-2020-29129
                        CVE-2020-29130 CVE-2020-29130 CVE-2020-29361 CVE-2020-29368 CVE-2020-29374
                        CVE-2020-29443 CVE-2020-29562 CVE-2020-29568 CVE-2020-29569 CVE-2020-29573
                        CVE-2020-35503 CVE-2020-35504 CVE-2020-35505 CVE-2020-35506 CVE-2020-35512
                        CVE-2020-35519 CVE-2020-36221 CVE-2020-36222 CVE-2020-36223 CVE-2020-36224
                        CVE-2020-36225 CVE-2020-36226 CVE-2020-36227 CVE-2020-36228 CVE-2020-36229
                        CVE-2020-36230 CVE-2020-36310 CVE-2020-36311 CVE-2020-36312 CVE-2020-36322
                        CVE-2020-36385 CVE-2020-36386 CVE-2020-3702 CVE-2020-3702 CVE-2020-4788
                        CVE-2020-6829 CVE-2020-8608 CVE-2020-8625 CVE-2020-9327 CVE-2021-0129
                        CVE-2021-0342 CVE-2021-0512 CVE-2021-0605 CVE-2021-0941 CVE-2021-20177
                        CVE-2021-20181 CVE-2021-20193 CVE-2021-20203 CVE-2021-20208 CVE-2021-20219
                        CVE-2021-20221 CVE-2021-20225 CVE-2021-20231 CVE-2021-20232 CVE-2021-20233
                        CVE-2021-20254 CVE-2021-20255 CVE-2021-20257 CVE-2021-20257 CVE-2021-20277
                        CVE-2021-20277 CVE-2021-20305 CVE-2021-20322 CVE-2021-21284 CVE-2021-21284
                        CVE-2021-21285 CVE-2021-21285 CVE-2021-21334 CVE-2021-22543 CVE-2021-22555
                        CVE-2021-22876 CVE-2021-22898 CVE-2021-22922 CVE-2021-22923 CVE-2021-22924
                        CVE-2021-22925 CVE-2021-22946 CVE-2021-22947 CVE-2021-23133 CVE-2021-23134
                        CVE-2021-23336 CVE-2021-23840 CVE-2021-23841 CVE-2021-24031 CVE-2021-24032
                        CVE-2021-25214 CVE-2021-25215 CVE-2021-25219 CVE-2021-25317 CVE-2021-26720
                        CVE-2021-26930 CVE-2021-26931 CVE-2021-26932 CVE-2021-27212 CVE-2021-27218
                        CVE-2021-27219 CVE-2021-27363 CVE-2021-27364 CVE-2021-27365 CVE-2021-28038
                        CVE-2021-28660 CVE-2021-28688 CVE-2021-28950 CVE-2021-28964 CVE-2021-28965
                        CVE-2021-28971 CVE-2021-28972 CVE-2021-29154 CVE-2021-29155 CVE-2021-29264
                        CVE-2021-29265 CVE-2021-29647 CVE-2021-29650 CVE-2021-30002 CVE-2021-30465
                        CVE-2021-30465 CVE-2021-3156 CVE-2021-3177 CVE-2021-31799 CVE-2021-31810
                        CVE-2021-31916 CVE-2021-32066 CVE-2021-32399 CVE-2021-32760 CVE-2021-32760
                        CVE-2021-33033 CVE-2021-33034 CVE-2021-33200 CVE-2021-33200 CVE-2021-3326
                        CVE-2021-3347 CVE-2021-3348 CVE-2021-33560 CVE-2021-33574 CVE-2021-33624
                        CVE-2021-33909 CVE-2021-33909 CVE-2021-33910 CVE-2021-33910 CVE-2021-3416
                        CVE-2021-3419 CVE-2021-3426 CVE-2021-3426 CVE-2021-3428 CVE-2021-3444
                        CVE-2021-34556 CVE-2021-3468 CVE-2021-34693 CVE-2021-3483 CVE-2021-3491
                        CVE-2021-34981 CVE-2021-3516 CVE-2021-3516 CVE-2021-3517 CVE-2021-3517
                        CVE-2021-3518 CVE-2021-3518 CVE-2021-3520 CVE-2021-3527 CVE-2021-3537
                        CVE-2021-3541 CVE-2021-3542 CVE-2021-35477 CVE-2021-3580 CVE-2021-3582
                        CVE-2021-3592 CVE-2021-3593 CVE-2021-3594 CVE-2021-35942 CVE-2021-3595
                        CVE-2021-3607 CVE-2021-3608 CVE-2021-3609 CVE-2021-3611 CVE-2021-36222
                        CVE-2021-3640 CVE-2021-3653 CVE-2021-3655 CVE-2021-3656 CVE-2021-3659
                        CVE-2021-3669 CVE-2021-3672 CVE-2021-3679 CVE-2021-3682 CVE-2021-3712
                        CVE-2021-3712 CVE-2021-3713 CVE-2021-3715 CVE-2021-37159 CVE-2021-3732
                        CVE-2021-3733 CVE-2021-3737 CVE-2021-3744 CVE-2021-3744 CVE-2021-3748
                        CVE-2021-3752 CVE-2021-3752 CVE-2021-3753 CVE-2021-37576 CVE-2021-3759
                        CVE-2021-3760 CVE-2021-37600 CVE-2021-3764 CVE-2021-3764 CVE-2021-3772
                        CVE-2021-37750 CVE-2021-38160 CVE-2021-38185 CVE-2021-38185 CVE-2021-38198
                        CVE-2021-38204 CVE-2021-39537 CVE-2021-40490 CVE-2021-40490 CVE-2021-41089
                        CVE-2021-41091 CVE-2021-41092 CVE-2021-41103 CVE-2021-41617 CVE-2021-41864
                        CVE-2021-42008 CVE-2021-42252 CVE-2021-42739 CVE-2021-43527 CVE-2021-43618
                        CVE-2021-43784 CVE-2021-45960 CVE-2021-46143 CVE-2022-22822 CVE-2022-22823
                        CVE-2022-22824 CVE-2022-22825 CVE-2022-22826 CVE-2022-22827 
-----------------------------------------------------------------

The container sles-15-sp1-chost-byos-v20220127 was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2019:2810-1
Released:    Tue Oct 29 14:56:44 2019
Summary:     Security update for runc
Type:        security
Severity:    moderate
References:  1131314,1131553,1152308,CVE-2019-16884
This update for runc fixes the following issues:

Security issue fixed:

- CVE-2019-16884: Fixed an LSM bypass via malicious Docker images that mount over a /proc directory. (bsc#1152308)

Non-security issues fixed:

- Includes upstreamed patches for regressions (bsc#1131314 bsc#1131553).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2020:944-1
Released:    Tue Apr  7 15:49:33 2020
Summary:     Security update for runc
Type:        security
Severity:    moderate
References:  1149954,1160452,CVE-2019-19921
This update for runc fixes the following issues:

runc was updated to v1.0.0~rc10

- CVE-2019-19921: Fixed a mount race condition with shared mounts (bsc#1160452).
- Fixed an issue where podman run hangs when spawned by salt-minion process (bsc#1149954).	  

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:305-1
Released:    Thu Feb  4 15:00:37 2021
Summary:     Recommended update for libprotobuf
Type:        recommended
Severity:    moderate
References:  

libprotobuf was updated to fix:

- ship the libprotobuf-lite15 on the base products. (jsc#ECO-2911)
  
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:435-1
Released:    Thu Feb 11 14:47:25 2021
Summary:     Security update for containerd, docker, docker-runc, golang-github-docker-libnetwork
Type:        security
Severity:    important
References:  1174075,1176708,1178801,1178969,1180243,1180401,1181730,1181732,CVE-2020-15257,CVE-2021-21284,CVE-2021-21285
This update for containerd, docker, docker-runc, golang-github-docker-libnetwork fixes the following issues:

Security issues fixed:

- CVE-2020-15257: Fixed a privilege escalation in containerd (bsc#1178969).
- CVE-2021-21284: potential privilege escalation when the root user in the remapped namespace has access to the host filesystem (bsc#1181732)
- CVE-2021-21285: pulling a malformed Docker image manifest crashes the dockerd daemon (bsc#1181730)

Non-security issues fixed:

- Update Docker to 19.03.15-ce. See upstream changelog in the packaged
  /usr/share/doc/packages/docker/CHANGELOG.md. This update includes fixes for
  bsc#1181732 (CVE-2021-21284) and bsc#1181730 (CVE-2021-21285).

- Only apply the boo#1178801 libnetwork patch to handle firewalld on openSUSE.
  It appears that SLES doesn't like the patch. (bsc#1180401)

- Update to containerd v1.3.9, which is needed for Docker v19.03.14-ce and
  fixes CVE-2020-15257. bsc#1180243

- Update to containerd v1.3.7, which is required for Docker 19.03.13-ce.
  bsc#1176708

- Update to Docker 19.03.14-ce. See upstream changelog in the packaged
  /usr/share/doc/packages/docker/CHANGELOG.md. CVE-2020-15257 bsc#1180243
  https://github.com/docker/docker-ce/releases/tag/v19.03.14

- Enable fish-completion

- Add a patch which makes Docker compatible with firewalld with
  nftables backend. Backport of https://github.com/moby/libnetwork/pull/2548
  (bsc#1178801, SLE-16460)

- Update to Docker 19.03.13-ce. See upstream changelog in the packaged
  /usr/share/doc/packages/docker/CHANGELOG.md. bsc#1176708

- Fixes for %_libexecdir changing to /usr/libexec (bsc#1174075)

- Emergency fix: %requires_eq does not work with provide symbols,
  only effective package names. Convert back to regular Requires.

- Update to Docker 19.03.12-ce. See upstream changelog in the packaged
  /usr/share/doc/packages/docker/CHANGELOG.md.
- Use Go 1.13 instead of Go 1.14 because Go 1.14 can cause all sorts of
  spurrious errors due to Go returning -EINTR from I/O syscalls much more often
  (due to Go 1.14's pre-emptive goroutine support).
- Add BuildRequires for all -git dependencies so that we catch missing
  dependencies much more quickly.

- Update to libnetwork 55e924b8a842, which is required for Docker 19.03.14-ce.
  bsc#1180243

- Add patch which makes libnetwork compatible with firewalld with
  nftables backend. Backport of https://github.com/moby/libnetwork/pull/2548
  (bsc#1178801, SLE-16460)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:502-1
Released:    Thu Feb 18 05:33:06 2021
Summary:     Recommended update for openssh
Type:        recommended
Severity:    moderate
References:  1180501
This update for openssh fixes the following issues:

- Fixed a crash which sometimes occured on connection termination, caused
  by accessing freed memory (bsc#1180501)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:507-1
Released:    Thu Feb 18 09:34:49 2021
Summary:     Security update for bind
Type:        security
Severity:    important
References:  1182246,CVE-2020-8625
This update for bind fixes the following issues:

- CVE-2020-8625: A vulnerability in BIND's GSSAPI security policy
  negotiation can be targeted by a buffer overflow attack [bsc#1182246]

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:516-1
Released:    Thu Feb 18 14:42:51 2021
Summary:     Recommended update for docker, golang-github-docker-libnetwork
Type:        recommended
Severity:    moderate
References:  1178801,1180401,1182168
This update for docker, golang-github-docker-libnetwork fixes the following issues:

- A libnetwork firewalld integration enhancement was broken, disable it (bsc#1178801,bsc#1180401,bsc#1182168)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:529-1
Released:    Fri Feb 19 14:53:47 2021
Summary:     Security update for python3
Type:        security
Severity:    moderate
References:  1176262,1179756,1180686,1181126,CVE-2019-20916,CVE-2021-3177
This update for python3 fixes the following issues:

- CVE-2021-3177: Fixed buffer overflow in PyCArg_repr in _ctypes/callproc.c, which may lead to remote code execution (bsc#1181126).
- Provide the newest setuptools wheel (bsc#1176262, CVE-2019-20916) in their correct form (bsc#1180686).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:532-1
Released:    Fri Feb 19 17:29:03 2021
Summary:     Security update for the Linux Kernel
Type:        security
Severity:    important
References:  1046305,1046306,1046540,1046542,1046648,1050242,1050244,1050536,1050538,1050545,1056653,1056657,1056787,1064802,1066129,1073513,1074220,1075020,1086282,1086301,1086313,1086314,1098633,1103990,1103991,1103992,1104270,1104277,1104279,1104353,1104427,1104742,1104745,1109837,1111981,1112178,1112374,1113956,1119113,1126206,1126390,1127354,1127371,1129770,1136348,1149032,1174206,1176831,1176846,1178036,1178049,1178900,1179093,1179142,1179508,1179509,1179563,1179573,1179575,1179878,1180130,1180765,1180812,1180891,1180912,1181018,1181170,1181230,1181231,1181260,1181349,1181425,1181504,1181809,CVE-2020-25639,CVE-2020-27835,CVE-2020-29568,CVE-2020-29569,CVE-2021-0342,CVE-2021-20177,CVE-2021-3347,CVE-2021-3348
 The SUSE Linux Enterprise 15 SP1 kernel was updated to receive various security and bugfixes.


The following security bugs were fixed:

- CVE-2021-3347: A use-after-free was discovered in the PI futexes during fault handling, allowing local users to execute code in the kernel (bnc#1181349).
- CVE-2021-3348: Fixed a use-after-free in nbd_add_socket that could be triggered by local attackers (with access to the nbd device) via an I/O request at a certain point during device setup (bnc#1181504).
- CVE-2021-20177: Fixed a kernel panic related to iptables string matching rules. A privileged user could insert a rule which could lead to denial of service (bnc#1180765).
- CVE-2021-0342: In tun_get_user of tun.c, there is possible memory corruption due to a use after free. This could lead to local escalation of privilege with System execution privileges required. (bnc#1180812)
- CVE-2020-27835: A use-after-free in the infiniband hfi1 driver was found, specifically in the way user calls Ioctl after open dev file and fork. A local user could use this flaw to crash the system (bnc#1179878).
- CVE-2020-25639: Fixed a NULL pointer dereference via nouveau ioctl (bnc#1176846).
- CVE-2020-29569: Fixed a potential privilege escalation and information leaks related to the PV block backend, as used by Xen (bnc#1179509).
- CVE-2020-29568: Fixed a denial of service issue, related to processing watch events (bnc#1179508).

The following non-security bugs were fixed:

- ACPI: scan: Harden acpi_device_add() against device ID overflows (git-fixes).
- ACPI: scan: Make acpi_bus_get_device() clear return pointer on error (git-fixes).
- ACPI: scan: add stub acpi_create_platform_device() for !CONFIG_ACPI (git-fixes).
- ALSA: doc: Fix reference to mixart.rst (git-fixes).
- ALSA: fireface: Fix integer overflow in transmit_midi_msg() (git-fixes).
- ALSA: firewire-tascam: Fix integer overflow in midi_port_work() (git-fixes).
- ALSA: hda/via: Add minimum mute flag (git-fixes).
- ALSA: hda/via: Fix runtime PM for Clevo W35xSS (git-fixes).
- ALSA: pcm: Clear the full allocated memory at hw_params (git-fixes).
- ALSA: seq: oss: Fix missing error check in snd_seq_oss_synth_make_info() (git-fixes).
- ASoC: Intel: haswell: Add missing pm_ops (git-fixes).
- ASoC: dapm: remove widget from dirty list on free (git-fixes).
- EDAC/amd64: Fix PCI component registration (bsc#1112178).
- IB/mlx5: Fix DEVX support for MLX5_CMD_OP_INIT2INIT_QP command (bsc#1103991).
- KVM: SVM: Initialize prev_ga_tag before use (bsc#1180912).
- KVM: x86/mmu: Commit zap of remaining invalid pages when recovering lpages (bsc#1181230).
- NFS4: Fix use-after-free in trace_event_raw_event_nfs4_set_lock (git-fixes).
- NFS: nfs_igrab_and_active must first reference the superblock (git-fixes).
- NFS: switch nfsiod to be an UNBOUND workqueue (git-fixes).
- NFSv4.2: condition READDIR's mask for security label based on LSM state (git-fixes).
- RDMA/addr: Fix race with netevent_callback()/rdma_addr_cancel() (bsc#1103992).
- RDMA/bnxt_re: Do not add user qps to flushlist (bsc#1050244 ).
- RDMA/bnxt_re: Do not report transparent vlan from QP1 (bsc#1104742).
- RDMA/cma: Do not overwrite sgid_attr after device is released (bsc#1103992).
- RDMA/core: Ensure security pkey modify is not lost (bsc#1046306 ).
- RDMA/core: Fix pkey and port assignment in get_new_pps (bsc#1046306).
- RDMA/core: Fix protection fault in get_pkey_idx_qp_list (bsc#1046306).
- RDMA/core: Fix reported speed and width (bsc#1046306 ).
- RDMA/core: Fix return error value in _ib_modify_qp() to negative (bsc#1103992).
- RDMA/core: Fix use of logical OR in get_new_pps (bsc#1046306 ).
- RDMA/hns: Bugfix for memory window mtpt configuration (bsc#1104427).
- RDMA/hns: Bugfix for slab-out-of-bounds when unloading hip08 driver (bsc#1104427).
- RDMA/hns: Fix cmdq parameter of querying pf timer resource (bsc#1104427 bsc#1126206).
- RDMA/hns: Fix missing sq_sig_type when querying QP (bsc#1104427 ).
- RDMA/hns: bugfix for slab-out-of-bounds when loading hip08 driver (bsc#1104427).
- RDMA/iw_cxgb4: Fix incorrect function parameters (bsc#1136348 jsc#SLE-4684).
- RDMA/iw_cxgb4: initiate CLOSE when entering TERM (bsc#1136348 jsc#SLE-4684).
- RDMA/mlx5: Add init2init as a modify command (bsc#1103991 ).
- RDMA/mlx5: Fix typo in enum name (bsc#1103991).
- RDMA/mlx5: Fix wrong free of blue flame register on error (bsc#1103991).
- RDMA/qedr: Fix inline size returned for iWARP (bsc#1050545 ).
- SUNRPC: cache: ignore timestamp written to 'flush' file (bsc#1178036).
- USB: ehci: fix an interrupt calltrace error (git-fixes).
- USB: gadget: legacy: fix return error code in acm_ms_bind() (git-fixes).
- USB: serial: iuu_phoenix: fix DMA from stack (git-fixes).
- USB: xhci: fix U1/U2 handling for hardware with XHCI_INTEL_HOST quirk set (git-fixes).
- USB: yurex: fix control-URB timeout handling (git-fixes).
- __netif_receive_skb_core: pass skb by reference (bsc#1109837).
- arm64: pgtable: Ensure dirty bit is preserved across pte_wrprotect() (bsc#1180130).
- arm64: pgtable: Fix pte_accessible() (bsc#1180130).
- bnxt_en: Do not query FW when netif_running() is false (bsc#1086282).
- bnxt_en: Fix accumulation of bp->net_stats_prev (bsc#1104745 ).
- bnxt_en: Improve stats context resource accounting with RDMA driver loaded (bsc#1104745).
- bnxt_en: Release PCI regions when DMA mask setup fails during probe (git-fixes).
- bnxt_en: Reset rings if ring reservation fails during open() (bsc#1086282).
- bnxt_en: fix HWRM error when querying VF temperature (bsc#1104745).
- bnxt_en: fix error return code in bnxt_init_board() (git-fixes).
- bnxt_en: fix error return code in bnxt_init_one() (bsc#1050242 ).
- bnxt_en: read EEPROM A2h address using page 0 (git-fixes).
- bnxt_en: return proper error codes in bnxt_show_temp (bsc#1104745).
- bonding: set dev->needed_headroom in bond_setup_by_slave() (git-fixes).
- btrfs: add a flag to iterate_inodes_from_logical to find all extent refs for uncompressed extents (bsc#1174206).
- btrfs: add a flags argument to LOGICAL_INO and call it LOGICAL_INO_V2 (bsc#1174206).
- btrfs: increase output size for LOGICAL_INO_V2 ioctl (bsc#1174206).
- btrfs: qgroup: do not try to wait flushing if we're already holding a transaction (bsc#1179575).
- caif: no need to check return value of debugfs_create functions (git-fixes).
- can: c_can: c_can_power_up(): fix error handling (git-fixes).
- can: dev: prevent potential information leak in can_fill_info() (git-fixes).
- can: vxcan: vxcan_xmit: fix use after free bug (git-fixes).
- chelsio/chtls: correct function return and return type (bsc#1104270).
- chelsio/chtls: correct netdevice for vlan interface (bsc#1104270 ).
- chelsio/chtls: fix a double free in chtls_setkey() (bsc#1104270 ).
- chelsio/chtls: fix always leaking ctrl_skb (bsc#1104270 ).
- chelsio/chtls: fix deadlock issue (bsc#1104270).
- chelsio/chtls: fix memory leaks caused by a race (bsc#1104270 ).
- chelsio/chtls: fix memory leaks in CPL handlers (bsc#1104270 ).
- chelsio/chtls: fix panic during unload reload chtls (bsc#1104270 ).
- chelsio/chtls: fix socket lock (bsc#1104270).
- chelsio/chtls: fix tls record info to user (bsc#1104270 ).
- chtls: Added a check to avoid NULL pointer dereference (bsc#1104270).
- chtls: Fix chtls resources release sequence (bsc#1104270 ).
- chtls: Fix hardware tid leak (bsc#1104270).
- chtls: Remove invalid set_tcb call (bsc#1104270).
- chtls: Replace skb_dequeue with skb_peek (bsc#1104270 ).
- cpumap: Avoid warning when CONFIG_DEBUG_PER_CPU_MAPS is enabled (bsc#1109837).
- cxgb3: fix error return code in t3_sge_alloc_qset() (git-fixes).
- cxgb4/cxgb4vf: fix flow control display for auto negotiation (bsc#1046540 bsc#1046542).
- cxgb4: fix SGE queue dump destination buffer context (bsc#1073513).
- cxgb4: fix adapter crash due to wrong MC size (bsc#1073513).
- cxgb4: fix all-mask IP address comparison (bsc#1064802 bsc#1066129).
- cxgb4: fix large delays in PTP synchronization (bsc#1046540 bsc#1046648).
- cxgb4: fix the panic caused by non smac rewrite (bsc#1064802 bsc#1066129).
- cxgb4: fix thermal zone device registration (bsc#1104279 bsc#1104277).
- cxgb4: fix throughput drop during Tx backpressure (bsc#1127354 bsc#1127371).
- cxgb4: move DCB version extern to header file (bsc#1104279 ).
- cxgb4: remove cast when saving IPv4 partial checksum (bsc#1074220).
- cxgb4: set up filter action after rewrites (bsc#1064802 bsc#1066129).
- cxgb4: use correct type for all-mask IP address comparison (bsc#1064802 bsc#1066129).
- cxgb4: use unaligned conversion for fetching timestamp (bsc#1046540 bsc#1046648).
- dm: avoid filesystem lookup in dm_get_dev_t() (bsc#1178049).
- dmaengine: xilinx_dma: check dma_async_device_register return value (git-fixes).
- dmaengine: xilinx_dma: fix mixed_enum_type coverity warning (git-fixes).
- docs: Fix reST markup when linking to sections (git-fixes).
- drivers: net: xgene: Fix the order of the arguments of 'alloc_etherdev_mqs()' (git-fixes).
- drm/amd/powerplay: fix a crash when overclocking Vega M (bsc#1113956)
- drm/amdkfd: Put ACPI table after using it (bsc#1129770) Backporting changes: 	* context changes
- drm/atomic: put state on error path (git-fixes).
- drm/i915: Check for all subplatform bits (git-fixes).
- drm/i915: Clear the repeater bit on HDCP disable (bsc#1112178)
- drm/i915: Fix sha_text population code (bsc#1112178)
- drm/msm: Avoid div-by-zero in dpu_crtc_atomic_check() (bsc#1129770)
- drm/msm: Fix WARN_ON() splat in _free_object() (bsc#1129770)
- drm/msm: Fix use-after-free in msm_gem with carveout (bsc#1129770)
- drm/nouveau/bios: fix issue shadowing expansion ROMs (git-fixes).
- drm/nouveau/i2c/gm200: increase width of aux semaphore owner fields (git-fixes).
- drm/nouveau/privring: ack interrupts the same way as RM (git-fixes).
- drm/tve200: Fix handling of platform_get_irq() error (bsc#1129770)
- drm/vgem: Replace opencoded version of drm_gem_dumb_map_offset() (bsc#1112178)
- drm: sun4i: hdmi: Fix inverted HPD result (bsc#1112178)
- drm: sun4i: hdmi: Remove extra HPD polling (bsc#1112178)
- ehci: fix EHCI host controller initialization sequence (git-fixes).
- ethernet: ucc_geth: fix use-after-free in ucc_geth_remove() (git-fixes).
- floppy: reintroduce O_NDELAY fix (boo#1181018).
- futex: Do not enable IRQs unconditionally in put_pi_state() (bsc#1149032).
- futex: Ensure the correct return value from futex_lock_pi() (bsc#1181349 bsc#1149032).
- futex: Fix incorrect should_fail_futex() handling (bsc#1181349).
- futex: Handle faults correctly for PI futexes (bsc#1181349 bsc#1149032).
- futex: Provide and use pi_state_update_owner() (bsc#1181349 bsc#1149032).
- futex: Replace pointless printk in fixup_owner() (bsc#1181349 bsc#1149032).
- futex: Simplify fixup_pi_state_owner() (bsc#1181349 bsc#1149032).
- futex: Use pi_state_update_owner() in put_pi_state() (bsc#1181349 bsc#1149032).
- i2c: octeon: check correct size of maximum RECV_LEN packet (git-fixes).
- i40e: Fix removing driver while bare-metal VFs pass traffic (git-fixes).
- i40e: avoid premature Rx buffer reuse (bsc#1111981).
- igb: Report speed and duplex as unknown when device is runtime suspended (git-fixes).
- igc: fix link speed advertising (jsc#SLE-4799).
- iio: ad5504: Fix setting power-down state (git-fixes).
- iommu/vt-d: Do not dereference iommu_device if IOMMU_API is not built (bsc#1181260, jsc#ECO-3191).
- iommu/vt-d: Gracefully handle DMAR units with no supported address widths (bsc#1181260, jsc#ECO-3191).
- ixgbe: Fix XDP redirect on archs with PAGE_SIZE above 4K (bsc#1109837).
- ixgbe: avoid premature Rx buffer reuse (bsc#1109837 ).
- kABI: Fix kABI for extended APIC-ID support (bsc#1181260, jsc#ECO-3191).
- kernfs: deal with kernfs_fill_super() failures (bsc#1181809).
- lockd: do not use interval-based rebinding over TCP (git-fixes).
- locking/futex: Allow low-level atomic operations to return -EAGAIN (bsc#1149032).
- md/raid10: initialize r10_bio->read_slot before use (git-fixes).
- md: fix a warning caused by a race between concurrent md_ioctl()s (git-fixes).
- media: gp8psk: initialize stats at power control logic (git-fixes).
- misc: vmw_vmci: fix kernel info-leak by initializing dbells in vmci_ctx_get_chkpt_doorbells() (git-fixes).
- misdn: dsp: select CONFIG_BITREVERSE (git-fixes).
- mlxsw: core: Fix use-after-free in mlxsw_emad_trans_finish() (git-fixes).
- mlxsw: destroy workqueue when trap_register in mlxsw_emad_init (bsc#1112374).
- mlxsw: spectrum: Do not modify cloned SKBs during xmit (git-fixes).
- mlxsw: spectrum: Fix use-after-free of split/unsplit/type_set in case reload fails (bsc#1112374).
- mlxsw: switchx2: Do not modify cloned SKBs during xmit (git-fixes).
- mm, page_alloc: fix core hung in free_pcppages_bulk() (git fixes (mm/hotplug)).
- mm/page_alloc: fix watchdog soft lockups during set_zone_contiguous() (git fixes (mm/pgalloc)).
- mm/rmap: map_pte() was not handling private ZONE_DEVICE page properly (git fixes (mm/hmm)).
- mm/slab: use memzero_explicit() in kzfree() (git fixes (mm/slab)).
- mm: do not wake kswapd prematurely when watermark boosting is disabled (git fixes (mm/vmscan)).
- mm: hwpoison: disable memory error handling on 1GB hugepage (git fixes (mm/hwpoison)).
- mmc: sdhci-xenon: fix 1.8v regulator stabilization (git-fixes).
- nbd: Fix memory leak in nbd_add_socket (bsc#1181504).
- net/af_iucv: always register net_device notifier (git-fixes).
- net/af_iucv: fix null pointer dereference on shutdown (bsc#1179563 LTC#190108).
- net/af_iucv: set correct sk_protocol for child sockets (git-fixes).
- net/filter: Permit reading NET in load_bytes_relative when MAC not set (bsc#1109837).
- net/liquidio: Delete driver version assignment (git-fixes).
- net/liquidio: Delete non-working LIQUIDIO_PACKAGE check (git-fixes).
- net/mlx4_en: Avoid scheduling restart task if it is already running (git-fixes).
- net/mlx5: Add handling of port type in rule deletion (bsc#1103991).
- net/mlx5: Fix memory leak on flow table creation error flow (bsc#1046305).
- net/mlx5e: Fix VLAN cleanup flow (git-fixes).
- net/mlx5e: Fix VLAN create flow (git-fixes).
- net/mlx5e: Fix memleak in mlx5e_create_l2_table_groups (git-fixes).
- net/mlx5e: Fix two double free cases (bsc#1046305).
- net/mlx5e: IPoIB, Drop multicast packets that this interface sent (bsc#1075020).
- net/mlx5e: TX, Fix consumer index of error cqe dump (bsc#1103990 ).
- net/mlx5e: fix bpf_prog reference count leaks in mlx5e_alloc_rq (bsc#1103990).
- net/sched: act_tunnel_key: fix OOB write in case of IPv6 ERSPAN tunnels (bsc#1109837).
- net/smc: cancel event worker during device removal (git-fixes).
- net/smc: check for valid ib_client_data (git-fixes).
- net/smc: fix sleep bug in smc_pnet_find_roce_resource() (git-fixes).
- net/smc: receive pending data after RCV_SHUTDOWN (git-fixes).
- net/smc: receive returns without data (git-fixes).
- net/sonic: Add mutual exclusion for accessing shared state (git-fixes).
- net: atlantic: fix potential error handling (git-fixes).
- net: atlantic: fix use after free kasan warn (git-fixes).
- net: bcmgenet: keep MAC in reset until PHY is up (git-fixes).
- net: bcmgenet: reapply manual settings to the PHY (git-fixes).
- net: broadcom/bcmsysport: Fix signedness in bcm_sysport_probe() (git-fixes).
- net: cbs: Fix software cbs to consider packet sending time (bsc#1109837).
- net: dsa: LAN9303: select REGMAP when LAN9303 enable (git-fixes).
- net: dsa: b53: b53_arl_rw_op() needs to select IVL or SVL (git-fixes).
- net: ena: set initial DMA width to avoid intel iommu issue (git-fixes).
- net: ethernet: mlx4: Avoid assigning a value to ring_cons but not used it anymore in mlx4_en_xmit() (git-fixes).
- net: ethernet: stmmac: Fix signedness bug in ipq806x_gmac_of_parse() (git-fixes).
- net: freescale: fec: Fix ethtool -d runtime PM (git-fixes).
- net: hns3: add a missing uninit debugfs when unload driver (bsc#1104353).
- net: hns3: add compatible handling for command HCLGE_OPC_PF_RST_DONE (git-fixes).
- net: hns3: add management table after IMP reset (bsc#1104353 ).
- net: hns3: check reset interrupt status when reset fails (git-fixes).
- net: hns3: clear reset interrupt status in hclge_irq_handle() (git-fixes).
- net: hns3: fix a TX timeout issue (bsc#1104353).
- net: hns3: fix a wrong reset interrupt status mask (git-fixes).
- net: hns3: fix error VF index when setting VLAN offload (bsc#1104353).
- net: hns3: fix error handling for desc filling (bsc#1104353 ).
- net: hns3: fix for not calculating TX BD send size correctly (bsc#1126390).
- net: hns3: fix interrupt clearing error for VF (bsc#1104353 ).
- net: hns3: fix mis-counting IRQ vector numbers issue (bsc#1104353).
- net: hns3: fix shaper parameter algorithm (bsc#1104353 ).
- net: hns3: fix the number of queues actually used by ARQ (bsc#1104353).
- net: hns3: fix use-after-free when doing self test (bsc#1104353 ).
- net: hns3: reallocate SSU' buffer size when pfc_en changes (bsc#1104353).
- net: mvpp2: Fix GoP port 3 Networking Complex Control configurations (bsc#1098633).
- net: mvpp2: Fix error return code in mvpp2_open() (bsc#1119113 ).
- net: mvpp2: fix pkt coalescing int-threshold configuration (bsc#1098633).
- net: phy: Allow BCM54616S PHY to setup internal TX/RX clock delay (git-fixes).
- net: phy: broadcom: Fix RGMII delays configuration for BCM54210E (git-fixes).
- net: phy: micrel: Discern KSZ8051 and KSZ8795 PHYs (git-fixes).
- net: phy: micrel: make sure the factory test bit is cleared (git-fixes).
- net: qca_spi: Move reset_count to struct qcaspi (git-fixes).
- net: smc911x: Adjust indentation in smc911x_phy_configure (git-fixes).
- net: stmmac: 16KB buffer must be 16 byte aligned (git-fixes).
- net: stmmac: Do not accept invalid MTU values (git-fixes).
- net: stmmac: Enable 16KB buffer size (git-fixes).
- net: stmmac: RX buffer size must be 16 byte aligned (git-fixes).
- net: stmmac: dwmac-meson8b: Fix signedness bug in probe (git-fixes).
- net: stmmac: dwmac-sunxi: Provide TX and RX fifo sizes (git-fixes).
- net: stmmac: fix length of PTP clock's name string (git-fixes).
- net: stmmac: gmac4+: Not all Unicast addresses may be available (git-fixes).
- net: sunrpc: interpret the return value of kstrtou32 correctly (git-fixes).
- net: team: fix memory leak in __team_options_register (git-fixes).
- net: tulip: Adjust indentation in {dmfe, uli526x}_init_module (git-fixes).
- net: usb: lan78xx: Fix error message format specifier (git-fixes).
- net: vlan: avoid leaks on register_vlan_dev() failures (git-fixes).
- net_failover: fixed rollback in net_failover_open() (bsc#1109837).
- net_sched: let qdisc_put() accept NULL pointer (bsc#1056657 bsc#1056653 bsc#1056787).
- nfp: validate the return code from dev_queue_xmit() (git-fixes).
- nfs_common: need lock during iterate through the list (git-fixes).
- nfsd4: readdirplus shouldn't return parent of export (git-fixes).
- nfsd: Fix message level for normal termination (git-fixes).
- pNFS: Mark layout for return if return-on-close was not sent (git-fixes).
- page_frag: Recover from memory pressure (git fixes (mm/pgalloc)).
- powerpc/perf: Add generic compat mode pmu driver (bsc#1178900 ltc#189284).
- powerpc/perf: Fix crashes with generic_compat_pmu & BHRB (bsc#1178900 ltc#189284 git-fixes).
- powerpc/perf: init pmu from core-book3s (bsc#1178900 ltc#189284).
- qed: Fix race condition between scheduling and destroying the slowpath workqueue (bsc#1086314 bsc#1086313 bsc#1086301).
- qed: Fix use after free in qed_chain_free (bsc#1050536 bsc#1050538).
- r8152: Add Lenovo Powered USB-C Travel Hub (git-fixes).
- rtmutex: Remove unused argument from rt_mutex_proxy_unlock() (bsc#1181349 bsc#1149032).
- s390/cio: fix use-after-free in ccw_device_destroy_console (git-fixes).
- s390/dasd: fix list corruption of lcu list (bsc#1181170 LTC#190915).
- s390/dasd: fix list corruption of pavgroup group list (bsc#1181170 LTC#190915).
- s390/dasd: prevent inconsistent LCU device data (bsc#1181170 LTC#190915).
- s390/qeth: delay draining the TX buffers (git-fixes).
- s390/qeth: fix L2 header access in qeth_l3_osa_features_check() (git-fixes).
- s390/qeth: fix deadlock during recovery (git-fixes).
- s390/qeth: fix locking for discipline setup / removal (git-fixes).
- s390/smp: perform initial CPU reset also for SMT siblings (git-fixes).
- sched/fair: Fix enqueue_task_fair warning (bsc#1179093).
- sched/fair: Fix enqueue_task_fair() warning some more (bsc#1179093).
- sched/fair: Fix reordering of enqueue/dequeue_task_fair() (bsc#1179093).
- sched/fair: Fix unthrottle_cfs_rq() for leaf_cfs_rq list (bsc#1179093).
- sched/fair: Reorder enqueue/dequeue_task_fair path (bsc#1179093).
- scsi: core: Fix VPD LUN ID designator priorities (bsc#1178049, git-fixes).
- scsi: ibmvfc: Set default timeout to avoid crash during migration (bsc#1181425 ltc#188252).
- scsi: lpfc: Enhancements to LOG_TRACE_EVENT for better readability (bsc#1180891).
- scsi: lpfc: Fix FW reset action if I/Os are outstanding (bsc#1180891).
- scsi: lpfc: Fix NVMe recovery after mailbox timeout (bsc#1180891).
- scsi: lpfc: Fix PLOGI S_ID of 0 on pt2pt config (bsc#1180891).
- scsi: lpfc: Fix auto sli_mode and its effect on CONFIG_PORT for SLI3 (bsc#1180891).
- scsi: lpfc: Fix crash when a fabric node is released prematurely (bsc#1180891).
- scsi: lpfc: Fix error log messages being logged following SCSI task mgnt (bsc#1180891).
- scsi: lpfc: Fix target reset failing (bsc#1180891).
- scsi: lpfc: Fix vport create logging (bsc#1180891).
- scsi: lpfc: Implement health checking when aborting I/O (bsc#1180891).
- scsi: lpfc: Prevent duplicate requests to unregister with cpuhp framework (bsc#1180891).
- scsi: lpfc: Refresh ndlp when a new PRLI is received in the PRLI issue state (bsc#1180891).
- scsi: lpfc: Simplify bool comparison (bsc#1180891).
- scsi: lpfc: Update lpfc version to 12.8.0.7 (bsc#1180891).
- scsi: lpfc: Use the nvme-fc transport supplied timeout for LS requests (bsc#1180891).
- scsi: qla2xxx: Fix description for parameter ql2xenforce_iocb_limit (bsc#1179142).
- serial: mvebu-uart: fix tx lost characters at power off (git-fixes).
- spi: cadence: cache reference clock rate during probe (git-fixes).
- team: set dev->needed_headroom in team_setup_by_port() (git-fixes).
- tun: fix return value when the number of iovs exceeds MAX_SKB_FRAGS (bsc#1109837).
- usb: chipidea: ci_hdrc_imx: add missing put_device() call in usbmisc_get_init_data() (git-fixes).
- usb: dwc3: ulpi: Use VStsDone to detect PHY regs access completion (git-fixes).
- usb: gadget: configfs: Preserve function ordering after bind failure (git-fixes).
- usb: gadget: f_uac2: reset wMaxPacketSize (git-fixes).
- usb: gadget: select CONFIG_CRC32 (git-fixes).
- usb: udc: core: Use lock when write to soft_connect (git-fixes).
- veth: Adjust hard_start offset on redirect XDP frames (bsc#1109837).
- vfio iommu: Add dma available capability (bsc#1179573 LTC#190106).
- vfio-pci: Use io_remap_pfn_range() for PCI IO memory (bsc#1181231).
- vhost/vsock: fix vhost vsock cid hashing inconsistent (git-fixes).
- virtio_net: Keep vnet header zeroed if XDP is loaded for small buffer (git-fixes).
- wan: ds26522: select CONFIG_BITREVERSE (git-fixes).
- wil6210: select CONFIG_CRC32 (git-fixes).
- x86/apic: Fix x2apic enablement without interrupt remapping (bsc#1181260, jsc#ECO-3191).
- x86/apic: Support 15 bits of APIC ID in IOAPIC/MSI where available (bsc#1181260, jsc#ECO-3191).
- x86/hyperv: Fix kexec panic/hang issues (bsc#1176831).
- x86/i8259: Use printk_deferred() to prevent deadlock (bsc#1112178).
- x86/ioapic: Handle Extended Destination ID field in RTE (bsc#1181260, jsc#ECO-3191).
- x86/kvm: Add KVM_FEATURE_MSI_EXT_DEST_ID (bsc#1181260, jsc#ECO-3191).
- x86/kvm: Reserve KVM_FEATURE_MSI_EXT_DEST_ID (bsc#1181260, jsc#ECO-3191).
- x86/mm/numa: Remove uninitialized_var() usage (bsc#1112178).
- x86/mm: Fix leak of pmd ptlock (bsc#1112178).
- x86/msi: Only use high bits of MSI address for DMAR unit (bsc#1181260, jsc#ECO-3191).
- x86/mtrr: Correct the range check before performing MTRR type lookups (bsc#1112178).
- x86/resctrl: Do not move a task to the same resource group (bsc#1112178).
- x86/resctrl: Use an IPI instead of task_work_add() to update PQR_ASSOC MSR (bsc#1112178).
- xdp: Fix xsk_generic_xmit errno (bsc#1109837).
- xhci: make sure TRB is fully written before giving it to the controller (git-fixes).
- xhci: tegra: Delay for disabling LFPS detector (git-fixes).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:551-1
Released:    Tue Feb 23 09:31:53 2021
Summary:     Security update for avahi
Type:        security
Severity:    moderate
References:  1180827,CVE-2021-26720
This update for avahi fixes the following issues:

- CVE-2021-26720: drop privileges when invoking avahi-daemon-check-dns.sh (bsc#1180827)
- Update avahi-daemon-check-dns.sh from Debian. Our previous version relied on ifconfig, route, and init.d.
- Add sudo to requires: used to drop privileges.

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:556-1
Released:    Tue Feb 23 11:17:20 2021
Summary:     Recommended update for open-lldp
Type:        recommended
Severity:    moderate
References:  1175570
This update for open-lldp fixes the following issue:

Update to version v1.0.1+65.f3b70663b55e
- Event interface: only set receive buffer size if too small (bsc#1175570)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:653-1
Released:    Fri Feb 26 19:53:43 2021
Summary:     Security update for glibc
Type:        security
Severity:    important
References:  1178386,1179694,1179721,1180038,1181505,1182117,CVE-2019-25013,CVE-2020-27618,CVE-2020-29562,CVE-2020-29573,CVE-2021-3326
This update for glibc fixes the following issues:

- Fix buffer overrun in EUC-KR conversion module (CVE-2019-25013, bsc#1182117, BZ #24973)
- x86: Harden printf against non-normal long double values (CVE-2020-29573, bsc#1179721, BZ #26649)
- gconv: Fix assertion failure in ISO-2022-JP-3 module (CVE-2021-3326, bsc#1181505, BZ #27256)
- iconv: Accept redundant shift sequences in IBM1364 (CVE-2020-27618, bsc#1178386, BZ #26224)
- iconv: Fix incorrect UCS4 inner loop bounds (CVE-2020-29562, bsc#1179694, BZ #26923)
- Fix parsing of /sys/devices/system/cpu/online (bsc#1180038, BZ #25859)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:684-1
Released:    Tue Mar  2 19:05:30 2021
Summary:     Security update for grub2
Type:        security
Severity:    important
References:  1175970,1176711,1177883,1179264,1179265,1182057,1182262,1182263,CVE-2020-14372,CVE-2020-25632,CVE-2020-25647,CVE-2020-27749,CVE-2020-27779,CVE-2021-20225,CVE-2021-20233
This update for grub2 fixes the following issues:

grub2 now implements the new 'SBAT' method for SHIM based secure boot revocation. (bsc#1182057)

Following security issues are fixed that can violate secure boot constraints:

- CVE-2020-25632: Fixed a use-after-free in rmmod command (bsc#1176711)
- CVE-2020-25647: Fixed an out-of-bound write in grub_usb_device_initialize() (bsc#1177883)
- CVE-2020-27749: Fixed a stack buffer overflow in grub_parser_split_cmdline (bsc#1179264)
- CVE-2020-27779, CVE-2020-14372: Disallow cutmem and acpi commands in secure boot mode (bsc#1179265 bsc#1175970)
- CVE-2021-20225: Fixed a heap out-of-bounds write in short form option parser (bsc#1182262)
- CVE-2021-20233: Fixed a heap out-of-bound write due to mis-calculation of space required for quoting (bsc#1182263)


-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:689-1
Released:    Tue Mar  2 19:08:40 2021
Summary:     Security update for bind
Type:        security
Severity:    important
References:  1180933
This update for bind fixes the following issues:

- dnssec-keygen can no longer generate HMAC keys. Use tsig-keygen instead. [bsc#1180933]

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:723-1
Released:    Mon Mar  8 16:45:27 2021
Summary:     Security update for openldap2
Type:        security
Severity:    important
References:  1182279,1182408,1182411,1182412,1182413,1182415,1182416,1182417,1182418,1182419,1182420,CVE-2020-36221,CVE-2020-36222,CVE-2020-36223,CVE-2020-36224,CVE-2020-36225,CVE-2020-36226,CVE-2020-36227,CVE-2020-36228,CVE-2020-36229,CVE-2020-36230,CVE-2021-27212
This update for openldap2 fixes the following issues:

- bsc#1182408 CVE-2020-36230 - an assertion failure in slapd in the
  X.509 DN parsing in decode.c ber_next_element, resulting in denial
  of service.
- bsc#1182411 CVE-2020-36229 - ldap_X509dn2bv crash in the X.509 DN
  parsing in ad_keystring, resulting in denial of service.
- bsc#1182412 CVE-2020-36228 - integer underflow leading to crash
  in the Certificate List Exact Assertion processing, resulting in
  denial of service.
- bsc#1182413 CVE-2020-36227 - infinite loop in slapd with the
  cancel_extop Cancel operation, resulting in denial of service.
- bsc#1182416 CVE-2020-36225 - double free and slapd crash in the
  saslAuthzTo processing, resulting in denial of service.
- bsc#1182417 CVE-2020-36224 - invalid pointer free and slapd crash
  in the saslAuthzTo processing, resulting in denial of service.
- bsc#1182415 CVE-2020-36226 - memch->bv_len miscalculation and slapd
  crash in the saslAuthzTo processing, resulting in denial of service.
- bsc#1182419 CVE-2020-36222 - assertion failure in slapd in the
  saslAuthzTo validation, resulting in denial of service.
- bsc#1182420 CVE-2020-36221 - slapd crashes in the Certificate Exact
  Assertion processing, resulting in denial of service (schema_init.c
  serialNumberAndIssuerCheck).
- bsc#1182418 CVE-2020-36223 - slapd crash in the Values Return Filter
  control handling, resulting in denial of service (double free and
  out-of-bounds read).
- bsc#1182279 CVE-2021-27212 - an assertion failure in slapd can occur
    in the issuerAndThisUpdateCheck function via a crafted packet,
    resulting in a denial of service (daemon exit) via a short timestamp.
    This is related to schema_init.c and checkTime.

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:737-1
Released:    Tue Mar  9 16:07:48 2021
Summary:     Security update for the Linux Kernel
Type:        security
Severity:    important
References:  1065600,1163617,1170442,1176855,1179082,1179428,1179660,1180058,1180262,1180964,1181671,1181747,1181753,1181843,1181854,1182047,1182130,1182140,1182175,CVE-2020-29368,CVE-2020-29374,CVE-2021-26930,CVE-2021-26931,CVE-2021-26932
The SUSE Linux Enterprise 15 SP1 kernel was updated receive various security and bugfixes.

The following security bugs were fixed:

- CVE-2021-26930: Fixed an improper error handling in blkback's grant mapping (XSA-365 bsc#1181843).
- CVE-2021-26931: Fixed an issue where Linux  kernel was treating grant mapping errors as bugs (XSA-362 bsc#1181753).
- CVE-2021-26932: Fixed improper error handling issues in Linux grant mapping (XSA-361 bsc#1181747).
  by remote attackers to read or write files via directory traversal in an XCOPY request (bsc#178372).
- CVE-2020-29368,CVE-2020-29374: Fixed an issue in copy-on-write implementation which could have granted unintended write access
  because of a race condition in a THP mapcount check (bsc#1179660, bsc#1179428).

The following non-security bugs were fixed:

- btrfs: Cleanup try_flush_qgroup (bsc#1182047).
- btrfs: Do not flush from btrfs_delayed_inode_reserve_metadata (bsc#1182047).
- btrfs: fix data bytes_may_use underflow with fallocate due to failed quota reserve (bsc#1182130)
- btrfs: Free correct amount of space in btrfs_delayed_inode_reserve_metadata (bsc#1182047).
- btrfs: Remove btrfs_inode from btrfs_delayed_inode_reserve_metadata (bsc#1182047).
- btrfs: Simplify code flow in btrfs_delayed_inode_reserve_metadata (bsc#1182047).
- btrfs: Unlock extents in btrfs_zero_range in case of errors (bsc#1182047).
- Drivers: hv: vmbus: Avoid use-after-free in vmbus_onoffer_rescind() (git-fixes).
- ibmvnic: fix a race between open and reset (bsc#1176855 ltc#187293).
- kernel-binary.spec: Add back initrd and image symlink ghosts to filelist (bsc#1182140). Fixes: 76a9256314c3 ('rpm/kernel-{source,binary}.spec: do not include ghost symlinks (boo#1179082).')
- libnvdimm/dimm: Avoid race between probe and available_slots_show() (bsc#1170442).
- net: bcmgenet: add support for ethtool rxnfc flows (git-fixes).
- net: bcmgenet: code movement (git-fixes).
- net: bcmgenet: fix mask check in bcmgenet_validate_flow() (git-fixes).
- net: bcmgenet: Fix WoL with password after deep sleep (git-fixes).
- net: bcmgenet: re-remove bcmgenet_hfb_add_filter (git-fixes).
- net: bcmgenet: set Rx mode before starting netif (git-fixes).
- net: bcmgenet: use __be16 for htons(ETH_P_IP) (git-fixes).
- net: bcmgenet: Use correct I/O accessors (git-fixes).
- net: lpc-enet: fix error return code in lpc_mii_init() (git-fixes).
- net/mlx4_en: Handle TX error CQE (bsc#1181854).
- net: moxa: Fix a potential double 'free_irq()' (git-fixes).
- net: sun: fix missing release regions in cas_init_one() (git-fixes).
- nvme-multipath: Early exit if no path is available (bsc#1180964).
- rpm/post.sh: Avoid purge-kernel for the first installed kernel (bsc#1180058)
- scsi: target: fix unmap_zeroes_data boolean initialisation (bsc#1163617).
- usb: dwc2: Abort transaction after errors with unknown reason (bsc#1180262).
- usb: dwc2: Do not update data length if it is 0 on inbound transfers (bsc#1180262).
- usb: dwc2: Make 'trimming xfer length' a debug message (bsc#1180262).
- vmxnet3: Remove buf_info from device accessible structures (bsc#1181671).
- xen/netback: avoid race in xenvif_rx_ring_slots_available() (bsc#1065600).
- xen/netback: fix spurious event detection for common event case (bsc#1182175).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:753-1
Released:    Tue Mar  9 17:09:57 2021
Summary:     Security update for openssl-1_1
Type:        security
Severity:    moderate
References:  1182331,1182333,CVE-2021-23840,CVE-2021-23841
This update for openssl-1_1 fixes the following issues:

- CVE-2021-23840: Fixed an Integer overflow in CipherUpdate (bsc#1182333)
- CVE-2021-23841: Fixed a Null pointer dereference in X509_issuer_and_serial_hash() (bsc#1182331)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:784-1
Released:    Mon Mar 15 11:19:08 2021
Summary:     Recommended update for efivar
Type:        recommended
Severity:    moderate
References:  1181967
This update for efivar fixes the following issues:

- Fixed an issue with the NVME path parsing (bsc#1181967)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:786-1
Released:    Mon Mar 15 11:19:23 2021
Summary:     Recommended update for zlib
Type:        recommended
Severity:    moderate
References:  1176201
This update for zlib fixes the following issues:

- Fixed hw compression on z15 (bsc#1176201)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:890-1
Released:    Fri Mar 19 15:51:41 2021
Summary:     Security update for glib2
Type:        security
Severity:    important
References:  1182328,1182362,CVE-2021-27218,CVE-2021-27219
This update for glib2 fixes the following issues:

- CVE-2021-27218: g_byte_array_new_take takes a gsize as length but stores in a guint, this patch will refuse if the length is larger than guint. (bsc#1182328)

- CVE-2021-27219: g_memdup takes a guint as parameter and sometimes leads into an integer overflow, so add a g_memdup2 function which uses gsize to replace it. (bsc#1182362)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:924-1
Released:    Tue Mar 23 10:00:49 2021
Summary:     Recommended update for filesystem
Type:        recommended
Severity:    moderate
References:  1078466,1146705,1175519,1178775,1180020,1180083,1180596,1181011,1181831,1183094
This update for filesystem the following issues:

- Remove duplicate line due to merge error
- Add fix for 'mesa' creating cache with perm 0700. (bsc#1181011) 
- Fixed an issue causing failure during installation/upgrade a failure. (rh#1548403) (bsc#1146705)
- Allows to override config to add cleanup options of '/var/tmp'. (bsc#1078466)
- Create config to cleanup '/tmp' regular required with 'tmpfs'. (bsc#1175519)

This update for systemd fixes the following issues:

- Fix for a possible memory leak. (bsc#1180020)
- Fix for a case when to a bind mounted directory results inactive mount units. (#7811) (bsc#1180596)
- Fixed an issue when starting a container conflicts with another one. (bsc#1178775)
- Drop most of the tmpfiles that deal with generic paths and avoid warnings. (bsc#1078466, bsc#1181831)
- Don't use shell redirections when calling a rpm macro. (bsc#1183094)
- 'systemd' requires 'aaa_base' >= 13.2. (bsc#1180083)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:926-1
Released:    Tue Mar 23 13:20:24 2021
Summary:     Recommended update for systemd-presets-common-SUSE
Type:        recommended
Severity:    moderate
References:  1083473,1112500,1115408,1165780,1183012
This update for systemd-presets-common-SUSE fixes the following issues:

- Add default user preset containing:
  - enable `pulseaudio.socket` (bsc#1083473)
  - enable `pipewire.socket` (bsc#1183012)
  - enable `pipewire-pulse.socket` (bsc#1183012)
  - enable `pipewire-media-session.service` (used with pipewire >= 0.3.23)
- Changes to the default preset:
  - enable `btrfsmaintenance-refresh.path`.
  - disable `btrfsmaintenance-refresh.service`.
  - enable `dnf-makecache.timer`.
  - enable `ignition-firstboot-complete.service`.
  - enable logwatch.timer and avoid to have logwatch out of sync with logrotate. (bsc#1112500)
  - enable `mlocate.timer`. Recent versions of mlocate don't use `updatedb.timer` any more. (bsc#1115408)
  - remove enable `updatedb.timer` 
- Avoid needless refresh on boot. (bsc#1165780)
  
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:931-1
Released:    Wed Mar 24 12:10:41 2021
Summary:     Security update for nghttp2
Type:        security
Severity:    important
References:  1172442,1181358,CVE-2020-11080
This update for nghttp2 fixes the following issues:

- CVE-2020-11080: HTTP/2 Large Settings Frame DoS (bsc#1181358)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:933-1
Released:    Wed Mar 24 12:16:14 2021
Summary:     Security update for ruby2.5
Type:        security
Severity:    important
References:  1177125,1177222,CVE-2020-25613
This update for ruby2.5 fixes the following issues:

- CVE-2020-25613: Fixed a potential HTTP Request Smuggling  in WEBrick (bsc#1177125).
- Enable optimizations also on ARM64 (bsc#1177222)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:934-1
Released:    Wed Mar 24 12:18:21 2021
Summary:     Security update for gnutls
Type:        security
Severity:    important
References:  1183456,1183457,CVE-2021-20231,CVE-2021-20232
This update for gnutls fixes the following issues:

- CVE-2021-20232: Fixed a use after free issue which could have led to memory corruption and other potential consequences (bsc#1183456).
- CVE-2021-20231: Fixed a use after free issue which could have led to memory corruption and other potential consequences (bsc#1183457).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:944-1
Released:    Wed Mar 24 13:41:45 2021
Summary:     Security update for ldb
Type:        security
Severity:    important
References:  1183572,1183574,CVE-2020-27840,CVE-2021-20277
This update for ldb fixes the following issues:

- CVE-2020-27840: Fixed an unauthenticated remote heap corruption via bad DNs (bsc#1183572).
- CVE-2021-20277: Fixed an out of bounds read in ldb_handler_fold (bsc#1183574).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:947-1
Released:    Wed Mar 24 14:30:58 2021
Summary:     Security update for python3
Type:        security
Severity:    moderate
References:  1182379,CVE-2021-23336
This update for python3 fixes the following issues:

- python36 was updated to 3.6.13
- CVE-2021-23336: Fixed a potential web cache poisoning by using a semicolon in query parameters use of semicolon as a query string separator (bsc#1182379).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:948-1
Released:    Wed Mar 24 14:31:34 2021
Summary:     Security update for zstd
Type:        security
Severity:    moderate
References:  1183370,1183371,CVE-2021-24031,CVE-2021-24032
This update for zstd fixes the following issues:

- CVE-2021-24031: Added read permissions to files while being compressed or uncompressed (bsc#1183371).
- CVE-2021-24032: Fixed a race condition which could have allowed an attacker to access world-readable destination file (bsc#1183370).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:951-1
Released:    Thu Mar 25 14:36:20 2021
Summary:     Recommended update for rsyslog
Type:        recommended
Severity:    moderate
References:  1178490
This update for rsyslog fixes the following issues:

- Fix groupname retrieval for large groups. (bsc#1178490)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:956-1
Released:    Thu Mar 25 19:19:02 2021
Summary:     Security update for libzypp, zypper
Type:        security
Severity:    moderate
References:  1050625,1174016,1177238,1177275,1177427,1177583,1178910,1178966,1179083,1179222,1179816,1179847,1179909,1180077,1180663,1180721,1181328,1181622,1182629,CVE-2017-9271
This update for libzypp, zypper fixes the following issues:

Update zypper to version 1.14.43:

- doc: give more details about creating versioned package locks
  (bsc#1181622)
- man: Document synonymously used patch categories (bsc#1179847)
- Fix source-download commands help (bsc#1180663)
- man: Recommend to use the --non-interactive global option rather than the command option -y (bsc#1179816)
- Extend apt packagemap (fixes #366)
- --quiet: Fix install summary to write nothing if there's nothing todo (bsc#1180077)
- Prefer /run over /var/run.

Update libzypp to 17.25.8:

- Try to provide a mounted /proc in --root installs (bsc#1181328)
  Some systemd tools require /proc to be mounted and fail if it's
  not there.
- Enable release packages to request a releaxed suse/opensuse
  vendorcheck in dup when migrating. (bsc#1182629)
- Patch: Identify well-known category names (bsc#1179847)
  This allows to use the RH and SUSE patch categrory names
  synonymously:
  (recommended = bugfix) and (optional = feature = enhancement).
- Add missing includes for GCC 11 compatibility.
- Fix %posttrans script execution (fixes #265)
  The scripts are execuable. No need to call them through 'sh -c'.
- Commit: Fix rpmdb compat symlink in case rpm got removed.
- Repo: Allow multiple baseurls specified on one line (fixes #285)
- Regex: Fix memory leak and undefined behavior.
- Add rpm buildrequires for test suite (fixes #279)
- Use rpmdb2solv new -D switch to tell the location ob the
  rpmdatabase to use.
- CVE-2017-9271: Fixed information leak in the log file (bsc#1050625 bsc#1177583)
- RepoManager: Force refresh if repo url has changed (bsc#1174016)
- RepoManager: Carefully tidy up the caches. Remove non-directory entries. (bsc#1178966)
- RepoInfo: ignore legacy type= in a .repo file and let RepoManager probe (bsc#1177427).
- RpmDb: If no database exists use the _dbpath configured in rpm.  Still makes sure a compat
  symlink at /var/lib/rpm exists in case the configures _dbpath is elsewhere. (bsc#1178910)
- Fixed update of gpg keys with elongated expire date (bsc#1179222)
- needreboot: remove udev from the list (bsc#1179083)
- Fix lsof monitoring (bsc#1179909)
- Rephrase solver problem descriptions (jsc#SLE-8482)
- Adapt to changed gpg2/libgpgme behavior (bsc#1180721)
- Multicurl backend breaks with with unknown filesize (fixes #277)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:974-1
Released:    Mon Mar 29 19:31:27 2021
Summary:     Security update for tar
Type:        security
Severity:    low
References:  1181131,CVE-2021-20193
This update for tar fixes the following issues:

CVE-2021-20193: Memory leak in read_header() in list.c (bsc#1181131)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:985-1
Released:    Tue Mar 30 14:43:43 2021
Summary:     Recommended update for the Azure SDK and CLI
Type:        recommended
Severity:    moderate
References:  1125671,1140565,1154393,1174514,1175289,1176784,1176785,1178168,CVE-2020-14343,CVE-2020-25659

This update for the Azure SDK and CLI adds support for the AHB (Azure Hybrid Benefit).
(bsc#1176784, jsc#ECO=3105)
  
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:991-1
Released:    Wed Mar 31 13:28:37 2021
Summary:     Recommended update for vim
Type:        recommended
Severity:    moderate
References:  1182324
This update for vim provides the following fixes:

- Install SUSE vimrc in /usr. (bsc#1182324)
- Source correct suse.vimrc file. (bsc#1182324)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:1004-1
Released:    Thu Apr  1 15:07:09 2021
Summary:     Recommended update for libcap
Type:        recommended
Severity:    moderate
References:  1180073
This update for libcap fixes the following issues:

- Added support for the ambient capabilities (jsc#SLE-17092, jsc#ECO-3460)
- Changed the license tag from 'BSD-3-Clause and GPL-2.0' to 'BSD-3-Clause OR GPL-2.0-only' (bsc#1180073)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:1021-1
Released:    Tue Apr  6 14:30:30 2021
Summary:     Recommended update for cups
Type:        recommended
Severity:    moderate
References:  1175960
This update for cups fixes the following issues:

- Fixed the web UI kerberos authentication (bsc#1175960)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:1141-1
Released:    Mon Apr 12 13:13:36 2021
Summary:     Recommended update for openldap2
Type:        recommended
Severity:    low
References:  1182791
This update for openldap2 fixes the following issues:

- Improved the proxy connection timeout options to prune connections properly (bsc#1182791)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:1161-1
Released:    Tue Apr 13 11:35:57 2021
Summary:     Security update for cifs-utils
Type:        security
Severity:    moderate
References:  1183239,CVE-2021-20208
This update for cifs-utils fixes the following issues:

- CVE-2021-20208: Fixed a potential kerberos auth leak escaping from container (bsc#1183239)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:1164-1
Released:    Tue Apr 13 14:01:58 2021
Summary:     Security update for open-iscsi
Type:        security
Severity:    important
References:  1173886,1179908,1183421,CVE-2020-13987,CVE-2020-13988,CVE-2020-17437,CVE-2020-17438
This update for open-iscsi fixes the following issues:

- CVE-2020-17437: uIP Out-of-Bounds Write (bsc#1179908)
- CVE-2020-17438: uIP Out-of-Bounds Write (bsc#1179908)
- CVE-2020-13987: uIP Out-of-Bounds Read (bsc#1179908)
- CVE-2020-13988: uIP Integer Overflow (bsc#1179908)
- Enabled no-wait ('-W') iscsiadm option for iscsi login service (bsc#1173886, bsc#1183421)
- Added the ability to perform async logins (bsc#1173886)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:1169-1
Released:    Tue Apr 13 15:01:42 2021
Summary:     Recommended update for procps
Type:        recommended
Severity:    low
References:  1181976
This update for procps fixes the following issues:

- Corrected a statement in the man page about processor pinning via taskset (bsc#1181976)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:1245-1
Released:    Fri Apr 16 14:46:38 2021
Summary:     Security update for qemu
Type:        security
Severity:    important
References:  1172383,1172384,1172385,1172386,1172478,1173612,1174386,1174641,1175441,1176673,1176682,1176684,1178049,1178174,1178565,1178934,1179466,1179467,1179468,1179686,1180523,1181108,1181639,1181933,1182137,1182425,1182577,1182968,1183979,CVE-2020-11947,CVE-2020-12829,CVE-2020-13361,CVE-2020-13362,CVE-2020-13659,CVE-2020-13765,CVE-2020-14364,CVE-2020-15469,CVE-2020-15863,CVE-2020-16092,CVE-2020-25084,CVE-2020-25624,CVE-2020-25625,CVE-2020-25723,CVE-2020-27617,CVE-2020-27821,CVE-2020-28916,CVE-2020-29129,CVE-2020-29130,CVE-2020-29443,CVE-2021-20181,CVE-2021-20203,CVE-2021-20221,CVE-2021-20257,CVE-2021-3416
This update for qemu fixes the following issues:


- Fix OOB access in sm501 device emulation (CVE-2020-12829, bsc#1172385)
- Fix OOB access possibility in MegaRAID SAS 8708EM2 emulation (CVE-2020-13362 bsc#1172383)
- Fix use-after-free in usb xhci packet handling (CVE-2020-25723, bsc#1178934)
- Fix use-after-free in usb ehci packet handling (CVE-2020-25084, bsc#1176673)
- Fix OOB access in usb hcd-ohci emulation (CVE-2020-25624, bsc#1176682)
- Fix infinite loop (DoS) in usb hcd-ohci emulation (CVE-2020-25625, bsc#1176684)
- Fix guest triggerable assert in shared network handling code (CVE-2020-27617, bsc#1178174)
- Fix infinite loop (DoS) in e1000e device emulation (CVE-2020-28916, bsc#1179468)
- Fix OOB access in atapi emulation (CVE-2020-29443, bsc#1181108)
- Fix heap overflow in MSIx emulation (CVE-2020-27821, bsc#1179686)
- Fix null pointer deref. (DoS) in mmio ops (CVE-2020-15469, bsc#1173612)
- Fix infinite loop (DoS) in e1000 device emulation (CVE-2021-20257, bsc#1182577)
- Fix OOB access (stack overflow) in rtl8139 NIC emulation (CVE-2021-3416, bsc#1182968)
- Fix OOB access (stack overflow) in other NIC emulations (CVE-2021-3416)
- Fix OOB access in SLIRP ARP/NCSI packet processing (CVE-2020-29129, bsc#1179466, CVE-2020-29130, bsc#1179467)
- Fix null pointer dereference possibility (DoS) in MegaRAID SAS 8708EM2 emulation (CVE-2020-13659 bsc#1172386)
- Fix issue where s390 guest fails to find zipl boot menu index (bsc#1183979)
- Fix OOB access in iscsi (CVE-2020-11947 bsc#1180523)
- Fix OOB access in vmxnet3 emulation (CVE-2021-20203 bsc#1181639)
- Fix package scripts to not use hard coded paths for temporary working directories and log files (bsc#1182425)
- Fix potential privilege escalation in virtfs (CVE-2021-20181 bsc#1182137)
- Apply fixes to qemu scsi passthrough with respect to timeout and error conditions, including using more correct status codes. (bsc#1178049)
- Fix OOB access in ARM interrupt handling (CVE-2021-20221 bsc#1181933)
- Tweaks to spec file for better formatting, and remove not needed BuildRequires for e2fsprogs-devel and libpcap-devel
- Fix OOB access possibility in ES1370 audio device emulation (CVE-2020-13361 bsc#1172384)
- Fix OOB access in ROM loading (CVE-2020-13765 bsc#1172478)
- Fix OOB access while processing USB packets (CVE-2020-14364 bsc#1175441)
- Fix DoS in packet processing of various emulated NICs (CVE-2020-16092 bsc#1174641)
- Fix buffer overflow in the XGMAC device (CVE-2020-15863 bsc#1174386)
- Use '%service_del_postun_without_restart' instead of '%service_del_postun' to avoid 'Failed to try-restart [email protected]' error while updating the qemu-guest-agent. (bsc#1178565)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:1270-1
Released:    Tue Apr 20 14:04:29 2021
Summary:     Recommended update for grub2
Type:        recommended
Severity:    important
References:  1181696,1182012,1183761
This update for grub2 fixes the following issues:

- Fix error `grub_file_filters not found` in Azure virtual machine. (bsc#1182012)
- Fix a migration issue due to a lower build number in higher service packs. (bsc#1183761)
- Fix executable stack marking in `grub-emu`. (bsc#1181696)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:1275-1
Released:    Tue Apr 20 14:31:26 2021
Summary:     Security update for sudo
Type:        security
Severity:    important
References:  1183936,CVE-2021-3156
This update for sudo fixes the following issues:

- L3: Tenable Scan reports sudo is vulnerable to CVE-2021-3156 (bsc#1183936)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:1280-1
Released:    Tue Apr 20 14:34:19 2021
Summary:     Security update for ruby2.5
Type:        security
Severity:    moderate
References:  1184644,CVE-2021-28965
This update for ruby2.5 fixes the following issues:

- Update to 2.5.9
- CVE-2021-28965: XML round-trip vulnerability in REXML (bsc#1184644)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:1295-1
Released:    Wed Apr 21 14:08:19 2021
Summary:     Recommended update for systemd-presets-common-SUSE
Type:        recommended
Severity:    moderate
References:  1184136
This update for systemd-presets-common-SUSE fixes the following issues:

- Enabled hcn-init.service for HNV on POWER (bsc#1184136)

-----------------------------------------------------------------
Advisory ID: SUSE-OU-2021:1296-1
Released:    Wed Apr 21 14:09:28 2021
Summary:     Optional update for e2fsprogs
Type:        optional
Severity:    low
References:  1183791
This update for e2fsprogs fixes the following issues:

- Fixed an issue when building e2fsprogs (bsc#1183791)

This patch does not fix any user visible issues and is therefore optional to install.

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:1297-1
Released:    Wed Apr 21 14:10:10 2021
Summary:     Recommended update for systemd
Type:        recommended
Severity:    moderate
References:  1178219
This update for systemd fixes the following issues:

- Improved the logs emitted by systemd-shutdown during the shutdown process, when applications cannot
  be stopped properly and would leave mount points mounted.

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:1407-1
Released:    Wed Apr 28 15:49:02 2021
Summary:     Recommended update for libcap
Type:        recommended
Severity:    important
References:  1184690
This update for libcap fixes the following issues:

- Add explicit dependency on 'libcap2' with version to 'libcap-progs' and 'pam_cap'. (bsc#1184690)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:1412-1
Released:    Wed Apr 28 17:09:28 2021
Summary:     Security update for libnettle
Type:        security
Severity:    important
References:  1184401,CVE-2021-20305
This update for libnettle fixes the following issues:

- CVE-2021-20305: Fixed the multiply function which was being called with out-of-range scalars (bsc#1184401).

-----------------------------------------------------------------
Advisory ID: SUSE-OU-2021:1425-1
Released:    Thu Apr 29 06:23:08 2021
Summary:     Optional update for tcpdump
Type:        optional
Severity:    low
References:  1183800
This update for tcpdump fixes the following issues:

- Disabled five regression tests that fail with libpcap > 1.8.1 (bsc#1183800)

This patch does not fix any user visible issues and is therefore optional to install.

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:1449-1
Released:    Fri Apr 30 08:08:25 2021
Summary:     Recommended update for systemd-presets-branding-SLE
Type:        recommended
Severity:    moderate
References:  1165780
This update for systemd-presets-branding-SLE fixes the following issues:

- Don't enable 'btrfsmaintenance-refresh.service', 'btrfsmaintenance' is managed by systemd-presets-common-SUSE instead. (bsc#1165780)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:1454-1
Released:    Fri Apr 30 09:22:26 2021
Summary:     Security update for cups
Type:        security
Severity:    important
References:  1184161,CVE-2021-25317
This update for cups fixes the following issues:

- CVE-2021-25317: ownership of /var/log/cups could allow privilege escalation from lp user to root via symlink attacks (bsc#1184161)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:1456-1
Released:    Fri Apr 30 12:00:01 2021
Summary:     Recommended update for cifs-utils
Type:        recommended
Severity:    important
References:  1184815
This update for cifs-utils fixes the following issues:

- Fixed a bug where it was no longer possible to mount CIFS filesystem after the
  last maintenance update (bsc#1184815)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:1471-1
Released:    Tue May  4 08:36:57 2021
Summary:     Security update for bind
Type:        security
Severity:    important
References:  1183453,1185345,CVE-2021-25214,CVE-2021-25215
This update for bind fixes the following issues:

- CVE-2021-25214: Fixed a broken inbound incremental zone update (IXFR) which could have caused named to terminate unexpectedly (bsc#1185345).
- CVE-2021-25215: Fixed an assertion check which could have failed while answering queries for DNAME records that required the DNAME to be processed to resolve itself (bsc#1185345).
- make /usr/bin/delv in bind-tools position independent (bsc#1183453).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:1493-1
Released:    Tue May  4 17:13:34 2021
Summary:     Security update for avahi
Type:        security
Severity:    moderate
References:  1184521,CVE-2021-3468
This update for avahi fixes the following issues:

- CVE-2021-3468: avoid infinite loop by handling  HUP event in client_work (bsc#1184521).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:1498-1
Released:    Tue May  4 17:17:43 2021
Summary:     Security update for samba
Type:        security
Severity:    important
References:  1178469,1179156,1183572,1183574,1184310,1184677,CVE-2020-27840,CVE-2021-20254,CVE-2021-20277
This update for samba fixes the following issues:

- CVE-2021-20277: Fixed an out of bounds read in ldb_handler_fold (bsc#1183574).
- CVE-2021-20254: Fixed a buffer overrun in sids_to_unixids() (bsc#1184677).
- CVE-2020-27840: Fixed an unauthenticated remote heap corruption via bad DNs (bsc#1183572).
- Avoid free'ing our own pointer in memcache when memcache_trim attempts to reduce cache size (bsc#1179156).
- s3-libads: use dns name to open a ldap session (bsc#1184310).
- Adjust smbcacls '--propagate-inheritance' feature to align with upstream (bsc#1178469).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:1523-1
Released:    Wed May  5 18:24:20 2021
Summary:     Security update for libxml2
Type:        security
Severity:    moderate
References:  1185408,1185409,1185410,CVE-2021-3516,CVE-2021-3517,CVE-2021-3518
This update for libxml2 fixes the following issues:

- CVE-2021-3518: Fixed a use after free in xinclude.c:xmlXIncludeDoProcess (bsc#1185408).
- CVE-2021-3517: Fixed a heap based buffer overflow in entities.c:xmlEncodeEntitiesInternal (bsc#1185410).
- CVE-2021-3516: Fixed a use after free in entities.c:xmlEncodeEntitiesInternal (bsc#1185409).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:1527-1
Released:    Thu May  6 08:58:53 2021
Summary:     Recommended update for bash
Type:        recommended
Severity:    important
References:  1183064
This update for bash fixes the following issues:

- Fixed a segmentation fault that used to occur when bash read a history file
  that was malformed in a very specific way. (bsc#1183064)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:1533-1
Released:    Thu May  6 17:04:28 2021
Summary:     Recommended update for google-guest-agent, google-guest-configs, google-guest-oslogin, google-osconfig-agent
Type:        recommended
Severity:    moderate
References:  1174304,1174306,1175740,1175741,1179031,1179032,1180304,1182793,1183414,1183415
This update for google-guest-agent, google-guest-configs, google-guest-oslogin, google-osconfig-agent contains the following fixes:

Changes in google-guest-agent:
- Update to version 20210223.01 (bsc#1183414, bsc#1183415)
  * add a match block to sshd_config for SAs (#99)
  * add ipv6 forwarded ip support (#101)
  * call restorecon on ssh host keys (#98)
  * Include startup and shutdown in preset (#96)
  * set metadata URL earlier (#94)
- Fix activation logic of systemd services (bsc#1182793)

- Update to version 20201211.00
  * Require snapshot scripts to live under /etc/google/snapshots (#90)
  * Adding support for Windows user account password lengths
    between 15 and 255 characters. (#91)
  * Adding bkatyl to OWNERS (#92)

Changes in google-guest-configs:
- Update to version 20210317.00 (bsc#1183414, bsc#1183415)
  * dracut.conf wants spaces around values (#19)
  * make the same change for debian (#18)
  * change path back for google_nvme_id (#17)
  * move google_nvme_id to /usr/bin (#16)
  * correct udev rule syntax (#15)
  * prune el6 spec (#13)
  * Updated udev rules (#11)
- Remove empty %{_sbindir} from %install and %files section

- Remove service files (bsc#1180304)
  + google-optimize-local-ssd.service, google-set-multiqueue.service
    scripts are called from within the guest agent

Changes in google-guest-oslogin:
- Update to version 20210316.00 (bsc#1183414, bsc#1183415)
  * call correct function in pwenthelper (#53)

- Update to version 20210108.00
  * Update logic in the cache_refresh binary (#52)
  * remove old unused workflow files (#49)

  * add getpwnam,getpwuid,getgrnam,getgrgid (#42)
  * Change requires to not require the python library for policycoreutils. (#44)
  * add dial and recvline (#41)
  * PR feedback
  * new client component and tests

Changes in google-osconfig-agent:

- Update to version 20210316.00 (bsc#1183414, bsc#1183415)
  * call correct function in pwenthelper (#53)

- Update to version 20210108.00
  * Update logic in the cache_refresh binary (#52)
  * remove old unused workflow files (#49)

- Update to version 20200925.00 (bsc#1179031, bsc#1179032)
  * add getpwnam,getpwuid,getgrnam,getgrgid (#42)
  * Change requires to not require the python library for policycoreutils. (#44)
  * add dial and recvline (#41)
  * PR feedback
  * new client component and tests

- Update to version 20200819.00 (bsc#1175740, bsc#1175741)
  * deny non-2fa users (#37)
  * use asterisks instead (#39)
  * set passwords to ! (#38)
  * correct index 0 bug (#36)
  * Support security key generated OTP challenges. (#35)

- No post action for ssh

- Initial build (bsc#1174304, bsc#1174306, jsc#ECO-2099, jsc#PM-1945)
  + Version 20200507.00
  + Replaces google-compute-engine-oslogin package
  
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:1543-1
Released:    Fri May  7 15:16:33 2021
Summary:     Recommended update for patterns-microos
Type:        recommended
Severity:    moderate
References:  1184435
This update for patterns-microos provides the following fix:

- Require the libvirt-daemon-qemu package and include the needed dependencies in the
  product. (bsc#1184435)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:1549-1
Released:    Mon May 10 13:48:00 2021
Summary:     Recommended update for procps
Type:        recommended
Severity:    moderate
References:  1185417
This update for procps fixes the following issues:

- Support up to 2048 CPU as well. (bsc#1185417)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:1557-1
Released:    Tue May 11 09:50:00 2021
Summary:     Security update for python3
Type:        security
Severity:    moderate
References:  1183374,CVE-2021-3426
This update for python3 fixes the following issues:

- CVE-2021-3426: Fixed an information disclosure via pydoc (bsc#1183374)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:1564-1
Released:    Tue May 11 13:29:55 2021
Summary:     Security update for shim
Type:        security
Severity:    important
References:  1177315,1182057,1185464
This update for shim fixes the following issues:

- Update to the unified shim binary for SBAT support (bsc#1182057)
  + Merged EKU codesign check (bsc#1177315)
- shim-install: Always assume 'removable' for Azure to avoid the endless reset loop (bsc#1185464).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:1565-1
Released:    Tue May 11 14:20:04 2021
Summary:     Recommended update for krb5
Type:        recommended
Severity:    moderate
References:  1185163
This update for krb5 fixes the following issues:

- Use '/run' instead of '/var/run' for daemon PID files. (bsc#1185163);

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:1566-1
Released:    Wed May 12 09:39:16 2021
Summary:     Recommended update for chrony
Type:        recommended
Severity:    moderate
References:  1162964,1184400
This update for chrony fixes the following issues:

- Fix build with glibc-2.31 (bsc#1162964)
- Use /run instead of /var/run for PIDFile in chronyd.service (bsc#1184400)

-----------------------------------------------------------------
Advisory ID: SUSE-OU-2021:1592-1
Released:    Wed May 12 13:47:41 2021
Summary:     Optional update for sed
Type:        optional
Severity:    low
References:  1183797
This update for sed fixes the following issues:

- Fixed a building issue with glibc-2.31 (bsc#1183797).

This patch is optional to install.

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:1602-1
Released:    Thu May 13 16:35:19 2021
Summary:     Recommended update for libsolv, libzypp
Type:        recommended
Severity:    moderate
References:  1180851,1181874,1182936,1183628,1184997,1185239
This update for libsolv and libzypp fixes the following issues:

libsolv:

Upgrade from version 0.7.17 to version 0.7.19

- Fix rare segfault in `resolve_jobrules()` that could happen if new rules are learned.
- Fix memory leaks in error cases
- Fix error handling in `solv_xfopen_fd()`
- Fix regex code on win32
- fixed memory leak in choice rule generation
- `repo_add_conda`: add a flag to skip version 2 packages.

libzypp:

Upgrade from version 17.25.8 to version 17.25.10

- Properly handle permission denied when providing optional files. (bsc#1185239)
- Fix service detection with `cgroupv2`. (bsc#1184997)
- Add missing includes for GCC 11. (bsc#1181874)
- Fix unsafe usage of static in media verifier.
- `Solver`: Avoid segfault if no system is loaded. (bsc#1183628)
- `MediaVerifier`: Relax media set verification in case of a single not-volatile medium. (bsc#1180851)
- Do no cleanup in custom cache dirs. (bsc#1182936)
- `ZConfig`: let `pubkeyCachePath` follow `repoCachePath`.

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:1612-1
Released:    Fri May 14 17:09:39 2021
Summary:     Recommended update for openldap2
Type:        recommended
Severity:    moderate
References:  1184614
This update for openldap2 fixes the following issue:

- Provide `openldap2-contrib` to the modules SUSE Linux Enterprise Legacy 15-SP2 and 15-SP3. (bsc#1184614)
  
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:1624-1
Released:    Tue May 18 14:14:41 2021
Summary:     Security update for the Linux Kernel
Type:        security
Severity:    important
References:  1047233,1172455,1173485,1176720,1177411,1178181,1179454,1180197,1181960,1182011,1182672,1182715,1182716,1182717,1183022,1183063,1183069,1183509,1183593,1183646,1183686,1183696,1183775,1184120,1184167,1184168,1184170,1184192,1184193,1184194,1184196,1184198,1184208,1184211,1184388,1184391,1184393,1184397,1184509,1184511,1184512,1184514,1184583,1184650,1184942,1185113,1185244,CVE-2020-0433,CVE-2020-25670,CVE-2020-25671,CVE-2020-25672,CVE-2020-25673,CVE-2020-27170,CVE-2020-27171,CVE-2020-27673,CVE-2020-27815,CVE-2020-35519,CVE-2020-36310,CVE-2020-36311,CVE-2020-36312,CVE-2020-36322,CVE-2021-20219,CVE-2021-27363,CVE-2021-27364,CVE-2021-27365,CVE-2021-28038,CVE-2021-28660,CVE-2021-28688,CVE-2021-28950,CVE-2021-28964,CVE-2021-28971,CVE-2021-28972,CVE-2021-29154,CVE-2021-29155,CVE-2021-29264,CVE-2021-29265,CVE-2021-29647,CVE-2021-29650,CVE-2021-30002,CVE-2021-3428,CVE-2021-3444,CVE-2021-3483
The SUSE Linux Enterprise 15 SP1 LTSS kernel was updated to receive various security and bugfixes.


The following security bugs were fixed:

- CVE-2020-36312: Fixed an issue in virt/kvm/kvm_main.c that had a kvm_io_bus_unregister_dev memory leak upon a kmalloc failure (bnc#1184509).
- CVE-2021-29650: Fixed an issue inside the netfilter subsystem that allowed attackers to cause a denial of service (panic) because net/netfilter/x_tables.c and include/linux/netfilter/x_tables.h lack a full memory barrier upon the assignment of a new table value (bnc#1184208).
- CVE-2021-29155: Fixed an issue within kernel/bpf/verifier.c that performed undesirable out-of-bounds speculation on pointer arithmetic, leading to side-channel attacks that defeat Spectre mitigations and obtain sensitive information from kernel memory. Specifically, for sequences of pointer arithmetic operations, the pointer modification performed by the first operation is not correctly accounted for when restricting subsequent operations (bnc#1184942).
- CVE-2020-36310: Fixed an issue in arch/x86/kvm/svm/svm.c that allowed a set_memory_region_test infinite loop for certain nested page faults (bnc#1184512).
- CVE-2020-27673: Fixed an issue in Xen where a guest OS users could have caused a denial of service (host OS hang) via a high rate of events to dom0 (bnc#1177411, bnc#1184583).
- CVE-2021-29154: Fixed BPF JIT compilers that allowed to execute arbitrary code within the kernel context (bnc#1184391).
- CVE-2020-25673: Fixed NFC endless loops caused by repeated llcp_sock_connect() (bsc#1178181).
- CVE-2020-25672: Fixed NFC memory leak in llcp_sock_connect() (bsc#1178181).
- CVE-2020-25671: Fixed NFC refcount leak in llcp_sock_connect() (bsc#1178181).
- CVE-2020-25670: Fixed NFC refcount leak in llcp_sock_bind() (bsc#1178181).
- CVE-2020-36311: Fixed an issue in arch/x86/kvm/svm/sev.c that allowed attackers to cause a denial of service (soft lockup) by triggering destruction of a large SEV VM (which requires unregistering many encrypted regions) (bnc#1184511).
- CVE-2021-28950: Fixed an issue in fs/fuse/fuse_i.h where a 'stall on CPU' could have occured because a retry loop continually finds the same bad inode (bnc#1184194, bnc#1184211).
- CVE-2020-36322: Fixed an issue inside the FUSE filesystem implementation where fuse_do_getattr() calls make_bad_inode() in inappropriate situations, could have caused a system crash. NOTE: the original fix for this vulnerability was incomplete, and its incompleteness is tracked as CVE-2021-28950 (bnc#1184211).
- CVE-2021-30002: Fixed a memory leak issue when a webcam device exists (bnc#1184120).
- CVE-2021-3483: Fixed a use-after-free bug in nosy_ioctl() (bsc#1184393).
- CVE-2021-20219: Fixed a denial of service vulnerability in drivers/tty/n_tty.c of the Linux kernel. In this flaw a local attacker with a normal user privilege could have delayed the loop and cause a threat to the system availability (bnc#1184397).
- CVE-2021-28964: Fixed a race condition in fs/btrfs/ctree.c that could have caused a denial of service because of a lack of locking on an extent buffer before a cloning operation (bnc#1184193).
- CVE-2021-3444: Fixed the bpf verifier as it did not properly handle mod32 destination register truncation when the source register was known to be 0. A local attacker with the ability to load bpf programs could use this gain out-of-bounds reads in kernel memory leading to information disclosure (kernel memory), and possibly out-of-bounds writes that could potentially lead to code execution (bnc#1184170).
- CVE-2021-28971: Fixed a potential local denial of service in intel_pmu_drain_pebs_nhm where userspace applications can cause a system crash because the PEBS status in a PEBS record is mishandled (bnc#1184196).
- CVE-2021-28688: Fixed XSA-365 that includes initialization of pointers such that subsequent cleanup code wouldn't use uninitialized or stale values. This initialization went too far and may under certain conditions also overwrite pointers which are in need of cleaning up. The lack of cleanup would result in leaking persistent grants. The leak in turn would prevent fully cleaning up after a respective guest has died, leaving around zombie domains (bnc#1183646).
- CVE-2021-29265: Fixed an issue in usbip_sockfd_store in drivers/usb/usbip/stub_dev.c that allowed attackers to cause a denial of service (GPF) because the stub-up sequence has race conditions during an update of the local and shared status (bnc#1184167).
- CVE-2021-29264: Fixed an issue in drivers/net/ethernet/freescale/gianfar.c in the Freescale Gianfar Ethernet driver that allowed attackers to cause a system crash because a negative fragment size is calculated in situations involving an rx queue overrun when jumbo packets are used and NAPI is enabled (bnc#1184168).
- CVE-2021-28972: Fixed an issue in drivers/pci/hotplug/rpadlpar_sysfs.c where the RPA PCI Hotplug driver had a user-tolerable buffer overflow when writing a new device name to the driver from userspace, allowing userspace to write data to the kernel stack frame directly. This occurs because add_slot_store and remove_slot_store mishandle drc_name '\0' termination (bnc#1184198).
- CVE-2021-29647: Fixed an issue in kernel qrtr_recvmsg in net/qrtr/qrtr.c that allowed attackers to obtain sensitive information from kernel memory because of a partially uninitialized data structure (bnc#1184192).
- CVE-2020-27171: Fixed an issue in kernel/bpf/verifier.c that had an off-by-one error (with a resultant integer underflow) affecting out-of-bounds speculation on pointer arithmetic, leading to side-channel attacks that defeat Spectre mitigations and obtain sensitive information from kernel memory (bnc#1183686, bnc#1183775).
- CVE-2020-27170: Fixed an issue in kernel/bpf/verifier.c that performed undesirable out-of-bounds speculation on pointer arithmetic, leading to side-channel attacks that defeat Spectre mitigations and obtain sensitive information from kernel memory. This affects pointer types that do not define a ptr_limit (bnc#1183686 bnc#1183775).
- CVE-2021-28660: Fixed rtw_wx_set_scan in drivers/staging/rtl8188eu/os_dep/ioctl_linux.c that allowed writing beyond the end of the ssid array (bnc#1183593).
- CVE-2020-35519: Update patch reference for x25 fix (bsc#1183696).
- CVE-2021-3428: Fixed ext4 integer overflow in ext4_es_cache_extent (bsc#1173485, bsc#1183509).
- CVE-2020-0433: Fixed blk_mq_queue_tag_busy_iter of blk-mq-tag.c, where a possible use after free due to improper locking could have happened. This could have led to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation (bnc#1176720).
- CVE-2021-28038: Fixed an issue with Xen PV. A certain part of the netback driver lacks necessary treatment of errors such as failed memory allocations (as a result of changes to the handling of grant mapping errors). A host OS denial of service may occur during misbehavior of a networking frontend driver. NOTE: this issue exists because of an incomplete fix for CVE-2021-26931 (bnc#1183022, bnc#1183069).
- CVE-2020-27815: Fixed jfs array index bounds check in dbAdjTree (bsc#1179454).
- CVE-2021-27365: Fixed an issue inside the iSCSI data structures that does not have appropriate length constraints or checks, and can exceed the PAGE_SIZE value. An unprivileged user can send a Netlink message that is associated with iSCSI, and has a length up to the maximum length of a Netlink message (bnc#1182715).
- CVE-2021-27363: Fixed an issue with a kernel pointer leak that could have been used to determine the address of the iscsi_transport structure. When an iSCSI transport is registered with the iSCSI subsystem, the transport's handle is available to unprivileged users via the sysfs file system, at /sys/class/iscsi_transport/$TRANSPORT_NAME/handle. When read, the show_transport_handle function (in drivers/scsi/scsi_transport_iscsi.c) is called, which leaks the handle. This handle is actually the pointer to an iscsi_transport struct in the kernel module's global variables (bnc#1182716).
- CVE-2021-27364: Fixed an issue in drivers/scsi/scsi_transport_iscsi.c where an unprivileged user can craft Netlink messages (bnc#1182717).

The following non-security bugs were fixed:

- Revert 'rpm/kernel-binary.spec.in: Fix dependency of kernel-*-devel package (bsc#1184514)' This turned out to be a bad idea: the kernel-$flavor-devel package must be usable without kernel-$flavor, e.g. at the build of a KMP. And this change brought superfluous installation of kernel-preempt when a system had kernel-syms (bsc#1185113).
- Xen/gnttab: handle p2m update errors on a per-slot basis (bsc#1183022 XSA-367).
- bfq: Fix kABI for update internal depth state when queue depth changes (bsc#1172455).
- bfq: update internal depth state when queue depth changes (bsc#1172455).
- bpf: Add sanity check for upper ptr_limit (bsc#1183686 bsc#1183775).
- bpf: Simplify alu_limit masking for pointer arithmetic (bsc#1183686 bsc#1183775).
- handle also the opposite type of race condition
- ibmvnic: Clear failover_pending if unable to schedule (bsc#1181960 ltc#190997).
- ibmvnic: always store valid MAC address (bsc#1182011 ltc#191844).
- ibmvnic: store valid MAC address (bsc#1182011).
- macros.kernel-source: Use spec_install_pre for certificate installation (boo#1182672).
- nvme: return an error if nvme_set_queue_count() fails (bsc#1180197).
- post.sh: Return an error when module update fails (bsc#1047233 bsc#1184388).
- rpm/kernel-obs-build.spec.in: Include essiv with dm-crypt (boo#1183063).
- rpm/macros.kernel-source: fix KMP failure in %install (bsc#1185244)
- rpm/mkspec: Use tilde instead of dot for version string with rc (bsc#1184650)
- xen-netback: respect gnttab_map_refs()'s return value (bsc#1183022, XSA-367).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:1643-1
Released:    Wed May 19 13:51:48 2021
Summary:     Recommended update for pam
Type:        recommended
Severity:    important
References:  1181443,1184358,1185562
This update for pam fixes the following issues:

- Fixed a bug, where the 'unlimited'/'-1' value was not interpreted correctly (bsc#1181443)
- Fixed a bug, where pam_access interpreted the keyword 'LOCAL' incorrectly, leading to
  an attempt to resolve it as a hostname (bsc#1184358)
- In the 32-bit compatibility package for 64-bit architectures, require 'systemd-32bit' to be also installed as it contains pam_systemd.so for 32 bit applications. (bsc#1185562)


-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:1647-1
Released:    Wed May 19 13:59:12 2021
Summary:     Security update for lz4
Type:        security
Severity:    important
References:  1185438,CVE-2021-3520
This update for lz4 fixes the following issues:

- CVE-2021-3520: Fixed memory corruption due to an integer overflow bug caused by memmove argument (bsc#1185438).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:1654-1
Released:    Wed May 19 16:43:36 2021
Summary:     Security update for libxml2
Type:        security
Severity:    important
References:  1185408,1185409,1185410,1185698,CVE-2021-3516,CVE-2021-3517,CVE-2021-3518,CVE-2021-3537
This update for libxml2 fixes the following issues:

- CVE-2021-3537: NULL pointer dereference in valid.c:xmlValidBuildAContentModel (bsc#1185698)
- CVE-2021-3518: Fixed a use after free in xinclude.c:xmlXIncludeDoProcess (bsc#1185408).
- CVE-2021-3517: Fixed a heap based buffer overflow in entities.c:xmlEncodeEntitiesInternal (bsc#1185410).
- CVE-2021-3516: Fixed a use after free in entities.c:xmlEncodeEntitiesInternal (bsc#1185409).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:1669-1
Released:    Thu May 20 11:10:44 2021
Summary:     Recommended update for nfs-utils
Type:        recommended
Severity:    moderate
References:  1181540,1181651,1183194,1185170
This update for nfs-utils fixes the following issues:

- The '/var/run' is long deprecated - switch all relevant paths to '/run'. (bsc#1185170)
- Improve logging of authentication (bsc#1181540)
- Add man page of the 'nconnect mount'. (bsc#1181651)
- Fixed an issue when HANA crashed due to inaccessible/hanging NFS mount. (bsc#1183194)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:1672-1
Released:    Thu May 20 13:44:41 2021
Summary:     Recommended update for supportutils
Type:        recommended
Severity:    moderate
References:  1021918,1089870,1168894,1169122,1169348,1170092,1170094,1170858,1176370,1178491,1180478,1181351,1181610,1181679,1181911,1182904,1182950,1183732,1183826,1184829,1184912
This update for supportutils fixes the following issues:

- Collects rotated logs with different compression types (bsc#1180478)
- Captures now IBM Power bootlist (jsc#SLE-15557)
- Fixed some errors with supportutils in combination with the btrfs filesystem (bsc#1168894)
- Fixed an issue with ntp.txt, when it contains large binary data (bsc#1169122)
- Checks package signatures in rpm.txt (bsc#1021918)
- Optimize find (bsc#1184912)
- Using zypper --xmlout (bsc#1181351)
- Error fix for sysfs.txt (bsc#1089870)
- Added list-timers to systemd.txt (bsc#1169348)
- Including nfs4 in search (bsc#1184829)
- [powerpc] Collect dynamic_debug log files for ibmvNIC #98 (bsc#1183826)
- Fixed mismatched taint flags (bsc#1178491)
- Removed redundant fdisk code that can cause timeout issues (bsc#1181679)
- Supportconfig processes -f without hanging (bsc#1182904)
- Collect logs for power specific components (using iprconfig) pr#94 (bsc#1182950)
- [powerpc] Collect logs for power specific components (HNV) pr#88 (bsc#1181911)
- Includes NVMe information with OPTION_NVME=1 in nvme.txt (bsc#1176370, SLE-15932)
- No longer truncates boot log (bsc#1181610)
- Collects rotated logs with different compression types (bsc#1180478)
- Capture IBM Power bootlist (SLE-15557)
- [powerpc] Collect logs for power specific components #72 (bscn#1176895)
- Fixed btrfs errors (bsc#1168894)
- Large ntp.txt with binary data (bsc#1169122)
- Only include hostinfo details in /etc/motd (bsc#1170092)
- Fixed CPU load average calculation (bsc#1170094)
- Understands 3rd party packages on SLES or OpenSUSE (bsc#1170858)
- Implement persistens host information across reboots (bsc#1183732)    

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:1675-1
Released:    Thu May 20 15:00:23 2021
Summary:     Recommended update for snappy
Type:        recommended
Severity:    moderate
References:  1080040,1184507
This update for snappy fixes the following issues:

Update from version 1.1.3 to 1.1.8

- Small performance improvements.
- Removed `snappy::string` alias for `std::string`.
- Improved `CMake` configuration.
- Improved packages descriptions.
- Fix RPM groups.
- Aarch64 fixes
- PPC speedups
- PIE improvements
- Fix license install. (bsc#1080040)
- Fix a 1% performance regression when snappy is used in PIE executable.
- Improve compression performance by 5%.
- Improve decompression performance by 20%.
- Use better download URL.
- Fix a build issue for tensorflow2. (bsc#1184507)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:1700-1
Released:    Mon May 24 16:39:35 2021
Summary:     Recommended update for google-guest-agent, google-guest-oslogin, google-osconfig-agent
Type:        recommended
Severity:    moderate
References:  1185848,1185849
This update for google-guest-agent, google-guest-oslogin, google-osconfig-agent contains the following fixes:

- Update to version 20210414.00 (bsc#1185848, bsc#1185849)
  * start sshd (#106)
  * Add systemd-networkd.service restart dependency. (#104)
  * Update error message for handleHealthCheckRequest. (#105)

- Update to version 20210429.00 (bsc#1185848, bsc#1185849)
  * correct pagetoken in groupsforuser (#59)
  * resolve self groups last (#58)
  * support empty groups (#57)
  * no paginating to find groups (#56)
  * clear users vector (#55)
  * correct usage of pagetoken (#54)

- Update to version 20210506.00 (bsc#1185848, bsc#1185849)
  * Add more os policy assignment examples (#348)
  * e2e_tests: enable stable tests for OSPolicies (#347)
  * Align start and end task logs (#346)
  * ConfigTask: add additional info logs (#345)
  * e2e_tests: add validation tests (#344)
  * Config Task: make sure agent respects policy mode (#343)
  * update
  * e2e_tests: readd retries to OSPolicies
  * Set minWaitDuration as a string instead of object (#341)
  * e2e_tests: Fix a few SUSE tests (#339)
  * Remove pre-release flag from config (#340)
  * e2e_tests: fixup OSPolicy tests (#338)
  * e2e_tests: unlock mutex for CreatePolicies as soon as create finishes (#337)
  * e2e_tests: Don't retry failed OSPolicy tests, fix msi test (#336)
  * Examples for os policy assignments (#334)
  * e2e_tests: increase the deadline for OSPolicy tests and only start after a zone has been secured (#335)
  * Fix panic when installing MSI (#332)
  * e2e_tests: Add test cases of installing dbe, rpm and msi packages (#333)
  * e2e_tests: add more logging
  * e2e_tests: (#330)
  * e2e_test: Add timouts to OSPolicy tests so we don't wait forever (#329)
  * Create top level directories for gcloud and console for os policy assignment examples (#328)
  * e2e_tests: Move api from an internal directory (#327)
  * Make sure we use the same test name for reruns (#326)
  * Add CONFIG_V1 capability (#325)
  * e2e_tests: reduce size of instances, use pd-balanced, rerun failed tests once (#324)
  * Only report installed packages for dpkg (#322)
  * e2e_tests: fix windows package and repository tests (#323)
  * Add top level directories for os policy examples (#321)
  * e2e_tests: move to using inventory api for inventory reporting (#320)
  * e2e_tests: add ExecResource tests (#319)
  * ExecResource: make sure we set permissions correctly for downloaded files (#318)
  * Config task: only run post check on resources that have already been evaluated (#317)
  * e2e_test: reorganize OSPolicy tests to be per Resource type (#316)
  * Set custom user agent (#299)
  * e2e_tests: check InstanceOSPoliciesCompliance for each test case, add LocalPath FileResource test (#314)
  * PackageResource: make sure to run AptUpdate prior to package install (#315)
  * Fix bugs/add more logging for OSPolicies (#313)
  * Change metadata http client to ignore http proxies (#312)
  * e2e_test: add tests for FileResource (#311)
  * Add task_type context logging (#310)
  * Fix e2e_test typo (#309)
  * Fix e2e_tests (#308)
  * Disable OSPolicies by default since it is an unreleased feature (#307)
  * e2e_tests: Add more OSPolicies package and repo tests (#306)
  * Do not enforce repo_gpgcheck in guestpolicies (#305)
  * Gather inventory 3-5min after agent start (#303)
  * e2e_tests: add OSPolicies tests for package install (#302)
  * Add helpful error log if a service account is missing (#304)
  * OSPolicies: correct apt repo extension, remove yum/zypper gpgcheck override (#301)
  * Update cos library to parse new version of packages file (#300)
  * config_task: Rework config step logic (#296)
  * e2e_test: enable serial logs in cos to support ReportInventory test (#297)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:1702-1
Released:    Tue May 25 09:53:56 2021
Summary:     Recommended update for shim
Type:        recommended
Severity:    moderate
References:  1185464,1185961
This update for shim fixes the following issues:

- shim-install: instead of assuming 'removable' for Azure, remove fallback.efi from \EFI\Boot and copy grub.efi/cfg to \EFI\Boot
  to make \EFI\Boot bootable and keep the boot option created by efibootmgr (bsc#1185464, bsc#1185961)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:1773-1
Released:    Wed May 26 17:22:21 2021
Summary:     Recommended update for python3
Type:        recommended
Severity:    low
References:  
This update for python3 fixes the following issues:

- Make sure to close the import_failed.map file after the exception
  has been raised in order to avoid ResourceWarnings when the
  failing import is part of a try...except block.

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:1809-1
Released:    Mon May 31 16:24:59 2021
Summary:     Security update for curl
Type:        security
Severity:    moderate
References:  1177976,1183933,1186114,CVE-2021-22876,CVE-2021-22898
This update for curl fixes the following issues:

- CVE-2021-22876: Fixed an issue where the automatic referer was leaking credentials (bsc#1183933).
- CVE-2021-22898: Fixed curl TELNET stack contents disclosure (bsc#1186114).
- Fix for SFTP uploads when it results in empty uploaded files (bsc#1177976).
- Allow partial chain verification (jsc#SLE-17956).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:1846-1
Released:    Fri Jun  4 08:46:37 2021
Summary:     Recommended update for mozilla-nss
Type:        recommended
Severity:    moderate
References:  1185910
This update for mozilla-nss fixes the following issue:

- Provide some missing binaries from `mozilla-nss` not added in `SLE-Module-Basesystem_15-SP3`. (bsc#1185910)
  
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:1861-1
Released:    Fri Jun  4 09:59:40 2021
Summary:     Recommended update for gcc10
Type:        recommended
Severity:    moderate
References:  1029961,1106014,1178577,1178624,1178675,1182016
This update for gcc10 fixes the following issues:

- Disable nvptx offloading for aarch64 again since it doesn't work
- Fixed a build failure issue. (bsc#1182016)
- Fix for memory miscompilation on 'aarch64'. (bsc#1178624, bsc#1178577)
- Fix 32bit 'libgnat.so' link. (bsc#1178675)
- prepare usrmerge: Install libgcc_s into %_libdir. ABI wise it stays /%lib. (bsc#1029961)
- Build complete set of multilibs for arm-none target. (bsc#1106014)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:1882-1
Released:    Tue Jun  8 13:25:36 2021
Summary:     Recommended update for shim
Type:        recommended
Severity:    moderate
References:  1185464,1185961
This update for shim fixes the following issues:

- shim-install: remove the unexpected residual 'removable' label
  for Azure (bsc#1185464, bsc#1185961)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:1912-1
Released:    Wed Jun  9 13:54:20 2021
Summary:     Security update for the Linux Kernel
Type:        security
Severity:    important
References:  1181161,1183405,1183738,1183947,1184611,1184675,1185642,1185680,1185725,1185859,1185860,1185862,1185863,1185898,1185899,1185901,1185938,1185950,1185987,1186060,1186061,1186062,1186111,1186285,1186390,1186484,1186498,CVE-2020-24586,CVE-2020-24587,CVE-2020-26139,CVE-2020-26141,CVE-2020-26145,CVE-2020-26147,CVE-2021-23133,CVE-2021-23134,CVE-2021-32399,CVE-2021-33034,CVE-2021-33200,CVE-2021-3491
The SUSE Linux Enterprise 15 SP1 kernel was updated to receive various security and bugfixes.


The following security bugs were fixed:

- CVE-2021-33200: Enforcing incorrect limits for pointer arithmetic operations by the BPF verifier could be abused to perform out-of-bounds reads and writes in kernel memory (bsc#1186484).
- CVE-2021-33034: Fixed a use-after-free when destroying an hci_chan. This could lead to writing an arbitrary values. (bsc#1186111)
- CVE-2020-26139: Fixed a denial-of-service when an Access Point (AP) forwards EAPOL frames to other clients even though the sender has not yet successfully authenticated to the AP. (bnc#1186062)
- CVE-2021-23134: A Use After Free vulnerability in nfc sockets allowed local attackers to elevate their privileges. (bnc#1186060)
- CVE-2021-23133: Fixed a race condition in SCTP sockets, which could lead to privilege escalation from the context of a network service or an unprivileged process. (bnc#1184675)
- CVE-2021-3491: Fixed a potential heap overflow in mem_rw(). This vulnerability is related to the PROVIDE_BUFFERS operation, which allowed the MAX_RW_COUNT limit to be bypassed (bsc#1185642).
- CVE-2021-32399: Fixed a race condition when removing the HCI controller (bnc#1184611).
- CVE-2020-24586: The 802.11 standard that underpins Wi-Fi Protected Access (WPA, WPA2, and WPA3) and Wired Equivalent Privacy (WEP) doesn't require that received fragments be cleared from memory after (re)connecting to a network. Under the right circumstances this can be abused to inject arbitrary network packets and/or exfiltrate user data (bnc#1185859).
- CVE-2020-24587: The 802.11 standard that underpins Wi-Fi Protected Access (WPA, WPA2, and WPA3) and Wired Equivalent Privacy (WEP) doesn't require that all fragments of a frame are encrypted under the same key. An adversary can abuse this to decrypt selected fragments when another device sends fragmented frames and the WEP, CCMP, or GCMP encryption key is periodically renewed (bnc#1185859 bnc#1185862).
- CVE-2020-26147: The WEP, WPA, WPA2, and WPA3 implementations reassemble fragments, even though some of them were sent in plaintext. This vulnerability can be abused to inject packets and/or exfiltrate selected fragments when another device sends fragmented frames and the WEP, CCMP, or GCMP data-confidentiality protocol is used (bnc#1185859).
- CVE-2020-26145: An issue was discovered with Samsung Galaxy S3 i9305 4.4.4 devices. The WEP, WPA, WPA2, and WPA3 implementations accept second (or subsequent) broadcast fragments even when sent in plaintext and process them as full unfragmented frames. An adversary can abuse this to inject arbitrary network packets independent of the network configuration. (bnc#1185860)
- CVE-2020-26141: An issue was discovered in the ALFA driver for AWUS036H, where the Message Integrity Check (authenticity) of fragmented TKIP frames was not verified. An adversary can abuse this to inject and possibly decrypt packets in WPA or WPA2 networks that support the TKIP data-confidentiality protocol. (bnc#1185987)


The following non-security bugs were fixed:

- Drivers: hv: vmbus: Increase wait time for VMbus unload (bsc#1185725).
- Drivers: hv: vmbus: Initialize unload_event statically (bsc#1185725).
- dm: fix redundant IO accounting for bios that need splitting (bsc#1183738).
- ibmvfc: Avoid move login if fast fail is enabled (bsc#1185938 ltc#192043).
- ibmvfc: Handle move login failure (bsc#1185938 ltc#192043).
- ibmvfc: Reinit target retries (bsc#1185938 ltc#192043).
- kabi: Fix breakage in NVMe driver (bsc#1181161).
- kabi: Fix nvmet error log definitions (bsc#1181161).
- kabi: nvme: fix fast_io_fail_tmo (bsc#1181161).
- md/raid1: properly indicate failure when ending a failed write request (bsc#1185680).
- net: sched: disable TCQ_F_NOLOCK for pfifo_fast (bsc#1183405)
- netfilter: conntrack: add new sysctl to disable RST check (bsc#1183947 bsc#1185950).
- netfilter: conntrack: avoid misleading 'invalid' in log message (bsc#1183947 bsc#1185950).
- netfilter: conntrack: improve RST handling when tuple is re-used (bsc#1183947 bsc#1185950).
- netfilter: conntrack: tcp: only close if RST matches exact sequence (bsc#1183947 bsc#1185950).
- nvme-fabrics: allow to queue requests for live queues (bsc#1181161).
- nvme-fabrics: do not check state NVME_CTRL_NEW for request acceptance (bsc#1181161).
- nvme-fabrics: reject I/O to offline device (bsc#1181161).
- nvme-pci: Sync queues on reset (bsc#1181161).
- nvme-rdma: avoid race between time out and tear down (bsc#1181161).
- nvme-rdma: avoid repeated request completion (bsc#1181161).
- nvme-rdma: avoid request double completion for concurrent nvme_rdma_timeout (bsc#1181161).
- nvme-rdma: fix controller reset hang during traffic (bsc#1181161).
- nvme-rdma: fix possible hang when failing to set io queues (bsc#1181161).
- nvme-rdma: fix timeout handler (bsc#1181161).
- nvme-rdma: serialize controller teardown sequences (bsc#1181161).
- nvme-tcp: avoid race between time out and tear down (bsc#1181161).
- nvme-tcp: avoid repeated request completion (bsc#1181161).
- nvme-tcp: avoid request double completion for concurrent nvme_tcp_timeout (bsc#1181161).
- nvme-tcp: fix controller reset hang during traffic (bsc#1181161).
- nvme-tcp: fix possible hang when failing to set io queues (bsc#1181161).
- nvme-tcp: fix timeout handler (bsc#1181161).
- nvme-tcp: serialize controller teardown sequences (bsc#1181161).
- nvme: Restart request timers in resetting state (bsc#1181161).
- nvme: add error log page slot definition (bsc#1181161).
- nvme: include admin_q sync with nvme_sync_queues (bsc#1181161).
- nvme: introduce 'Command Aborted By host' status code (bsc#1181161).
- nvme: introduce nvme_is_fabrics to check fabrics cmd (bsc#1181161).
- nvme: introduce nvme_sync_io_queues (bsc#1181161).
- nvme: make fabrics command run on a separate request queue (bsc#1181161).
- nvme: prevent warning triggered by nvme_stop_keep_alive (bsc#1181161).
- nvme: unlink head after removing last namespace (bsc#1181161).
- nvmet: add error log support for fabrics-cmd (bsc#1181161).
- nvmet: add error-log definitions (bsc#1181161).
- video: hyperv_fb: Add ratelimit on error message (bsc#1185725).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:1917-1
Released:    Wed Jun  9 14:48:05 2021
Summary:     Security update for libxml2
Type:        security
Severity:    moderate
References:  1186015,CVE-2021-3541
This update for libxml2 fixes the following issues:

- CVE-2021-3541: Fixed exponential entity expansion attack bypasses all existing protection mechanisms. (bsc#1186015)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:1918-1
Released:    Wed Jun  9 15:20:01 2021
Summary:     Security update for qemu
Type:        security
Severity:    important
References:  1149813,1163019,1172380,1175534,1178683,1178935,1179477,1179484,1182846,1182975,CVE-2019-15890,CVE-2020-10756,CVE-2020-14364,CVE-2020-25707,CVE-2020-25723,CVE-2020-29129,CVE-2020-29130,CVE-2020-8608,CVE-2021-20257,CVE-2021-3419
This update for qemu fixes the following issues:

- CVE-2020-10756: Fix out-of-bounds read information disclosure in icmp6_send_echoreply (bsc#1172380)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:1923-1
Released:    Thu Jun 10 08:37:00 2021
Summary:     Recommended update for nfs-utils
Type:        recommended
Severity:    important
References:  1183194
This update for nfs-utils fixes the following issues:

- Ensured thread safety when opening files over NFS to prevent a
  use-after-free issue (bsc#1183194)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:1953-1
Released:    Thu Jun 10 16:18:50 2021
Summary:     Recommended update for gpg2
Type:        recommended
Severity:    moderate
References:  1161268,1172308
This update for gpg2 fixes the following issues:

- Fixed an issue where the gpg-agent's ssh-agent does not handle flags 
  in signing requests properly (bsc#1161268 and bsc#1172308).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:1954-1
Released:    Fri Jun 11 10:45:09 2021
Summary:     Security update for containerd, docker, runc
Type:        security
Severity:    important
References:  1168481,1175081,1175821,1181594,1181641,1181677,1181730,1181732,1181749,1182451,1182476,1182947,1183024,1183855,1184768,1184962,1185405,CVE-2021-21284,CVE-2021-21285,CVE-2021-21334,CVE-2021-30465
This update for containerd, docker, runc fixes the following issues:

Docker was updated to 20.10.6-ce (bsc#1184768, bsc#1182947, bsc#1181594)

* Switch version to use -ce suffix rather than _ce to avoid confusing other
  tools (bsc#1182476).
* CVE-2021-21284: Fixed a potential privilege escalation when the root user in 
  the remapped namespace has access to the host filesystem (bsc#1181732)
* CVE-2021-21285: Fixed an issue where pulling a malformed Docker image manifest 
  crashes the dockerd daemon (bsc#1181730). 
* btrfs quotas being removed by Docker regularly (bsc#1183855, bsc#1175081)

runc was updated to v1.0.0~rc93 (bsc#1182451, bsc#1175821 bsc#1184962).

* Use the upstream runc package (bsc#1181641, bsc#1181677, bsc#1175821).
* Fixed /dev/null is not available (bsc#1168481).
* CVE-2021-30465: Fixed a symlink-exchange attack vulnarability (bsc#1185405).

containerd was updated to v1.4.4

* CVE-2021-21334: Fixed a potential information leak through environment variables (bsc#1183397).
* Handle a requirement from docker (bsc#1181594).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:1987-1
Released:    Wed Jun 16 12:11:50 2021
Summary:     Recommended update for samba
Type:        recommended
Severity:    important
References:  1185089
This update for samba fixes the following issues:

- Fixes a regression changing the computer account password when using net ads(bsc#1185089)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:2091-1
Released:    Mon Jun 21 10:45:13 2021
Summary:     Recommended update for wget
Type:        recommended
Severity:    moderate
References:  1181173
This update for wget fixes the following issue:

- When running recursively, wget will verify the length of the whole
  URL when saving the files. This will make it overwrite files with
  truncated names, throwing the following message: 
  'The name is too long,... trying to shorten'. (bsc#1181173)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:2116-1
Released:    Mon Jun 21 19:39:31 2021
Summary:     Recommended update for google-guest-configs
Type:        recommended
Severity:    moderate
References:  
 This update for google-guest-configs contains the following fix:
- Sync package in Public Cloud 15-SP3.
  
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:2143-1
Released:    Wed Jun 23 16:27:04 2021
Summary:     Security update for libnettle
Type:        security
Severity:    important
References:  1187060,CVE-2021-3580
This update for libnettle fixes the following issues:

- CVE-2021-3580: Fixed a remote denial of service in the RSA decryption via manipulated ciphertext (bsc#1187060).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:2157-1
Released:    Thu Jun 24 15:40:14 2021
Summary:     Security update for libgcrypt
Type:        security
Severity:    important
References:  1187212,CVE-2021-33560
This update for libgcrypt fixes the following issues:

- CVE-2021-33560: Fixed a side-channel against ElGamal encryption, caused by missing exponent blinding (bsc#1187212).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:2171-1
Released:    Mon Jun 28 14:06:45 2021
Summary:     Recommended update for btrfsmaintenance
Type:        recommended
Severity:    moderate
References:  1178874
This update for btrfsmaintenance fixes the following issues:

- Remove [Install] section from btrfsmaintenance. (bsc#1178874)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:2173-1
Released:    Mon Jun 28 14:59:45 2021
Summary:     Recommended update for automake
Type:        recommended
Severity:    moderate
References:  1040589,1047218,1182604,1185540,1186049
This update for automake fixes the following issues:

- Implement generated autoconf makefiles reproducible (bsc#1182604)
- Add fix to avoid date variations in docs. (bsc#1047218, jsc#SLE-17848)
- Avoid bashisms in test-driver script. (bsc#1185540)

This update for pcre fixes the following issues:

- Do not run profiling 'check' in parallel to make package build reproducible. (bsc#1040589)

This update for brp-check-suse fixes the following issues:

- Add fixes to support reproducible builds. (bsc#1186049) 


-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:2178-1
Released:    Mon Jun 28 15:56:15 2021
Summary:     Recommended update for systemd-presets-common-SUSE
Type:        recommended
Severity:    moderate
References:  1186561
This update for systemd-presets-common-SUSE fixes the following issues:

When installing the systemd-presets-common-SUSE package for the
first time in a new system, it might happen that some services
are installed before systemd so the %systemd_pre/post macros
would not work. This is handled by enabling all preset services
in this package's %posttrans section but it wasn't enabling
user services, just system services. Now it enables also the
user services installed before this package (bsc#1186561)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:2179-1
Released:    Mon Jun 28 17:36:37 2021
Summary:     Recommended update for thin-provisioning-tools
Type:        recommended
Severity:    moderate
References:  1184124
This update for thin-provisioning-tools fixes the following issues:

- Link as position-independent executable (bsc#1184124)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:2191-1
Released:    Mon Jun 28 18:38:12 2021
Summary:     Recommended update for patterns-microos
Type:        recommended
Severity:    moderate
References:  1186791
This update for patterns-microos provides the following fix:

- Add zypper-migration-plugin to the default pattern. (bsc#1186791)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:2193-1
Released:    Mon Jun 28 18:38:43 2021
Summary:     Recommended update for tar
Type:        recommended
Severity:    moderate
References:  1184124
This update for tar fixes the following issues:

- Link '/var/lib/tests/tar/bin/genfile' as Position-Independent Executable (bsc#1184124)
  
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:2196-1
Released:    Tue Jun 29 09:41:39 2021
Summary:     Security update for lua53
Type:        security
Severity:    moderate
References:  1175448,1175449,CVE-2020-24370,CVE-2020-24371
This update for lua53 fixes the following issues:

Update to version 5.3.6:

- CVE-2020-24371: lgc.c mishandles the interaction between barriers and the sweep phase, leading to a memory access violation involving collectgarbage (bsc#1175449)
- CVE-2020-24370: ldebug.c allows a negation overflow and segmentation fault in getlocal and setlocal (bsc#1175448)
- Long brackets with a huge number of '=' overflow some internal buffer arithmetic.

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:2205-1
Released:    Wed Jun 30 09:17:41 2021
Summary:     Recommended update for openldap2
Type:        recommended
Severity:    important
References:  1187210
This update for openldap2 fixes the following issues:

- Resolve issues in the idle / connection 'TTL' timeout implementation in OpenLDAP. (bsc#1187210)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:2222-1
Released:    Thu Jul  1 11:51:43 2021
Summary:     Recommended update for multipath-tools
Type:        recommended
Severity:    moderate
References:  1174026,1177081,1177371,1178377,1178379,1182072,1182917,1184260
This update for multipath-tools fixes the following issues:

- Update from version 0.7.9+195+suse.16740c5 to version 0.7.9+207+suse.58b7a57:

  * Improve handling of changed WWIDs and temporary failure to obtain WWID. 
    Option 'disable_changed_wwids' is now ignored. (bsc#1184260)
  * enable negated regular expression syntax in conf file (bsc#1182917)
  * change default devnode blacklist to `'!^(sd[a-z]|dasd[a-z]|nvme[0-9])'`
  * Avoid 'illegal request' errors on non-RDAC storage (bsc#1182072, bsc#1177371)
  * fixes for SAS expanders (bsc#1178377, bsc#1178379, bsc#1177081)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:2223-1
Released:    Thu Jul  1 12:15:26 2021
Summary:     Recommended update for chrony
Type:        recommended
Severity:    moderate
References:  1173760
This update for chrony fixes the following issues:

- Fixed an issue when chrony aborts in FIPS mode due to MD5. (bsc#1173760) 

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:2246-1
Released:    Mon Jul  5 15:17:49 2021
Summary:     Recommended update for systemd
Type:        recommended
Severity:    moderate
References:  1154935,1167471,1178561,1184761,1184967,1185046,1185331,1185807,1185958,1187292,1187400
This update for systemd fixes the following issues:

  cgroup: Parse infinity properly for memory protections. (bsc#1167471)
  cgroup: Make empty assignments reset to default. (bsc#1167471)
  cgroup: Support 0-value for memory protection directives. (bsc#1167471)
  core/cgroup: Fixed an issue with ignored parameter of 'MemorySwapMax=0'. (bsc#1154935)
  bus-unit-util: Add proper 'MemorySwapMax' serialization.
  core: Accept MemorySwapMax= properties that are scaled.
  execute: Make sure to call into PAM after initializing resource limits. (bsc#1184967)
  core: Rename 'ShutdownWatchdogSec' to 'RebootWatchdogSec'. (bsc#1185331)
  Return -EAGAIN instead of -EALREADY from unit_reload. (bsc#1185046)
  rules: Don't ignore Xen virtual interfaces anymore. (bsc#1178561)
  write_net_rules: Set execute bits. (bsc#1178561)
  udev: Rework network device renaming.
  Revert 'Revert 'udev: Network device renaming - immediately give up if the target name isn't available''
    
  mount-util: tape over name_to_handle_at() flakiness (#7517) (bsc#1184761)
  core: fix output (logging) for mount units (#7603) (bsc#1187400)
  udev requires systemd in its %post (bsc#1185958)
  cgroup: Parse infinity properly for memory protections (bsc#1167471)
  cgroup: Make empty assignments reset to default (bsc#1167471)
  cgroup: Support 0-value for memory protection directives (bsc#1167471)
  Create /run/lock/subsys again (bsc#1187292)
  The creation of this directory was mistakenly dropped when
  'filesystem' package took the initialization of the generic paths
  over.
  Expect 644 permissions for /usr/lib/udev/compat-symlink-generation (bsc#1185807)
  
  

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:2286-1
Released:    Fri Jul  9 17:38:53 2021
Summary:     Recommended update for dosfstools
Type:        recommended
Severity:    moderate
References:  1172863
This update for dosfstools fixes the following issue:

- Fixed a bug that was causing an installation issue when trying to create 
  an EFI partition on an NVMe-over-Fabrics device (bsc#1172863)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:2292-1
Released:    Mon Jul 12 08:25:20 2021
Summary:     Security update for dbus-1
Type:        security
Severity:    important
References:  1187105,CVE-2020-35512
This update for dbus-1 fixes the following issues:

- CVE-2020-35512: Fixed a use-after-free or potential undefined behaviour caused by shared UID's (bsc#1187105)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:2320-1
Released:    Wed Jul 14 17:01:06 2021
Summary:     Security update for sqlite3
Type:        security
Severity:    important
References:  1157818,1158812,1158958,1158959,1158960,1159491,1159715,1159847,1159850,1160309,1160438,1160439,1164719,1172091,1172115,1172234,1172236,1172240,1173641,928700,928701,CVE-2015-3414,CVE-2015-3415,CVE-2019-19244,CVE-2019-19317,CVE-2019-19603,CVE-2019-19645,CVE-2019-19646,CVE-2019-19880,CVE-2019-19923,CVE-2019-19924,CVE-2019-19925,CVE-2019-19926,CVE-2019-19959,CVE-2019-20218,CVE-2020-13434,CVE-2020-13435,CVE-2020-13630,CVE-2020-13631,CVE-2020-13632,CVE-2020-15358,CVE-2020-9327
This update for sqlite3 fixes the following issues:

- Update to version 3.36.0
- CVE-2020-15358: heap-based buffer overflow in multiSelectOrderBy due to mishandling of query-flattener
  optimization (bsc#1173641)
- CVE-2020-9327: NULL pointer dereference and segmentation fault because of generated column optimizations in
  isAuxiliaryVtabOperator (bsc#1164719)
- CVE-2019-20218: selectExpander in select.c proceeds with WITH stack unwinding even after a parsing error (bsc#1160439)
- CVE-2019-19959: memory-management error via ext/misc/zipfile.c involving embedded '\0' input (bsc#1160438)
- CVE-2019-19923: improper handling  of  certain uses of SELECT DISTINCT in flattenSubquery may lead to null pointer
  dereference (bsc#1160309)
- CVE-2019-19924: improper error handling in sqlite3WindowRewrite() (bsc#1159850)
- CVE-2019-19925: improper handling of NULL pathname during an update of a ZIP archive (bsc#1159847)
- CVE-2019-19926: improper handling  of certain errors during parsing  multiSelect in select.c (bsc#1159715)
- CVE-2019-19880: exprListAppendList in window.c allows attackers to trigger an invalid pointer dereference
  (bsc#1159491)
- CVE-2019-19603: during handling of CREATE TABLE and CREATE VIEW statements, does not consider confusion with
  a shadow table name (bsc#1158960)
- CVE-2019-19646: pragma.c mishandles NOT NULL in an integrity_check PRAGMA command in certain cases of generated
  columns (bsc#1158959)
- CVE-2019-19645: alter.c allows attackers to trigger infinite recursion via certain types of self-referential views
  in conjunction with ALTER TABLE statements (bsc#1158958)
- CVE-2019-19317: lookupName in resolve.c omits bits from the colUsed bitmask in the case of a generated column,
  which allows attackers to cause a denial of service (bsc#1158812)
- CVE-2019-19244: sqlite3,sqlite2,sqlite: The function sqlite3Select in select.c allows a crash if a
  sub-select uses both DISTINCT and window functions, and also has certain ORDER BY usage (bsc#1157818)
- CVE-2015-3415: sqlite3VdbeExec comparison operator vulnerability (bsc#928701)
- CVE-2015-3414: sqlite3,sqlite2: dequoting of collation-sequence names (bsc#928700)
- CVE-2020-13434: integer overflow in sqlite3_str_vappendf (bsc#1172115)
- CVE-2020-13630: (bsc#1172234: use-after-free in fts3EvalNextRow
- CVE-2020-13631: virtual table allowed to be renamed to one of its shadow tables (bsc#1172236)
- CVE-2020-13632: NULL pointer dereference via crafted matchinfo() query (bsc#1172240)
- CVE-2020-13435: Malicious SQL statements could have crashed the process that is running SQLite (bsc#1172091)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:2395-1
Released:    Mon Jul 19 12:08:34 2021
Summary:     Recommended update for efivar
Type:        recommended
Severity:    moderate
References:  1187386
This update for efivar provides the following fix:

- Fix the eMMC sysfs parsing. (bsc#1187386)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:2404-1
Released:    Tue Jul 20 14:21:30 2021
Summary:     Security update for systemd
Type:        security
Severity:    moderate
References:  1184994,1188063,CVE-2021-33910
This update for systemd fixes the following issues:

- CVE-2021-33910: Fixed a denial of service in systemd via unit_name_path_escape() (bsc#1188063)
- Skip udev rules if 'elevator=' is used (bsc#1184994)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:2412-1
Released:    Tue Jul 20 15:25:21 2021
Summary:     Security update for containerd
Type:        security
Severity:    moderate
References:  1188282,CVE-2021-32760
This update for containerd fixes the following issues:

- CVE-2021-32760: Fixed a bug which allows untrusted container images to change permissions in the host's filesystem. (bsc#1188282)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:2427-1
Released:    Wed Jul 21 11:28:37 2021
Summary:     Security update for the Linux Kernel
Type:        security
Severity:    important
References:  1153720,1174978,1179610,1181193,1185428,1185701,1185861,1186463,1186484,1187038,1187050,1187215,1187452,1187554,1187595,1187601,1188062,1188116,CVE-2020-24588,CVE-2020-26558,CVE-2020-36385,CVE-2020-36386,CVE-2021-0129,CVE-2021-0512,CVE-2021-0605,CVE-2021-22555,CVE-2021-33200,CVE-2021-33624,CVE-2021-33909,CVE-2021-34693,CVE-2021-3609
The SUSE Linux Enterprise 15 SP3 kernel was updated to receive various security and bugfixes.

The following security bugs were fixed:

- CVE-2021-22555: Fixed an heap out-of-bounds write in net/netfilter/x_tables.c that could allow local provilege escalation. (bsc#1188116)
- CVE-2021-33624: Fixed a bug which allows unprivileged BPF program to leak the contents of arbitrary kernel memory (and therefore, of all physical memory) via a side-channel. (bsc#1187554)
- CVE-2021-0605: Fixed an out-of-bounds read which could lead to local information disclosure in the kernel with System execution privileges needed. (bsc#1187601)
- CVE-2021-0512: Fixed a possible out-of-bounds write which could lead to local escalation of privilege with no additional execution privileges needed. (bsc#1187595)
- CVE-2020-26558: Fixed a flaw in the Bluetooth LE and BR/EDR secure pairing that could permit a nearby man-in-the-middle attacker to identify the Passkey used during pairing. (bnc#1179610)
- CVE-2021-34693: Fixed a bug in net/can/bcm.c which could allow local users to obtain sensitive information from kernel stack memory because parts of a data structure are uninitialized. (bsc#1187452)
- CVE-2021-0129: Fixed an improper access control in BlueZ that may have allowed an authenticated user to potentially enable information disclosure via adjacent access. (bnc#1186463)
- CVE-2020-36386: Fixed an out-of-bounds read in hci_extended_inquiry_result_evt. (bsc#1187038)
- CVE-2020-24588: Fixed a bug that could allow an adversary to abuse devices that support receiving non-SSP A-MSDU frames to inject arbitrary network packets. (bsc#1185861 bsc#1185863)
- CVE-2021-33909: Fixed an out-of-bounds write in the filesystem layer that allows to andobtain full root privileges. (bsc#1188062)
- CVE-2021-3609: Fixed a race condition in the CAN BCM networking protocol which allows for local privilege escalation. (bsc#1187215)
- CVE-2020-36385: Fixed a use-after-free flaw in ucma.c which allows for local privilege escalation. (bsc#1187050)
- CVE-2021-33200: Fix leakage of uninitialized bpf stack under speculation. (bsc#1186484)

The following non-security bugs were fixed:

- af_packet: fix the tx skb protocol in raw sockets with ETH_P_ALL (bsc#1176081).
- kabi: preserve struct header_ops after bsc#1176081 fix (bsc#1176081).
- net: Do not set transport offset to invalid value (bsc#1176081).
- net: Introduce parse_protocol header_ops callback (bsc#1176081).
- net/ethernet: Add parse_protocol header_ops support (bsc#1176081).
- net/mlx5e: Remove the wrong assumption about transport offset (bsc#1176081).
- net/mlx5e: Trust kernel regarding transport offset (bsc#1176081).
- net/packet: Ask driver for protocol if not provided by user (bsc#1176081).
- net/packet: Remove redundant skb->protocol set (bsc#1176081).
- resource: Fix find_next_iomem_res() iteration issue (bsc#1181193).
- scsi: scsi_dh_alua: Retry RTPG on a different path after failure (bsc#1174978 bsc#1185701).
- SUNRPC in case of backlog, hand free slots directly to waiting task (bsc#1185428).
- SUNRPC: More fixes for backlog congestion (bsc#1185428).
- x86/crash: Add e820 reserved ranges to kdump kernel's e820 table (bsc#1181193).
- x86/debug: Extend the lower bound of crash kernel low reservations (bsc#1153720).
- x86/e820, ioport: Add a new I/O resource descriptor IORES_DESC_RESERVED (bsc#1181193).
- x86/mm: Rework ioremap resource mapping determination (bsc#1181193).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:2440-1
Released:    Wed Jul 21 13:48:24 2021
Summary:     Security update for curl
Type:        security
Severity:    moderate
References:  1188217,1188218,1188219,1188220,CVE-2021-22922,CVE-2021-22923,CVE-2021-22924,CVE-2021-22925
This update for curl fixes the following issues:

- CVE-2021-22925: TELNET stack contents disclosure again. (bsc#1188220)
- CVE-2021-22924: Bad connection reuse due to flawed path name checks. (bsc#1188219)
- CVE-2021-22923: Insufficiently Protected Credentials. (bsc#1188218)
- CVE-2021-22922: Wrong content via metalink not discarded. (bsc#1188217)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:2465-1
Released:    Fri Jul 23 14:56:48 2021
Summary:     Recommended update for shim
Type:        recommended
Severity:    moderate
References:  1185232,1185261,1185441,1185621,1187071,1187260,1187696
This update for shim fixes the following issues:

Update to shim to 15.4-4.7.1, Version: 15.4, 'Thu Jul 15 2021'
Update the SLE signatures

Includes fixes for various bugs in MOK handling and booting
(bsc#1187696, bsc#1185261, bsc#1185441, bsc#1187071, bsc#1185621,
bsc#1185261, bsc#1185232, bsc#1185261, bsc#1187260, bsc#1185232)

Remove shim-install because the shim-install is updated in the RPM.

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:2477-1
Released:    Tue Jul 27 13:32:50 2021
Summary:     Recommended update for growpart-rootgrow
Type:        recommended
Severity:    important
References:  1165198,1188179
This update for growpart-rootgrow fixes the following issues:

- Change the logic to determine the partition ID of the root filesystem
  (bsc#1188179)
  + Previously the algorithm depended on the order of the output
  from lsblk using an index to keep track of the known partitions.
  The new implementation is order independent, it depends on the
  partition ID being numerical in nature and at the end of the device
  string.

- Add coverage config.
  Omit version module from coverage check.

- Fix string formatting for flake8 formatting.

- Replace travis testing with GitHub actions.
  Add ci testing workflow action.

- Switch implementation to use Popen for Python 3.4 compatibility (bsc#1165198)

- Bump version: 1.0.2 → 1.0.3

- Fixed unit tests and style
  This clobbers several fixes into one. Sorry about it but I
  started on already made changes done by other people.
  This commit includes several pep8 style fixes mostly on
  the indentation level. In addition it fixes the unit
  tests to really cover all code and to make the exception
  tests really effective.

- Switch to use Popen instead of run
  The run() fuction in the subprocess module was implemented after
  Python 3.4. However, we need to support Python 3.4 for SLES 12

- Bump version: 1.0.1 → 1.0.2

- Package LICENSE file
  The LICENSE file is part of the source repo but was not
  packaged with the rpm package

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:2573-1
Released:    Thu Jul 29 14:21:52 2021
Summary:     Recommended update for timezone
Type:        recommended
Severity:    moderate
References:  1188127
This update for timezone fixes the following issue:
- From systemd v249: when enumerating time zones the timedatectl tool will now consult the 'tzdata.zi' file shipped by
the IANA time zone database package, in addition to 'zone1970.tab', as before. This makes sure time zone aliases are
now correctly supported. This update adds the 'tzdata.zi' file (bsc#1188127).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:2591-1
Released:    Mon Aug  2 12:56:12 2021
Summary:     Security update for qemu
Type:        security
Severity:    important
References:  1176681,1185591,1186290,1187364,1187365,1187366,1187367,1187499,1187529,1187538,1187539,CVE-2020-25085,CVE-2021-3582,CVE-2021-3592,CVE-2021-3593,CVE-2021-3594,CVE-2021-3595,CVE-2021-3607,CVE-2021-3608,CVE-2021-3611
This update for qemu fixes the following issues:

Security issues fixed:

- CVE-2021-3595: Fixed slirp: invalid pointer initialization may lead to information disclosure (tftp) (bsc#1187366)
- CVE-2021-3592: Fix for slirp: invalid pointer initialization may lead to information disclosure (bootp) (bsc#1187364)
- CVE-2021-3594: Fix for slirp: invalid pointer initialization may lead to information disclosure (udp) (bsc#1187367)
- CVE-2021-3593: Fix for slirp: invalid pointer initialization may lead to information disclosure (udp6) (bsc#1187365)
- CVE-2021-3582: Fix possible mremap overflow in the pvrdma (bsc#1187499)
- CVE-2021-3607: Ensure correct input on ring init (bsc#1187539)
- CVE-2021-3608: Fix the ring init error flow (bsc#1187538)
- CVE-2021-3611: Fix intel-hda segmentation fault due to stack overflow (bsc#1187529)
- CVE-2020-25085: Fix out-of-bounds access issue while doing multi block SDMA (bsc#1176681)

Other issues fixed:

- QEMU BIOS fails to read stage2 loader (on s390x)(bsc#1186290)
- Fix qemu hang while cancelling migrating hugepage vm (bsc#1185591)


-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:2603-1
Released:    Wed Aug  4 10:09:08 2021
Summary:     Recommended update for sca-appliance-common, supportutils
Type:        recommended
Severity:    moderate
References:  1185991,1185993,1186347,1186397,1186687
This update for sca-appliance-common, supportutils fixes the following issues:

- Adding ethtool options to the supportconfigt. (jsc#SLE-18239, jsc#SLE-18344)
- Fixed and issue when 'lsof' causes performance problems. (bsc#1186687)
- Exclude 'rhn.conf' from 'etc.txt' to prevent supportconfig capturing passwords in clear text. (bsc#1186347)
- Fix 'analyzevmcore' to supports local directories. (bsc#1186397)
- Fix for 'getappcore' checking for valid compression binary. (bsc#1185991)
- Fixed 'getappcore' to prevent triggering errors with help message. (bsc#1185993)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:2681-1
Released:    Thu Aug 12 14:59:06 2021
Summary:     Recommended update for growpart-rootgrow
Type:        recommended
Severity:    important
References:  1188868,1188904
This update for growpart-rootgrow fixes the following issues:

- Fix root partition ID lookup. Only consider trailing digits to be part of the paritition ID. (bsc#1188868) (bsc#1188904)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:2689-1
Released:    Mon Aug 16 10:54:52 2021
Summary:     Security update for cpio
Type:        security
Severity:    important
References:  1189206,CVE-2021-38185
This update for cpio fixes the following issues:

It was possible to trigger Remote code execution due to a integer overflow (CVE-2021-38185, bsc#1189206)


-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:2760-1
Released:    Tue Aug 17 17:11:14 2021
Summary:     Security update for c-ares
Type:        security
Severity:    important
References:  1188881,CVE-2021-3672
This update for c-ares fixes the following issues:

Version update to git snapshot 1.17.1+20200724:

- CVE-2021-3672: fixed missing input validation on hostnames returned by DNS servers (bsc#1188881)
- If ares_getaddrinfo() was terminated by an ares_destroy(), it would cause crash
- Crash in sortaddrinfo() if the list size equals 0 due to an unexpected DNS response
- Expand number of escaped characters in DNS replies as per RFC1035 5.1 to prevent spoofing
- Use unbuffered /dev/urandom for random data to prevent early startup performance issues

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:2763-1
Released:    Tue Aug 17 17:16:22 2021
Summary:     Recommended update for cpio
Type:        recommended
Severity:    critical
References:  1189465
This update for cpio fixes the following issues:

- A regression in last update would cause builds to hang on various architectures(bsc#1189465)
  
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:2780-1
Released:    Thu Aug 19 16:09:15 2021
Summary:     Recommended update for cpio
Type:        recommended
Severity:    critical
References:  1189465,CVE-2021-38185
This update for cpio fixes the following issues:

- A regression in the previous update could lead to crashes (bsc#1189465)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:2800-1
Released:    Fri Aug 20 10:43:04 2021
Summary:     Security update for krb5
Type:        security
Severity:    important
References:  1188571,CVE-2021-36222
This update for krb5 fixes the following issues:

- CVE-2021-36222: Fixed KDC null deref on bad encrypted challenge. (bsc#1188571)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:2810-1
Released:    Mon Aug 23 12:14:30 2021
Summary:     Security update for dbus-1
Type:        security
Severity:    moderate
References:  1172505,CVE-2020-12049
This update for dbus-1 fixes the following issues:

- CVE-2020-12049: truncated messages lead to resource exhaustion. (bsc#1172505)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:2831-1
Released:    Tue Aug 24 16:20:45 2021
Summary:     Security update for openssl-1_1
Type:        security
Severity:    important
References:  1189521,CVE-2021-3712
This update for openssl-1_1 fixes the following security issue:

- CVE-2021-3712: a bug in the code for printing certificate details could
  lead to a buffer overrun that a malicious actor could exploit to crash
  the application, causing a denial-of-service attack. [bsc#1189521]

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:2871-1
Released:    Mon Aug 30 15:46:25 2021
Summary:     Recommended update for bind
Type:        recommended
Severity:    moderate
References:  1187921,1188763
This update for bind fixes the following issues:
    
- Fix an assertion failure in the 'rehash()' function (bsc#1188763)
  When calculating the new hashtable bitsize, there was an off-by-one error
  that would allow the new bitsize to be larger than maximum allowed.
- tsig-keygen is now used to generate DDNS keys (bsc#1187921)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:2937-1
Released:    Fri Sep  3 09:18:45 2021
Summary:     Security update for libesmtp
Type:        security
Severity:    important
References:  1160462,1189097,CVE-2019-19977
This update for libesmtp fixes the following issues:

- CVE-2019-19977: Fixed stack-based buffer over-read in ntlm/ntlmstruct.c (bsc#1160462).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:2938-1
Released:    Fri Sep  3 09:19:36 2021
Summary:     Recommended update for openldap2
Type:        recommended
Severity:    moderate
References:  1184614

This update for openldap2 fixes the following issue:

- openldap2-contrib is shipped to the Legacy Module. (bsc#1184614)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:2950-1
Released:    Fri Sep  3 11:59:19 2021
Summary:     Recommended update for pcre2
Type:        recommended
Severity:    moderate
References:  1187937
This update for pcre2 fixes the following issue:

- Equalizes the result of a function that may have different output on s390x if compared to older (bsc#1187937)
PHP versions.

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:2962-1
Released:    Mon Sep  6 18:23:01 2021
Summary:     Recommended update for runc
Type:        recommended
Severity:    critical
References:  1189743
This update for runc fixes the following issues:

- Fixed an issue when toolbox container fails to start. (bsc#1189743)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:2968-1
Released:    Tue Sep  7 09:53:00 2021
Summary:     Security update for openssl-1_1
Type:        security
Severity:    low
References:  1189521,CVE-2021-3712
This update for openssl-1_1 fixes the following issues:

- CVE-2021-3712: This is an update for the incomplete fix for CVE-2021-3712. 
  Read buffer overruns processing ASN.1 strings (bsc#1189521).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:2979-1
Released:    Wed Sep  8 11:54:54 2021
Summary:     Recommended update for SUSEConnect
Type:        recommended
Severity:    moderate
References:  1185611
This update for SUSEConnect fixes the following issues:

- Disallow registering via SUSEConnect if the system is managed by SUSE Manager.
- Add subscription name to output of 'SUSEConnect --status'.
- send payload of GET requests as part of the url, not in the body (see bsc#1185611)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:3001-1
Released:    Thu Sep  9 15:08:13 2021
Summary:     Recommended update for netcfg
Type:        recommended
Severity:    moderate
References:  1189683
This update for netcfg fixes the following issues:

- add submissions port/protocol to services file for message submission over TLS protocol [bsc#1189683]

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:3022-1
Released:    Mon Sep 13 10:48:16 2021
Summary:     Recommended update for c-ares
Type:        recommended
Severity:    important
References:  1190225
This update for c-ares fixes the following issue:

- Allow '_' as part of DNS response. (bsc#1190225)
  - 'c-ares' 1.17.2 introduced response validation to prevent a security issue, however it was not listing '_' as a 
    valid character for domain name responses which caused issues when a 'CNAME' referenced a 'SRV' record which 
    contained underscores.

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:3115-1
Released:    Thu Sep 16 14:04:26 2021
Summary:     Recommended update for mozilla-nspr, mozilla-nss
Type:        recommended
Severity:    moderate
References:  1029961,1174697,1176206,1176934,1179382,1188891,CVE-2020-12400,CVE-2020-12401,CVE-2020-12403,CVE-2020-25648,CVE-2020-6829
This update for mozilla-nspr fixes the following issues:

mozilla-nspr was updated to version 4.32:

* implement new socket option PR_SockOpt_DontFrag
* support larger DNS records by increasing the default buffer
  size for DNS queries 
* Lock access to PRCallOnceType members in PR_CallOnce* for
  thread safety bmo#1686138
* PR_GetSystemInfo supports a new flag PR_SI_RELEASE_BUILD to get
  information about the operating system build version.


Mozilla NSS was updated to version 3.68:

* bmo#1713562 - Fix test leak.
* bmo#1717452 - NSS 3.68 should depend on NSPR 4.32.
* bmo#1693206 - Implement PKCS8 export of ECDSA keys.
* bmo#1712883 - DTLS 1.3 draft-43.
* bmo#1655493 - Support SHA2 HW acceleration using Intel SHA Extension.
* bmo#1713562 - Validate ECH public names.
* bmo#1717610 - Add function to get seconds from epoch from pkix::Time.

update to NSS 3.67

* bmo#1683710 - Add a means to disable ALPN.
* bmo#1715720 - Fix nssckbi version number in NSS 3.67 (was supposed to be incremented in 3.66).
* bmo#1714719 - Set NSS_USE_64 on riscv64 target when using GYP/Ninja.
* bmo#1566124 - Fix counter increase in ppc-gcm-wrap.c.
* bmo#1566124 - Fix AES_GCM mode on ppc64le for messages of length more than 255-byte.

update to NSS 3.66

* bmo#1710716 - Remove Expired Sonera Class2 CA from NSS.
* bmo#1710716 - Remove Expired Root Certificates from NSS - QuoVadis Root Certification Authority.
* bmo#1708307 - Remove Trustis FPS Root CA from NSS.
* bmo#1707097 - Add Certum Trusted Root CA to NSS.
* bmo#1707097 - Add Certum EC-384 CA to NSS.
* bmo#1703942 - Add ANF Secure Server Root CA to NSS.
* bmo#1697071 - Add GLOBALTRUST 2020 root cert to NSS.
* bmo#1712184 - NSS tools manpages need to be updated to reflect that sqlite is the default database.
* bmo#1712230 - Don't build ppc-gcm.s with clang integrated assembler.
* bmo#1712211 - Strict prototype error when trying to compile nss code that includes blapi.h.
* bmo#1710773 - NSS needs FIPS 180-3 FIPS indicators.
* bmo#1709291 - Add VerifyCodeSigningCertificateChain.

update to NSS 3.65

* bmo#1709654 - Update for NetBSD configuration.
* bmo#1709750 - Disable HPKE test when fuzzing.
* bmo#1566124 - Optimize AES-GCM for ppc64le.
* bmo#1699021 - Add AES-256-GCM to HPKE.
* bmo#1698419 - ECH -10 updates.
* bmo#1692930 - Update HPKE to final version.
* bmo#1707130 - NSS should use modern algorithms in PKCS#12 files by default.
* bmo#1703936 - New coverity/cpp scanner errors.
* bmo#1697303 - NSS needs to update it's csp clearing to FIPS 180-3 standards.
* bmo#1702663 - Need to support RSA PSS with Hashing PKCS #11 Mechanisms.
* bmo#1705119 - Deadlock when using GCM and non-thread safe tokens.

update to NSS 3.64

* bmo#1705286 - Properly detect mips64.
* bmo#1687164 - Introduce NSS_DISABLE_CRYPTO_VSX and
		disable_crypto_vsx.
* bmo#1698320 - replace __builtin_cpu_supports('vsx') with
		ppc_crypto_support() for clang.
* bmo#1613235 - Add POWER ChaCha20 stream cipher vector
		acceleration.

Fixed in 3.63

* bmo#1697380 - Make a clang-format run on top of helpful contributions.
* bmo#1683520 - ECCKiila P384, change syntax of nested structs
		initialization to prevent build isses with GCC 4.8.
* bmo#1683520 - [lib/freebl/ecl] P-384: allow zero scalars in dual
		scalar multiplication.
* bmo#1683520 - ECCKiila P521, change syntax of nested structs
		initialization to prevent build isses with GCC 4.8.
* bmo#1683520 - [lib/freebl/ecl] P-521: allow zero scalars in dual
		scalar multiplication.
* bmo#1696800 - HACL* update March 2021 - c95ab70fcb2bc21025d8845281bc4bc8987ca683.
* bmo#1694214 - tstclnt can't enable middlebox compat mode.
* bmo#1694392 - NSS does not work with PKCS #11 modules not supporting
		profiles.
* bmo#1685880 - Minor fix to prevent unused variable on early return.
* bmo#1685880 - Fix for the gcc compiler version 7 to support setenv
		with nss build.
* bmo#1693217 - Increase nssckbi.h version number for March 2021 batch
		of root CA changes, CA list version 2.48.
* bmo#1692094 - Set email distrust after to 21-03-01 for Camerfirma's
		'Chambers of Commerce' and 'Global Chambersign' roots.
* bmo#1618407 - Symantec root certs - Set CKA_NSS_EMAIL_DISTRUST_AFTER.
* bmo#1693173 - Add GlobalSign R45, E45, R46, and E46 root certs to NSS.
* bmo#1683738 - Add AC RAIZ FNMT-RCM SERVIDORES SEGUROS root cert to NSS.
* bmo#1686854 - Remove GeoTrust PCA-G2 and VeriSign Universal root certs
		from NSS.
* bmo#1687822 - Turn off Websites trust bit for the “Staat der
		Nederlanden Root CA - G3” root cert in NSS.
* bmo#1692094 - Turn off Websites Trust Bit for 'Chambers of Commerce
		Root - 2008' and 'Global Chambersign Root - 2008’.
* bmo#1694291 - Tracing fixes for ECH.

update to NSS 3.62

* bmo#1688374 - Fix parallel build NSS-3.61 with make
* bmo#1682044 - pkix_Build_GatherCerts() + pkix_CacheCert_Add()
		can corrupt 'cachedCertTable'
* bmo#1690583 - Fix CH padding extension size calculation
* bmo#1690421 - Adjust 3.62 ABI report formatting for new libabigail
* bmo#1690421 - Install packaged libabigail in docker-builds image
* bmo#1689228 - Minor ECH -09 fixes for interop testing, fuzzing
* bmo#1674819 - Fixup a51fae403328, enum type may be signed
* bmo#1681585 - Add ECH support to selfserv
* bmo#1681585 - Update ECH to Draft-09
* bmo#1678398 - Add Export/Import functions for HPKE context
* bmo#1678398 - Update HPKE to draft-07

update to NSS 3.61

* bmo#1682071 - Fix issue with IKE Quick mode deriving incorrect key
		values under certain conditions.
* bmo#1684300 - Fix default PBE iteration count when NSS is compiled
		with NSS_DISABLE_DBM.
* bmo#1651411 - Improve constant-timeness in RSA operations.
* bmo#1677207 - Upgrade Google Test version to latest release.
* bmo#1654332 - Add aarch64-make target to nss-try.

Update to NSS 3.60.1:

Notable changes in NSS 3.60:
* TLS 1.3 Encrypted Client Hello (draft-ietf-tls-esni-08) support
  has been added, replacing the previous ESNI (draft-ietf-tls-esni-01)
  implementation. See bmo#1654332 for more information.
* December 2020 batch of Root CA changes, builtins library updated
  to version 2.46. See bmo#1678189, bmo#1678166, and bmo#1670769
  for more information.

Update to NSS 3.59.1:

* bmo#1679290 - Fix potential deadlock with certain third-party
		PKCS11 modules

Update to NSS 3.59:

Notable changes:

* Exported two existing functions from libnss:
  CERT_AddCertToListHeadWithData and CERT_AddCertToListTailWithData

Bugfixes

* bmo#1607449 - Lock cert->nssCertificate to prevent a potential data race
* bmo#1672823 - Add Wycheproof test cases for HMAC, HKDF, and DSA
* bmo#1663661 - Guard against NULL token in nssSlot_IsTokenPresent
* bmo#1670835 - Support enabling and disabling signatures via Crypto Policy
* bmo#1672291 - Resolve libpkix OCSP failures on SHA1 self-signed
		root certs when SHA1 signatures are disabled.
* bmo#1644209 - Fix broken SelectedCipherSuiteReplacer filter to
		solve some test intermittents
* bmo#1672703 - Tolerate the first CCS in TLS 1.3 to fix a regression in
		our CVE-2020-25648 fix that broke purple-discord
		(boo#1179382)
* bmo#1666891 - Support key wrap/unwrap with RSA-OAEP
* bmo#1667989 - Fix gyp linking on Solaris
* bmo#1668123 - Export CERT_AddCertToListHeadWithData and
		CERT_AddCertToListTailWithData from libnss
* bmo#1634584 - Set CKA_NSS_SERVER_DISTRUST_AFTER for Trustis FPS Root CA
* bmo#1663091 - Remove unnecessary assertions in the streaming
		ASN.1 decoder that affected decoding certain PKCS8
		private keys when using NSS debug builds
*  bmo#670839 - Use ARM crypto extension for AES, SHA1 and SHA2 on MacOS.

update to NSS 3.58

Bugs fixed:

* bmo#1641480 (CVE-2020-25648)
  Tighten CCS handling for middlebox compatibility mode.
* bmo#1631890 - Add support for Hybrid Public Key Encryption
  (draft-irtf-cfrg-hpke) support for TLS Encrypted Client Hello
  (draft-ietf-tls-esni).
* bmo#1657255 - Add CI tests that disable SHA1/SHA2 ARM crypto
  extensions.
* bmo#1668328 - Handle spaces in the Python path name when using
  gyp on Windows.
* bmo#1667153 - Add PK11_ImportDataKey for data object import.
* bmo#1665715 - Pass the embedded SCT list extension (if present)
  to TrustDomain::CheckRevocation instead of the notBefore value.

update to NSS 3.57

* The following CA certificates were Added:
  bmo#1663049 - CN=Trustwave Global Certification Authority
      SHA-256 Fingerprint: 97552015F5DDFC3C8788C006944555408894450084F100867086BC1A2BB58DC8
  bmo#1663049 - CN=Trustwave Global ECC P256 Certification Authority
      SHA-256 Fingerprint: 945BBC825EA554F489D1FD51A73DDF2EA624AC7019A05205225C22A78CCFA8B4
  bmo#1663049 - CN=Trustwave Global ECC P384 Certification Authority
      SHA-256 Fingerprint: 55903859C8C0C3EBB8759ECE4E2557225FF5758BBD38EBD48276601E1BD58097
* The following CA certificates were Removed:
  bmo#1651211 - CN=EE Certification Centre Root CA
      SHA-256 Fingerprint: 3E84BA4342908516E77573C0992F0979CA084E4685681FF195CCBA8A229B8A76
  bmo#1656077 - O=Government Root Certification Authority; C=TW
      SHA-256 Fingerprint: 7600295EEFE85B9E1FD624DB76062AAAAE59818A54D2774CD4C0B2C01131E1B3
* Trust settings for the following CA certificates were Modified:
  bmo#1653092 - CN=OISTE WISeKey Global Root GA CA
      Websites (server authentication) trust bit removed.
* https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.57_release_notes

update to NSS 3.56

Notable changes

* bmo#1650702 - Support SHA-1 HW acceleration on ARMv8
* bmo#1656981 - Use MPI comba and mulq optimizations on x86-64 MacOS.
* bmo#1654142 - Add CPU feature detection for Intel SHA extension.
* bmo#1648822 - Add stricter validation of DH keys in FIPS mode.
* bmo#1656986 - Properly detect arm64 during GYP build architecture
		detection.
* bmo#1652729 - Add build flag to disable RC2 and relocate to
		lib/freebl/deprecated.
* bmo#1656429 - Correct RTT estimate used in 0-RTT anti-replay.
* bmo#1588941 - Send empty certificate message when scheme selection
		fails.
* bmo#1652032 - Fix failure to build in Windows arm64 makefile
		cross-compilation.
* bmo#1625791 - Fix deadlock issue in nssSlot_IsTokenPresent.
* bmo#1653975 - Fix 3.53 regression by setting 'all' as the default
		makefile target.
* bmo#1659792 - Fix broken libpkix tests with unexpired PayPal cert.
* bmo#1659814 - Fix interop.sh failures with newer tls-interop
		commit and dependencies.
* bmo#1656519 - NSPR dependency updated to 4.28

update to NSS 3.55

Notable changes
* P384 and P521 elliptic curve implementations are replaced with
  verifiable implementations from Fiat-Crypto [0] and ECCKiila [1].
* PK11_FindCertInSlot is added. With this function, a given slot
  can be queried with a DER-Encoded certificate, providing performance
  and usability improvements over other mechanisms. (bmo#1649633)
* DTLS 1.3 implementation is updated to draft-38. (bmo#1647752)

Relevant Bugfixes

* bmo#1631583 (CVE-2020-6829, CVE-2020-12400) - Replace P384 and
  P521 with new, verifiable implementations from Fiat-Crypto and ECCKiila.
* bmo#1649487 - Move overzealous assertion in VFY_EndWithSignature.
* bmo#1631573 (CVE-2020-12401) - Remove unnecessary scalar padding.
* bmo#1636771 (CVE-2020-12403) - Explicitly disable multi-part
  ChaCha20 (which was not functioning correctly) and more strictly
  enforce tag length.
* bmo#1649648 - Don't memcpy zero bytes (sanitizer fix).
* bmo#1649316 - Don't memcpy zero bytes (sanitizer fix).
* bmo#1649322 - Don't memcpy zero bytes (sanitizer fix).
* bmo#1653202 - Fix initialization bug in blapitest when compiled
  with NSS_DISABLE_DEPRECATED_SEED.
* bmo#1646594 - Fix AVX2 detection in makefile builds.
* bmo#1649633 - Add PK11_FindCertInSlot to search a given slot
  for a DER-encoded certificate.
* bmo#1651520 - Fix slotLock race in NSC_GetTokenInfo.
* bmo#1647752 - Update DTLS 1.3 implementation to draft-38.
* bmo#1649190 - Run cipher, sdr, and ocsp tests under standard test cycle in CI.
* bmo#1649226 - Add Wycheproof ECDSA tests.
* bmo#1637222 - Consistently enforce IV requirements for DES and 3DES.
* bmo#1067214 - Enforce minimum PKCS#1 v1.5 padding length in
  RSA_CheckSignRecover.
* bmo#1646324 - Advertise PKCS#1 schemes for certificates in the
  signature_algorithms extension.

update to NSS 3.54

Notable changes

* Support for TLS 1.3 external pre-shared keys (bmo#1603042).
* Use ARM Cryptography Extension for SHA256, when available
  (bmo#1528113)
* The following CA certificates were Added:
  bmo#1645186 - certSIGN Root CA G2.
  bmo#1645174 - e-Szigno Root CA 2017.
  bmo#1641716 - Microsoft ECC Root Certificate Authority 2017.
  bmo#1641716 - Microsoft RSA Root Certificate Authority 2017.
* The following CA certificates were Removed:
  bmo#1645199 - AddTrust Class 1 CA Root.
  bmo#1645199 - AddTrust External CA Root.
  bmo#1641718 - LuxTrust Global Root 2.
  bmo#1639987 - Staat der Nederlanden Root CA - G2.
  bmo#1618402 - Symantec Class 2 Public Primary Certification Authority - G4.
  bmo#1618402 - Symantec Class 1 Public Primary Certification Authority - G4.
  bmo#1618402 - VeriSign Class 3 Public Primary Certification Authority - G3.

* A number of certificates had their Email trust bit disabled.
  See bmo#1618402 for a complete list.

Bugs fixed

* bmo#1528113 - Use ARM Cryptography Extension for SHA256.
* bmo#1603042 - Add TLS 1.3 external PSK support.
* bmo#1642802 - Add uint128 support for HACL* curve25519 on Windows.
* bmo#1645186 - Add 'certSIGN Root CA G2' root certificate.
* bmo#1645174 - Add Microsec's 'e-Szigno Root CA 2017' root certificate.
* bmo#1641716 - Add Microsoft's non-EV root certificates.
* bmo1621151 - Disable email trust bit for 'O=Government
	       Root Certification Authority; C=TW' root.
* bmo#1645199 - Remove AddTrust root certificates.
* bmo#1641718 - Remove 'LuxTrust Global Root 2' root certificate.
* bmo#1639987 - Remove 'Staat der Nederlanden Root CA - G2' root
		certificate.
* bmo#1618402 - Remove Symantec root certificates and disable email trust
		bit.
* bmo#1640516 - NSS 3.54 should depend on NSPR 4.26.
* bmo#1642146 - Fix undefined reference to `PORT_ZAlloc_stub' in seed.c.
* bmo#1642153 - Fix infinite recursion building NSS.
* bmo#1642638 - Fix fuzzing assertion crash.
* bmo#1642871 - Enable SSL_SendSessionTicket after resumption.
* bmo#1643123 - Support SSL_ExportEarlyKeyingMaterial with External PSKs.
* bmo#1643557 - Fix numerous compile warnings in NSS.
* bmo#1644774 - SSL gtests to use ClearServerCache when resetting
		self-encrypt keys.
* bmo#1645479 - Don't use SECITEM_MakeItem in secutil.c.
* bmo#1646520 - Stricter enforcement of ASN.1 INTEGER encoding.

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:3132-1
Released:    Fri Sep 17 16:37:37 2021
Summary:     Recommended update for google-guest-oslogin
Type:        recommended
Severity:    moderate
References:  1188992,1189041
This update for google-guest-oslogin contains the following fixes:

- Update to version 20210728.00 (bsc#1188992, bsc#1189041)
  * JSON object cleanup (#65)

- Update to version 20210707.00
  * throw exceptions in cache_refresh (#64)

- from version 20210702.00
  * Use IP address for calling the metadata server. (#63)

- Update to version 20210618.00
  * flush each group member write (#62)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:3133-1
Released:    Fri Sep 17 16:37:56 2021
Summary:     Recommended update for grub2, efibootmgr
Type:        recommended
Severity:    moderate
References:  1186565,1186975,1187565
This update for grub2, efibootmgr provides the following fixes:

- Ship package grub2-arm64-efi and the required efibootmgr also to ppc64le, s390x and x86_64 (bsc#1186565)
- Fix error gfxterm isn't found with multiple terminals (bsc#1187565)
- Fix ocasional boot failure after kdump procedure when using XFS (bsc#1186975)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:3182-1
Released:    Tue Sep 21 17:04:26 2021
Summary:     Recommended update for file
Type:        recommended
Severity:    moderate
References:  1189996
This update for file fixes the following issues:

- Fixes exception thrown by memory allocation problem (bsc#1189996)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:3224-1
Released:    Fri Sep 24 11:34:33 2021
Summary:     Recommended update for shim-susesigned
Type:        recommended
Severity:    moderate
References:  1177315,1177789,1182057,1184454,1185232,1185261,1185441,1185464,1185621,1185961,1187260,1187696
This update for shim-susesigned fixes the following issues:

Sync with Microsoft signed shim to Thu Jul 15 08:13:26 UTC 2021.

This update addresses the 'susesigned' shim component.

shim was updated to 15.4 (bsc#1182057)

- console: Move the countdown function to console.c 
- fallback: show a countdown menu before reset 
- MOK: Fix the missing vendor cert in MokListRT  
- mok: fix the mirroring of RT variables
- Add the license change statement for errlog.c and mok.c
- Remove a couple of incorrect license claims.
- MokManager: Use CompareMem on MokListNode.Type instead of CompareGuid
- Make EFI variable copying fatal only on secureboot enabled systems
- Remove call to TPM2 get_event_log
- tpm: Fix off-by-one error when calculating event size
- tpm: Define EFI_VARIABLE_DATA_TREE as packed
- tpm: Don't log duplicate identical events
- VLogError(): Avoid NULL pointer dereferences in (V)Sprint calls
- OpenSSL: always provide OBJ_create() with name strings.
- translate_slashes(): don't write to string literals
- Fix a use of strlen() instead of Strlen()
- shim: Update EFI_LOADED_IMAGE with the second stage loader file path
- tpm: Include information about PE/COFF images in the TPM Event Log
- Fix a broken tpm type
- All newly released openSUSE kernels enable kernel lockdown
  and signature verification, so there is no need to add the
  prompt anymore.
- Fix the NULL pointer dereference in AuthenticodeVerify()
- Remove the build ID to make the binary reproducible when building with AArch64 container
- Prevent the build id being added to the binary. That can cause issues with the signature
- Allocate MOK config table as BootServicesData to avoid the error message from linux kernel
- Handle ignore_db and user_insecure_mode correctly (bsc#1185441)
- Relax the maximum variable size check for u-boot
- Relax the check for import_mok_state() when Secure Boot is off
- Relax the check for the LoadOptions length
- Fix the size of rela* sections for AArch64
- Disable exporting vendor-dbx to MokListXRT
- Don't call QueryVariableInfo() on EFI 1.10 machines
- Avoid buffer overflow when copying the MOK config table
- Avoid deleting the mirrored RT variables
- Update to 15.3 for SBAT support (bsc#1182057)
- Generate vender-specific SBAT metadata
- Rename the SBAT variable and fix the self-check of SBAT
- Split the keys in vendor-dbx.bin to vendor-dbx-sles and
  vendor-dbx-opensuse for shim-sles and shim-opensuse to reduce
  the size of MokListXRT (bsc#1185261)
- shim-install: reset def_shim_efi to 'shim.efi' if the given file doesn't exist
- shim-install: instead of assuming 'removable' for Azure, remove
  fallback.efi from \EFI\Boot and copy grub.efi/cfg to \EFI\Boot
  to make \EFI\Boot bootable and keep the boot option created by
  efibootmgr (bsc#1185464, bsc#1185961)
- shim-install: always assume 'removable' for Azure to avoid the endless reset loop (bsc#1185464)
- shim-install: Support changing default shim efi binary in /usr/etc/default/shim and /etc/default/shim (bsc#1177315)
- Update dbx-cert.tar.xz and vendor-dbx.bin to block the following sign keys:
  + SLES-UEFI-SIGN-Certificate-2020-07.crt
  + openSUSE-UEFI-SIGN-Certificate-2020-07.crt

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:3233-1
Released:    Mon Sep 27 15:02:21 2021
Summary:     Recommended update for xfsprogs
Type:        recommended
Severity:    moderate
References:  1085917,1181299,1181306,1181309,1181535,1181536,1188651,1189552
This update for xfsprogs fixes the following issues:

- Fixes an issue when 'fstests' with 'xfs' fail. (bsc#1181309, bsc#1181299)
- xfsprogs: Split 'libhandle1' into a separate package, since nothing within xfsprogs dynamically links against it. The shared library is still required by xfsdump as a runtime dependency.
- mkfs.xfs: Fix 'ASSERT' on too-small device with stripe geometry. (bsc#1181536)
- mkfs.xfs: If either 'sunit' or 'swidth' is not zero, the other must be as well. (bsc#1085917, bsc#1181535)
- xfs_growfs: Refactor geometry reporting. (bsc#1181306)
- xfs_growfs: Allow mounted device node as argument. (bsc#1181299)
- xfs_repair: Rebuild directory when non-root leafn blocks claim block 0. (bsc#1181309)
- xfs_repair: Check plausibility of root dir pointer before trashing it. (bsc#1188651)
- xfs_bmap: Remove '-c' from manpage. (bsc#1189552)
- xfs_bmap: Do not reject '-e'. (bsc#1189552)
- Implement 'libhandle1' through ECO. (jsc#SLE-20360)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:3245-1
Released:    Tue Sep 28 13:54:31 2021
Summary:     Recommended update for docker
Type:        recommended
Severity:    important
References:  1190670
This update for docker fixes the following issues:

- Return ENOSYS for clone3 in the seccomp profile to avoid breaking containers using glibc 2.34.
- Add shell requires for the *-completion subpackages.

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:3278-1
Released:    Mon Oct  4 09:30:10 2021
Summary:     Recommended update for ca-certificates-mozilla
Type:        recommended
Severity:    important
References:  1190858
This update for ca-certificates-mozilla fixes the following issues:

- remove one of the Letsencrypt CAs DST_Root_CA_X3.pem, as it expires
  September 30th 2021 and openssl certificate chain handling does not handle
  this correctly in openssl 1.0.2 and older. (bsc#1190858)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:3297-1
Released:    Wed Oct  6 16:53:29 2021
Summary:     Security update for curl
Type:        security
Severity:    moderate
References:  1190373,1190374,CVE-2021-22946,CVE-2021-22947
This update for curl fixes the following issues:

- CVE-2021-22947: Fixed STARTTLS protocol injection via MITM (bsc#1190374).
- CVE-2021-22946: Fixed protocol downgrade required TLS bypassed (bsc#1190373).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:3318-1
Released:    Wed Oct  6 19:31:19 2021
Summary:     Recommended update for sudo
Type:        recommended
Severity:    moderate
References:  1176473,1181371
This update for sudo fixes the following issues:

- Update to sudo 1.8.27 (jsc#SLE-17083).
- Fixed special handling of ipa_hostname (bsc#1181371).
- Restore sudo ldap behavior to ignore expire dates when SUDOERS_TIMED option is not set in /etc/ldap.conf (bsc#1176473).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:3348-1
Released:    Tue Oct 12 13:08:06 2021
Summary:     Security update for systemd
Type:        security
Severity:    moderate
References:  1134353,1171962,1184994,1188018,1188063,1188291,1188713,1189480,1190234,CVE-2021-33910
This update for systemd fixes the following issues:

- CVE-2021-33910: Fixed use of strdupa() on a path (bsc#1188063).

- logind: terminate cleanly on SIGTERM/SIGINT (bsc#1188018).
- Adopting BFQ to control I/O (jsc#SLE-21032, bsc#1134353).
- Rules weren't applied to dm devices (multipath) (bsc#1188713).
- Ignore obsolete 'elevator' kernel parameter (bsc#1184994, bsc#1190234).
- Make sure the versions of both udev and systemd packages are always the same (bsc#1189480).
- Avoid error message when udev is updated due to udev being already active when the sockets are started again (bsc#1188291).
- Allow the systemd sysusers config files to be overriden during system installation (bsc#1171962).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:3385-1
Released:    Tue Oct 12 15:54:31 2021
Summary:     Security update for glibc
Type:        security
Severity:    moderate
References:  1186489,1187911,CVE-2021-33574,CVE-2021-35942
This update for glibc fixes the following issues:

- CVE-2021-35942: wordexp: handle overflow in positional parameter number (bsc#1187911)
- CVE-2021-33574: Use __pthread_attr_copy in mq_notify (bsc#1186489)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:3404-1
Released:    Wed Oct 13 10:40:17 2021
Summary:     Recommended update for kdump
Type:        recommended
Severity:    moderate
References:  1154837,1164713,1172670,1182309,1183070,1184616,1186037,1188090
This update for kdump fixes the following issues:

- Make sure that the udev runtime directory exists (bsc#1164713).
- Add 'bootdev=' to dracut command line (bsc#1182309).
- Query systemd network.service to find out if wicked is used (bsc#1182309).
- Install /etc/resolv.conf using its resolved path (bsc#1183070).
- Avoid an endless loop when resolving a hostname fails with EAI_AGAIN (bsc#1183070).    
- Do not add network-related dracut options if ip= is set explicitly (bsc#1182309, bsc#1188090).    
- Fix incorrect exit code checking after 'local' with assignment (bsc#1184616).
- Do not iterate past end of string (bsc#1186037).
- Activate udev rules late during boot (bsc#1154837).
- Make sure that initrd.target.wants directory exists (bsc#1172670).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:3410-1
Released:    Wed Oct 13 10:41:36 2021
Summary:     Recommended update for xkeyboard-config
Type:        recommended
Severity:    moderate
References:  1191242
This update for xkeyboard-config fixes the following issue:

- Wrong keyboard mapping causing input delays with ABNT2 keyboards. (bsc#1191242)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:3447-1
Released:    Fri Oct 15 09:05:15 2021
Summary:     Security update for the Linux Kernel
Type:        security
Severity:    important
References:  1065729,1148868,1152489,1154353,1159886,1167773,1170774,1173746,1176940,1184439,1184804,1185302,1185677,1185726,1185762,1187167,1188067,1188651,1188986,1189297,1189841,1189884,1190023,1190062,1190115,1190159,1190358,1190406,1190432,1190467,1190523,1190534,1190543,1190576,1190595,1190596,1190598,1190620,1190626,1190679,1190705,1190717,1190746,1190758,1190784,1190785,1191172,1191193,1191240,1191292,CVE-2020-3702,CVE-2021-3669,CVE-2021-3744,CVE-2021-3752,CVE-2021-3764,CVE-2021-40490


The SUSE Linux Enterprise 15 SP2 kernel was updated.


The following security bugs were fixed:

- CVE-2020-3702: Fixed a bug which could be triggered with specifically timed and handcrafted traffic and cause internal errors in a WLAN device that lead to improper layer 2 Wi-Fi encryption with a consequent possibility of information disclosure. (bnc#1191193)
- CVE-2021-3752: Fixed a use after free vulnerability in the Linux kernel's bluetooth module. (bsc#1190023)
- CVE-2021-40490: Fixed a race condition discovered in the ext4 subsystem that could leat to local priviledge escalation. (bnc#1190159)
- CVE-2021-3744: Fixed a bug which could allows attackers to cause a denial of service. (bsc#1189884)
- CVE-2021-3764: Fixed a bug which could allows attackers to cause a denial of service. (bsc#1190534)
- CVE-2021-3669: Fixed a bug that doesn't allow /proc/sysvipc/shm to scale with large shared memory segment counts which could lead to resource exhaustion and DoS. (bsc#1188986)

The following non-security bugs were fixed:

- ALSA: firewire-motu: fix truncated bytes in message tracepoints (git-fixes).
- apparmor: remove duplicate macro list_entry_is_head() (git-fixes).
- ASoC: fsl_micfil: register platform component before registering cpu dai (git-fixes).
- ASoC: mediatek: common: handle NULL case in suspend/resume function (git-fixes).
- ASoC: rockchip: i2s: Fix regmap_ops hang (git-fixes).
- ASoC: rockchip: i2s: Fixup config for DAIFMT_DSP_A/B (git-fixes).
- ASoC: SOF: Fix DSP oops stack dump output contents (git-fixes).
- ath9k: fix OOB read ar9300_eeprom_restore_internal (git-fixes).
- ath9k: fix sleeping in atomic context (git-fixes).
- blk-mq: do not deactivate hctx if managed irq isn't used (bsc#1185762).
- blk-mq: kABI fixes for blk_mq_queue_map (bsc#1185762).
- blk-mq: mark if one queue map uses managed irq (bsc#1185762).
- Bluetooth: skip invalid hci_sync_conn_complete_evt (git-fixes).
- bnx2x: fix an error code in bnx2x_nic_load() (git-fixes).
- bnxt_en: Add missing DMA memory barriers (git-fixes).
- bnxt_en: Disable aRFS if running on 212 firmware (git-fixes).
- bnxt_en: Do not enable legacy TX push on older firmware (git-fixes).
- bnxt_en: Store the running firmware version code (git-fixes).
- bnxt: count Tx drops (git-fixes).
- bnxt: disable napi before canceling DIM (git-fixes).
- bnxt: do not lock the tx queue from napi poll (git-fixes).
- bnxt: make sure xmit_more + errors does not miss doorbells (git-fixes).
- btrfs: prevent rename2 from exchanging a subvol with a directory from different parents (bsc#1190626).
- clk: at91: clk-generated: Limit the requested rate to our range (git-fixes).
- clk: at91: clk-generated: pass the id of changeable parent at registration (git-fixes).
- console: consume APC, DM, DCS (git-fixes).
- cuse: fix broken release (bsc#1190596).
- cxgb4: dont touch blocked freelist bitmap after free (git-fixes).
- debugfs: Return error during {full/open}_proxy_open() on rmmod (bsc#1173746).
- devlink: Break parameter notification sequence to be before/after unload/load driver (bsc#1154353).
- dmaengine: ioat: depends on !UML (git-fixes).
- dmaengine: sprd: Add missing MODULE_DEVICE_TABLE (git-fixes).
- dmaengine: xilinx_dma: Set DMA mask for coherent APIs (git-fixes).
- docs: Fix infiniband uverbs minor number (git-fixes).
- drivers: gpu: amd: Initialize amdgpu_dm_backlight_caps object to 0 in amdgpu_dm_update_backlight_caps (git-fixes).
- drm: avoid blocking in drm_clients_info's rcu section (git-fixes).
- drm/amd/amdgpu: Update debugfs link_settings output link_rate field in hex (git-fixes).
- drm/amd/display: Fix timer_per_pixel unit error (git-fixes).
- drm/amdgpu: Fix BUG_ON assert (git-fixes).
- drm/gma500: Fix end of loop tests for list_for_each_entry (git-fixes).
- drm/nouveau/nvkm: Replace -ENOSYS with -ENODEV (git-fixes).
- drm/panfrost: Clamp lock region to Bifrost minimum (git-fixes).
- e1000e: Do not take care about recovery NVM checksum (jsc#SLE-8100).
- e1000e: Fix the max snoop/no-snoop latency for 10M (git-fixes).
- EDAC/i10nm: Fix NVDIMM detection (bsc#1152489).
- EDAC/synopsys: Fix wrong value type assignment for edac_mode (bsc#1152489).
- erofs: fix up erofs_lookup tracepoint (git-fixes).
- fbmem: do not allow too huge resolutions (git-fixes).
- fpga: machxo2-spi: Fix missing error code in machxo2_write_complete() (git-fixes).
- fpga: machxo2-spi: Return an error on failure (git-fixes).
- fuse: flush extending writes (bsc#1190595).
- fuse: truncate pagecache on atomic_o_trunc (bsc#1190705).
- genirq: add device_has_managed_msi_irq (bsc#1185762).
- gpio: uniphier: Fix void functions to remove return value (git-fixes).
- gpu: drm: amd: amdgpu: amdgpu_i2c: fix possible uninitialized-variable access in amdgpu_i2c_router_select_ddc_port() (git-fixes).
- gve: fix the wrong AdminQ buffer overflow check (bsc#1176940).
- hv_netvsc: Make netvsc/VF binding check both MAC and serial number (jsc#SLE-18779, bsc#1185726).
- hv: mana: remove netdev_lockdep_set_classes usage (jsc#SLE-18779, bsc#1185726).
- hwmon: (mlxreg-fan) Return non-zero value when fan current state is enforced from sysfs (git-fixes).
- hwmon: (tmp421) fix rounding for negative values (git-fixes).
- hwmon: (tmp421) report /PVLD condition as fault (git-fixes).
- i40e: Add additional info to PHY type error (git-fixes).
- i40e: Fix firmware LLDP agent related warning (git-fixes).
- i40e: Fix log TC creation failure when max num of queues is exceeded (git-fixes).
- i40e: Fix logic of disabling queues (git-fixes).
- i40e: Fix queue-to-TC mapping on Tx (git-fixes).
- iavf: Fix ping is lost after untrusted VF had tried to change MAC (jsc#SLE-7940).
- iavf: Set RSS LUT and key in reset handle path (git-fixes).
- ibmvnic: check failover_pending in login response (bsc#1190523 ltc#194510).
- ibmvnic: Consolidate code in replenish_rx_pool() (bsc#1190758 ltc#191943).
- ibmvnic: Fix up some comments and messages (bsc#1190758 ltc#191943).
- ibmvnic: init_tx_pools move loop-invariant code (bsc#1190758 ltc#191943).
- ibmvnic: Reuse LTB when possible (bsc#1190758 ltc#191943).
- ibmvnic: Reuse rx pools when possible (bsc#1190758 ltc#191943).
- ibmvnic: Reuse tx pools when possible (bsc#1190758 ltc#191943).
- ibmvnic: Use bitmap for LTB map_ids (bsc#1190758 ltc#191943).
- ibmvnic: Use/rename local vars in init_rx_pools (bsc#1190758 ltc#191943).
- ibmvnic: Use/rename local vars in init_tx_pools (bsc#1190758 ltc#191943).
- ice: Prevent probing virtual functions (git-fixes).
- iio: dac: ad5624r: Fix incorrect handling of an optional regulator (git-fixes).
- include/linux/list.h: add a macro to test if entry is pointing to the head (git-fixes).
- iomap: Fix negative assignment to unsigned sis->pages in iomap_swapfile_activate (bsc#1190784).
- ionic: cleanly release devlink instance (bsc#1167773).
- ionic: count csum_none when offload enabled (bsc#1167773).
- ipc: remove memcg accounting for sops objects in do_semtimedop() (bsc#1190115).
- ipc/util.c: use binary search for max_idx (bsc#1159886).
- ipvs: allow connection reuse for unconfirmed conntrack (bsc#1190467).
- ipvs: avoid expiring many connections from timer (bsc#1190467).
- ipvs: Fix up kabi for expire_nodest_conn_work addition (bsc#1190467).
- ipvs: queue delayed work to expire no destination connections if expire_nodest_conn=1 (bsc#1190467).
- iwlwifi: mvm: fix a memory leak in iwl_mvm_mac_ctxt_beacon_changed (git-fixes).
- kernel-binary.spec: Check for no kernel signing certificates. Also remove unused variable.
- kernel-binary.spec: Do not fail silently when KMP is empty (bsc#1190358). Copy the code from kernel-module-subpackage that deals with empty KMPs.
- kernel-binary.spec: Do not sign kernel when no key provided (bsc#1187167 bsc#1191240 ltc#194716).
- kernel-binary.spec.in Stop templating the scriptlets for subpackages (bsc#1190358). The script part for base package case is completely separate from the part for subpackages. Remove the part for subpackages from the base package script and use the KMP scripts for subpackages instead.
- libata: fix ata_host_start() (git-fixes).
- mac80211-hwsim: fix late beacon hrtimer handling (git-fixes).
- mac80211: Fix ieee80211_amsdu_aggregate frag_tail bug (git-fixes).
- mac80211: fix use-after-free in CCMP/GCMP RX (git-fixes).
- mac80211: limit injected vht mcs/nss in ieee80211_parse_tx_radiotap (git-fixes).
- mac80211: mesh: fix potentially unaligned access (git-fixes).
- media: cedrus: Fix SUNXI tile size calculation (git-fixes).
- media: coda: fix frame_mem_ctrl for YUV420 and YVU420 formats (git-fixes).
- media: dib8000: rewrite the init prbs logic (git-fixes).
- media: imx258: Limit the max analogue gain to 480 (git-fixes).
- media: imx258: Rectify mismatch of VTS value (git-fixes).
- media: rc-loopback: return number of emitters rather than error (git-fixes).
- media: TDA1997x: fix tda1997x_query_dv_timings() return value (git-fixes).
- media: uvc: do not do DMA on stack (git-fixes).
- media: v4l2-dv-timings.c: fix wrong condition in two for-loops (git-fixes).
- mfd: Do not use irq_create_mapping() to resolve a mapping (git-fixes).
- mlx4: Fix missing error code in mlx4_load_one() (git-fixes).
- mm: always have io_remap_pfn_range() set pgprot_decrypted() (git-fixes).
- mm/swap: consider max pages in iomap_swapfile_add_extent (bsc#1190785).
- mmc: core: Return correct emmc response in case of ioctl error (git-fixes).
- mmc: rtsx_pci: Fix long reads when clock is prescaled (git-fixes).
- mmc: sdhci-of-arasan: Check return value of non-void funtions (git-fixes).
- net: mana: Add a driver for Microsoft Azure Network Adapter (MANA) (jsc#SLE-18779, bsc#1185726).
- net: mana: Add support for EQ sharing (jsc#SLE-18779, bsc#1185726).
- net: mana: Add WARN_ON_ONCE in case of CQE read overflow (jsc#SLE-18779, bsc#1185726).
- net: mana: Fix a memory leak in an error handling path in (jsc#SLE-18779, bsc#1185726).
- net: mana: fix PCI_HYPERV dependency (jsc#SLE-18779, bsc#1185726).
- net: mana: Move NAPI from EQ to CQ (jsc#SLE-18779, bsc#1185726).
- net: mana: Prefer struct_size over open coded arithmetic (jsc#SLE-18779, bsc#1185726).
- net: mana: remove redundant initialization of variable err (jsc#SLE-18779, bsc#1185726).
- net: mana: Use int to check the return value of mana_gd_poll_cq() (jsc#SLE-18779, bsc#1185726).
- net: mana: Use struct_size() in kzalloc() (jsc#SLE-18779, bsc#1185726).
- net: qlcnic: add missed unlock in qlcnic_83xx_flash_read32 (git-fixes).
- net: sched: sch_teql: fix null-pointer dereference (bsc#1190717).
- net/mlx5: E-Switch, handle devcom events only for ports on the same device (git-fixes).
- net/mlx5: Fix flow table chaining (git-fixes).
- net/mlx5: Fix return value from tracer initialization (git-fixes).
- net/mlx5: Unload device upon firmware fatal error (git-fixes).
- net/mlx5e: Avoid creating tunnel headers for local route (git-fixes).
- net/mlx5e: Fix nullptr in mlx5e_hairpin_get_mdev() (git-fixes).
- net/mlx5e: Prohibit inner indir TIRs in IPoIB (git-fixes).
- netfilter: conntrack: do not renew entry stuck in tcp SYN_SENT state (bsc#1190062).
- nfp: update ethtool reporting of pauseframe control (git-fixes).
- NFS: change nfs_access_get_cached to only report the mask (bsc#1190746).
- NFS: do not store 'struct cred *' in struct nfs_access_entry (bsc#1190746).
- NFS: pass cred explicitly for access tests (bsc#1190746).
- nvme: avoid race in shutdown namespace removal (bsc#1188067).
- nvme: fix refcounting imbalance when all paths are down (bsc#1188067).
- parport: remove non-zero check on count (git-fixes).
- PCI: aardvark: Fix checking for PIO status (git-fixes).
- PCI: aardvark: Fix masking and unmasking legacy INTx interrupts (git-fixes).
- PCI: aardvark: Increase polling delay to 1.5s while waiting for PIO response (git-fixes).
- PCI: Add ACS quirks for Cavium multi-function devices (git-fixes).
- PCI: Add ACS quirks for NXP LX2xx0 and LX2xx2 platforms (git-fixes).
- PCI: Add AMD GPU multi-function power dependencies (git-fixes).
- PCI: ibmphp: Fix double unmap of io_mem (git-fixes).
- PCI: pci-bridge-emul: Add PCIe Root Capabilities Register (git-fixes).
- PCI: pci-bridge-emul: Fix array overruns, improve safety (git-fixes).
- PCI: pci-bridge-emul: Fix big-endian support (git-fixes).
- PCI: Restrict ASMedia ASM1062 SATA Max Payload Size Supported (git-fixes).
- PCI: Use pci_update_current_state() in pci_enable_device_flags() (git-fixes).
- PM: base: power: do not try to use non-existing RTC for storing data (git-fixes).
- PM: EM: Increase energy calculation precision (git-fixes).
- power: supply: axp288_fuel_gauge: Report register-address on readb / writeb errors (git-fixes).
- power: supply: max17042_battery: fix typo in MAx17042_TOFF (git-fixes).
- powercap: intel_rapl: add support for Sapphire Rapids (jsc#SLE-15289).
- powerpc: fix function annotations to avoid section mismatch warnings with gcc-10 (bsc#1148868).
- powerpc/drmem: Make LMB walk a bit more flexible (bsc#1190543 ltc#194523).
- powerpc/perf: Drop the case of returning 0 as instruction pointer (bsc#1065729).
- powerpc/perf: Fix crash in perf_instruction_pointer() when ppmu is not set (bsc#1065729).
- powerpc/perf: Fix the check for SIAR value (bsc#1065729).
- powerpc/perf: Use regs->nip when SIAR is zero (bsc#1065729).
- powerpc/perf: Use stack siar instead of mfspr (bsc#1065729).
- powerpc/perf: Use the address from SIAR register to set cpumode flags (bsc#1065729).
- powerpc/perf/hv-gpci: Fix counter value parsing (bsc#1065729).
- powerpc/powernv: Fix machine check reporting of async store errors (bsc#1065729).
- powerpc/pseries: Prevent free CPU ids being reused on another node (bsc#1190620 ltc#194498).
- powerpc/pseries/dlpar: use rtas_get_sensor() (bsc#1065729).
- pseries/drmem: update LMBs after LPM (bsc#1190543 ltc#194523).
- pwm: img: Do not modify HW state in .remove() callback (git-fixes).
- pwm: rockchip: Do not modify HW state in .remove() callback (git-fixes).
- pwm: stm32-lp: Do not modify HW state in .remove() callback (git-fixes).
- qlcnic: Remove redundant unlock in qlcnic_pinit_from_rom (git-fixes).
- RDMA/bnxt_re: Remove unpaired rtnl unlock in bnxt_re_dev_init() (bsc#1170774).
- Re-enable UAS for LaCie Rugged USB3-FW with fk quirk (git-fixes).
- regmap: fix page selection for noinc reads (git-fixes).
- regmap: fix page selection for noinc writes (git-fixes).
- regmap: fix the offset of register error log (git-fixes).
- Restore kabi after NFS: pass cred explicitly for access tests (bsc#1190746).
- rpm: Abolish scritplet templating (bsc#1189841). Outsource kernel-binary and KMP scriptlets to suse-module-tools. This allows fixing bugs in the scriptlets as well as defining initrd regeneration policy independent of the kernel packages.
- rpm/kernel-binary.spec: Use only non-empty certificates.
- rpm/kernel-binary.spec.in: avoid conflicting suse-release suse-release had arbitrary values in staging, we can't use it for dependencies. The filesystem one has to be enough (boo#1184804).
- rtc: rx8010: select REGMAP_I2C (git-fixes).
- rtc: tps65910: Correct driver module alias (git-fixes).
- s390/unwind: use current_frame_address() to unwind current task (bsc#1185677).
- sched/fair: Add ancestors of unthrottled undecayed cfs_rq (bsc#1191292).
- scsi: core: Add helper to return number of logical blocks in a request (bsc#1190576).
- scsi: core: Introduce the scsi_cmd_to_rq() function (bsc#1190576).
- scsi: fc: Add EDC ELS definition (bsc#1190576).
- scsi: fc: Update formal FPIN descriptor definitions (bsc#1190576).
- scsi: lpfc: Add bsg support for retrieving adapter cmf data (bsc#1190576).
- scsi: lpfc: Add cm statistics buffer support (bsc#1190576).
- scsi: lpfc: Add cmf_info sysfs entry (bsc#1190576).
- scsi: lpfc: Add cmfsync WQE support (bsc#1190576).
- scsi: lpfc: Add debugfs support for cm framework buffers (bsc#1190576).
- scsi: lpfc: Add EDC ELS support (bsc#1190576).
- scsi: lpfc: Add MIB feature enablement support (bsc#1190576).
- scsi: lpfc: Add rx monitoring statistics (bsc#1190576).
- scsi: lpfc: Add SET_HOST_DATA mbox cmd to pass date/time info to firmware (bsc#1190576).
- scsi: lpfc: Add support for cm enablement buffer (bsc#1190576).
- scsi: lpfc: Add support for maintaining the cm statistics buffer (bsc#1190576).
- scsi: lpfc: Add support for the CM framework (bsc#1190576).
- scsi: lpfc: Adjust bytes received vales during cmf timer interval (bsc#1190576).
- scsi: lpfc: Copyright updates for 14.0.0.1 patches (bsc#1190576).
- scsi: lpfc: Do not release final kref on Fport node while ABTS outstanding (bsc#1190576).
- scsi: lpfc: Do not remove ndlp on PRLI errors in P2P mode (bsc#1190576).
- scsi: lpfc: Expand FPIN and RDF receive logging (bsc#1190576).
- scsi: lpfc: Fix compilation errors on kernels with no CONFIG_DEBUG_FS (bsc#1190576).
- scsi: lpfc: Fix CPU to/from endian warnings introduced by ELS processing (bsc#1190576).
- scsi: lpfc: Fix EEH support for NVMe I/O (bsc#1190576).
- scsi: lpfc: Fix FCP I/O flush functionality for TMF routines (bsc#1190576).
- scsi: lpfc: Fix gcc -Wstringop-overread warning, again (bsc#1190576).
- scsi: lpfc: Fix hang on unload due to stuck fport node (bsc#1190576).
- scsi: lpfc: Fix I/O block after enabling managed congestion mode (bsc#1190576).
- scsi: lpfc: Fix list_add() corruption in lpfc_drain_txq() (bsc#1190576).
- scsi: lpfc: Fix NVMe I/O failover to non-optimized path (bsc#1190576).
- scsi: lpfc: Fix premature rpi release for unsolicited TPLS and LS_RJT (bsc#1190576).
- scsi: lpfc: Fix rediscovery of tape device after LIP (bsc#1190576).
- scsi: lpfc: Fix sprintf() overflow in lpfc_display_fpin_wwpn() (bsc#1190576).
- scsi: lpfc: Improve PBDE checks during SGL processing (bsc#1190576).
- scsi: lpfc: Remove unneeded variable (bsc#1190576).
- scsi: lpfc: Update lpfc version to 14.0.0.1 (bsc#1190576).
- scsi: lpfc: Update lpfc version to 14.0.0.2 (bsc#1190576).
- scsi: lpfc: Use correct scnprintf() limit (bsc#1190576).
- scsi: lpfc: Use scsi_cmd_to_rq() instead of scsi_cmnd.request (bsc#1190576).
- scsi: lpfc: Use the proper SCSI midlayer interfaces for PI (bsc#1190576).
- scsi: lpfc: Zero CGN stats only during initial driver load and stat reset (bsc#1190576).
- scsi: scsi_devinfo: Add blacklist entry for HPE OPEN-V (bsc#1189297).
- serial: 8250_pci: make setup_port() parameters explicitly unsigned (git-fixes).
- serial: 8250: Define RX trigger levels for OxSemi 950 devices (git-fixes).
- serial: mvebu-uart: fix driver's tx_empty callback (git-fixes).
- serial: sh-sci: fix break handling for sysrq (git-fixes).
- spi: Fix tegra20 build with CONFIG_PM=n (git-fixes).
- staging: board: Fix uninitialized spinlock when attaching genpd (git-fixes).
- staging: ks7010: Fix the initialization of the 'sleep_status' structure (git-fixes).
- staging: rts5208: Fix get_ms_information() heap buffer size (git-fixes).
- thermal/core: Potential buffer overflow in thermal_build_list_of_policies() (git-fixes).
- time: Handle negative seconds correctly in timespec64_to_ns() (git-fixes).
- tty: Fix data race between tiocsti() and flush_to_ldisc() (git-fixes).
- tty: serial: jsm: hold port lock when reporting modem line changes (git-fixes).
- tty: synclink_gt, drop unneeded forward declarations (git-fixes).
- usb-storage: Add quirk for ScanLogic SL11R-IDE older than 2.6c (git-fixes).
- usb: core: hcd: Add support for deferring roothub registration (git-fixes).
- usb: dwc2: Add missing cleanups when usb_add_gadget_udc() fails (git-fixes).
- usb: dwc2: Avoid leaving the error_debugfs label unused (git-fixes).
- usb: dwc2: gadget: Fix ISOC flow for BDMA and Slave (git-fixes).
- usb: dwc2: gadget: Fix ISOC transfer complete handling for DDMA (git-fixes).
- usb: EHCI: ehci-mv: improve error handling in mv_ehci_enable() (git-fixes).
- usb: gadget: r8a66597: fix a loop in set_feature() (git-fixes).
- usb: gadget: u_ether: fix a potential null pointer dereference (git-fixes).
- usb: host: fotg210: fix the actual_length of an iso packet (git-fixes).
- usb: host: fotg210: fix the endpoint's transactional opportunities calculation (git-fixes).
- usb: musb: musb_dsps: request_irq() after initializing musb (git-fixes).
- usb: musb: tusb6010: uninitialized data in tusb_fifo_write_unaligned() (git-fixes).
- usb: serial: cp210x: add ID for GW Instek GDM-834x Digital Multimeter (git-fixes).
- usb: serial: option: add device id for Foxconn T99W265 (git-fixes).
- usb: serial: option: add Telit LN920 compositions (git-fixes).
- usb: serial: option: remove duplicate USB device ID (git-fixes).
- usbip: give back URBs for unsent unlink requests during cleanup (git-fixes).
- usbip:vhci_hcd USB port can get stuck in the disabled state (git-fixes).
- video: fbdev: asiliantfb: Error out if 'pixclock' equals zero (git-fixes).
- video: fbdev: kyro: Error out if 'pixclock' equals zero (git-fixes).
- video: fbdev: kyro: fix a DoS bug by restricting user input (git-fixes).
- video: fbdev: riva: Error out if 'pixclock' equals zero (git-fixes).
- vmxnet3: add support for 32 Tx/Rx queues (bsc#1190406).
- vmxnet3: add support for ESP IPv6 RSS (bsc#1190406).
- vmxnet3: increase maximum configurable mtu to 9190 (bsc#1190406).
- vmxnet3: prepare for version 6 changes (bsc#1190406).
- vmxnet3: remove power of 2 limitation on the queues (bsc#1190406).
- vmxnet3: set correct hash type based on rss information (bsc#1190406).
- vmxnet3: update to version 6 (bsc#1190406).
- watchdog/sb_watchdog: fix compilation problem due to COMPILE_TEST (git-fixes).
- x86/alternatives: Teach text_poke_bp() to emulate instructions (bsc#1185302).
- x86/apic/msi: Plug non-maskable MSI affinity race (bsc#1184439).
- x86/cpu: Fix core name for Sapphire Rapids (jsc#SLE-15289).
- x86/mm: Fix kern_addr_valid() to cope with existing but not present entries (bsc#1152489).
- x86/resctrl: Fix a maybe-uninitialized build warning treated as error (bsc#1152489).
- x86/resctrl: Fix default monitoring groups reporting (bsc#1152489).
- xfs: allow mount/remount when stripe width alignment is zero (bsc#1188651).
- xfs: sync lazy sb accounting on quiesce of read-only mounts (bsc#1190679).
- xgene-v2: Fix a resource leak in the error handling path of 'xge_probe()' (git-fixes).
- xhci: Set HCD flag to defer primary roothub registration (git-fixes).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:3454-1
Released:    Mon Oct 18 09:29:26 2021
Summary:     Security update for krb5
Type:        security
Severity:    moderate
References:  1189929,CVE-2021-37750
This update for krb5 fixes the following issues:

- CVE-2021-37750: Fixed KDC null pointer dereference via a FAST inner body that lacks a server field (bsc#1189929).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:3480-1
Released:    Wed Oct 20 11:24:08 2021
Summary:     Recommended update for yast2-network
Type:        recommended
Severity:    moderate
References:  1185016,1185524,1186910,1187270,1187512,1188344,1190645,1190739,1190915,1190933
This update for yast2-network fixes the following issues:

- Don't crash when the interfaces table contains a not configured one (bnc#1190645, bsc#1190915).
- Fix the shown description using the interface friendly name when it is empty (bsc#1190933).
- Consider aliases sections as case insensitive (bsc#1190739).
- Display user defined device name in the devices overview (bnc#1190645).
- Don't crash when defined aliases in AutoYaST profile are not defined as a map (bsc#1188344).
- Support 'boot' and 'on' as aliases for the 'auto' startmode (bsc#1186910).
- Fix desktop file so the control center tooltip is translated (bsc#1187270).
- Use the linuxrc proxy settings for the HTTPS and FTP proxies (bsc#1185016).
- Don't crash at the end of installation when storing wifi configuration for NetworkManager (bsc#1185524, bsc#1187512).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:3490-1
Released:    Wed Oct 20 16:31:55 2021
Summary:     Security update for ncurses
Type:        security
Severity:    moderate
References:  1190793,CVE-2021-39537
This update for ncurses fixes the following issues:

- CVE-2021-39537: Fixed an heap-based buffer overflow in _nc_captoinfo. (bsc#1190793)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:3494-1
Released:    Wed Oct 20 16:48:46 2021
Summary:     Recommended update for pam
Type:        recommended
Severity:    moderate
References:  1190052
This update for pam fixes the following issues:

- Added pam_faillock to the set of available PAM modules. (jsc#SLE-20638)
- Added new file macros.pam on request of systemd. (bsc#1190052)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:3506-1
Released:    Mon Oct 25 10:20:22 2021
Summary:     Security update for containerd, docker, runc
Type:        security
Severity:    important
References:  1102408,1185405,1187704,1188282,1190826,1191015,1191121,1191334,1191355,1191434,CVE-2021-30465,CVE-2021-32760,CVE-2021-41089,CVE-2021-41091,CVE-2021-41092,CVE-2021-41103
This update for containerd, docker, runc fixes the following issues:

Docker was updated to 20.10.9-ce. (bsc#1191355)

See upstream changelog in the packaged
  /usr/share/doc/packages/docker/CHANGELOG.md. 

  CVE-2021-41092 CVE-2021-41089 CVE-2021-41091 CVE-2021-41103

container was updated to v1.4.11, to fix CVE-2021-41103. bsc#1191355

- CVE-2021-32760: Fixed that a archive package allows chmod of file outside of unpack target directory (bsc#1188282)

- Install systemd service file as well (bsc#1190826)

Update to runc v1.0.2. Upstream changelog is available from

  https://github.com/opencontainers/runc/releases/tag/v1.0.2

* Fixed a failure to set CPU quota period in some cases on cgroup v1.
* Fixed the inability to start a container with the 'adding seccomp filter
  rule for syscall ...' error, caused by redundant seccomp rules (i.e. those
  that has action equal to the default one). Such redundant rules are now
  skipped.
* Made release builds reproducible from now on.
* Fixed a rare debug log race in runc init, which can result in occasional
  harmful 'failed to decode ...' errors from runc run or exec.
* Fixed the check in cgroup v1 systemd manager if a container needs to be
  frozen before Set, and add a setting to skip such freeze unconditionally.
  The previous fix for that issue, done in runc 1.0.1, was not working.

Update to runc v1.0.1. Upstream changelog is available from

https://github.com/opencontainers/runc/releases/tag/v1.0.1

* Fixed occasional runc exec/run failure ('interrupted system call') on an
  Azure volume.
* Fixed 'unable to find groups ... token too long' error with /etc/group
  containing lines longer than 64K characters.
* cgroup/systemd/v1: fix leaving cgroup frozen after Set if a parent cgroup is
  frozen. This is a regression in 1.0.0, not affecting runc itself but some
  of libcontainer users (e.g Kubernetes).
* cgroupv2: bpf: Ignore inaccessible existing programs in case of
  permission error when handling replacement of existing bpf cgroup
  programs. This fixes a regression in 1.0.0, where some SELinux
  policies would block runc from being able to run entirely.
* cgroup/systemd/v2: don't freeze cgroup on Set.
* cgroup/systemd/v1: avoid unnecessary freeze on Set.
- fix issues with runc under openSUSE MicroOS's SELinux policy. bsc#1187704

Update to runc v1.0.0. Upstream changelog is available from

https://github.com/opencontainers/runc/releases/tag/v1.0.0

! The usage of relative paths for mountpoints will now produce a warning
  (such configurations are outside of the spec, and in future runc will
  produce an error when given such configurations).
* cgroupv2: devices: rework the filter generation to produce consistent
  results with cgroupv1, and always clobber any existing eBPF
  program(s) to fix runc update and avoid leaking eBPF programs
  (resulting in errors when managing containers).
* cgroupv2: correctly convert 'number of IOs' statistics in a
  cgroupv1-compatible way.
* cgroupv2: support larger than 32-bit IO statistics on 32-bit architectures.
* cgroupv2: wait for freeze to finish before returning from the freezing
  code, optimize the method for checking whether a cgroup is frozen.
* cgroups/systemd: fixed 'retry on dbus disconnect' logic introduced in rc94
* cgroups/systemd: fixed returning 'unit already exists' error from a systemd
  cgroup manager (regression in rc94)
+ cgroupv2: support SkipDevices with systemd driver
+ cgroup/systemd: return, not ignore, stop unit error from Destroy
+ Make 'runc --version' output sane even when built with go get or
  otherwise outside of our build scripts.
+ cgroups: set SkipDevices during runc update (so we don't modify
  cgroups at all during runc update).
+ cgroup1: blkio: support BFQ weights.
+ cgroupv2: set per-device io weights if BFQ IO scheduler is available.

Update to runc v1.0.0~rc95. Upstream changelog is available from https://github.com/opencontainers/runc/releases/tag/v1.0.0-rc95

This release of runc contains a fix for CVE-2021-30465, and users are
strongly recommended to update (especially if you are providing
semi-limited access to spawn containers to untrusted users). (bsc#1185405)

Update to runc v1.0.0~rc94. Upstream changelog is available from https://github.com/opencontainers/runc/releases/tag/v1.0.0-rc94

Breaking Changes:
* cgroupv1: kernel memory limits are now always ignored, as kmemcg has
  been effectively deprecated by the kernel. Users should make use of regular
  memory cgroup controls.

Regression Fixes:

* seccomp: fix 32-bit compilation errors
* runc init: fix a hang caused by deadlock in seccomp/ebpf loading code
* runc start: fix 'chdir to cwd: permission denied' for some setups

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:3510-1
Released:    Tue Oct 26 11:22:15 2021
Summary:     Recommended update for pam
Type:        recommended
Severity:    important
References:  1191987
This update for pam fixes the following issues:

- Fixed a bad directive file which resulted in
  the 'securetty' file to be installed as 'macros.pam'.
  (bsc#1191987)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:3523-1
Released:    Tue Oct 26 15:40:13 2021
Summary:     Security update for util-linux
Type:        security
Severity:    moderate
References:  1122417,1125886,1178236,1188921,CVE-2021-37600
This update for util-linux fixes the following issues:

Update to version 2.33.2 to provide seamless update from SLE12 SP5 to SLE15 SP2:

- CVE-2021-37600: Fixed an integer overflow which could lead to a buffer overflow in get_sem_elements() in sys-utils/ipcutils.c (bsc#1188921).
- agetty: Fix 8-bit processing in get_logname() (bsc#1125886).
- mount: Fix 'mount' output for net file systems (bsc#1122417).
- ipcs: Avoid overflows (bsc#1178236)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:3529-1
Released:    Wed Oct 27 09:23:32 2021
Summary:     Security update for pcre
Type:        security
Severity:    moderate
References:  1172973,1172974,CVE-2019-20838,CVE-2020-14155
This update for pcre fixes the following issues:

Update pcre to version 8.45:

- CVE-2020-14155: Fixed integer overflow via a large number after a '(?C' substring (bsc#1172974).
- CVE-2019-20838: Fixed buffer over-read in JIT compiler (bsc#1172973)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:3545-1
Released:    Wed Oct 27 14:46:39 2021
Summary:     Recommended update for less
Type:        recommended
Severity:    low
References:  1190552
This update for less fixes the following issues:

- Add missing runtime dependency on package 'which', that is used by
  lessopen.sh (bsc#1190552)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:3614-1
Released:    Thu Nov  4 12:27:09 2021
Summary:     Security update for qemu
Type:        security
Severity:    important
References:  1180432,1180433,1180434,1180435,1182651,1186012,1189145,1189702,1189938,CVE-2020-35503,CVE-2020-35504,CVE-2020-35505,CVE-2020-35506,CVE-2021-20255,CVE-2021-3527,CVE-2021-3682,CVE-2021-3713,CVE-2021-3748
This update for qemu fixes the following issues:

Security issues fixed:

- Fix out-of-bounds write in UAS (USB Attached SCSI) device emulation (bsc#1189702, CVE-2021-3713)
- Fix heap use-after-free in virtio_net_receive_rcu (bsc#1189938, CVE-2021-3748)
- usbredir: free call on invalid pointer in bufp_alloc (bsc#1189145, CVE-2021-3682)
- NULL pointer dereference in ESP (bsc#1180433, CVE-2020-35504) (bsc#1180434, CVE-2020-35505) (bsc#1180435, CVE-2020-35506)
- NULL pointer dereference issue in megasas-gen2 host bus adapter (bsc#1180432, CVE-2020-35503)
- eepro100: stack overflow via infinite recursion (bsc#1182651, CVE-2021-20255)
- usb: unbounded stack allocation in usbredir (bsc#1186012, CVE-2021-3527)

Non-security issues fixed:

- Use max host physical address if -cpu max is used (bsc#1188299)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:3626-1
Released:    Mon Nov  8 15:46:57 2021
Summary:     Recommended update for SUSEConnect
Type:        recommended
Severity:    important
References:  
This update for SUSEConnect contains the following fix:

- Update to 0.3.32:
  - Allow --regcode and --instance-data attributes at the same time. (jsc#PCT-164)
  - Document that 'debug' can also get set in the config file.
  - --status will also print the subscription name.

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:3674-1
Released:    Tue Nov 16 15:15:33 2021
Summary:     Security update for samba
Type:        security
Severity:    important
References:  1014440,1192284,CVE-2016-2124,CVE-2020-25717
This update for samba fixes the following issues:

- CVE-2016-2124: Fixed not to fallback to non spnego authentication if we require kerberos (bsc#1014440).
- CVE-2020-25717: Fixed privilege escalation inside an AD Domain where a user could become root on domain members (bsc#1192284).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:3773-1
Released:    Tue Nov 23 15:49:30 2021
Summary:     Security update for bind
Type:        security
Severity:    important
References:  1192146,CVE-2021-25219
This update for bind fixes the following issues:

- CVE-2021-25219: Fixed lame cache that could have been abused to severely degrade resolver performance (bsc#1192146).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:3781-1
Released:    Tue Nov 23 23:48:43 2021
Summary:     This update for libzypp, zypper and libsolv fixes the following issues:
Type:        recommended
Severity:    moderate
References:  1153687,1182372,1183268,1183589,1184326,1184399,1184997,1185325,1186447,1186503,1186602,1187224,1187425,1187466,1187738,1187760,1188156,1188435,1189031,1190059,1190199,1190356,1190465,1190712,1190815,1191286,1191324,1191370,1191609,1192337,1192436
This update for zypper fixes the following issues:

- Manpage: Recommend the needs-rebooting command to test whether a system reboot is suggested.
- Let a patch's reboot-needed flag overrule included packages. (bsc#1183268)
- Quickfix setting 'openSUSE_Tumbleweed' as default platform for 'MicroOS'. (bsc#1153687)
- Protect against strict/relaxed user umask via sudo. (bsc#1183589)
- xml summary: Add solvables repository alias. (bsc#1182372)
- Allow trusted repos to add additional signing keys. (bsc#1184326)
- MediaCurl: Fix logging of redirects.
- Let negative values wait forever for the zypp lock. (bsc#1184399)
- Fix 'purge-kernels' is broken in Leap 15.3. (bsc#1185325)
- Fix service detection with cgroupv2. (bsc#1184997)
- Add hints to 'trust GPG key' prompt.
- Enhance XML output of repo GPG options
- Add optional attributes showing the raw values actually present in the '.repo' file.
- Link all executables with -pie (bsc#1186447)
- Ship an empty '/etc/zypp/needreboot' per default. (jsc#PM-2645)
- Fix solver jobs for PTFs. (bsc#1186503)
- choice rules: treat orphaned packages as newest. (bc#1190465)
- Add need reboot/restart hint to XML install summary. (bsc#1188435)
- Fix kernel-*-livepatch removal in purge-kernels. (bsc#1190815)
- Fix obs:// platform guessing for Leap. (bsc#1187425)
- Fix purge-kernels fails. (bsc#1187738)
- Do not download full files even if the checkExistsOnly flag is set. (bsc#1190712)
- Prompt: choose exact match if prompt options are not prefix free. (bsc#1188156)
- Do not check of signatures and keys two times(redundant). (bsc#1190059)
- Rephrase vendor conflict message in case 2 packages are involved. (bsc#1187760)
- Show key fpr from signature when signature check fails. (bsc#1187224)
- Make sure to keep states alives while transitioning. (bsc#1190199)
- Fix crashes in logging code when shutting down. (bsc#1189031)
- Manpage: Improve description about patch updates. (bsc#1187466)
- Avoid calling 'su' to detect a too restrictive sudo user umask. (bsc#1186602)
- Consolidate reboot-recommendations across tools and stop using /etc/zypp/needreboot (jsc#-SLE-18858)
- Disable logger in the child after fork (bsc#1192436)
- Check log writer before accessing it (bsc#1192337)
- Allow uname-r format in purge kernels keepspec
- zypper should keep cached files if transaction is aborted (bsc#1190356)
- Require a minimum number of mirrors for multicurl (bsc#1191609)
- Use procfs to detect nr of open fd's if rlimit is too high (bsc#1191324)
- Fix translations (bsc#1191370)
- RepoManager: Don't probe for plaindir repo if URL schema is plugin (bsc#1191286)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:3787-1
Released:    Wed Nov 24 06:00:10 2021
Summary:     Recommended update for xfsprogs
Type:        recommended
Severity:    moderate
References:  1189983,1189984,1191500,1191566,1191675
This update for xfsprogs fixes the following issues:

- Make libhandle1 an explicit dependency in the xfsprogs-devel package (bsc#1191566)
- Remove deprecated barrier/nobarrier mount options from manual pages section 5 (bsc#1191675)
- xfs_io: include support for label command (bsc#1191500)
- xfs_quota: state command to report all three (-ugp) grace times separately (bsc#1189983)
- xfs_admin: add support for external log devices (bsc#1189984)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:3799-1
Released:    Wed Nov 24 18:07:54 2021
Summary:     Recommended update for gcc11
Type:        recommended
Severity:    moderate
References:  1187153,1187273,1188623
This update for gcc11 fixes the following issues:

The additional GNU compiler collection GCC 11 is provided:

To select these compilers install the packages:

- gcc11
- gcc-c++11
- and others with 11 prefix.

to select them for building:

- CC='gcc-11'
- CXX='g++-11'

The compiler baselibraries (libgcc_s1, libstdc++6 and others) are being replaced by the GCC 11 variants.

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:3809-1
Released:    Fri Nov 26 00:31:59 2021
Summary:     Recommended update for systemd
Type:        recommended
Severity:    moderate
References:  1189803,1190325,1190440,1190984,1191252,1192161
This update for systemd fixes the following issues:

- Add timestamp to D-Bus events to improve traceability (jsc#SLE-21862, jsc#SLE-18102, jsc#SLE-18103)
- Fix IO scheduler udev rules to address performance issues (jsc#SLE-21032, bsc#1192161)
- shutdown: Reduce log level of unmounts (bsc#1191252)
- pid1: make use of new 'prohibit_ipc' logging flag in PID 1 (bsc#1189803)
- core: rework how we connect to the bus (bsc#1190325)
- mount-util: fix fd_is_mount_point() when both the parent and directory are network fs (bsc#1190984)
- virt: detect Amazon EC2 Nitro instance (bsc#1190440)
- Several fixes for umount
- busctl: use usec granularity for the timestamp printed by the busctl monitor command
- fix unitialized fields in MountPoint in dm_list_get()
- shutdown: explicitly set a log target
- mount-util: add mount_option_mangle()
- dissect: automatically mark partitions read-only that have a read-only file system
- build-sys: require proper libmount version
- systemd-shutdown: use log_set_prohibit_ipc(true)
- rationalize interface for opening/closing logging
- pid1: when we can't log to journal, remember our fallback log target
- log: remove LOG_TARGET_SAFE pseudo log target
- log: add brief comment for log_set_open_when_needed() and log_set_always_reopen_console()
- log: add new 'prohibit_ipc' flag to logging system
- log: make log_set_upgrade_syslog_to_journal() take effect immediately
- dbus: split up bus_done() into seperate functions
- machine-id-setup: generate machine-id from DMI product ID on Amazon EC2
- virt: if we detect Xen by DMI, trust that over CPUID

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:3825-1
Released:    Wed Dec  1 13:39:52 2021
Summary:     Recommended update for grub2
Type:        recommended
Severity:    moderate
References:  1167756,1186975
This update for grub2 fixes the following issues:

- Fix boot failure as journaled data not get drained due to abrupt power off after grub-install (bsc#1167756)
- Fix boot failure after kdump due to the content of grub.cfg to pending modificaton in xfs journal (bsc#1186975)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:3830-1
Released:    Wed Dec  1 13:45:46 2021
Summary:     Security update for glibc
Type:        security
Severity:    moderate
References:  1027496,1183085,CVE-2016-10228

This update for glibc fixes the following issues:


- libio: do not attempt to free wide buffers of legacy streams (bsc#1183085) 
- CVE-2016-10228: Rewrite iconv option parsing to fix security issue (bsc#1027496)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:3838-1
Released:    Wed Dec  1 16:07:54 2021
Summary:     Security update for ruby2.5
Type:        security
Severity:    important
References:  1188160,1188161,1190375,CVE-2021-31799,CVE-2021-31810,CVE-2021-32066
This update for ruby2.5 fixes the following issues:

- CVE-2021-31799: Fixed Command injection vulnerability in RDoc (bsc#1190375).
- CVE-2021-31810: Fixed trusting FTP PASV responses vulnerability in Net:FTP (bsc#1188161).
- CVE-2021-32066: Fixed StartTLS stripping vulnerability in Net:IMAP (bsc#1188160).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:3869-1
Released:    Thu Dec  2 07:10:09 2021
Summary:     Recommended update for suse-module-tools
Type:        recommended
Severity:    moderate
References:  1189841,1189879,1190598,1191200,1191260,1191480,1191804,1191922
This update for suse-module-tools fixes the following issues:

- rpm-script: fix bad exit status in OpenQA (bsc#1191922)
- cert-script: Deal with existing $cert.delete file (bsc#1191804)
- cert-script: Ignore kernel keyring for kernel certificates (bsc#1191480)
- cert-script: Only print mokutil output in verbose mode
- inkmp-script(postun): don't pass  existing files to weak-modules2 (bsc#1191200)
- kernel-scriptlets: skip cert scriptlet on non-UEFI systems (bsc#1191260)
- rpm-script: link config also into /boot (bsc#1189879)
- Import kernel scriptlets from kernel-source (bsc#1189841, bsc#1190598)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:3876-1
Released:    Thu Dec  2 08:19:20 2021
Summary:     Security update for the Linux Kernel
Type:        security
Severity:    important
References:  1100416,1108488,1129735,1129898,1133374,1136513,1171420,1176724,1177666,1181158,1184673,1184804,1185377,1185726,1185758,1185973,1186078,1186109,1186390,1186482,1186672,1188062,1188063,1188172,1188563,1188601,1188616,1188838,1188876,1188983,1188985,1189057,1189262,1189291,1189399,1189400,1189706,1189846,1189884,1190023,1190025,1190067,1190115,1190117,1190159,1190276,1190349,1190351,1190479,1190534,1190601,1190717,1191193,1191315,1191317,1191349,1191457,1191628,1191790,1191800,1191888,1191961,1192045,1192267,1192379,1192400,1192775,1192781,1192802,CVE-2018-13405,CVE-2018-9517,CVE-2019-3874,CVE-2019-3900,CVE-2020-0429,CVE-2020-12770,CVE-2020-3702,CVE-2020-4788,CVE-2021-0941,CVE-2021-20322,CVE-2021-22543,CVE-2021-31916,CVE-2021-33033,CVE-2021-33909,CVE-2021-34556,CVE-2021-34981,CVE-2021-3542,CVE-2021-35477,CVE-2021-3640,CVE-2021-3653,CVE-2021-3655,CVE-2021-3656,CVE-2021-3659,CVE-2021-3679,CVE-2021-3715,CVE-2021-37159,CVE-2021-3732,CVE-2021-3744,CVE-2021-3752,CVE-2021-3753,CV
 E-2021-37576,CVE-2021-3759,CVE-2021-3760,CVE-2021-3764,CVE-2021-3772,CVE-2021-38160,CVE-2021-38198,CVE-2021-38204,CVE-2021-40490,CVE-2021-41864,CVE-2021-42008,CVE-2021-42252,CVE-2021-42739


The SUSE Linux Enterprise 15 SP1 LTSS kernel was updated to receive various security and bugfixes.

The following security bugs were fixed:

- Unprivileged BPF has been disabled by default to reduce attack surface as too many security issues have happened in the past (jsc#SLE-22573)

  You can reenable via systemctl setting /proc/sys/kernel/unprivileged_bpf_disabled to 0. (kernel.unprivileged_bpf_disabled = 0)

- CVE-2021-0941: In bpf_skb_change_head of filter.c, there is a possible out of bounds read due to a use after free. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation (bnc#1192045).
- CVE-2021-31916: An out-of-bounds (OOB) memory write flaw was found in list_devices in drivers/md/dm-ioctl.c in the Multi-device driver module in the Linux kernel A bound check failure allowed an attacker with special user (CAP_SYS_ADMIN) privilege to gain access to out-of-bounds memory leading to a system crash or a leak of internal kernel information. The highest threat from this vulnerability is to system availability (bnc#1192781).
- CVE-2021-20322: Make the ipv4 and ipv6 ICMP exception caches less predictive to avoid information leaks about UDP ports in use. (bsc#1191790)
- CVE-2021-34981: Fixed file refcounting in cmtp when cmtp_attach_device fails  (bsc#1191961).
- CVE-2021-37159: hso_free_net_device in drivers/net/usb/hso.c in the Linux kernel calls unregister_netdev without checking for the NETREG_REGISTERED state, leading to a use-after-free and a double free (bnc#1188601).
- CVE-2021-3772: Fixed sctp vtag check in sctp_sf_ootb (bsc#1190351).
- CVE-2021-3655: Missing size validations on inbound SCTP packets may have allowed the kernel to read uninitialized memory (bnc#1188563).
- CVE-2021-33033: The Linux kernel has a use-after-free in cipso_v4_genopt in net/ipv4/cipso_ipv4.c because the CIPSO and CALIPSO refcounting for the DOI definitions is mishandled, aka CID-ad5d07f4a9cd. This leads to writing an arbitrary value (bnc#1186109 bnc#1186390 bnc#1188876).
- CVE-2021-3760: Fixed a use-after-free vulnerability with the ndev->rf_conn_info object (bsc#1190067).
- CVE-2021-42739: The firewire subsystem in the Linux kernel has a buffer overflow related to drivers/media/firewire/firedtv-avc.c and drivers/media/firewire/firedtv-ci.c, because avc_ca_pmt mishandled bounds checking (bnc#1184673).
- CVE-2021-3542: Fixed heap buffer overflow in firedtv driver (bsc#1186063).
- CVE-2018-13405: The inode_init_owner function in fs/inode.c in the Linux kernel allowed local users to create files with an unintended group ownership, in a scenario where a directory is SGID to a certain group and is writable by a user who is not a member of that group. Here, the non-member can trigger creation of a plain file whose group ownership is that group. The intended behavior was that the non-member can trigger creation of a directory (but not a plain file) whose group ownership is that group. The non-member can escalate privileges by making the plain file executable and SGID (bnc#1100416 bnc#1129735).
- CVE-2021-3715: Fixed a use-after-free in route4_change() in net/sched/cls_route.c (bsc#1190349).
- CVE-2021-34556: An unprivileged BPF program can obtain sensitive information from kernel memory via a Speculative Store Bypass side-channel attack because the protection mechanism neglects the possibility of uninitialized memory locations on the BPF stack (bnc#1188983).
- CVE-2021-35477: An unprivileged BPF program can obtain sensitive information from kernel memory via a Speculative Store Bypass side-channel attack because a certain preempting store operation did not necessarily occur before a store operation that has an attacker-controlled value (bnc#1188985).
- CVE-2021-42252: An issue was discovered in aspeed_lpc_ctrl_mmap in drivers/soc/aspeed/aspeed-lpc-ctrl.c in the Linux kernel Local attackers able to access the Aspeed LPC control interface could overwrite memory in the kernel and potentially execute privileges, aka CID-b49a0e69a7b1. This occurs because a certain comparison uses values that are not memory sizes (bnc#1190479).
- CVE-2021-41864: prealloc_elems_and_freelist in kernel/bpf/stackmap.c in the Linux kernel allowed unprivileged users to trigger an eBPF multiplication integer overflow with a resultant out-of-bounds write (bnc#1191317).
- CVE-2021-42008: The decode_data function in drivers/net/hamradio/6pack.c in the Linux kernel has a slab out-of-bounds write. Input from a process that has the CAP_NET_ADMIN capability can lead to root access (bnc#1191315).
- CVE-2021-3759: Unaccounted ipc objects could have lead to breaking memcg limits and DoS attacks (bsc#1190115).
- CVE-2020-3702: Specifically timed and handcrafted traffic can cause internal errors in a WLAN device that lead to improper layer 2 Wi-Fi encryption with a consequent possibility of information disclosure over the air for a discrete set of traffic (bnc#1191193).
- CVE-2021-3752: Fixed a use after free vulnerability in the bluetooth module. (bsc#1190023)
- CVE-2021-40490: A race condition was discovered in ext4_write_inline_data_end in fs/ext4/inline.c in the ext4 subsystem in the Linux kernel (bnc#1190159 bnc#1192775)
- CVE-2021-3744: Fixed a bug which could allows attackers to cause a denial of service. (bsc#1189884)
- CVE-2021-3764: Fixed a bug which could allows attackers to cause a denial of service. (bsc#1190534)
- CVE-2020-12770: An issue was discovered in the Linux kernel sg_write lacks an sg_remove_request call in a certain failure case, aka CID-83c6f2390040 (bnc#1171420).
- CVE-2021-3640: Fixed a Use-After-Free vulnerability in function sco_sock_sendmsg() in the bluetooth stack (bsc#1188172).
- CVE-2019-3900: An infinite loop issue was found in the vhost_net kernel module, while handling incoming packets in handle_rx(). It could occur if one end sends packets faster than the other end can process them. A guest user, maybe remote one, could use this flaw to stall the vhost_net kernel thread, resulting in a DoS scenario (bnc#1133374).
- CVE-2019-3874: The SCTP socket buffer used by a userspace application is not accounted by the cgroups subsystem. An attacker can use this flaw to cause a denial of service attack. (bnc#1129898).
- CVE-2018-9517: In pppol2tp_connect, there is possible memory corruption due to a use after free. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation. (bnc#1108488).
- CVE-2021-38160: Data corruption or loss could be triggered by an untrusted device that supplies a buf->len value exceeding the buffer size in drivers/char/virtio_console.c (bsc#1190117)
- CVE-2021-3753: Fixed race out-of-bounds in virtual terminal handling (bsc#1190025).
- CVE-2021-3732: Mounting overlayfs inside an unprivileged user namespace can reveal files (bsc#1189706).
- CVE-2021-3653: A flaw was found in the KVM's AMD code for supporting SVM nested virtualization. The flaw occurs when processing the VMCB (virtual machine control block) provided by the L1 guest to spawn/handle a nested guest (L2). Due to improper validation of the 'int_ctl' field, this issue could allow a malicious L1 to enable AVIC support (Advanced Virtual Interrupt Controller) for the L2 guest. As a result, the L2 guest would be allowed to read/write physical pages of the host, resulting in a crash of the entire system, leak of sensitive data or potential guest-to-host escape. This flaw affects Linux kernel versions prior to 5.14-rc7 (bnc#1189399).
- CVE-2021-3656: Missing validation of the the `virt_ext` VMCB field and allows a malicious L1 guest to disable both VMLOAD/VMSAVE intercepts and VLS for the L2 guest (bsc#1189400).
- CVE-2021-38204: drivers/usb/host/max3421-hcd.c allowed physically proximate attackers to cause a denial of service (use-after-free and panic) by removing a MAX-3421 USB device in certain situations (bnc#1189291).
- CVE-2021-3679: A lack of CPU resource in the tracing module functionality was found in the way user uses trace ring buffer in a specific way. Only privileged local users (with CAP_SYS_ADMIN capability) could use this flaw to starve the resources causing denial of service (bnc#1189057).
- CVE-2020-4788: IBM Power9 (AIX 7.1, 7.2, and VIOS 3.1) processors could allow a local user to obtain sensitive information from the data in the L1 cache under extenuating circumstances. IBM X-Force ID: 189296 (bnc#0 bnc#1177666 bnc#1181158).
- CVE-2021-3659: Fixed a NULL pointer dereference in llsec_key_alloc() in net/mac802154/llsec.c (bsc#1188876).
- CVE-2020-0429: In l2tp_session_delete and related functions of l2tp_core.c, there is possible memory corruption due to a use after free. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation (bnc#1176724).
- CVE-2021-37576: arch/powerpc/kvm/book3s_rtas.c on the powerpc platform allowed KVM guest OS users to cause host OS memory corruption via rtas_args.nargs, aka CID-f62f3c20647e (bnc#1188838 bnc#1190276).
- CVE-2021-22543: KVM through Improper handling of VM_IO|VM_PFNMAP vmas in KVM can bypass RO checks and can lead to pages being freed while still accessible by the VMM and guest. This allowed users with the ability to start and control a VM to read/write random pages of memory and can result in local privilege escalation (bnc#1186482 bnc#1190276).
- CVE-2021-33909: fs/seq_file.c did not properly restrict seq buffer allocations, leading to an integer overflow, an Out-of-bounds Write, and escalation to root by an unprivileged user, aka CID-8cae8cd89f05 (bnc#1188062 bnc#1188063).

The following non-security bugs were fixed:

- Add arch-dependent support markers in supported.conf (bsc#1186672) 
- Add the support for kernel-FLAVOR-optional subpackage (jsc#SLE-11796)
- bpf: Add kconfig knob for disabling unpriv bpf by default (jsc#SLE-22913)
- bpf: Disallow unprivileged bpf by default (jsc#SLE-22913).
- ceph: take snap_empty_lock atomically with snaprealm refcount change (bsc#1191888).
- config: disable unprivileged BPF by default (jsc#SLE-22913)
- cpufreq: intel_pstate: Add Icelake servers support in no-HWP mode (bsc#1185758,bsc#1192400).
- drm: fix spectre issue in vmw_execbuf_ioctl (bsc#1192802).
- ftrace: Fix scripts/recordmcount.pl due to new binutils (bsc#1192267).
- gigaset: fix spectre issue in do_data_b3_req (bsc#1192802).
- hisax: fix spectre issues (bsc#1192802).
- hv: mana: adjust mana_select_queue to old API (jsc#SLE-18779, bsc#1185726).
- hv: mana: remove netdev_lockdep_set_classes usage (jsc#SLE-18779, bsc#1185726).
- hv_netvsc: Make netvsc/VF binding check both MAC and serial number (jsc#SLE-18779, bsc#1185726).
- hysdn: fix spectre issue in hycapi_send_message (bsc#1192802).
- infiniband: fix spectre issue in ib_uverbs_write (bsc#1192802).
- infiniband: fix spectre issue in ib_uverbs_write (bsc#1192802).
- ipc: remove memcg accounting for sops objects in do_semtimedop() (bsc#1190115).
- iwlwifi: fix spectre issue in iwl_dbgfs_update_pm (bsc#1192802).
- kernel-binary.spec: Exctract s390 decompression code (jsc#SLE-17042).
- kernel-binary.spec: Fix up usrmerge for non-modular kernels.
- kernel-binary.spec.in: build-id check requires elfutils.
- kernel-binary.spec.in: Regenerate makefile when not using mkmakefile.
- kernel-binary.spec: Only use mkmakefile when it exists Linux 5.13 no longer had a mkmakefile script
- kernel-binary.spec: Remove obsolete and wrong comment mkmakefile is repleced by echo on newer kernel
- kernel-docs.spec.in: Build using an utf-8 locale. Sphinx cannot handle UTF-8 input in non-UTF-8 locale.
- media: dvb_ca_en50221: prevent using slot_info for Spectre attacs (bsc#1192802).
- media: dvb_ca_en50221: sanity check slot number from userspace (bsc#1192802).
- media: wl128x: get rid of a potential spectre issue (bsc#1192802).
- memcg: enable accounting for file lock caches (bsc#1190115).
- mm/memory.c: do_fault: avoid usage of stale vm_area_struct (bsc#1136513).
- mpt3sas: fix spectre issues (bsc#1192802).
- net: mana: Add a driver for Microsoft Azure Network Adapter (MANA) (jsc#SLE-18779, bsc#1185726).
- net: mana: Add support for EQ sharing (jsc#SLE-18779, bsc#1185726).
- net: mana: Add WARN_ON_ONCE in case of CQE read overflow (jsc#SLE-18779, bsc#1185726).
- net: mana: Fix a memory leak in an error handling path in (jsc#SLE-18779, bsc#1185726).
- net: mana: Fix error handling in mana_create_rxq() (git-fixes, bsc#1191800).
- net: mana: fix PCI_HYPERV dependency (jsc#SLE-18779, bsc#1185726).
- net: mana: Move NAPI from EQ to CQ (jsc#SLE-18779, bsc#1185726).
- net: mana: Prefer struct_size over open coded arithmetic (jsc#SLE-18779, bsc#1185726).
- net: mana: remove redundant initialization of variable err (jsc#SLE-18779, bsc#1185726).
- net: mana: Use int to check the return value of mana_gd_poll_cq() (jsc#SLE-18779, bsc#1185726).
- net: mana: Use struct_size() in kzalloc() (jsc#SLE-18779, bsc#1185726).
- net_sched: cls_route: remove the right filter from hashtable (networking-stable-20_03_28).
- net: sched: sch_teql: fix null-pointer dereference (bsc#1190717).
- net: sock_diag: Fix spectre v1 gadget in __sock_diag_cmd() (bsc#1192802).
- NFS: Do uncached readdir when we're seeking a cookie in an empty page cache (bsc#1191628).
- objtool: Do not fail on missing symbol table (bsc#1192379).
- osst: fix spectre issue in osst_verify_frame (bsc#1192802).
- ovl: check whiteout in ovl_create_over_whiteout() (bsc#1189846).
- ovl: filter of trusted xattr results in audit (bsc#1189846).
- ovl: fix dentry leak in ovl_get_redirect (bsc#1189846).
- ovl: initialize error in ovl_copy_xattr (bsc#1189846).
- ovl: relax WARN_ON() on rename to self (bsc#1189846).
- PCI: hv: Use expected affinity when unmasking IRQ (bsc#1185973).
- Revert 'memcg: enable accounting for file lock caches (bsc#1190115).' This reverts commit 912b4421a3e9bb9f0ef1aadc64a436666259bd4d. It's effectively upstream commit 3754707bcc3e190e5dadc978d172b61e809cb3bd applied to kernel-source (to avoid proliferation of patches). Make a note in blacklist.conf too.
- s390/bpf: Fix 64-bit subtraction of the -0x80000000 constant (bsc#1190601).
- s390/bpf: Fix branch shortening during codegen pass (bsc#1190601).
- s390/bpf: Fix optimizing out zero-extensions (bsc#1190601).
- s390: bpf: implement jitting of BPF_ALU | BPF_ARSH | BPF_* (bsc#1190601).
- s390/bpf: Wrap JIT macro parameter usages in parentheses (bsc#1190601).
- scripts/git_sort/git_sort.py: add bpf git repo
- scripts/git_sort/git_sort.py: Update nvme repositories
- scsi: libfc: Fix array index out of bound exception (bsc#1188616).
- scsi: lpfc: Fix FLOGI failure due to accessing a freed node (bsc#1191349).
- scsi: lpfc: Fix memory overwrite during FC-GS I/O abort handling (bsc#1191349 bsc#1191457).
- scsi: lpfc: Keep NDLP reference until after freeing the IOCB after ELS handling (bsc#1191349 bsc#1191457).
- scsi: target: avoid using lun_tg_pt_gp after unlock (bsc#1186078).
- sctp: check asoc peer.asconf_capable before processing asconf (bsc#1190351).
- sctp: fully initialize v4 addr in some functions (bsc#1188563).
- sysvipc/sem: mitigate semnum index against spectre v1 (bsc#1192802).
- target: core: Fix sense key for invalid XCOPY request (bsc#1186078).
- Update config files: Add CONFIG_BPF_UNPRIV_DEFAULT_OFF is not set
- Use /usr/lib/modules as module dir when usermerge is active in the target distro.
- UsrMerge the kernel (boo#1184804)
- x86/CPU: Add more Icelake model numbers (bsc#1185758,bsc#1192400).
- xfrm: xfrm_state_mtu should return at least 1280 for ipv6 (bsc#1185377).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:3883-1
Released:    Thu Dec  2 11:47:07 2021
Summary:     Recommended update for timezone
Type:        recommended
Severity:    moderate
References:  1177460
This update for timezone fixes the following issues:

Update timezone to 2021e (bsc#1177460)

- Palestine will fall back 10-29 (not 10-30) at 01:00
- Fiji suspends DST for the 2021/2022 season
- 'zic -r' marks unspecified timestamps with '-00'
- Fix a bug in 'zic -b fat' that caused old timestamps to be mishandled in 32-bit-only readers
- Refresh timezone info for china

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:3891-1
Released:    Fri Dec  3 10:21:49 2021
Summary:     Recommended update for keyutils
Type:        recommended
Severity:    moderate
References:  1029961,1113013,1187654
This update for keyutils fixes the following issues:

- Add /etc/keys/ and /usr/etc/keys/ directory (bsc#1187654)

keyutils was updated to 1.6.3 (jsc#SLE-20016):

* Revert the change notifications that were using /dev/watch_queue.
* Apply the change notifications that use pipe2(O_NOTIFICATION_PIPE).
* Allow 'keyctl supports' to retrieve raw capability data.
* Allow 'keyctl id' to turn a symbolic key ID into a numeric ID.
* Allow 'keyctl new_session' to name the keyring.
* Allow 'keyctl add/padd/etc.' to take hex-encoded data.
* Add 'keyctl watch*' to expose kernel change notifications on keys.
* Add caps for namespacing and notifications.
* Set a default TTL on keys that upcall for name resolution.
* Explicitly clear memory after it's held sensitive information.
* Various manual page fixes.
* Fix C++-related errors.
* Add support for keyctl_move().
* Add support for keyctl_capabilities().
* Make key=val list optional for various public-key ops.
* Fix system call signature for KEYCTL_PKEY_QUERY.
* Fix 'keyctl pkey_query' argument passing.
* Use keyctl_read_alloc() in dump_key_tree_aux().
* Various manual page fixes. 

Updated to 1.6:

* Apply various specfile cleanups from Fedora.
* request-key: Provide a command line option to suppress helper execution.
* request-key: Find least-wildcard match rather than first match.
* Remove the dependency on MIT Kerberos.
* Fix some error messages
* keyctl_dh_compute.3: Suggest /proc/crypto for list of available hashes.
* Fix doc and comment typos.
* Add public key ops for encrypt, decrypt, sign and verify (needs linux-4.20).
* Add pkg-config support for finding libkeyutils.
* upstream isn't offering PGP signatures for the source tarballs anymore

Updated to 1.5.11 (bsc#1113013)

* Add keyring restriction support.
* Add KDF support to the Diffie-Helman function.
* DNS: Add support for AFS config files and SRV records
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:3899-1
Released:    Fri Dec  3 11:27:41 2021
Summary:     Security update for aaa_base
Type:        security
Severity:    moderate
References:  1162581,1174504,1191563,1192248
This update for aaa_base fixes the following issues:

- Allowed ping and ICMP commands without CAP_NET_RAW (bsc#1174504).
- Add $HOME/.local/bin to PATH, if it exists (bsc#1192248).
- Fixed get_kernel_version.c to work also for recent kernels on the s390/X platform (bsc#1191563).
- Support xz compressed kernel (bsc#1162581)   

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:3930-1
Released:    Mon Dec  6 11:16:10 2021
Summary:     Recommended update for curl
Type:        recommended
Severity:    moderate
References:  1192790
This update for curl fixes the following issues:

- Fix sftp via proxy failure in curl, by preventing libssh from creating socket (bsc#1192790)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:3934-1
Released:    Mon Dec  6 13:22:27 2021
Summary:     Security update for mozilla-nss
Type:        security
Severity:    important
References:  1193170,CVE-2021-43527
This update for mozilla-nss fixes the following issues:

Update to version 3.68.1:

- CVE-2021-43527: Fixed a Heap overflow in NSS when verifying DER-encoded DSA or RSA-PSS signatures (bsc#1193170).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:3946-1
Released:    Mon Dec  6 14:57:42 2021
Summary:     Security update for gmp
Type:        security
Severity:    moderate
References:  1192717,CVE-2021-43618
This update for gmp fixes the following issues:
    
- CVE-2021-43618: Fixed buffer overflow via crafted input in mpz/inp_raw.c (bsc#1192717).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:3947-1
Released:    Mon Dec  6 14:58:06 2021
Summary:     Security update for openssh
Type:        security
Severity:    important
References:  1190975,CVE-2021-41617
This update for openssh fixes the following issues:

- CVE-2021-41617: Fixed privilege escalation when AuthorizedKeysCommand/AuthorizedPrincipalsCommand are configured (bsc#1190975).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:3987-1
Released:    Fri Dec 10 06:09:40 2021
Summary:     Recommended update for suse-module-tools
Type:        recommended
Severity:    moderate
References:  1187196
This update for suse-module-tools fixes the following issues:

-  Blacklist isst_if_mbox_msr driver because uses hardware information based on 
   CPU family and model, which is too unspecific. On large systems, this causes
   a lot of failing loading attempts for this driver, leading to slow or even 
   stalled boot (bsc#1187196)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:4015-1
Released:    Mon Dec 13 17:16:00 2021
Summary:     Security update for python3
Type:        security
Severity:    moderate
References:  1180125,1183374,1183858,1185588,1187338,1187668,1189241,1189287,CVE-2021-3426,CVE-2021-3733,CVE-2021-3737
This update for python3 fixes the following issues:


- CVE-2021-3737: Fixed http client infinite line reading (DoS) after a http 100. (bsc#1189241)
- CVE-2021-3733: Fixed ReDoS in urllib.request. (bsc#1189287)
- CVE-2021-3426: Fixed an information disclosure via pydoc. (bsc#1183374)

- Rebuild to get new headers, avoid building in support for stropts.h (bsc#1187338).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:4017-1
Released:    Tue Dec 14 07:26:55 2021
Summary:     Recommended update for openssl-1_1
Type:        recommended
Severity:    moderate
References:  1180995
This update for openssl-1_1 fixes the following issues:

- Add RFC3526 and RFC7919 groups to 'openssl genpkey' so that it can output FIPS-appropriate parameters 
  consistently with our other codestreams (bsc#1180995)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:4117-1
Released:    Mon Dec 20 09:13:26 2021
Summary:     Recommended update for samba
Type:        recommended
Severity:    important
References:  1192849,CVE-2020-25717
This update for samba fixes the following issues:

The username map advice from the CVE-2020-25717 advisory
note has undesired side effects for the local nt token. Fallback
to a SID/UID based mapping if the name based lookup fails (bsc#1192849).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:4139-1
Released:    Tue Dec 21 17:02:44 2021
Summary:     Recommended update for systemd
Type:        recommended
Severity:    critical
References:  1193481,1193521
This update for systemd fixes the following issues:

- Revert 'core: rework how we connect to the bus' (bsc#1193521 bsc#1193481)
  sleep-config: partitions can't be deleted, only files can
  shared/sleep-config: exclude zram devices from hibernation candidates

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:4154-1
Released:    Wed Dec 22 11:02:38 2021
Summary:     Security update for p11-kit
Type:        security
Severity:    important
References:  1180064,1187993,CVE-2020-29361
This update for p11-kit fixes the following issues:

- CVE-2020-29361: Fixed multiple integer overflows in rpc code (bsc#1180064)
- Add support for CKA_NSS_{SERVER,EMAIL}_DISTRUST_AFTER (bsc#1187993).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2021:4171-1
Released:    Thu Dec 23 09:55:13 2021
Summary:     Security update for runc
Type:        security
Severity:    moderate
References:  1193436,CVE-2021-43784
This update for runc fixes the following issues:

Update to runc v1.0.3. 
    
* CVE-2021-43784: Fixed a potential vulnerability related to the internal usage
  of netlink, which is believed to not be exploitable with any released versions of runc (bsc#1193436)
* Fixed inability to start a container with read-write bind mount of a read-only fuse host mount.
* Fixed inability to start when read-only /dev in set in spec.
* Fixed not removing sub-cgroups upon container delete, when rootless cgroup
  v2 is used with older systemd.
* Fixed returning error from GetStats when hugetlb is unsupported (which
  causes excessive logging for kubernetes).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2021:4182-1
Released:    Thu Dec 23 11:51:51 2021
Summary:     Recommended update for zlib
Type:        recommended
Severity:    moderate
References:  1192688
This update for zlib fixes the following issues:

- Fix hardware compression incorrect result on z15 hardware (bsc#1192688)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2022:4-1
Released:    Mon Jan  3 08:28:54 2022
Summary:     Recommended update for libgcrypt
Type:        recommended
Severity:    moderate
References:  1193480
This update for libgcrypt fixes the following issues:

- Fix function gcry_mpi_sub_ui subtracting from negative value (bsc#1193480)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2022:49-1
Released:    Tue Jan 11 09:19:15 2022
Summary:     Recommended update for apparmor
Type:        recommended
Severity:    moderate
References:  1191690
This update for apparmor fixes the following issues:

- Fixed an issue when apparmor provides python2 and python3 libraries with the same name. (bsc#1191690)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2022:57-1
Released:    Wed Jan 12 07:10:42 2022
Summary:     Recommended update for libzypp
Type:        recommended
Severity:    moderate
References:  1193488,954813
This update for libzypp fixes the following issues:
    
- Use the default zypp.conf settings if no zypp.conf exists (bsc#1193488)
- Fix wrong encoding of URI compontents of ISO images (bsc#954813)
- When invoking 32bit mode in userland of an aarch64 kernel, handle armv8l as armv7hl compatible
- Introduce zypp-curl as a sublibrary for CURL related code
- zypp-rpm: Increase rpm loglevel if ZYPP_RPM_DEBUG is set
- Save all signatures associated with a public key in its PublicKeyData

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2022:72-1
Released:    Thu Jan 13 16:13:36 2022
Summary:     Recommended update for mozilla-nss and MozillaFirefox
Type:        recommended
Severity:    important
References:  1193845
This update for mozilla-nss and MozillaFirefox fix the following issues:

mozilla-nss: 
    
- Update from version 3.68.1 to 3.68.2 (bsc#1193845)
- Add SHA-2 support to mozilla::pkix's Online Certificate Status Protocol 
  implementation
    
MozillaFirefox:

- Firefox Extended Support Release 91.4.1 ESR (bsc#1193845)
- Add SHA-2 support to mozilla::pkix's Online Certificate Status Protocol 
  implementation to fix frequent MOZILLA_PKIX_ERROR_OCSP_RESPONSE_FOR_CERT_MISSING 
  error messages when trying to connect to various microsoft.com domains

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2022:84-1
Released:    Mon Jan 17 04:40:30 2022
Summary:     Recommended update for dosfstools
Type:        recommended
Severity:    moderate
References:  1172863,1188401
This update for dosfstools fixes the following issues:

- To be able to create filesystems compatible with previous
  version, add -g command line option to mkfs (bsc#1188401)
- BREAKING CHANGES:
  After fixing of bsc#1172863 in the last update, mkfs started to
  create different images than before. Applications that depend on
  exact FAT file format (e. g. embedded systems) may be broken in
  two ways:
  * The introduction of the alignment may create smaller images
    than before, with a different positions of important image
    elements. It can break existing software that expect images in
    doststools <= 4.1 style.
    To work around these problems, use '-a' command line argument.
  * The new image may contain a different geometry values. Geometry
    sensitive applications expecting doststools <= 4.1 style images
    can fails to accept different geometry values.
    There is no direct work around for this problem. But you can
    take the old image, use 'file -s $IMAGE', check its
    'sectors/track' and 'heads', and use them in the newly
    introduced '-g' command line argument.

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2022:167-1
Released:    Mon Jan 24 18:16:24 2022
Summary:     Recommended update for cloud-netconfig
Type:        recommended
Severity:    moderate
References:  1187939
This update for cloud-netconfig fixes the following issues:

- Update to version 1.6:
  + Ignore proxy when accessing metadata (bsc#1187939)
  + Print warning in case metadata is not accessible
  + Documentation update

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2022:178-1
Released:    Tue Jan 25 14:16:23 2022
Summary:     Security update for expat
Type:        security
Severity:    important
References:  1194251,1194362,1194474,1194476,1194477,1194478,1194479,1194480,CVE-2021-45960,CVE-2021-46143,CVE-2022-22822,CVE-2022-22823,CVE-2022-22824,CVE-2022-22825,CVE-2022-22826,CVE-2022-22827
This update for expat fixes the following issues:
  
- CVE-2021-45960: Fixed left shift in the storeAtts function in xmlparse.c that can lead to realloc misbehavior (bsc#1194251).
- CVE-2021-46143: Fixed integer overflow in m_groupSize in doProlog (bsc#1194362).
- CVE-2022-22822: Fixed integer overflow in addBinding in xmlparse.c (bsc#1194474).
- CVE-2022-22823: Fixed integer overflow in build_model in xmlparse.c (bsc#1194476).
- CVE-2022-22824: Fixed integer overflow in defineAttribute in xmlparse.c (bsc#1194477).
- CVE-2022-22825: Fixed integer overflow in lookup in xmlparse.c (bsc#1194478).
- CVE-2022-22826: Fixed integer overflow in nextScaffoldPart in xmlparse.c (bsc#1194479).
- CVE-2022-22827: Fixed integer overflow in storeAtts in xmlparse.c (bsc#1194480).  

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2022:184-1
Released:    Tue Jan 25 18:20:56 2022
Summary:     Security update for json-c
Type:        security
Severity:    important
References:  1171479,CVE-2020-12762
This update for json-c fixes the following issues:

- CVE-2020-12762: Fixed integer overflow and out-of-bounds write. (bsc#1171479)


The following package changes have been done:

- SUSEConnect-0.3.32-7.25.1 updated
- aaa_base-84.87+git20180409.04c9dae-3.52.1 updated
- apparmor-parser-2.12.3-7.25.3 updated
- bash-4.4-9.14.1 updated
- bind-utils-9.16.6-12.57.1 updated
- btrfsmaintenance-0.4.2-3.3.1 updated
- ca-certificates-mozilla-2.44-4.32.1 updated
- chrony-pool-suse-3.2-9.24.2 updated
- chrony-3.2-9.24.2 updated
- cifs-utils-6.9-5.12.1 updated
- cloud-netconfig-gce-1.6-25.5.1 updated
- containerd-ctr-1.4.11-56.1 updated
- containerd-1.4.11-56.1 updated
- cpio-2.12-3.9.1 updated
- cups-config-2.2.7-3.26.1 updated
- curl-7.60.0-28.1 updated
- dbus-1-1.12.2-8.11.2 updated
- docker-20.10.9_ce-156.1 updated
- dosfstools-4.1-3.6.1 updated
- e2fsprogs-1.43.8-4.26.1 updated
- efibootmgr-14-4.3.2 updated
- file-magic-5.32-7.14.1 updated
- filesystem-15.0-11.3.2 updated
- file-5.32-7.14.1 updated
- glibc-locale-base-2.26-13.62.1 updated
- glibc-locale-2.26-13.62.1 updated
- glibc-2.26-13.62.1 updated
- google-guest-agent-20210414.00-1.20.1 updated
- google-guest-configs-20210317.00-1.13.1 updated
- google-guest-oslogin-20210728.00-1.21.1 updated
- google-osconfig-agent-20210506.00-1.11.1 updated
- gpg2-2.2.5-4.19.8 updated
- growpart-rootgrow-1.0.5-1.9.1 updated
- grub2-i386-pc-2.02-123.7.17 updated
- grub2-x86_64-efi-2.02-123.7.17 updated
- grub2-2.02-123.7.17 updated
- kdump-0.9.0-4.9.1 updated
- kernel-default-4.12.14-197.102.2 updated
- keyutils-1.6.3-5.6.1 updated
- kmod-compat-25-6.10.1 updated
- kmod-25-6.10.1 updated
- kpartx-0.7.9+207+suse.58b7a57-3.15.1 updated
- krb5-1.16.3-3.24.1 updated
- less-530-3.3.2 updated
- libapparmor1-2.12.3-7.25.2 updated
- libaugeas0-1.10.1-3.3.1 updated
- libavahi-client3-0.7-3.9.1 updated
- libavahi-common3-0.7-3.9.1 updated
- libbind9-1600-9.16.6-12.57.1 updated
- libblkid1-2.33.2-4.16.1 updated
- libbz2-1-1.0.6-5.11.1 updated
- libcap2-2.26-4.6.1 updated
- libcares2-1.17.1+20200724-3.17.1 updated
- libcom_err2-1.43.8-4.26.1 updated
- libcups2-2.2.7-3.26.1 updated
- libcurl4-7.60.0-28.1 updated
- libdbus-1-3-1.12.2-8.11.2 updated
- libdcerpc-binding0-4.9.5+git.477.8163dd03413-3.61.1 updated
- libdcerpc0-4.9.5+git.477.8163dd03413-3.61.1 updated
- libdns1605-9.16.6-12.57.1 updated
- libefivar1-37-6.12.1 updated
- libesmtp-1.0.6-150.4.1 updated
- libexpat1-2.2.5-3.9.1 updated
- libext2fs2-1.43.8-4.26.1 updated
- libfdisk1-2.33.2-4.16.1 updated
- libfreebl3-3.68.2-3.64.2 updated
- libgcc_s1-11.2.1+git610-1.3.9 updated
- libgcrypt20-1.8.2-8.42.1 updated
- libglib-2_0-0-2.54.3-4.24.1 updated
- libgmodule-2_0-0-2.54.3-4.24.1 updated
- libgmp10-6.1.2-4.9.1 updated
- libgnutls30-3.6.7-6.40.2 updated
- libhogweed4-3.4.1-4.18.1 updated
- libirs1601-9.16.6-12.57.1 updated
- libisc1606-9.16.6-12.57.1 updated
- libisccc1600-9.16.6-12.57.1 updated
- libisccfg1600-9.16.6-12.57.1 updated
- libjson-c3-0.13-3.3.1 updated
- libkeyutils1-1.6.3-5.6.1 updated
- libkmod2-25-6.10.1 updated
- libldap-2_4-2-2.4.46-9.58.1 updated
- libldap-data-2.4.46-9.58.1 updated
- libldb1-1.4.6-3.8.1 updated
- liblldp_clif1-1.0.1+65.f3b70663b55e-3.9.1 updated
- liblua5_3-5-5.3.6-3.6.1 updated
- liblz4-1-1.8.0-3.8.1 updated
- libmagic1-5.32-7.14.1 updated
- libmount1-2.33.2-4.16.1 updated
- libncurses6-6.1-5.9.1 updated
- libndr-krb5pac0-4.9.5+git.477.8163dd03413-3.61.1 updated
- libndr-nbt0-4.9.5+git.477.8163dd03413-3.61.1 updated
- libndr-standard0-4.9.5+git.477.8163dd03413-3.61.1 updated
- libndr0-4.9.5+git.477.8163dd03413-3.61.1 updated
- libnetapi0-4.9.5+git.477.8163dd03413-3.61.1 updated
- libnettle6-3.4.1-4.18.1 updated
- libnghttp2-14-1.40.0-3.11.1 updated
- libns1604-9.16.6-12.57.1 updated
- libopeniscsiusr0_2_0-2.0.876-13.42.1 updated
- libopenssl1_1-1.1.0i-14.24.3 updated
- libp11-kit0-0.23.2-4.13.1 updated
- libpcap1-1.8.1-4.5.1 updated
- libpcre1-8.45-20.10.1 updated
- libpcre2-8-0-10.31-3.3.1 updated
- libprocps7-3.3.15-7.19.1 updated
- libprotobuf-lite15-3.5.0-5.2.1 added
- libpython3_6m1_0-3.6.15-3.91.3 updated
- libreadline7-7.0-9.14.1 updated
- libruby2_5-2_5-2.5.9-4.20.1 updated
- libsamba-credentials0-4.9.5+git.477.8163dd03413-3.61.1 updated
- libsamba-errors0-4.9.5+git.477.8163dd03413-3.61.1 updated
- libsamba-hostconfig0-4.9.5+git.477.8163dd03413-3.61.1 updated
- libsamba-passdb0-4.9.5+git.477.8163dd03413-3.61.1 updated
- libsamba-util0-4.9.5+git.477.8163dd03413-3.61.1 updated
- libsamdb0-4.9.5+git.477.8163dd03413-3.61.1 updated
- libsigc-2_0-0-2.10.0-3.7.1 updated
- libsmartcols1-2.33.2-4.16.1 updated
- libsmbconf0-4.9.5+git.477.8163dd03413-3.61.1 updated
- libsmbldap2-4.9.5+git.477.8163dd03413-3.61.1 updated
- libsnappy1-1.1.8-3.3.1 updated
- libsolv-tools-0.7.20-4.3.1 updated
- libsqlite3-0-3.36.0-3.12.1 updated
- libstdc++6-11.2.1+git610-1.3.9 updated
- libsystemd0-234-24.102.1 updated
- libtevent-util0-4.9.5+git.477.8163dd03413-3.61.1 updated
- libudev1-234-24.102.1 updated
- libuuid1-2.33.2-4.16.1 updated
- libwbclient0-4.9.5+git.477.8163dd03413-3.61.1 updated
- libxml2-2-2.9.7-3.37.1 updated
- libz1-1.2.11-3.24.1 updated
- libzstd1-1.4.4-1.6.1 updated
- libzypp-17.29.0-3.64.1 updated
- multipath-tools-0.7.9+207+suse.58b7a57-3.15.1 updated
- ncurses-utils-6.1-5.9.1 updated
- netcfg-11.6-3.3.1 updated
- nfs-client-2.1.1-10.18.1 updated
- open-iscsi-2.0.876-13.42.1 updated
- open-lldp-1.0.1+65.f3b70663b55e-3.9.1 updated
- openssh-7.9p1-6.28.1 updated
- openssl-1_1-1.1.0i-14.24.3 updated
- p11-kit-tools-0.23.2-4.13.1 updated
- p11-kit-0.23.2-4.13.1 updated
- pam-1.3.0-6.50.1 updated
- procps-3.3.15-7.19.1 updated
- python3-base-3.6.15-3.91.3 updated
- python3-bind-9.16.6-12.57.1 updated
- python3-six-1.14.0-7.3.1 updated
- python3-3.6.15-3.91.4 updated
- qemu-tools-3.1.1.1-80.40.1 updated
- rsyslog-8.33.1-3.34.2 updated
- ruby2.5-stdlib-2.5.9-4.20.1 updated
- ruby2.5-2.5.9-4.20.1 updated
- runc-1.0.3-27.1 added
- samba-libs-python3-4.9.5+git.477.8163dd03413-3.61.1 updated
- samba-libs-4.9.5+git.477.8163dd03413-3.61.1 updated
- sed-4.4-4.3.1 updated
- shim-15.4-3.32.1 updated
- sudo-1.8.27-4.21.4 updated
- supportutils-3.1.17-5.34.1 updated
- suse-build-key-12.0-8.16.1 updated
- suse-module-tools-15.1.24-3.22.1 updated
- systemd-presets-branding-SLE-15.1-20.8.1 updated
- systemd-presets-common-SUSE-15-8.9.1 updated
- systemd-sysvinit-234-24.102.1 updated
- systemd-234-24.102.1 updated
- tar-1.30-3.9.1 updated
- tcpdump-4.9.2-3.15.1 updated
- terminfo-base-6.1-5.9.1 updated
- terminfo-6.1-5.9.1 updated
- thin-provisioning-tools-0.7.5-3.3.1 updated
- timezone-2021e-75.4.1 updated
- udev-234-24.102.1 updated
- util-linux-systemd-2.33.2-4.16.1 updated
- util-linux-2.33.2-4.16.1 updated
- vim-data-common-8.0.1568-5.14.1 updated
- vim-8.0.1568-5.14.1 updated
- wget-1.20.3-3.12.1 updated
- xfsprogs-4.15.0-4.52.1 updated
- xkeyboard-config-2.23.1-3.9.1 updated
- zypper-migration-plugin-0.12.1590748670.86b0749-6.9.1 updated
- zypper-1.14.50-3.46.1 updated
- docker-libnetwork-0.7.0.1+gitr2902_153d0769a118-4.21.2 removed
- docker-runc-1.0.0rc10+gitr3981_dc9208a3303f-6.38.2 removed
- python-rpm-macros-20200207.5feb6c1-3.11.1 removed