SUSE: 2022:814-1 suse-sles-15-sp1-chost-byos-v20220715-hvm-ssd-x86_...
SUSE Image Update Advisory: suse-sles-15-sp1-chost-byos-v20220715-hvm-ssd-x86_64
-----------------------------------------------------------------
Image Advisory ID : SUSE-IU-2022:814-1
Image Tags        : suse-sles-15-sp1-chost-byos-v20220715-hvm-ssd-x86_64:20220715
Image Release     : 
Severity          : critical
Type              : security
References        : 1003872 1028340 1029961 1029961 1040589 1055710 1057592 1065729
                        1070955 1071995 1071995 1082318 1084513 1087082 1099272 1114648
                        1115529 1120610 1121227 1121230 1122004 1122021 1124431 1128846
                        1130496 1134046 1156920 1158266 1160654 1162964 1167162 1169514
                        1172073 1172113 1172427 1172456 1173277 1174075 1174911 1175102
                        1177047 1177215 1177282 1177460 1178219 1178357 1179060 1179599
                        1180065 1180689 1180713 1181131 1181163 1181186 1181703 1181812
                        1181826 1182171 1182227 1182959 1183407 1183495 1183723 1184501
                        1184804 1185377 1185637 1185973 1186207 1186222 1186571 1186819
                        1186823 1187055 1187167 1187512 1187906 1188019 1188160 1188161
                        1188867 1189028 1189152 1189305 1189517 1189560 1189562 1189841
                        1190315 1190358 1190375 1190428 1190447 1190533 1190566 1190570
                        1190926 1190943 1191015 1191096 1191121 1191157 1191184 1191185
                        1191186 1191229 1191241 1191334 1191384 1191434 1191580 1191647
                        1191731 1191770 1191794 1191893 1191958 1192032 1192051 1192164
                        1192167 1192249 1192267 1192311 1192343 1192353 1192478 1192481
                        1192740 1192845 1192847 1192877 1192902 1192903 1192904 1192946
                        1192951 1193007 1193035 1193179 1193204 1193273 1193282 1193294
                        1193298 1193306 1193440 1193442 1193466 1193489 1193531 1193575
                        1193625 1193659 1193669 1193727 1193731 1193732 1193738 1193759
                        1193767 1193805 1193841 1193861 1193864 1193867 1193868 1193905
                        1193927 1193930 1194001 1194013 1194048 1194087 1194093 1194216
                        1194216 1194217 1194227 1194229 1194302 1194388 1194392 1194516
                        1194516 1194529 1194556 1194561 1194576 1194581 1194588 1194597
                        1194640 1194642 1194661 1194768 1194770 1194845 1194848 1194859
                        1194872 1194880 1194883 1194885 1194888 1194898 1194943 1194985
                        1195004 1195004 1195051 1195054 1195065 1195066 1195095 1195096
                        1195115 1195126 1195149 1195166 1195202 1195203 1195217 1195251
                        1195254 1195254 1195258 1195283 1195326 1195332 1195353 1195354
                        1195356 1195468 1195536 1195543 1195560 1195612 1195614 1195628
                        1195651 1195654 1195784 1195792 1195797 1195825 1195840 1195856
                        1195897 1195899 1195908 1195949 1195987 1195999 1196018 1196018
                        1196025 1196025 1196026 1196036 1196061 1196079 1196093 1196107
                        1196114 1196155 1196168 1196169 1196171 1196275 1196282 1196317
                        1196361 1196367 1196368 1196406 1196426 1196433 1196441 1196441
                        1196468 1196488 1196490 1196494 1196495 1196514 1196514 1196584
                        1196612 1196639 1196761 1196784 1196830 1196836 1196861 1196877
                        1196901 1196915 1196925 1196939 1196942 1196973 1196999 1197004
                        1197004 1197024 1197065 1197134 1197135 1197216 1197219 1197227
                        1197284 1197293 1197297 1197331 1197343 1197366 1197391 1197423
                        1197425 1197426 1197443 1197459 1197517 1197663 1197771 1197788
                        1197794 1197903 1198031 1198032 1198033 1198062 1198062 1198400
                        1198441 1198446 1198460 1198493 1198496 1198504 1198511 1198516
                        1198577 1198581 1198596 1198657 1198660 1198687 1198742 1198748
                        1198777 1198825 1199012 1199061 1199063 1199132 1199166 1199232
                        1199232 1199240 1199314 1199331 1199333 1199334 1199399 1199426
                        1199453 1199460 1199474 1199487 1199505 1199507 1199565 1199605
                        1199650 1199651 1199655 1199657 1199693 1199745 1199747 1199756
                        1199936 1199965 1199966 1200010 1200011 1200012 1200088 1200143
                        1200144 1200145 1200249 1200550 1200571 1200599 1200604 1200605
                        1200608 1200619 1200692 1200762 1201050 1201080 1201099 1201251
                        954329 CVE-2015-20107 CVE-2015-8985 CVE-2017-13695 CVE-2017-17087
                        CVE-2018-16301 CVE-2018-20482 CVE-2018-20573 CVE-2018-20574 CVE-2018-25020
                        CVE-2018-25032 CVE-2018-7755 CVE-2019-15126 CVE-2019-19377 CVE-2019-20811
                        CVE-2019-6285 CVE-2019-6292 CVE-2019-9923 CVE-2020-14367 CVE-2020-26541
                        CVE-2020-27820 CVE-2020-29362 CVE-2021-0920 CVE-2021-0935 CVE-2021-20193
                        CVE-2021-20292 CVE-2021-20321 CVE-2021-22570 CVE-2021-25220 CVE-2021-26341
                        CVE-2021-26401 CVE-2021-28711 CVE-2021-28712 CVE-2021-28713 CVE-2021-28714
                        CVE-2021-28715 CVE-2021-31799 CVE-2021-31810 CVE-2021-32066 CVE-2021-33061
                        CVE-2021-33098 CVE-2021-3564 CVE-2021-3572 CVE-2021-3695 CVE-2021-3696
                        CVE-2021-3697 CVE-2021-3778 CVE-2021-3778 CVE-2021-3796 CVE-2021-3796
                        CVE-2021-38208 CVE-2021-3872 CVE-2021-3872 CVE-2021-3875 CVE-2021-3903
                        CVE-2021-3927 CVE-2021-3927 CVE-2021-3928 CVE-2021-3928 CVE-2021-39648
                        CVE-2021-39657 CVE-2021-3968 CVE-2021-39711 CVE-2021-39713 CVE-2021-3973
                        CVE-2021-3974 CVE-2021-3984 CVE-2021-3984 CVE-2021-3999 CVE-2021-4002
                        CVE-2021-4019 CVE-2021-4019 CVE-2021-4069 CVE-2021-4083 CVE-2021-41089
                        CVE-2021-41091 CVE-2021-41092 CVE-2021-41103 CVE-2021-41190 CVE-2021-4135
                        CVE-2021-4136 CVE-2021-4149 CVE-2021-4157 CVE-2021-4166 CVE-2021-41817
                        CVE-2021-4192 CVE-2021-4193 CVE-2021-4193 CVE-2021-4197 CVE-2021-4202
                        CVE-2021-43389 CVE-2021-43565 CVE-2021-43975 CVE-2021-43976 CVE-2021-44142
                        CVE-2021-44733 CVE-2021-44879 CVE-2021-45095 CVE-2021-45486 CVE-2021-45868
                        CVE-2021-46059 CVE-2021-46059 CVE-2022-0001 CVE-2022-0001 CVE-2022-0002
                        CVE-2022-0002 CVE-2022-0128 CVE-2022-0213 CVE-2022-0261 CVE-2022-0318
                        CVE-2022-0318 CVE-2022-0319 CVE-2022-0319 CVE-2022-0322 CVE-2022-0330
                        CVE-2022-0351 CVE-2022-0351 CVE-2022-0359 CVE-2022-0361 CVE-2022-0361
                        CVE-2022-0392 CVE-2022-0407 CVE-2022-0413 CVE-2022-0413 CVE-2022-0487
                        CVE-2022-0492 CVE-2022-0617 CVE-2022-0644 CVE-2022-0696 CVE-2022-0778
                        CVE-2022-0812 CVE-2022-0850 CVE-2022-1011 CVE-2022-1016 CVE-2022-1048
                        CVE-2022-1097 CVE-2022-1184 CVE-2022-1271 CVE-2022-1271 CVE-2022-1271
                        CVE-2022-1292 CVE-2022-1304 CVE-2022-1353 CVE-2022-1381 CVE-2022-1419
                        CVE-2022-1420 CVE-2022-1516 CVE-2022-1586 CVE-2022-1586 CVE-2022-1616
                        CVE-2022-1619 CVE-2022-1620 CVE-2022-1652 CVE-2022-1679 CVE-2022-1729
                        CVE-2022-1733 CVE-2022-1734 CVE-2022-1735 CVE-2022-1771 CVE-2022-1785
                        CVE-2022-1796 CVE-2022-1851 CVE-2022-1897 CVE-2022-1898 CVE-2022-1927
                        CVE-2022-1974 CVE-2022-1975 CVE-2022-20132 CVE-2022-20141 CVE-2022-20154
                        CVE-2022-2068 CVE-2022-2097 CVE-2022-21123 CVE-2022-21125 CVE-2022-21127
                        CVE-2022-21166 CVE-2022-21180 CVE-2022-21499 CVE-2022-22942 CVE-2022-23033
                        CVE-2022-23034 CVE-2022-23035 CVE-2022-23036 CVE-2022-23037 CVE-2022-23038
                        CVE-2022-23039 CVE-2022-23040 CVE-2022-23041 CVE-2022-23042 CVE-2022-2318
                        CVE-2022-23218 CVE-2022-23219 CVE-2022-23308 CVE-2022-23648 CVE-2022-23648
                        CVE-2022-23852 CVE-2022-23990 CVE-2022-24407 CVE-2022-24448 CVE-2022-24769
                        CVE-2022-24903 CVE-2022-24959 CVE-2022-25235 CVE-2022-25236 CVE-2022-25236
                        CVE-2022-25313 CVE-2022-25314 CVE-2022-25315 CVE-2022-26356 CVE-2022-26357
                        CVE-2022-26358 CVE-2022-26359 CVE-2022-26360 CVE-2022-26361 CVE-2022-26362
                        CVE-2022-26363 CVE-2022-26364 CVE-2022-26365 CVE-2022-26490 CVE-2022-26691
                        CVE-2022-26966 CVE-2022-27191 CVE-2022-27239 CVE-2022-28356 CVE-2022-28388
                        CVE-2022-28389 CVE-2022-28390 CVE-2022-28733 CVE-2022-28734 CVE-2022-28736
                        CVE-2022-28739 CVE-2022-28748 CVE-2022-29155 CVE-2022-29162 CVE-2022-29217
                        CVE-2022-29824 CVE-2022-29900 CVE-2022-29901 CVE-2022-30594 CVE-2022-31030
                        CVE-2022-33740 CVE-2022-33741 CVE-2022-33742 CVE-2022-33981 
-----------------------------------------------------------------

The container suse-sles-15-sp1-chost-byos-v20220715-hvm-ssd-x86_64 was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2022:284-1
Released:    Tue Feb  1 17:15:23 2022
Summary:     Security update for samba
Type:        security
Severity:    critical
References:  1194859,CVE-2021-44142
This update for samba fixes the following issues:
	  
- CVE-2021-44142: Fixed out-of-Bound Read/Write on Samba vfs_fruit module. (bsc#1194859)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2022:334-1
Released:    Fri Feb  4 09:30:58 2022
Summary:     Security update for containerd, docker
Type:        security
Severity:    moderate
References:  1191015,1191121,1191334,1191434,1193273,CVE-2021-41089,CVE-2021-41091,CVE-2021-41092,CVE-2021-41103,CVE-2021-41190
This update for containerd, docker fixes the following issues:

- CVE-2021-41089: Fixed 'cp' can chmod host files (bsc#1191015).
- CVE-2021-41091: Fixed flaw that could lead to data directory traversal in moby (bsc#1191434).
- CVE-2021-41092: Fixed exposed user credentials with a misconfigured configuration file (bsc#1191334).
- CVE-2021-41103: Fixed file access to local users in containerd (bsc#1191121).
- CVE-2021-41190: Fixed OCI manifest and index parsing confusion (bsc#1193273).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2022:337-1
Released:    Fri Feb  4 10:24:28 2022
Summary:     Recommended update for libzypp
Type:        recommended
Severity:    important
References:  1193007,1194597,1194898
This update for libzypp fixes the following issues:

- RepoManager: remember execution errors in exception history (bsc#1193007)
- Fix exception handling when reading or writing credentials (bsc#1194898)
- Fix install path for parser (bsc#1194597)
- Fix Legacy include (bsc#1194597)
- Public header files on older distros must use c++11 (bsc#1194597)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2022:345-1
Released:    Tue Feb  8 05:13:04 2022
Summary:     Recommended update for wicked
Type:        recommended
Severity:    moderate
References:  1029961,1057592,1156920,1160654,1177215,1178357,1181163,1181186,1181812,1182227,1183407,1183495,1188019,1189560,1192164,1192311,1192353,1194392,954329
This update for wicked fixes the following issues:

- Fix device rename issue when done via Yast2 (bsc#1194392)
- Prepare RPM packaging for migration of dbus configuration files from /etc to /usr, however 
  this change does not affect SUSE Linux Enterprise 15 (bsc#1183407,jsc#SLE-9750)
- Prepare RPM packaging for merging of /bin and /usr/bin directories, however this merge
  does not affect SUSE Linux Enterprise 15 (bsc#1029961)
- Parse sysctl files in the correct order (bsc#1181186)
- Fix sysctl values for loopback device (bsc#1181163, bsc#1178357)
- Add option for dhcp4 to set route pref-src to dhcp IP (bsc#1192353)
- Cleanup warnings, time calculations and add dhcp fixes to reduce resource usage (bsc#1188019)
- Avoid sysfs attribute read error when the kernel has already deleted the TUN/TAP interface (bsc#1192311)
- Fix warning in `ifstatus` about unexpected interface flag combination (bsc#1192164)
- Fix `ifstatus` not to show link as 'up' when interface is not running
- Make firewalld zone assignment permanent (bsc#1189560)
- Cleanup and improve ifconfig and ifpolicy access utilities
- Initial fixes for dracut integration and improved option handling (bsc#1182227)
- Fix `nanny` to identify node owner exit condition
- Using wicked without nanny is no longer supported and use-nanny=false configuration
  option was removed
- Add `ethtool --get-permanent-address` option in the client
- Fix `ifup` to refresh link state of network interface after being unenslaved from 
  an unconfigured master (bsc#954329)
- Prevent re-trigger Duplicate Address Detection on address updates when is not needed (bsc#1177215)
- Fix Network Information Service configuration (bsc#1181812)
- Reconnect on unexpected wpa_supplicant restart (bsc#1183495)
- Migrate wireless to wpa-supplicant v1 DBus interface (bsc#1156920)
- Support multiple wireless networks configurations per interface
- Show wireless connection status and scan-results (bsc#1160654)
- Fix eap-tls,ttls cetificate handling and fix open vs. shared
  wep,open,psk,eap-tls,ttls,peap parsing from ifcfg (bsc#1057592)
- Updated `man ifcfg-wireless` manual pages

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2022:366-1
Released:    Thu Feb 10 17:40:06 2022
Summary:     Security update for the Linux Kernel
Type:        security
Severity:    critical
References:  1071995,1124431,1167162,1169514,1172073,1179599,1184804,1185377,1186207,1186222,1187167,1189305,1189841,1190358,1190428,1191229,1191241,1191384,1191731,1192032,1192267,1192740,1192845,1192847,1192877,1192946,1193306,1193440,1193442,1193575,1193669,1193727,1193731,1193767,1193861,1193864,1193867,1193927,1194001,1194048,1194087,1194227,1194302,1194516,1194529,1194880,1194888,1194985,1195166,1195254,CVE-2018-25020,CVE-2019-15126,CVE-2020-27820,CVE-2021-0920,CVE-2021-0935,CVE-2021-28711,CVE-2021-28712,CVE-2021-28713,CVE-2021-28714,CVE-2021-28715,CVE-2021-33098,CVE-2021-3564,CVE-2021-39648,CVE-2021-39657,CVE-2021-4002,CVE-2021-4083,CVE-2021-4135,CVE-2021-4149,CVE-2021-4197,CVE-2021-4202,CVE-2021-43975,CVE-2021-43976,CVE-2021-44733,CVE-2021-45095,CVE-2021-45486,CVE-2022-0322,CVE-2022-0330


The SUSE Linux Enterprise 15 SP1 LTSS kernel was updated to receive various security and bugfixes.

The following security bugs were fixed:

- CVE-2022-0435: Fixed remote stack overflow in net/tipc module that validate domain record count on input (bsc#1195254).
- CVE-2022-0330: Fixed flush TLBs before releasing backing store (bsc#1194880).
- CVE-2021-45486: Fixed an information leak because the hash table is very small in net/ipv4/route.c (bnc#1194087).
- CVE-2021-45095: Fixed refcount leak in pep_sock_accept in net/phonet/pep.c (bnc#1193867).
- CVE-2021-44733: Fixed a use-after-free exists in drivers/tee/tee_shm.c in the TEE subsystem, that could have occured because of a race condition in tee_shm_get_from_id during an attempt to free a shared memory object (bnc#1193767).
- CVE-2021-43976: Fixed a flaw that could allow an attacker (who can connect a crafted USB device) to cause a denial of service. (bnc#1192847)
- CVE-2021-43975: Fixed a flaw in hw_atl_utils_fw_rpc_wait that could allow an attacker (who can introduce a crafted device) to trigger an out-of-bounds write via a crafted length value. (bsc#1192845)
- CVE-2021-4202: Fixed NFC race condition by adding NCI_UNREG flag (bsc#1194529).
- CVE-2021-4197: Use cgroup open-time credentials for process migraton perm checks (bsc#1194302).
- CVE-2021-4159: Fixed kernel ptr leak vulnerability via BPF in coerce_reg_to_size (bsc#1194227).
- CVE-2021-4149: Fixed btrfs unlock newly allocated extent buffer after error (bsc#1194001).
- CVE-2021-4135: Fixed zero-initialize memory inside netdevsim for new map's value in function nsim_bpf_map_alloc (bsc#1193927).
- CVE-2021-4083: Fixed a read-after-free memory flaw inside the garbage collection for Unix domain socket file handlers when users call close() and fget() simultaneouslyand can potentially trigger a race condition (bnc#1193727).
- CVE-2021-4002: Fixed incorrect TLBs flush in hugetlbfs after huge_pmd_unshare (bsc#1192946).
- CVE-2021-39657: Fixed out of bounds read due to a missing bounds check in ufshcd_eh_device_reset_handler of ufshcd.c. This could lead to local information disclosure with System execution privileges needed (bnc#1193864).
- CVE-2021-39648: Fixed possible disclosure of kernel heap memory due to a race condition in gadget_dev_desc_UDC_show of configfs.c. This could lead to local information disclosure with System execution privileges needed. User interaction is not needed for exploitation (bnc#1193861). 
- CVE-2021-3564: Fixed double-free memory corruption in the Linux kernel HCI device initialization subsystem that could have been used by attaching malicious HCI TTY Bluetooth devices. A local user could use this flaw to crash the system (bnc#1186207).
- CVE-2021-33098: Fixed a potential denial of service in Intel(R) Ethernet ixgbe driver due to improper input validation. (bsc#1192877)
- CVE-2021-28715: Fixed issue with xen/netback to do not queue unlimited number of packages (XSA-392) (bsc#1193442).
- CVE-2021-28714: Fixed issue with xen/netback to handle rx queue stall detection (XSA-392) (bsc#1193442).
- CVE-2021-28713: Fixed issue with xen/console to harden hvc_xen against event channel storms (XSA-391) (bsc#1193440).
- CVE-2021-28712: Fixed issue with xen/netfront to harden netfront against event channel storms (XSA-391) (bsc#1193440).
- CVE-2021-28711: Fixed issue with xen/blkfront to harden blkfront against event channel storms (XSA-391) (bsc#1193440).
- CVE-2021-0935: Fixed possible out of bounds write in ip6_xmit of ip6_output.c due to a use after free. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation (bnc#1192032).
- CVE-2021-0920: Fixed a local privilege escalation due to an use after free bug in unix_gc (bsc#1193731).
- CVE-2020-27820: Fixed a vulnerability where a use-after-frees in nouveau's postclose() handler could happen if removing device (bsc#1179599).
- CVE-2019-15126: Fixed a vulnerability in Broadcom and Cypress Wi-Fi chips, used in RPi family of devices aka 'Kr00k'. (bsc#1167162)
- CVE-2018-25020: Fixed an overflow in the BPF subsystem due to a mishandling of a long jump over an instruction sequence where inner instructions require substantial expansions into multiple BPF instructions. This affects kernel/bpf/core.c and net/core/filter.c (bnc#1193575).

The following non-security bugs were fixed:

- Bluetooth: fix the erroneous flush_work() order (git-fixes).
- Build: Add obsolete_rebuilds_subpackage (boo#1172073 bsc#1191731).
- ICMPv6: Add ICMPv6 Parameter Problem, code 3 definition (bsc#1191241 bsc#1195166).
- IPv6: reply ICMP error if the first fragment do not include all headers (bsc#1191241).
- elfcore: fix building with clang (bsc#1169514).
- hv_netvsc: Set needed_headroom according to VF (bsc#1193506).
- ipv6/netfilter: Discard first fragment not including all headers (bsc#1191241 bsc#1195166).
- kernel-*-subpackage: Add dependency on kernel scriptlets (bsc#1192740).
- kernel-binary.spec.in Stop templating the scriptlets for subpackages (bsc#1190358).
- kernel-binary.spec.in: add zstd to BuildRequires if used
- kernel-binary.spec.in: make sure zstd is supported by kmod if used
- kernel-binary.spec: Check for no kernel signing certificates. Also remove unused variable.
- kernel-binary.spec: Define $image as rpm macro (bsc#1189841).
- kernel-binary.spec: Do not fail silently when KMP is empty (bsc#1190358). Copy the code from kernel-module-subpackage that deals with empty KMPs.
- kernel-binary.spec: Do not sign kernel when no key provided (bsc#1187167).
- kernel-binary.spec: Fix kernel-default-base scriptlets after packaging merge.
- kernel-binary.spec: Require dwarves for kernel-binary-devel when BTF is enabled (jsc#SLE-17288).
- kernel-binary.spec: suse-kernel-rpm-scriptlets required for uninstall as well.
- kernel-cert-subpackage: Fix certificate location in scriptlets (bsc#1189841). 
- kernel-source.spec: install-kernel-tools also required on 15.4
- kernel-spec-macros: Since rpm 4.17 %verbose is unusable (bsc#1191229). The semantic changed in an incompatible way so invoking the macro now causes a build failure.
- kprobes: Limit max data_size of the kretprobe instances (bsc#1193669).
- livepatch: Avoid CPU hogging with cond_resched (bsc#1071995).
- memstick: rtsx_usb_ms: fix UAF (bsc#1194516).
- moxart: fix potential use-after-free on remove path (bsc#1194516).
- net, xdp: Introduce xdp_init_buff utility routine (bsc#1193506).
- net, xdp: Introduce xdp_prepare_buff utility routine (bsc#1193506).
- net: Using proper atomic helper (bsc#1186222).
- net: ipv6: Discard next-hop MTU less than minimum link MTU (bsc#1191241).
- net: mana: Add RX fencing (bsc#1193506).
- net: mana: Add XDP support (bsc#1193506).
- net: mana: Allow setting the number of queues while the NIC is down (bsc#1193506).
- net: mana: Fix spelling mistake 'calledd' -> 'called' (bsc#1193506).
- net: mana: Fix the netdev_err()'s vPort argument in mana_init_port() (bsc#1193506).
- net: mana: Improve the HWC error handling (bsc#1193506).
- net: mana: Support hibernation and kexec (bsc#1193506).
- net: mana: Use kcalloc() instead of kzalloc() (bsc#1193506).
- objtool: Support Clang non-section symbols in ORC generation (bsc#1169514).
- post.sh: detect /usr mountpoint too
- recordmcount.pl: fix typo in s390 mcount regex (bsc#1192267).
- recordmcount.pl: look for jgnop instruction as well as bcrl on s390 (bsc#1192267).
- rpm/kernel-binary.spec.in: Use kmod-zstd provide. This makes it possible to use kmod with ZSTD support on non-Tumbleweed.
- rpm/kernel-binary.spec.in: avoid conflicting suse-release suse-release had arbitrary values in staging, we can't use it for dependencies. The filesystem one has to be enough (boo#1184804).
- rpm/kernel-binary.spec.in: do not strip vmlinux again (bsc#1193306). 
- rpm/kernel-binary.spec: Use only non-empty certificates.
- rpm/kernel-obs-build.spec.in: make builds reproducible (bsc#1189305).
- rpm/kernel-source.rpmlintrc: ignore new include/config files. 
- rpm/kernel-source.spec.in: do some more for vanilla_only.
- rpm: Abolish image suffix (bsc#1189841).
- rpm: Abolish scritplet templating (bsc#1189841). Outsource kernel-binary and KMP scriptlets to suse-module-tools. 
- rpm: Define $certs as rpm macro (bsc#1189841). 
- rpm: Fold kernel-devel and kernel-source scriptlets into spec files (bsc#1189841). 
- rpm: fix kmp install path
- rpm: use _rpmmacrodir (boo#1191384)
- tty: hvc: replace BUG_ON() with negative return value.
- vfs: check fd has read access in kernel_read_file_from_fd() (bsc#1194888).
- x86/xen: Mark cpu_bringup_and_idle() as dead_end_function (bsc#1169514).
- xen/blkfront: do not take local copy of a request from the ring page (git-fixes).
- xen/blkfront: do not trust the backend response data blindly (git-fixes).
- xen/blkfront: read response from backend only once (git-fixes).
- xen/netfront: disentangle tx_skb_freelist (git-fixes).
- xen/netfront: do not read data from request on the ring page (git-fixes).
- xen/netfront: do not trust the backend response data blindly (git-fixes).
- xen/netfront: read response from backend only once (git-fixes).
- xen: sync include/xen/interface/io/ring.h with Xen's newest version (git-fixes).
- xfrm: fix MTU regression (bsc#1185377, bsc#1194048).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2022:468-1
Released:    Thu Feb 17 09:52:01 2022
Summary:     Security update for xen
Type:        security
Severity:    important
References:  1194576,1194581,1194588,CVE-2022-23033,CVE-2022-23034,CVE-2022-23035
This update for xen fixes the following issues:

- CVE-2022-23033: Fixed guest_physmap_remove_page not removing the p2m mappings. (XSA-393) (bsc#1194576)
- CVE-2022-23034: Fixed possible DoS by a PV guest Xen while unmapping a grant. (XSA-394) (bsc#1194581)
- CVE-2022-23035: Fixed insufficient cleanup of passed-through device IRQs. (XSA-395) (bsc#1194588)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2022:473-1
Released:    Thu Feb 17 10:29:42 2022
Summary:     Recommended update for libzypp, zypper
Type:        recommended
Severity:    moderate
References:  1195326
This update for libzypp, zypper fixes the following issues:

- Fix handling of redirected command in-/output (bsc#1195326)
  This fixes delays at the end of zypper operations, where
  zypper unintentionally waits for appdata plugin scripts to
  complete.

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2022:476-1
Released:    Thu Feb 17 10:31:35 2022
Summary:     Recommended update for nfs-utils
Type:        recommended
Severity:    moderate
References:  1194661
This update for nfs-utils fixes the following issues:

- If an error or warning message is produced before closeall() is called, mountd doesn't work. (bsc#1194661)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2022:498-1
Released:    Fri Feb 18 10:46:56 2022
Summary:     Security update for expat
Type:        security
Severity:    important
References:  1195054,1195217,CVE-2022-23852,CVE-2022-23990
This update for expat fixes the following issues:

- CVE-2022-23852: Fixed signed integer overflow in XML_GetBuffer (bsc#1195054).
- CVE-2022-23990: Fixed integer overflow in the doProlog function (bsc#1195217).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2022:511-1
Released:    Fri Feb 18 12:41:53 2022
Summary:     Recommended update for coreutils
Type:        recommended
Severity:    moderate
References:  1082318,1189152
This update for coreutils fixes the following issues:

- Add 'fuse.portal' as a dummy file system (used in flatpak implementations) (bsc#1189152).
- Properly sort docs and license files (bsc#1082318).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2022:523-1
Released:    Fri Feb 18 12:49:09 2022
Summary:     Recommended update for systemd
Type:        recommended
Severity:    moderate
References:  1193759,1193841
This update for systemd fixes the following issues:

- systemctl: exit with 1 if no unit files found (bsc#1193841).
- add rules for virtual devices (bsc#1193759).
- enforce 'none' for loop devices (bsc#1193759).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2022:674-1
Released:    Wed Mar  2 13:24:36 2022
Summary:     Recommended update for yast2-network
Type:        recommended
Severity:    moderate
References:  1187512
This update for yast2-network fixes the following issues:
  
- Don't crash at the end of installation when storing wifi configuration for NetworkManager. (bsc#1187512)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2022:682-1
Released:    Thu Mar  3 11:37:03 2022
Summary:     Recommended update for supportutils-plugin-suse-public-cloud
Type:        recommended
Severity:    important
References:  1195095,1195096
This update for supportutils-plugin-suse-public-cloud fixes the following issues:

- Update to version 1.0.6 (bsc#1195095, bsc#1195096)
  - Include cloud-init logs whenever they are present
  - Update the packages we track in AWS, Azure, and Google
  - Include the ecs logs for AWS ECS instances

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2022:692-1
Released:    Thu Mar  3 15:46:47 2022
Summary:     Recommended update for filesystem
Type:        recommended
Severity:    moderate
References:  1190447
This update for filesystem fixes the following issues:

- Release ported filesystem to LTSS channels (bsc#1190447).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2022:701-1
Released:    Thu Mar  3 17:45:33 2022
Summary:     Recommended update for sudo
Type:        recommended
Severity:    moderate
References:  1181703
This update for sudo fixes the following issues:

- Add support in the LDAP filter for negated users (jsc#SLE-20068)
- Restrict use of sudo -U other -l to people who have permission
  to run commands as that user (bsc#1181703, jsc#SLE-22569)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2022:702-1
Released:    Thu Mar  3 18:22:59 2022
Summary:     Security update for cyrus-sasl
Type:        security
Severity:    important
References:  1196036,CVE-2022-24407
This update for cyrus-sasl fixes the following issues:

- CVE-2022-24407: Fixed SQL injection in sql_auxprop_store in plugins/sql.c (bsc#1196036).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2022:713-1
Released:    Fri Mar  4 09:34:17 2022
Summary:     Security update for expat
Type:        security
Severity:    important
References:  1196025,1196026,1196168,1196169,1196171,CVE-2022-25235,CVE-2022-25236,CVE-2022-25313,CVE-2022-25314,CVE-2022-25315
This update for expat fixes the following issues:
  
- CVE-2022-25236: Fixed possible namespace-separator characters insertion into namespace URIs (bsc#1196025).
- CVE-2022-25235: Fixed UTF-8 character validation in a certain context (bsc#1196026).
- CVE-2022-25313: Fixed stack exhaustion in build_model() via uncontrolled recursion (bsc#1196168).
- CVE-2022-25314: Fixed integer overflow in copyString (bsc#1196169).
- CVE-2022-25315: Fixed integer overflow in storeRawNames (bsc#1196171).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2022:720-1
Released:    Fri Mar  4 10:20:28 2022
Summary:     Security update for containerd
Type:        security
Severity:    moderate
References:  1196441,CVE-2022-23648
This update for containerd fixes the following issues:

- CVE-2022-23648: A specially-crafted image configuration could gain access to 
  read-only copies of arbitrary files and directories on the host (bsc#1196441).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2022:736-1
Released:    Fri Mar  4 14:51:57 2022
Summary:     Security update for vim
Type:        security
Severity:    important
References:  1190533,1190570,1191893,1192478,1192481,1193294,1193298,1194216,1194556,1195004,1195066,1195126,1195202,1195356,CVE-2021-3778,CVE-2021-3796,CVE-2021-3872,CVE-2021-3927,CVE-2021-3928,CVE-2021-3984,CVE-2021-4019,CVE-2021-4193,CVE-2021-46059,CVE-2022-0318,CVE-2022-0319,CVE-2022-0351,CVE-2022-0361,CVE-2022-0413
This update for vim fixes the following issues:

- CVE-2022-0318: Fixed heap-based buffer overflow (bsc#1195004).
- CVE-2021-3796: Fixed use-after-free in nv_replace() in normal.c (bsc#1190570).
- CVE-2021-3872: Fixed heap-based buffer overflow in win_redr_status() drawscreen.c (bsc#1191893).
- CVE-2021-3927: Fixed heap-based buffer overflow (bsc#1192481).
- CVE-2021-3928: Fixed stack-based buffer overflow (bsc#1192478).
- CVE-2021-4019: Fixed heap-based buffer overflow (bsc#1193294).
- CVE-2021-3984: Fixed illegal memory access when C-indenting could have led to heap buffer overflow (bsc#1193298).
- CVE-2021-3778: Fixed heap-based buffer overflow in regexp_nfa.c (bsc#1190533).
- CVE-2021-4193: Fixed out-of-bounds read (bsc#1194216).
- CVE-2021-46059: Fixed pointer dereference vulnerability via the vim_regexec_multi function at regexp.c (bsc#1194556).
- CVE-2022-0319: Fixded out-of-bounds read (bsc#1195066).
- CVE-2022-0351: Fixed uncontrolled recursion in eval7() (bsc#1195126).
- CVE-2022-0361: Fixed buffer overflow (bsc#1195126).
- CVE-2022-0413: Fixed use-after-free in src/ex_cmds.c (bsc#1195356).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2022:768-1
Released:    Tue Mar  8 19:10:57 2022
Summary:     Security update for the Linux Kernel
Type:        security
Severity:    important
References:  1185973,1191580,1194516,1195536,1195543,1195612,1195840,1195897,1195908,1195949,1195987,1196079,1196155,1196584,1196612,CVE-2021-44879,CVE-2022-0001,CVE-2022-0002,CVE-2022-0487,CVE-2022-0492,CVE-2022-0617,CVE-2022-0644,CVE-2022-24448,CVE-2022-24959
The SUSE Linux Enterprise 15 SP1 kernel was updated to receive various security and bugfixes.


Transient execution side-channel attacks attacking the Branch History Buffer (BHB),
named 'Branch Target Injection' and 'Intra-Mode Branch History Injection' are now mitigated.

The following security bugs were fixed:

- CVE-2022-0001: Fixed Branch History Injection vulnerability (bsc#1191580).
- CVE-2022-0002: Fixed Intra-Mode Branch Target Injection vulnerability (bsc#1191580).
- CVE-2022-0617: Fixed a null pointer dereference in UDF file system functionality. A local user could crash the system by triggering udf_file_write_iter() via a malicious UDF image. (bsc#1196079)
- CVE-2022-0644: Fixed a denial of service by a local user. A assertion failure could be triggered in kernel_read_file_from_fd() (bsc#1196155).
- CVE-2021-44879: In gc_data_segment() in fs/f2fs/gc.c, special files were not considered, which lead to a move_data_page NULL pointer dereference (bsc#1195987).
- CVE-2022-24959: Fixed a memory leak in yam_siocdevprivate() in drivers/net/hamradio/yam.c (bsc#1195897).
- CVE-2022-0487: A use-after-free vulnerability was found in rtsx_usb_ms_drv_remove() in drivers/memstick/host/rtsx_usb_ms.c (bsc#1194516).
- CVE-2022-0492: Fixed a privilege escalation related to cgroups v1 release_agent feature, which allowed bypassing namespace isolation unexpectedly (bsc#1195543).
- CVE-2022-24448: Fixed an issue in fs/nfs/dir.c. If an application sets the O_DIRECTORY flag, and tries to open a regular file, nfs_atomic_open() performs a regular lookup. If a regular file is found, ENOTDIR should have occured, but the server instead returned uninitialized data in the file descriptor (bsc#1195612).


The following non-security bugs were fixed:

- crypto: af_alg - get_page upon reassignment to TX SGL (bsc#1195840).
- lib/iov_iter: initialize 'flags' in new pipe_buffer (bsc#1196584).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2022:774-1
Released:    Wed Mar  9 10:52:10 2022
Summary:     Security update for tcpdump
Type:        security
Severity:    moderate
References:  1195825,CVE-2018-16301
This update for tcpdump fixes the following issues:

- CVE-2018-16301: Fixed segfault when handling large files (bsc#1195825).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2022:787-1
Released:    Thu Mar 10 11:20:13 2022
Summary:     Recommended update for openldap2
Type:        recommended
Severity:    moderate
References:  
This update for openldap2 fixes the following issue:

- restore CLDAP functionality in CLI tools (jsc#PM-3288)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2022:789-1
Released:    Thu Mar 10 11:22:05 2022
Summary:     Recommended update for update-alternatives
Type:        recommended
Severity:    moderate
References:  1195654
This update for update-alternatives fixes the following issues:

- Break bash - update-alternatives cycle rewrite of '%post' in 'lua'. (bsc#1195654)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2022:792-1
Released:    Thu Mar 10 11:58:18 2022
Summary:     Recommended update for suse-build-key
Type:        recommended
Severity:    moderate
References:  1194845,1196494,1196495
This update for suse-build-key fixes the following issues:

- The old SUSE PTF key was extended, but also move it to suse_ptf_key_old.asc (as it is a DSA1024 key).
- Added a new SUSE PTF key with RSA2048 bit as suse_ptf_key.asc (bsc#1196494)
- Extended the expiry of SUSE Linux Enterprise 11 key (bsc#1194845)
- Added SUSE Container signing key in PEM format for use e.g. by cosign.
- The SUSE security key was replaced with 2022 edition (E-Mail usage only). (bsc#1196495)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2022:808-1
Released:    Fri Mar 11 06:07:58 2022
Summary:     Recommended update for procps
Type:        recommended
Severity:    moderate
References:  1195468
This update for procps fixes the following issues:

- Stop registering signal handler for SIGURG, to avoid `ps` failure if
  someone sends such signal. Without the signal handler, SIGURG will
  just be ignored. (bsc#1195468)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2022:823-1
Released:    Mon Mar 14 15:16:37 2022
Summary:     Security update for protobuf
Type:        security
Severity:    moderate
References:  1195258,CVE-2021-22570
This update for protobuf fixes the following issues:

- CVE-2021-22570: Fix incorrect parsing of nullchar in the proto symbol (bsc#1195258).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2022:832-1
Released:    Mon Mar 14 17:27:03 2022
Summary:     Security update for glibc
Type:        security
Severity:    important
References:  1193625,1194640,1194768,1194770,1195560,CVE-2015-8985,CVE-2021-3999,CVE-2022-23218,CVE-2022-23219

glibc was updated to fix the following issues:

Security issues fixed:

- CVE-2022-23219: Fixed Buffer overflow in sunrpc clnt_create for 'unix' (bsc#1194768)
- CVE-2022-23218: Buffer overflow in sunrpc svcunix_create (bsc#1194770)
- CVE-2021-3999: Fixed getcwd to set errno to ERANGE for size == 1 (bsc#1194640)
- CVE-2015-8985: Fixed Assertion failure in pop_fail_stack when executing a malformed regexp (bsc#1193625)

Also the following bug was fixed:

- Fix pthread_rwlock_try*lock stalls (bsc#1195560)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2022:844-1
Released:    Tue Mar 15 11:33:57 2022
Summary:     Security update for expat
Type:        security
Severity:    important
References:  1196025,1196784,CVE-2022-25236
This update for expat fixes the following issues:

- Fixed a regression caused by the patch for CVE-2022-25236 (bsc#1196784).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2022:845-1
Released:    Tue Mar 15 11:40:50 2022
Summary:     Security update for chrony
Type:        security
Severity:    moderate
References:  1099272,1115529,1128846,1162964,1172113,1173277,1174075,1174911,1180689,1181826,1187906,1190926,1194229,CVE-2020-14367
This update for chrony fixes the following issues:

Chrony was updated to 4.1, bringing features and bugfixes.

Update to 4.1

  * Add support for NTS servers specified by IP address (matching
    Subject Alternative Name in server certificate)
  * Add source-specific configuration of trusted certificates
  * Allow multiple files and directories with trusted certificates
  * Allow multiple pairs of server keys and certificates
  * Add copy option to server/pool directive
  * Increase PPS lock limit to 40% of pulse interval
  * Perform source selection immediately after loading dump files
  * Reload dump files for addresses negotiated by NTS-KE server
  * Update seccomp filter and add less restrictive level
  * Restart ongoing name resolution on online command
  * Fix dump files to not include uncorrected offset
  * Fix initstepslew to accept time from own NTP clients
  * Reset NTP address and port when no longer negotiated by NTS-KE
    server

- Ensure the correct pool packages are installed for openSUSE
  and SLE (bsc#1180689).
- Fix pool package dependencies, so that SLE prefers chrony-pool-suse
  over chrony-pool-empty. (bsc#1194229)

- Enable syscallfilter unconditionally [bsc#1181826].

Update to 4.0

  - Enhancements

    - Add support for Network Time Security (NTS) authentication
    - Add support for AES-CMAC keys (AES128, AES256) with Nettle
    - Add authselectmode directive to control selection of
      unauthenticated sources
    - Add binddevice, bindacqdevice, bindcmddevice directives
    - Add confdir directive to better support fragmented
      configuration
    - Add sourcedir directive and 'reload sources' command to
      support dynamic NTP sources specified in files
    - Add clockprecision directive
    - Add dscp directive to set Differentiated Services Code Point
      (DSCP)
    - Add -L option to limit log messages by severity
    - Add -p option to print whole configuration with included
      files
    - Add -U option to allow start under non-root user
    - Allow maxsamples to be set to 1 for faster update with -q/-Q
      option
    - Avoid replacing NTP sources with sources that have
      unreachable address
    - Improve pools to repeat name resolution to get 'maxsources'
      sources
    - Improve source selection with trusted sources
    - Improve NTP loop test to prevent synchronisation to itself
    - Repeat iburst when NTP source is switched from offline state
      to online
    - Update clock synchronisation status and leap status more
      frequently
    - Update seccomp filter
    - Add 'add pool' command
    - Add 'reset sources' command to drop all measurements
    - Add authdata command to print details about NTP
      authentication
    - Add selectdata command to print details about source
      selection
    - Add -N option and sourcename command to print original names
      of sources
    - Add -a option to some commands to print also unresolved
      sources
    - Add -k, -p, -r options to clients command to select, limit,
      reset data

  - Bug fixes

    - Don’t set interface for NTP responses to allow asymmetric
      routing
    - Handle RTCs that don’t support interrupts
    - Respond to command requests with correct address on
      multihomed hosts
  - Removed features
    - Drop support for RIPEMD keys (RMD128, RMD160, RMD256, RMD320)
    - Drop support for long (non-standard) MACs in NTPv4 packets
      (chrony 2.x clients using non-MD5/SHA1 keys need to use
      option 'version 3')
    - Drop support for line editing with GNU Readline

- By default we don't write log files but log to journald, so
  only recommend logrotate.

- Adjust and rename the sysconfig file, so that it matches the
  expectations of chronyd.service (bsc#1173277).

Update to 3.5.1:

  * Create new file when writing pidfile (CVE-2020-14367, bsc#1174911)

- Fixes for %_libexecdir changing to /usr/libexec (bsc#1174075)

- Use iburst in the default pool statements to speed up initial
  synchronisation (bsc#1172113).




Update to 3.5:

+ Add support for more accurate reading of PHC on Linux 5.0
+ Add support for hardware timestamping on interfaces with read-only timestamping configuration
+ Add support for memory locking and real-time priority on FreeBSD, NetBSD, Solaris
+ Update seccomp filter to work on more architectures
+ Validate refclock driver options
+ Fix bindaddress directive on FreeBSD
+ Fix transposition of hardware RX timestamp on Linux 4.13 and later
+ Fix building on non-glibc systems

- Fix location of helper script in [email protected]
  (bsc#1128846).


- Read runtime servers from /var/run/netconfig/chrony.servers to
  fix bsc#1099272.
- Move chrony-helper to /usr/lib/chrony/helper, because there
  should be no executables in /usr/share.

Update to version 3.4

  * Enhancements

    + Add filter option to server/pool/peer directive
    + Add minsamples and maxsamples options to hwtimestamp directive
    + Add support for faster frequency adjustments in Linux 4.19
    + Change default pidfile to /var/run/chrony/chronyd.pid to allow chronyd 
      without root privileges to remove it on exit
    + Disable sub-second polling intervals for distant NTP sources
    + Extend range of supported sub-second polling intervals
    + Get/set IPv4 destination/source address of NTP packets on FreeBSD
    + Make burst options and command useful with short polling intervals
    + Modify auto_offline option to activate when sending request failed
    + Respond from interface that received NTP request if possible
    + Add onoffline command to switch between online and offline state 
      according to current system network configuration
    + Improve example NetworkManager dispatcher script

  * Bug fixes

    + Avoid waiting in Linux getrandom system call
    + Fix PPS support on FreeBSD and NetBSD

Update to version 3.3

  * Enhancements:

    + Add burst option to server/pool directive
    + Add stratum and tai options to refclock directive
    + Add support for Nettle crypto library
    + Add workaround for missing kernel receive timestamps on Linux
    + Wait for late hardware transmit timestamps
    + Improve source selection with unreachable sources
    + Improve protection against replay attacks on symmetric mode
    + Allow PHC refclock to use socket in /var/run/chrony
    + Add shutdown command to stop chronyd
    + Simplify format of response to manual list command
    + Improve handling of unknown responses in chronyc

  * Bug fixes:

    + Respond to NTPv1 client requests with zero mode
    + Fix -x option to not require CAP_SYS_TIME under non-root user
    + Fix acquisitionport directive to work with privilege separation
    + Fix handling of socket errors on Linux to avoid high CPU usage
    + Fix chronyc to not get stuck in infinite loop after clock step
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2022:853-1
Released:    Tue Mar 15 19:27:30 2022
Summary:     Security update for openssl-1_1
Type:        security
Severity:    important
References:  1196877,CVE-2022-0778
This update for openssl-1_1 fixes the following issues:

- CVE-2022-0778: Infinite loop in BN_mod_sqrt() reachable when parsing certificates (bsc#1196877).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2022:861-1
Released:    Tue Mar 15 23:31:21 2022
Summary:     Recommended update for openssl-1_1 
Type:        recommended
Severity:    moderate
References:  1182959,1195149,1195792,1195856
This update for openssl-1_1 fixes the following issues:

openssl-1_1:

- Fix PAC pointer authentication in ARM (bsc#1195856)
- Pull libopenssl-1_1 when updating openssl-1_1 with the same version (bsc#1195792)
- FIPS: Fix function and reason error codes (bsc#1182959)
- Enable zlib compression support (bsc#1195149)
    
glibc:

- Resolve installation issue of `glibc-devel` in SUSE Linux Enterprise Micro 5.1
    
linux-glibc-devel:

- Resolve installation issue of `linux-kernel-headers` in SUSE Linux Enterprise Micro 5.1

libxcrypt:

- Resolve installation issue of `libxcrypt-devel` in SUSE Linux Enterprise Micro 5.1

zlib:

- Resolve installation issue of `zlib-devel` in SUSE Linux Enterprise Micro 5.1

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2022:867-1
Released:    Wed Mar 16 07:14:44 2022
Summary:     Recommended update for libtirpc
Type:        recommended
Severity:    moderate
References:  1193805
This update for libtirpc fixes the following issues:

- Fix memory leak in client protocol version 2 code (bsc#1193805)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2022:874-1
Released:    Wed Mar 16 10:40:52 2022
Summary:     Recommended update for openldap2
Type:        recommended
Severity:    moderate
References:  1197004
This update for openldap2 fixes the following issue:

- Revert jsc#PM-3288 - CLDAP ( -DLDAP_CONNECTIONLESS ) due to regression (bsc#1197004)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2022:888-1
Released:    Thu Mar 17 10:56:42 2022
Summary:     Recommended update for avahi
Type:        recommended
Severity:    moderate
References:  1179060,1194561,1195614,1196282
This update for avahi fixes the following issues:

- Change python3-Twisted to a soft dependency. It is not available
  on SLED or PackageHub, and it is only needed by avahi-bookmarks
  (bsc#1196282)
- Fix warning when Twisted is not available
- Have python3-avahi require python3-dbus-python, not the
  python 2 dbus-1-python package (bsc#1195614)
- Ensure that NetworkManager or wicked have already started before 
  initializing (bsc#1194561)
- Move sftp-ssh and ssh services to the doc directory. They allow
  a host's up/down status to be easily discovered and should not
  be enabled by default (bsc#1179060)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2022:931-1
Released:    Tue Mar 22 11:10:44 2022
Summary:     Security update for xen
Type:        security
Severity:    important
References:  1196915,CVE-2021-26401,CVE-2022-0001,CVE-2022-0002
This update for xen fixes the following issues:

Transient execution side-channel attacks attacking the Branch History Buffer (BHB),
named 'Branch Target Injection' and 'Intra-Mode Branch History Injection' are now mitigated.

- CVE-2022-0001, CVE-2022-0002, CVE-2021-26401: BHB speculation issues (bsc#1196915).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2022:936-1
Released:    Tue Mar 22 18:10:17 2022
Summary:     Recommended update for filesystem and systemd-rpm-macros
Type:        recommended
Severity:    moderate
References:  1196275,1196406
This update for filesystem and systemd-rpm-macros fixes the following issues:

filesystem:

- Add path /lib/modprobe.d (bsc#1196275, jsc#SLE-20639)

systemd-rpm-macros:

- Make %_modprobedir point to /lib/modprobe.d (bsc#1196275, bsc#1196406)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2022:946-1
Released:    Thu Mar 24 15:19:49 2022
Summary:     Security update for bind
Type:        security
Severity:    important
References:  1197135,CVE-2021-25220
This update for bind fixes the following issues:

- CVE-2021-25220: Fixed a DNS cache poisoning vulnerability due to loose
  caching rules (bsc#1197135).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2022:1021-1
Released:    Tue Mar 29 13:24:21 2022
Summary:     Recommended update for systemd
Type:        recommended
Severity:    moderate
References:  1195899
This update for systemd fixes the following issues:

- allow setting external core size to infinity (bsc#1195899 jsc#SLE-23868 jsc#SLE-23870)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2022:1047-1
Released:    Wed Mar 30 16:20:56 2022
Summary:     Recommended update for pam
Type:        recommended
Severity:    moderate
References:  1196093,1197024
This update for pam fixes the following issues:

- Define _pam_vendordir as the variable is needed by systemd and others. (bsc#1196093)
- Between allocating the variable 'ai' and free'ing them, there are two 'return NO' were we don't free this variable. 
  This patch inserts freaddrinfo() calls before the 'return NO;'s. (bsc#1197024)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2022:1061-1
Released:    Wed Mar 30 18:27:06 2022
Summary:     Security update for zlib
Type:        security
Severity:    important
References:  1197459,CVE-2018-25032
This update for zlib fixes the following issues:

- CVE-2018-25032: Fixed memory corruption on deflate (bsc#1197459).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2022:1073-1
Released:    Fri Apr  1 11:45:01 2022
Summary:     Security update for yaml-cpp
Type:        security
Severity:    moderate
References:  1121227,1121230,1122004,1122021,CVE-2018-20573,CVE-2018-20574,CVE-2019-6285,CVE-2019-6292
This update for yaml-cpp fixes the following issues:

- CVE-2018-20573: Fixed remote DOS via a crafted YAML file in function Scanner:EnsureTokensInQueue (bsc#1121227).
- CVE-2018-20574: Fixed remote DOS via a crafted YAML file in function SingleDocParser:HandleFlowMap (bsc#1121230).
- CVE-2019-6285: Fixed remote DOS via a crafted YAML file in function SingleDocParser::HandleFlowSequence (bsc#1122004).
- CVE-2019-6292: Fixed DOS by stack consumption in singledocparser.cpp (bsc#1122021).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2022:1074-1
Released:    Fri Apr  1 13:27:00 2022
Summary:     Recommended update for cloud-init
Type:        recommended
Severity:    moderate
References:  1193531
This update for cloud-init contains the following fixes:

- Enable broader systemctl location. (bsc#1193531)

- Remove unneeded BuildRequires on python3-nose.

  
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2022:1099-1
Released:    Mon Apr  4 12:53:05 2022
Summary:     Recommended update for aaa_base
Type:        recommended
Severity:    moderate
References:  1194883
This update for aaa_base fixes the following issues:

- Set net.ipv4.ping_group_range to allow ICMP ping (bsc#1194883)
- Include all fixes and changes for systemwide inputrc to remove the 8 bit escape sequence which interfere with UTF-8
  multi byte characters as well as support the vi mode of readline library

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2022:1109-1
Released:    Mon Apr  4 17:50:01 2022
Summary:     Recommended update for util-linux
Type:        recommended
Severity:    important
References:  1172427,1194642
This update for util-linux fixes the following issues:

- Improve throughput and reduce clock sequence increments for high load situation with time based 
  version 1 uuids. (bsc#1194642)
- Prevent root owning of `/var/lib/libuuid/clock.txt`. (bsc#1194642)
- Warn if uuidd lock state is not usable. (bsc#1194642)
- Fix 'su -s' bash completion. (bsc#1172427)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2022:1118-1
Released:    Tue Apr  5 18:34:06 2022
Summary:     Recommended update for timezone
Type:        recommended
Severity:    moderate
References:  1177460
This update for timezone fixes the following issues:

- timezone update 2022a (bsc#1177460):
  * Palestine will spring forward on 2022-03-27, not on 03-26
  * `zdump -v` now outputs better failure indications
  * Bug fixes for code that reads corrupted TZif data

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2022:1126-1
Released:    Thu Apr  7 14:05:02 2022
Summary:     Recommended update for nfs-utils
Type:        recommended
Severity:    moderate
References:  1197297,1197788
This update for nfs-utils fixes the following issues:

- Ensure `sloppy` is added correctly for newer kernels. (bsc#1197297)
  * This is required for kernels since 5.6 (like in SUSE Linux Enterprise 15 SP4), and it's safe for all kernels.
- Fix the source build with new `glibc` like in SUSE Linux Enterprise 15 SP4. (bsc#1197788)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2022:1131-1
Released:    Fri Apr  8 09:43:53 2022
Summary:     Security update for libsolv, libzypp, zypper
Type:        security
Severity:    important
References:  1184501,1194848,1195999,1196061,1196317,1196368,1196514,1196925,1197134
This update for libsolv, libzypp, zypper fixes the following issues:

Security relevant fix:

- Harden package signature checks (bsc#1184501).

libsolv to 0.7.22:

- reworked choice rule generation to cover more usecases
- support SOLVABLE_PREREQ_IGNOREINST in the ordering code (bsc#1196514)
- support parsing of Debian's Multi-Arch indicator
- fix segfault on conflict resolution when using bindings
- fix split provides not working if the update includes a forbidden vendor change
- support strict repository priorities
  new solver flag: SOLVER_FLAG_STRICT_REPO_PRIORITY
- support zstd compressed control files in debian packages
- add an ifdef allowing to rename Solvable dependency members
  ('requires' is a keyword in C++20)
- support setting/reading userdata in solv files
  new functions: repowriter_set_userdata, solv_read_userdata
- support queying of the custom vendor check function
  new function: pool_get_custom_vendorcheck
- support solv files with an idarray block
- allow accessing the toolversion at runtime

libzypp to 17.30.0:

- ZConfig: Update solver settings if target changes (bsc#1196368)
- Fix possible hang in singletrans mode (bsc#1197134)
- Do 2 retries if mount is still busy.
- Fix package signature check (bsc#1184501)
  Pay attention that header and payload are secured by a valid
  signature and report more detailed which signature is missing.
- Retry umount if device is busy (bsc#1196061, closes #381)
  A previously released ISO image may need a bit more time to
  release it's loop device. So we wait a bit and retry.
- Fix serializing/deserializing type mismatch in zypp-rpm
  protocol (bsc#1196925)
- Fix handling of ISO media in releaseAll (bsc#1196061)
- Hint on common ptf resolver conflicts (bsc#1194848)
- Hint on ptf<>patch resolver conflicts (bsc#1194848)

zypper to 1.14.52:

- info: print the packages upstream URL if available (fixes #426)
- info: Fix SEGV with not installed PTFs (bsc#1196317)
- Don't prevent less restrictive umasks (bsc#1195999)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2022:1135-1
Released:    Fri Apr  8 13:12:45 2022
Summary:     Recommended update for supportutils
Type:        recommended
Severity:    moderate
References:  1189028,1190315,1190943,1191096,1191794,1193204,1193732,1193868,1195797
This update for supportutils fixes the following issues:

- Add command `blkid`
- Add email.txt based on OPTION_EMAIL (bsc#1189028)
- Add rpcinfo -p output #116
- Add s390x specific files and output
- Add shared memory as a log directory for emergency use (bsc#1190943)
- Fix cron package for RPM validation (bsc#1190315)
- Fix for invalid argument during updates (bsc#1193204)
- Fix iscsi initiator name (bsc#1195797)
- Improve `lsblk` readability with `--ascsi` option
- Include 'multipath -t' output in mpio.txt
- Include /etc/sssd/conf.d configuration files
- Include udev rules in /lib/udev/rules.d/
- Made /proc directory and network names spaces configurable (bsc#1193868)
- Prepare future installation of binaries to /usr/sbin instead of /sbin. This does not affect 
  current SUSE Linux Enterprise 15 Service Packs (bsc#1191096)
- Move localmessage/warm logs out of messages.txt to new localwarn.txt
- Optimize configuration files
- Remove chronyc DNS lookups with -n switch (bsc#1193732)
- Remove duplicate commands in network.txt
- Remove duplicate firewalld status output
- getappcore identifies compressed core files (bsc#1191794)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2022:1147-1
Released:    Mon Apr 11 15:49:43 2022
Summary:     Recommended update for containerd
Type:        recommended
Severity:    moderate
References:  1195784

This update of containerd fixes the following issue:

- container-ctr is shipped to the PackageHub repos.

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2022:1149-1
Released:    Mon Apr 11 16:29:14 2022
Summary:     Security update for mozilla-nss
Type:        security
Severity:    important
References:  1197903,CVE-2022-1097
This update for mozilla-nss fixes the following issues:

Mozilla NSS 3.68.3 (bsc#1197903):
  - CVE-2022-1097: Fixed memory safety violations that could occur when PKCS#11
    tokens are removed while in use.

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2022:1150-1
Released:    Mon Apr 11 17:34:19 2022
Summary:     Recommended update for suse-build-key
Type:        recommended
Severity:    moderate
References:  1197293
This update for suse-build-key fixes the following issues:

No longer install 1024bit keys by default. (bsc#1197293)

- The SLE11 key has been moved to documentation directory, and is obsoleted / removed by the package.
- The old PTF (pre March 2022) key moved to documentation directory.

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2022:1158-1
Released:    Tue Apr 12 14:44:43 2022
Summary:     Security update for xz
Type:        security
Severity:    important
References:  1198062,CVE-2022-1271
This update for xz fixes the following issues:

- CVE-2022-1271: Fixed an incorrect escaping of malicious filenames (ZDI-CAN-16587). (bsc#1198062)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2022:1190-1
Released:    Wed Apr 13 20:52:23 2022
Summary:     Recommended update for cloud-init
Type:        recommended
Severity:    important
References:  1192343
This update for cloud-init contains the following fixes:

- Update to version 21.4 (bsc#1192343, jsc#PM-3181)
  + Also include VMWare functionality for (jsc#PM-3175)
  + Remove patches included upstream.
  + Forward port fixes.
  + Fix for VMware Test, system dependend, not properly mocked previously.
  + Azure: fallback nic needs to be reevaluated during reprovisioning
    (#1094) [Anh Vo]
  + azure: pps imds (#1093) [Anh Vo]
  + testing: Remove calls to 'install_new_cloud_init' (#1092)
  + Add LXD datasource (#1040)
  + Fix unhandled apt_configure case. (#1065) [Brett Holman]
  + Allow libexec for hotplug (#1088)
  + Add necessary mocks to test_ovf unit tests (#1087)
  + Remove (deprecated) apt-key (#1068) [Brett Holman] (LP: #1836336)
  + distros: Remove a completed 'TODO' comment (#1086)
  + cc_ssh.py: Add configuration for controlling ssh-keygen output (#1083)
    [dermotbradley]
  + Add 'install hotplug' module (SC-476) (#1069) (LP: #1946003)
  + hosts.alpine.tmpl: rearrange the order of short and long hostnames
    (#1084) [dermotbradley]
  + Add max version to docutils
  + cloudinit/dmi.py: Change warning to debug to prevent console display
    (#1082) [dermotbradley]
  + remove unnecessary EOF string in
    disable-sshd-keygen-if-cloud-init-active.conf (#1075) [Emanuele
    Giuseppe Esposito]
  + Add module 'write-files-deferred' executed in stage 'final' (#916)
    [Lucendio]
  + Bump pycloudlib to fix CI (#1080)
  + Remove pin in dependencies for jsonschema (#1078)
  + Add 'Google' as possible system-product-name (#1077) [vteratipally]
  + Update Debian security suite for bullseye (#1076) [Johann Queuniet]
  + Leave the details of service management to the distro (#1074)
    [Andy Fiddaman]
  + Fix typos in setup.py (#1059) [Christian Clauss]
  + Update Azure _unpickle (SC-500) (#1067) (LP: #1946644)
  + cc_ssh.py: fix private key group owner and permissions (#1070)
    [Emanuele Giuseppe Esposito]
  + VMware: read network-config from ISO (#1066) [Thomas Weißschuh]
  + testing: mock sleep in gce unit tests (#1072)
  + CloudStack: fix data-server DNS resolution (#1004)
    [Olivier Lemasle] (LP: #1942232)
  + Fix unit test broken by pyyaml upgrade (#1071)
  + testing: add get_cloud function (SC-461) (#1038)
  + Inhibit [email protected] if cloud-init is active (#1028)
    [Ryan Harper]
  + VMWARE: search the deployPkg plugin in multiarch dir (#1061)
    [xiaofengw-vmware] (LP: #1944946)
  + Fix set-name/interface DNS bug (#1058) [Andrew Kutz] (LP: #1946493)
  + Use specified tmp location for growpart (#1046) [jshen28]
  + .gitignore: ignore tags file for ctags users (#1057) [Brett Holman]
  + Allow comments in runcmd and report failed commands correctly (#1049)
    [Brett Holman] (LP: #1853146)
  + tox integration: pass the *_proxy, GOOGLE_*, GCP_* env vars (#1050)
    [Paride Legovini]
  + Allow disabling of network activation (SC-307) (#1048) (LP: #1938299)
  + renderer: convert relative imports to absolute (#1052) [Paride Legovini]
  + Support ETHx_IP6_GATEWAY, SET_HOSTNAME on OpenNebula (#1045)
    [Vlastimil Holer]
  + integration-requirements: bump the pycloudlib commit (#1047)
    [Paride Legovini]
  + Allow Vultr to set MTU and use as-is configs (#1037) [eb3095]
  + pin jsonschema in requirements.txt (#1043)
  + testing: remove cloud_tests (#1020)
  + Add andgein as contributor (#1042) [Andrew Gein]
  + Make wording for module frequency consistent (#1039) [Nicolas Bock]
  + Use ascii code for growpart (#1036) [jshen28]
  + Add jshen28 as contributor (#1035) [jshen28]
  + Skip test_cache_purged_on_version_change on Azure (#1033)
  + Remove invalid ssh_import_id from examples (#1031)
  + Cleanup Vultr support (#987) [eb3095]
  + docs: update cc_disk_setup for fs to raw disk (#1017)
  + HACKING.rst: change contact info to James Falcon (#1030)
  + tox: bump the pinned flake8 and pylint version (#1029)
    [Paride Legovini] (LP: #1944414)
  + Add retries to DataSourceGCE.py when connecting to GCE (#1005)
    [vteratipally]
  + Set Azure to apply networking config every BOOT (#1023)
  + Add connectivity_url to Oracle's EphemeralDHCPv4 (#988) (LP: #1939603)
  + docs: fix typo and include sudo for report bugs commands (#1022)
    [Renan Rodrigo] (LP: #1940236)
  + VMware: Fix typo introduced in #947 and add test (#1019) [PengpengSun]
  + Update IPv6 entries in /etc/hosts (#1021) [Richard Hansen] (LP: #1943798)
  + Integration test upgrades for the 21.3-1 SRU (#1001)
  + Add Jille to tools/.github-cla-signers (#1016) [Jille Timmermans]
  + Improve ug_util.py (#1013) [Shreenidhi Shedi]
  + Support openEuler OS (#1012) [zhuzaifangxuele]
  + ssh_utils.py: ignore when sshd_config options are not key/value pairs
    (#1007) [Emanuele Giuseppe Esposito]
  + Set Azure to only update metadata on BOOT_NEW_INSTANCE (#1006)
  + cc_update_etc_hosts: Use the distribution-defined path for the hosts
    file (#983) [Andy Fiddaman]
  + Add CloudLinux OS support (#1003) [Alexandr Kravchenko]
  + puppet config: add the start_agent option (#1002) [Andrew Bogott]
  + Fix `make style-check` errors (#1000) [Shreenidhi Shedi]
  + Make cloud-id copyright year (#991) [Andrii Podanenko]
  + Add support to accept-ra in networkd renderer (#999) [Shreenidhi Shedi]
  + Update ds-identify to pass shellcheck (#979) [Andrew Kutz]
  + Azure: Retry dhcp on timeouts when polling reprovisiondata (#998)
    [aswinrajamannar]
  + testing: Fix ssh keys integration test (#992)

- From 21.3
  + Azure: During primary nic detection, check interface status continuously
    before rebinding again (#990) [aswinrajamannar]
  + Fix home permissions modified by ssh module (SC-338) (#984)
    (LP: #1940233)
  + Add integration test for sensitive jinja substitution (#986)
  + Ignore hotplug socket when collecting logs (#985) (LP: #1940235)
  + testing: Add missing mocks to test_vmware.py (#982)
  + add Zadara Edge Cloud Platform to the supported clouds list (#963)
    [sarahwzadara]
  + testing: skip upgrade tests on LXD VMs (#980)
  + Only invoke hotplug socket when functionality is enabled (#952)
  + Revert unnecesary lcase in ds-identify (#978) [Andrew Kutz]
  + cc_resolv_conf: fix typos (#969) [Shreenidhi Shedi]
  + Replace broken httpretty tests with mock (SC-324) (#973)
  + Azure: Check if interface is up after sleep when trying to bring it up
    (#972) [aswinrajamannar]
  + Update dscheck_VMware's rpctool check (#970) [Shreenidhi Shedi]
  + Azure: Logging the detected interfaces (#968) [Moustafa Moustafa]
  + Change netifaces dependency to 0.10.4 (#965) [Andrew Kutz]
  + Azure: Limit polling network metadata on connection errors (#961)
    [aswinrajamannar]
  + Update inconsistent indentation (#962) [Andrew Kutz]
  + cc_puppet: support AIO installations and more (#960) [Gabriel Nagy]
  + Add Puppet contributors to CLA signers (#964) [Noah Fontes]
  + Datasource for VMware (#953) [Andrew Kutz]
  + photon: refactor hostname handling and add networkd activator (#958)
    [sshedi]
  + Stop copying ssh system keys and check folder permissions (#956)
    [Emanuele Giuseppe Esposito]
  + testing: port remaining cloud tests to integration testing framework
    (SC-191) (#955)
  + generate contents for ovf-env.xml when provisioning via IMDS (#959)
    [Anh Vo]
  + Add support for EuroLinux 7 && EuroLinux 8 (#957) [Aleksander Baranowski]
  + Implementing device_aliases as described in docs (#945)
    [Mal Graty] (LP: #1867532)
  + testing: fix test_ssh_import_id.py (#954)
  + Add ability to manage fallback network config on PhotonOS (#941) [sshedi]
  + Add VZLinux support (#951) [eb3095]
  + VMware: add network-config support in ovf-env.xml (#947) [PengpengSun]
  + Update pylint to v2.9.3 and fix the new issues it spots (#946)
    [Paride Legovini]
  + Azure: mount default provisioning iso before try device listing (#870)
    [Anh Vo]
  + Document known hotplug limitations (#950)
  + Initial hotplug support (#936)
  + Fix MIME policy failure on python version upgrade (#934)
  + run-container: fixup the centos repos baseurls when using http_proxy
    (#944) [Paride Legovini]
  + tools: add support for building rpms on rocky linux (#940)
  + ssh-util: allow cloudinit to merge all ssh keys into a custom user
    file, defined in AuthorizedKeysFile (#937) [Emanuele Giuseppe Esposito]
    (LP: #1911680)
  + VMware: new 'allow_raw_data' switch (#939) [xiaofengw-vmware]
  + bump pycloudlib version (#935)
  + add renanrodrigo as a contributor (#938) [Renan Rodrigo]
  + testing: simplify test_upgrade.py (#932)
  + freebsd/net_v1 format: read MTU from root (#930) [Gonéri Le Bouder]
  + Add new network activators to bring up interfaces (#919)
  + Detect a Python version change and clear the cache (#857)
    [Robert Schweikert]
  + cloud_tests: fix the Impish release name (#931) [Paride Legovini]
  + Removed distro specific network code from Photon (#929) [sshedi]
  + Add support for VMware PhotonOS (#909) [sshedi]
  + cloud_tests: add impish release definition (#927) [Paride Legovini]
  + docs: fix stale links rename master branch to main (#926)
  + Fix DNS in NetworkState (SC-133) (#923)
  + tests: Add 'adhoc' mark for integration tests (#925)
  + Fix the spelling of 'DigitalOcean' (#924) [Mark Mercado]
  + Small Doc Update for ReportEventStack and Test (#920) [Mike Russell]
  + Replace deprecated collections.Iterable with abc replacement (#922)
    (LP: #1932048)
  + testing: OCI availability domain is now required (SC-59) (#910)
  + add DragonFlyBSD support (#904) [Gonéri Le Bouder]
  + Use instance-data-sensitive.json in jinja templates (SC-117) (#917)
    (LP: #1931392)
  + doc: Update NoCloud docs stating required files (#918) (LP: #1931577)
  + build-on-netbsd: don't pin a specific py3 version (#913)
    [Gonéri Le Bouder]
  + Create the log file with 640 permissions (#858) [Robert Schweikert]
  + Allow braces to appear in dhclient output (#911) [eb3095]
  + Docs: Replace all freenode references with libera (#912)
  + openbsd/net: flush the route table on net restart (#908)
    [Gonéri Le Bouder]
  + Add Rocky Linux support to cloud-init (#906) [Louis Abel]
  + Add 'esposem' as contributor (#907) [Emanuele Giuseppe Esposito]
  + Add integration test for #868 (#901)
  + Added support for importing keys via primary/security mirror clauses
    (#882) [Paul Goins] (LP: #1925395)
  + [examples] config-user-groups expire in the future (#902)
    [Geert Stappers]
  + BSD: static network, set the mtu (#894) [Gonéri Le Bouder]
  + Add integration test for lp-1920939 (#891)
  + Fix unit tests breaking from new httpretty version (#903)
  + Allow user control over update events (#834)
  + Update test characters in substitution unit test (#893)
  + cc_disk_setup.py: remove UDEVADM_CMD definition as not used (#886)
    [dermotbradley]
  + Add AlmaLinux OS support (#872) [Andrew Lukoshko]

  + Still need to consider the 'network' configuration option
  
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2022:1250-1
Released:    Sun Apr 17 15:39:47 2022
Summary:     Security update for gzip
Type:        security
Severity:    important
References:  1177047,1180713,1198062,CVE-2022-1271
This update for gzip fixes the following issues:

- CVE-2022-1271: Fixed an incorrect escaping of malicious filenames (ZDI-CAN-16587). (bsc#1198062)

The following non-security bugs were fixed:

- Fixed an issue when 'gzexe' counts the lines to skip wrong. (bsc#1180713)
- Fixed a potential segfault when zlib acceleration is enabled (bsc#1177047)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2022:1256-1
Released:    Tue Apr 19 10:22:49 2022
Summary:     Security update for the Linux Kernel
Type:        security
Severity:    important
References:  1189562,1193738,1194943,1195051,1195254,1195353,1196018,1196114,1196433,1196468,1196488,1196514,1196639,1196761,1196830,1196836,1196942,1196973,1197227,1197331,1197366,1197391,1198031,1198032,1198033,CVE-2021-39713,CVE-2021-45868,CVE-2022-0812,CVE-2022-0850,CVE-2022-1016,CVE-2022-1048,CVE-2022-23036,CVE-2022-23037,CVE-2022-23038,CVE-2022-23039,CVE-2022-23040,CVE-2022-23041,CVE-2022-23042,CVE-2022-26490,CVE-2022-26966,CVE-2022-28356,CVE-2022-28388,CVE-2022-28389,CVE-2022-28390
The SUSE Linux Enterprise 15 SP1 kernel was updated to receive various security and bugfixes.

The following security bugs were fixed:

- CVE-2022-28356: Fixed a refcount leak bug in net/llc/af_llc.c (bnc#1197391).
- CVE-2022-1016: Fixed a vulnerability in the nf_tables component of the netfilter subsystem. This vulnerability gives an attacker a powerful primitive that can be used to both read from and write to relative stack data, which can lead to arbitrary code execution (bsc#1197227).
- CVE-2022-28388: Fixed a double free in drivers/net/can/usb/usb_8dev.c vulnerability in the Linux kernel (bnc#1198032).
- CVE-2022-28389: Fixed a double free in drivers/net/can/usb/mcba_usb.c vulnerability in the Linux kernel (bnc#1198033).
- CVE-2022-28390: Fixed a double free in drivers/net/can/usb/ems_usb.c vulnerability in the Linux kernel (bnc#1198031).
- CVE-2022-0812: Fixed an incorrect header size calculations in xprtrdma (bsc#1196639).
- CVE-2022-1048: Fixed a race Condition in snd_pcm_hw_free leading to use-after-free due to the AB/BA lock with buffer_mutex and mmap_lock (bsc#1197331).
- CVE-2022-0850: Fixed a kernel information leak vulnerability in iov_iter.c (bsc#1196761).
- CVE-2022-26966: Fixed an issue in drivers/net/usb/sr9700.c, which allowed attackers to obtain sensitive information from the memory via crafted frame lengths from a USB device (bsc#1196836).
- CVE-2021-45868: Fixed a wrong validation check in fs/quota/quota_tree.c which could lead to an use-after-free if there is a corrupted quota file (bnc#1197366).
- CVE-2021-39713: Fixed a race condition in the network scheduling subsystem which could lead to a use-after-free (bsc#1196973).
- CVE-2022-23036,CVE-2022-23037,CVE-2022-23038,CVE-2022-23039,CVE-2022-23040,CVE-2022-23041,CVE-2022-23042: Fixed multiple issues which could have lead to read/write access to memory pages or denial of service. These issues are related to the Xen PV device frontend drivers (bsc#1196488).
- CVE-2022-26490: Fixed a buffer overflow in the st21nfca driver. An attacker with adjacent NFC access could trigger crash the system or corrupt system memory (bsc#1196830).

The following non-security bugs were fixed:

- ax88179_178a: Fixed memory issues that could be triggered by malicious USB devices (bsc#1196018).
- genirq: Use rcu in kstat_irqs_usr() (bsc#1193738).
- gve/net: Fixed multiple bugfixes (jsc#SLE-23652).
- net/mlx5e: Fix page DMA map/unmap attributes (bsc#1196468).
- net: tipc: validate domain record count on input (bsc#1195254).
- powerpc: Fixed issues related to slow I/O on PowerPC (bsc#1196433).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2022:1302-1
Released:    Fri Apr 22 10:04:46 2022
Summary:     Recommended update for e2fsprogs
Type:        recommended
Severity:    moderate
References:  1196939
This update for e2fsprogs fixes the following issues:

- Add support for 'libreadline7' for Leap. (bsc#1196939)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2022:1409-1
Released:    Tue Apr 26 12:54:57 2022
Summary:     Recommended update for gcc11
Type:        recommended
Severity:    moderate
References:  1195628,1196107
This update for gcc11 fixes the following issues:

- Add a list of Obsoletes to libstdc++6-pp-gcc11 so updates from
  packages provided by older GCC work.  Add a requires from that
  package to the corresponding libstc++6 package to keep those
  at the same version.  [bsc#1196107]
- Fixed memory corruption when creating dependences with the D language frontend.
- Add gcc11-PIE, similar to gcc-PIE but affecting gcc11 [bsc#1195628]
- Put libstdc++6-pp Requires on the shared library and drop
  to Recommends.

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2022:1430-1
Released:    Wed Apr 27 10:01:43 2022
Summary:     Security update for cifs-utils
Type:        security
Severity:    important
References:  1197216,CVE-2022-27239
This update for cifs-utils fixes the following issues:

- CVE-2022-27239: Fixed a buffer overflow in the command line ip option (bsc#1197216).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2022:1438-1
Released:    Wed Apr 27 15:27:19 2022
Summary:     Recommended update for systemd-presets-common-SUSE
Type:        recommended
Severity:    low
References:  1195251
This update for systemd-presets-common-SUSE fixes the following issue:

- enable vgauthd service for VMWare by default (bsc#1195251)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2022:1452-1
Released:    Thu Apr 28 10:48:06 2022
Summary:     Recommended update for perl
Type:        recommended
Severity:    moderate
References:  1193489
This update for perl fixes the following issues:

- Fix Socket::VERSION evaluation and stabilize Socket:VERSION comparisons (bsc#1193489)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2022:1470-1
Released:    Fri Apr 29 16:47:50 2022
Summary:     Recommended update for samba
Type:        recommended
Severity:    low
References:  1134046
This update for samba fixes the following issue:

- Adjust systemd tmpfiles.d configuration, use /run/samba instead of /var/run/samba. (bsc#1134046)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2022:1512-1
Released:    Tue May  3 16:11:28 2022
Summary:     Security update for ruby2.5
Type:        security
Severity:    important
References:  1188160,1188161,1190375,1193035,1198441,CVE-2021-31799,CVE-2021-31810,CVE-2021-32066,CVE-2021-41817,CVE-2022-28739
This update for ruby2.5 fixes the following issues:

- CVE-2022-28739: Fixed a buffer overrun in String-to-Float conversion (bsc#1198441).
- CVE-2021-41817: Fixed a regular expression denial of service in Date Parsing Methods (bsc#1193035).
- CVE-2021-32066: Fixed a StartTLS stripping vulnerability in Net:IMAP (bsc#1188160).
- CVE-2021-31810: Fixed a trusting FTP PASV responses vulnerability in Net:FTP (bsc#1188161).
- CVE-2021-31799: Fixed a command injection vulnerability in RDoc (bsc#1190375). 

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2022:1548-1
Released:    Thu May  5 16:45:28 2022
Summary:     Security update for tar
Type:        security
Severity:    moderate
References:  1029961,1120610,1130496,1181131,CVE-2018-20482,CVE-2019-9923,CVE-2021-20193
This update for tar fixes the following issues:

- CVE-2021-20193: Fixed a memory leak in read_header() in list.c (bsc#1181131).
- CVE-2019-9923: Fixed a null-pointer dereference in pax_decode_header in sparse.c (bsc#1130496).
- CVE-2018-20482: Fixed infinite read loop in sparse_dump_region in sparse.c (bsc#1120610).

- Update to GNU tar 1.34:
  * Fix extraction over pipe
  * Fix memory leak in read_header (CVE-2021-20193) (bsc#1181131)
  * Fix extraction when . and .. are unreadable
  * Gracefully handle duplicate symlinks when extracting
  * Re-initialize supplementary groups when switching to user
    privileges

- Update to GNU tar 1.33:
  * POSIX extended format headers do not include PID by default
  * --delay-directory-restore works for archives with reversed
    member ordering
  * Fix extraction of a symbolic link hardlinked to another
    symbolic link
  * Wildcards in exclude-vcs-ignore mode don't match slash
  * Fix the --no-overwrite-dir option
  * Fix handling of chained renames in incremental backups
  * Link counting works for file names supplied with -T
  * Accept only position-sensitive (file-selection) options in file
    list files

- prepare usrmerge (bsc#1029961)

- Update to GNU 1.32
  * Fix the use of --checkpoint without explicit --checkpoint-action
  * Fix extraction with the -U option
  * Fix iconv usage on BSD-based systems
  * Fix possible NULL dereference (savannah bug #55369)
    [bsc#1130496] [CVE-2019-9923]
  * Improve the testsuite

- Update to GNU 1.31
  * Fix heap-buffer-overrun with --one-top-level, bug introduced
    with the addition of that option in 1.28
  * Support for zstd compression
  * New option '--zstd' instructs tar to use zstd as compression
    program. When listing, extractng and comparing, zstd compressed
    archives are recognized automatically. When '-a' option is in
    effect, zstd compression is selected if the destination archive
    name ends in '.zst' or '.tzst'.
  * The -K option interacts properly with member names given in the
    command line. Names of members to extract can be specified along
    with the '-K NAME' option. In this case, tar will extract NAME
    and those of named members that appear in the archive after it,
    which is consistent with the semantics of the option. Previous
    versions of tar extracted NAME, those of named members that
    appeared before it, and everything after it.
  * Fix CVE-2018-20482 - When creating archives with the --sparse
    option, previous versions of tar would loop endlessly if a
    sparse file had been truncated while being archived.

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2022:1556-1
Released:    Fri May  6 12:54:09 2022
Summary:     Recommended update for xkeyboard-config
Type:        recommended
Severity:    moderate
References:  1188867
This update for xkeyboard-config fixes the following issues:

- Add French standardized AZERTY layout (AFNOR: NF Z71-300) (bsc#1188867)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2022:1655-1
Released:    Fri May 13 15:36:10 2022
Summary:     Recommended update for pam
Type:        recommended
Severity:    moderate
References:  1197794
This update for pam fixes the following issue:

- Do not include obsolete header files (bsc#1197794)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2022:1658-1
Released:    Fri May 13 15:40:20 2022
Summary:     Recommended update for libpsl
Type:        recommended
Severity:    important
References:  1197771
This update for libpsl fixes the following issues:

- Fix libpsl compilation issues (bsc#1197771)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2022:1659-1
Released:    Fri May 13 15:41:32 2022
Summary:     Recommended update for cups
Type:        recommended
Severity:    moderate
References:  1189517,1195115
This update for cups fixes the following issues:

- CUPS printservice takes much longer than before with a big number of printers (bsc#1189517)
- CUPS PreserveJobHistory doesn't work with seconds (bsc#1195115)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2022:1674-1
Released:    Mon May 16 10:12:11 2022
Summary:     Security update for gzip
Type:        security
Severity:    important
References:  CVE-2022-1271
This update for gzip fixes the following issues:

- CVE-2022-1271: Add hardening for zgrep. (bsc#1198062)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2022:1688-1
Released:    Mon May 16 14:02:49 2022
Summary:     Security update for e2fsprogs
Type:        security
Severity:    important
References:  1198446,CVE-2022-1304
This update for e2fsprogs fixes the following issues:

- CVE-2022-1304: Fixed out-of-bounds read/write leading to segmentation fault
  and possibly arbitrary code execution. (bsc#1198446)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2022:1689-1
Released:    Mon May 16 14:09:01 2022
Summary:     Security update for containerd, docker
Type:        security
Severity:    important
References:  1193930,1196441,1197284,1197517,CVE-2021-43565,CVE-2022-23648,CVE-2022-24769,CVE-2022-27191
This update for containerd, docker fixes the following issues:

- CVE-2022-24769: Fixed incorrect default inheritable capabilities (bsc#1197517).
- CVE-2022-23648: Fixed directory traversal issue (bsc#1196441).
- CVE-2022-27191: Fixed a crash in a golang.org/x/crypto/ssh server (bsc#1197284).
- CVE-2021-43565: Fixed a panic in golang.org/x/crypto by empty plaintext packet (bsc#1193930).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2022:1691-1
Released:    Mon May 16 15:13:39 2022
Summary:     Recommended update for augeas
Type:        recommended
Severity:    moderate
References:  1197443
This update for augeas fixes the following issue:

- Sysctl keys can contain some more non-alphanumeric characters. (bsc#1197443) 

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2022:1750-1
Released:    Thu May 19 15:28:20 2022
Summary:     Security update for libxml2
Type:        security
Severity:    important
References:  1196490,1199132,CVE-2022-23308,CVE-2022-29824
This update for libxml2 fixes the following issues:

- CVE-2022-23308: Fixed a use-after-free of ID and IDREF attributes (bsc#1196490).
- CVE-2022-29824: Fixed integer overflow that could have led to an out-of-bounds write in buf.c (xmlBuf*) and tree.c (xmlBuffer*) (bsc#1199132).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2022:1817-1
Released:    Mon May 23 14:58:24 2022
Summary:     Security update for rsyslog
Type:        security
Severity:    important
References:  1199061,CVE-2022-24903
This update for rsyslog fixes the following issues:

- CVE-2022-24903: Fixed potential heap buffer overflow in modules for TCP syslog reception (bsc#1199061).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2022:1824-1
Released:    Tue May 24 10:31:13 2022
Summary:     Recommended update for dhcp
Type:        recommended
Severity:    moderate
References:  1198657
This update for dhcp fixes the following issues:

- Properly handle DHCRELAY(6)_OPTIONS (bsc#1198657)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2022:1832-1
Released:    Tue May 24 11:52:33 2022
Summary:     Security update for openldap2
Type:        security
Severity:    important
References:  1191157,1197004,1199240,CVE-2022-29155
This update for openldap2 fixes the following issues:

Security:
- CVE-2022-29155: Fixed SQL injection in back-sql (bsc#1199240).

Bugfixes:
- allow specification of max/min TLS version with TLS1.3 (bsc#1191157)
- libldap was able to be out of step with openldap in some cases which could cause incorrect installations and symbol
  resolution failures. openldap2 and libldap now are locked to their related release versions. (bsc#1197004)
- restore CLDAP functionality in CLI tools (jsc#PM-3288)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2022:1843-1
Released:    Wed May 25 15:25:44 2022
Summary:     Recommended update for suse-build-key
Type:        recommended
Severity:    moderate
References:  1198504
This update for suse-build-key fixes the following issues:

- still ship the old ptf key in the documentation directory (bsc#1198504)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2022:1861-1
Released:    Thu May 26 12:07:40 2022
Summary:     Security update for cups
Type:        security
Severity:    important
References:  1199474,CVE-2022-26691
This update for cups fixes the following issues:

- CVE-2022-26691: Fixed an authentication bypass and code execution vulnerability (bsc#1199474)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2022:1883-1
Released:    Mon May 30 12:41:35 2022
Summary:     Security update for pcre2
Type:        security
Severity:    important
References:  1199232,CVE-2022-1586
This update for pcre2 fixes the following issues:

- CVE-2022-1586: Fixed out-of-bounds read via missing Unicode property matching issue in JIT compiled regular expressions (bsc#1199232).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2022:1887-1
Released:    Tue May 31 09:24:18 2022
Summary:     Recommended update for grep
Type:        recommended
Severity:    moderate
References:  1040589
This update for grep fixes the following issues:

- Make profiling deterministic. (bsc#1040589, SLE-24115)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2022:2002-1
Released:    Mon Jun  6 20:54:06 2022
Summary:     Recommended update for btrfsprogs
Type:        recommended
Severity:    moderate
References:  1186571,1186823
This update for btrfsprogs fixes the following issues:

- Ignore path devices when enumerating multipath device. (bsc#1186823)
- Prevention 32bit overflow in btrfs-convert. (bsc#1186571)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2022:2019-1
Released:    Wed Jun  8 16:50:07 2022
Summary:     Recommended update for gcc11
Type:        recommended
Severity:    moderate
References:  1192951,1193659,1195283,1196861,1197065
This update for gcc11 fixes the following issues:

Update to the GCC 11.3.0 release.

* includes SLS hardening backport on x86_64.  [bsc#1195283]
* includes change to adjust gnats idea of the target, fixing the build of gprbuild.  [bsc#1196861]
* fixed miscompile of embedded premake in 0ad on i586.  [bsc#1197065]
* use --with-cpu rather than specifying --with-arch/--with-tune 
* Fix D memory corruption in -M output.
* Fix ICE in is_this_parameter with coroutines.  [bsc#1193659]
* fixes issue with debug dumping together with -o /dev/null
* fixes libgccjit issue showing up in emacs build  [bsc#1192951]
* Package mwaitintrin.h

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2022:2041-1
Released:    Fri Jun 10 11:33:51 2022
Summary:     Security update for grub2
Type:        security
Severity:    important
References:  1191184,1191185,1191186,1193282,1198460,1198493,1198496,1198581,CVE-2021-3695,CVE-2021-3696,CVE-2021-3697,CVE-2022-28733,CVE-2022-28734,CVE-2022-28736
This update for grub2 fixes the following issues:

Security fixes and hardenings for Boothole 3 / Boothole 2022 (bsc#1198581)

- CVE-2021-3695: Fixed that a crafted PNG grayscale image could lead to out-of-bounds write in heap (bsc#1191184)
- CVE-2021-3696: Fixed that a crafted PNG image could lead to out-of-bound write during huffman table handling (bsc#1191185)
- CVE-2021-3697: Fixed that a crafted JPEG image could lead to buffer underflow write in the heap (bsc#1191186)
- CVE-2022-28733: Fixed fragmentation math in net/ip (bsc#1198460)
- CVE-2022-28734: Fixed an out-of-bound write for split http headers (bsc#1198493)
- CVE-2022-28736: Fixed a use-after-free in chainloader command (bsc#1198496)
- Update SBAT security contact (bsc#1193282)
- Bump grub's SBAT generation to 2

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2022:2068-1
Released:    Tue Jun 14 10:14:47 2022
Summary:     Security update for openssl-1_1
Type:        security
Severity:    important
References:  1185637,1199166,CVE-2022-1292
This update for openssl-1_1 fixes the following issues:

- CVE-2022-1292: Fixed command injection in c_rehash (bsc#1199166).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2022:2102-1
Released:    Thu Jun 16 15:18:23 2022
Summary:     Security update for vim
Type:        security
Severity:    important
References:  1070955,1191770,1192167,1192902,1192903,1192904,1193466,1193905,1194093,1194216,1194217,1194388,1194872,1194885,1195004,1195203,1195332,1195354,1196361,1198596,1198748,1199331,1199333,1199334,1199651,1199655,1199693,1199745,1199747,1199936,1200010,1200011,1200012,CVE-2017-17087,CVE-2021-3778,CVE-2021-3796,CVE-2021-3872,CVE-2021-3875,CVE-2021-3903,CVE-2021-3927,CVE-2021-3928,CVE-2021-3968,CVE-2021-3973,CVE-2021-3974,CVE-2021-3984,CVE-2021-4019,CVE-2021-4069,CVE-2021-4136,CVE-2021-4166,CVE-2021-4192,CVE-2021-4193,CVE-2021-46059,CVE-2022-0128,CVE-2022-0213,CVE-2022-0261,CVE-2022-0318,CVE-2022-0319,CVE-2022-0351,CVE-2022-0359,CVE-2022-0361,CVE-2022-0392,CVE-2022-0407,CVE-2022-0413,CVE-2022-0696,CVE-2022-1381,CVE-2022-1420,CVE-2022-1616,CVE-2022-1619,CVE-2022-1620,CVE-2022-1733,CVE-2022-1735,CVE-2022-1771,CVE-2022-1785,CVE-2022-1796,CVE-2022-1851,CVE-2022-1897,CVE-2022-1898,CVE-2022-1927
This update for vim fixes the following issues:

- CVE-2017-17087: Fixed information leak via .swp files (bsc#1070955).
- CVE-2021-3875: Fixed heap-based buffer overflow (bsc#1191770).
- CVE-2021-3903: Fixed heap-based buffer overflow (bsc#1192167).
- CVE-2021-3968: Fixed heap-based buffer overflow (bsc#1192902).
- CVE-2021-3973: Fixed heap-based buffer overflow (bsc#1192903).
- CVE-2021-3974: Fixed use-after-free (bsc#1192904).
- CVE-2021-4069: Fixed use-after-free in ex_open()in src/ex_docmd.c (bsc#1193466).
- CVE-2021-4136: Fixed heap-based buffer overflow (bsc#1193905).
- CVE-2021-4166: Fixed out-of-bounds read (bsc#1194093).
- CVE-2021-4192: Fixed use-after-free (bsc#1194217).
- CVE-2021-4193: Fixed out-of-bounds read (bsc#1194216).
- CVE-2022-0128: Fixed out-of-bounds read (bsc#1194388).
- CVE-2022-0213: Fixed heap-based buffer overflow (bsc#1194885).
- CVE-2022-0261: Fixed heap-based buffer overflow (bsc#1194872).
- CVE-2022-0318: Fixed heap-based buffer overflow (bsc#1195004).
- CVE-2022-0359: Fixed heap-based buffer overflow in init_ccline() in ex_getln.c (bsc#1195203).
- CVE-2022-0392: Fixed heap-based buffer overflow (bsc#1195332).
- CVE-2022-0407: Fixed heap-based buffer overflow (bsc#1195354).
- CVE-2022-0696: Fixed NULL pointer dereference (bsc#1196361).
- CVE-2022-1381: Fixed global heap buffer overflow in skip_range (bsc#1198596).
- CVE-2022-1420: Fixed out-of-range pointer offset (bsc#1198748).
- CVE-2022-1616: Fixed use-after-free in append_command (bsc#1199331).
- CVE-2022-1619: Fixed heap-based Buffer Overflow in function cmdline_erase_chars (bsc#1199333).
- CVE-2022-1620: Fixed NULL pointer dereference in function vim_regexec_string (bsc#1199334).
- CVE-2022-1733: Fixed heap-based buffer overflow in cindent.c (bsc#1199655).
- CVE-2022-1735: Fixed heap-based buffer overflow (bsc#1199651).
- CVE-2022-1771: Fixed stack exhaustion (bsc#1199693).
- CVE-2022-1785: Fixed out-of-bounds write (bsc#1199745).
- CVE-2022-1796: Fixed use-after-free in find_pattern_in_path (bsc#1199747).
- CVE-2022-1851: Fixed out-of-bounds read (bsc#1199936).
- CVE-2022-1897: Fixed out-of-bounds write (bsc#1200010).
- CVE-2022-1898: Fixed use-after-free (bsc#1200011).
- CVE-2022-1927: Fixed buffer over-read (bsc#1200012).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2022:2111-1
Released:    Fri Jun 17 09:22:18 2022
Summary:     Security update for the Linux Kernel
Type:        security
Severity:    important
References:  1028340,1055710,1065729,1071995,1084513,1087082,1114648,1158266,1172456,1177282,1182171,1183723,1187055,1191647,1191958,1195065,1195651,1196018,1196367,1196426,1196999,1197219,1197343,1197663,1198400,1198516,1198577,1198660,1198687,1198742,1198777,1198825,1199012,1199063,1199314,1199399,1199426,1199505,1199507,1199605,1199650,1200143,1200144,1200249,CVE-2017-13695,CVE-2018-7755,CVE-2019-19377,CVE-2019-20811,CVE-2020-26541,CVE-2021-20292,CVE-2021-20321,CVE-2021-33061,CVE-2021-38208,CVE-2021-39711,CVE-2021-43389,CVE-2022-1011,CVE-2022-1184,CVE-2022-1353,CVE-2022-1419,CVE-2022-1516,CVE-2022-1652,CVE-2022-1729,CVE-2022-1734,CVE-2022-1974,CVE-2022-1975,CVE-2022-21123,CVE-2022-21125,CVE-2022-21127,CVE-2022-21166,CVE-2022-21180,CVE-2022-21499,CVE-2022-22942,CVE-2022-28748,CVE-2022-30594

The SUSE Linux Enterprise 15 SP1 kernel was updated.

The following security bugs were fixed:

- CVE-2022-21127: Fixed a stale MMIO data transient which can be exploited to speculatively/transiently disclose information via spectre like attacks. (bsc#1199650)
- CVE-2022-21123: Fixed a stale MMIO data transient which can be exploited to speculatively/transiently disclose information via spectre like attacks. (bsc#1199650)
- CVE-2022-21125: Fixed a stale MMIO data transient which can be exploited to speculatively/transiently disclose information via spectre like attacks. (bsc#1199650)
- CVE-2022-21180: Fixed a stale MMIO data transient which can be exploited to speculatively/transiently disclose information via spectre like attacks. (bsc#1199650)
- CVE-2022-21166: Fixed a stale MMIO data transient which can be exploited to speculatively/transiently disclose information via spectre like attacks. (bsc#1199650)
- CVE-2019-19377: Fixed an user-after-free that could be triggered when an attacker mounts a crafted btrfs filesystem image. (bnc#1158266)
- CVE-2022-1184: Fixed an use-after-free and memory errors in ext4 when mounting and operating on a corrupted image. (bsc#1198577)
- CVE-2017-13695: Fixed a bug that caused a stack dump allowing local users to obtain sensitive information from kernel memory and bypass the KASLR protection mechanism via a crafted ACPI table. (bnc#1055710)
- CVE-2022-1729: Fixed a sys_perf_event_open() race condition against self (bsc#1199507).
- CVE-2022-1652: Fixed a statically allocated error counter inside the floppy kernel module (bsc#1199063).
- CVE-2021-39711: In bpf_prog_test_run_skb of test_run.c, there is a possible out of bounds read due to Incorrect Size Value. This could lead to local information disclosure with System execution privileges needed. User interaction is not needed for exploitation (bnc#1197219).
- CVE-2022-30594: Fixed restriction bypass on setting the PT_SUSPEND_SECCOMP flag (bnc#1199505).
- CVE-2021-33061: Fixed insufficient control flow management for the Intel(R) 82599 Ethernet Controllers and Adapters that may have allowed an authenticated user to potentially enable denial of service via local access (bnc#1196426).
- CVE-2022-1516: Fixed null-ptr-deref caused by x25_disconnect (bsc#1199012).
- CVE-2021-20321: Fixed a race condition accessing file object in the OverlayFS subsystem in the way users do rename in specific way with OverlayFS. A local user could have used this flaw to crash the system (bnc#1191647).
- CVE-2019-20811: Fixed issue in rx_queue_add_kobject() and netdev_queue_add_kobject() in net/core/net-sysfs.c, where a reference count is mishandled (bnc#1172456).
- CVE-2022-28748: Fixed memory lead over the network by ax88179_178a devices (bsc#1196018).
- CVE-2018-7755: Fixed an issue in the fd_locked_ioctl function in drivers/block/floppy.c. The floppy driver will copy a kernel pointer to user memory in response to the FDGETPRM ioctl. An attacker can send the FDGETPRM ioctl and use the obtained kernel pointer to discover the location of kernel code and data and bypass kernel security protections such as KASLR (bnc#1084513).
- CVE-2022-22942: Fixed stale file descriptors on failed usercopy (bsc#1195065).
- CVE-2022-1419: Fixed a concurrency use-after-free in vgem_gem_dumb_create (bsc#1198742).
- CVE-2021-43389: Fixed an array-index-out-of-bounds flaw in the detach_capi_ctr function in drivers/isdn/capi/kcapi.c (bnc#1191958).
- CVE-2021-38208: Fixed a denial of service (NULL pointer dereference and BUG) by making a getsockname call after a certain type of failure of a bind call (bnc#1187055).
- CVE-2022-1353: Fixed access controll to kernel memory in the pfkey_register function in net/key/af_key.c (bnc#1198516).
- CVE-2021-20292: Fixed object validation prior to performing operations on the object in nouveau_sgdma_create_ttm in Nouveau DRM subsystem (bnc#1183723).
- CVE-2022-1011: Fixed an use-after-free vulnerability which could allow a local attacker to retireve (partial) /etc/shadow hashes or any other data from filesystem when he can mount a FUSE filesystems. (bnc#1197343)
- CVE-2022-1974: Fixed an use-after-free that could causes kernel crash by simulating an nfc device from user-space. (bsc#1200144).
- CVE-2020-26541: Enforce the secure boot forbidden signature database (aka dbx) protection mechanism. (bnc#1177282)
- CVE-2022-1975: Fixed a bug that allows an attacker to crash the linux kernel by simulating nfc device from user-space. (bsc#1200143)
- CVE-2022-21499: Reinforce the kernel lockdown feature, until now it's been trivial to break out of it with kgdb or kdb. (bsc#1199426)
- CVE-2022-1734: Fixed a r/w use-after-free when non synchronized between cleanup routine and firmware download routine. (bnc#1199605).

The following non-security bugs were fixed:

- btrfs: relocation: Only remove reloc rb_trees if reloc control has been initialized (bsc#1199399).
- btrfs: tree-checker: fix incorrect printk format (bsc#1200249).
- net: ena: A typo fix in the file ena_com.h (bsc#1198777).
- net: ena: Add capabilities field with support for ENI stats capability (bsc#1198777).
- net: ena: Add debug prints for invalid req_id resets (bsc#1198777).
- net: ena: add device distinct log prefix to files (bsc#1198777).
- net: ena: add jiffies of last napi call to stats (bsc#1198777).
- net: ena: aggregate doorbell common operations into a function (bsc#1198777).
- net: ena: aggregate stats increase into a function (bsc#1198777).
- net: ena: Change ENI stats support check to use capabilities field (bsc#1198777).
- net: ena: Change return value of ena_calc_io_queue_size() to void (bsc#1198777).
- net: ena: Change the name of bad_csum variable (bsc#1198777).
- net: ena: Extract recurring driver reset code into a function (bsc#1198777).
- net: ena: fix coding style nits (bsc#1198777).
- net: ena: fix DMA mapping function issues in XDP (bsc#1198777).
- net: ena: Fix error handling when calculating max IO queues number (bsc#1198777).
- net: ena: fix inaccurate print type (bsc#1198777).
- net: ena: Fix undefined state when tx request id is out of bounds (bsc#1198777).
- net: ena: Fix wrong rx request id by resetting device (bsc#1198777).
- net: ena: Improve error logging in driver (bsc#1198777).
- net: ena: introduce ndo_xdp_xmit() function for XDP_REDIRECT (bsc#1198777).
- net: ena: introduce XDP redirect implementation (bsc#1198777).
- net: ena: make symbol 'ena_alloc_map_page' static (bsc#1198777).
- net: ena: Move reset completion print to the reset function (bsc#1198777).
- net: ena: optimize data access in fast-path code (bsc#1198777).
- net: ena: re-organize code to improve readability (bsc#1198777).
- net: ena: Remove ena_calc_queue_size_ctx struct (bsc#1198777).
- net: ena: remove extra words from comments (bsc#1198777).
- net: ena: Remove module param and change message severity (bsc#1198777).
- net: ena: Remove rcu_read_lock() around XDP program invocation (bsc#1198777).
- net: ena: Remove redundant return code check (bsc#1198777).
- net: ena: Remove unused code (bsc#1198777).
- net: ena: store values in their appropriate variables types (bsc#1198777).
- net: ena: Update XDP verdict upon failure (bsc#1198777).
- net: ena: use build_skb() in RX path (bsc#1198777).
- net: ena: use constant value for net_device allocation (bsc#1198777).
- net: ena: Use dev_alloc() in RX buffer allocation (bsc#1198777).
- net: ena: Use pci_sriov_configure_simple() to enable VFs (bsc#1198777).
- net: ena: use xdp_frame in XDP TX flow (bsc#1198777).
- net: ena: use xdp_return_frame() to free xdp frames (bsc#1198777).
- net: mana: Add counter for packet dropped by XDP (bsc#1195651).
- net: mana: Add counter for XDP_TX (bsc#1195651).
- net: mana: Add handling of CQE_RX_TRUNCATED (bsc#1195651).
- net: mana: Remove unnecessary check of cqe_type in mana_process_rx_cqe() (bsc#1195651).
- net: mana: Reuse XDP dropped page (bsc#1195651).
- net: mana: Use struct_size() helper in mana_gd_create_dma_region() (bsc#1195651).
- PCI: hv: Do not set PCI_COMMAND_MEMORY to reduce VM boot time (bsc#1199314).
- powerpc/64: Fix kernel stack 16-byte alignment (bsc#1196999 ltc#196609S git-fixes).
- powerpc/64: Interrupts save PPR on stack rather than thread_struct (bsc#1196999 ltc#196609).
- powerpc/pseries: extract host bridge from pci_bus prior to bus removal (bsc#1182171 ltc#190900 bsc#1198660 ltc#197803).
- powerpc/pseries: Fix use after free in remove_phb_dynamic() (bsc#1065729 bsc#1198660 ltc#197803).
- scsi: scsi_dh_alua: Avoid crash during alua_bus_detach() (bsc#1028340 bsc#1198825).
- SUNRPC: change locking for xs_swap_enable/disable (bsc#1196367).
- x86/pm: Save the MSR validity status at context setup (bsc#1114648).
- x86/speculation: Restore speculation related MSRs during S3 resume (bsc#1114648).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2022:2158-1
Released:    Thu Jun 23 10:03:53 2022
Summary:     Security update for xen
Type:        security
Severity:    important
References:  1197423,1197425,1197426,1199965,1199966,CVE-2022-26356,CVE-2022-26357,CVE-2022-26358,CVE-2022-26359,CVE-2022-26360,CVE-2022-26361,CVE-2022-26362,CVE-2022-26363,CVE-2022-26364
This update for xen fixes the following issues:

- CVE-2022-26356: Fixed potential race conditions in dirty memory tracking that
  could cause a denial of service in the host (bsc#1197423).
- CVE-2022-26357: Fixed a potential race condition in memory cleanup for hosts
  using VT-d IOMMU hardware, which could lead to a denial of service in the host
  (bsc#1197425).
- CVE-2022-26358,CVE-2022-26359,CVE-2022-26360,CVE-2022-26361: Fixed various memory
  corruption issues for hosts using VT-d or AMD-Vi IOMMU hardware. These could be
  leveraged by an attacker to cause a denial of service in the host (bsc#1197426).
- CVE-2022-26362: Fixed race condition in typeref acquisition (bsc#1199965)
- CVE-2022-26363, CVE-2022-26364: Fixed insufficient care with non-coherent mappings (bsc#1199966)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2022:2179-1
Released:    Fri Jun 24 14:05:25 2022
Summary:     Security update for openssl
Type:        security
Severity:    moderate
References:  1200550,CVE-2022-2068
This update for openssl fixes the following issues:

- CVE-2022-2068: Fixed more shell code injection issues in c_rehash. (bsc#1200550)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2022:2311-1
Released:    Wed Jul  6 15:16:17 2022
Summary:     Security update for openssl-1_1
Type:        security
Severity:    important
References:  1201099,CVE-2022-2097
This update for openssl-1_1 fixes the following issues:

- CVE-2022-2097: Fixed partial missing encryption in AES OCB mode (bsc#1201099).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2022:2323-1
Released:    Thu Jul  7 12:16:58 2022
Summary:     Recommended update for systemd-presets-branding-SLE
Type:        recommended
Severity:    low
References:  
This update for systemd-presets-branding-SLE fixes the following issues:

- Enable suseconnect-keepalive.timer for SUSEConnect (jsc#SLE-23312)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2022:2341-1
Released:    Fri Jul  8 16:09:12 2022
Summary:     Security update for containerd, docker and runc
Type:        security
Severity:    important
References:  1192051,1199460,1199565,1200088,1200145,CVE-2022-29162,CVE-2022-31030
This update for containerd, docker and runc fixes the following issues:

containerd:

- CVE-2022-31030: Fixed denial of service via invocation of the ExecSync API (bsc#1200145)

docker:

- Update to Docker 20.10.17-ce. See upstream changelog online at
  https://docs.docker.com/engine/release-notes/#201017. (bsc#1200145)

runc:

Update to runc v1.1.3.

Upstream changelog is available from https://github.com/opencontainers/runc/releases/tag/v1.1.3.

* Our seccomp `-ENOSYS` stub now correctly handles multiplexed syscalls on
  s390 and s390x. This solves the issue where syscalls the host kernel did not
  support would return `-EPERM` despite the existence of the `-ENOSYS` stub
  code (this was due to how s390x does syscall multiplexing).
* Retry on dbus disconnect logic in libcontainer/cgroups/systemd now works as
  intended; this fix does not affect runc binary itself but is important for
  libcontainer users such as Kubernetes.
* Inability to compile with recent clang due to an issue with duplicate
  constants in libseccomp-golang.
* When using systemd cgroup driver, skip adding device paths that don't exist,
  to stop systemd from emitting warnings about those paths.
* Socket activation was failing when more than 3 sockets were used.
* Various CI fixes.
* Allow to bind mount /proc/sys/kernel/ns_last_pid to inside container.
- Fixed issues with newer syscalls (namely faccessat2) on older kernels on s390(x) caused by
  that platform's syscall multiplexing semantics. (bsc#1192051 bsc#1199565)

Update to runc v1.1.2.

Upstream changelog is available from https://github.com/opencontainers/runc/releases/tag/v1.1.2.

Security issue fixed:

- CVE-2022-29162: A bug was found in runc where runc exec --cap executed processes with
  non-empty inheritable Linux process capabilities, creating an atypical Linux
  environment. (bsc#1199460)

- `runc spec` no longer sets any inheritable capabilities in the created
  example OCI spec (`config.json`) file.

Update to runc v1.1.1.

Upstream changelog is available from https://github.com/opencontainers/runc/releases/tag/v1.1.1.

* runc run/start can now run a container with read-only /dev in OCI spec,
  rather than error out. (#3355)
* runc exec now ensures that --cgroup argument is a sub-cgroup. (#3403)
  libcontainer systemd v2 manager no longer errors out if one of the files
  listed in /sys/kernel/cgroup/delegate do not exist in container's
  cgroup. (#3387, #3404)
* Loosen OCI spec validation to avoid bogus 'Intel RDT is not supported'
  error. (#3406)
* libcontainer/cgroups no longer panics in cgroup v1 managers if stat
  of /sys/fs/cgroup/unified returns an error other than ENOENT. (#3435)

Update to runc v1.1.0.

Upstream changelog is available from https://github.com/opencontainers/runc/releases/tag/v1.1.0.

- libcontainer will now refuse to build without the nsenter package being
  correctly compiled (specifically this requires CGO to be enabled). This
  should avoid folks accidentally creating broken runc binaries (and
  incorrectly importing our internal libraries into their projects). (#3331)

Update to runc v1.1.0~rc1.

Upstream changelog is available from https://github.com/opencontainers/runc/releases/tag/v1.1.0-rc.1.

+ Add support for RDMA cgroup added in Linux 4.11.
* runc exec now produces exit code of 255 when the exec failed.
  This may help in distinguishing between runc exec failures
  (such as invalid options, non-running container or non-existent
  binary etc.) and failures of the command being executed.
+ runc run: new --keep option to skip removal exited containers artefacts.
  This might be useful to check the state (e.g. of cgroup controllers) after
  the container hasexited.
+ seccomp: add support for SCMP_ACT_KILL_PROCESS and SCMP_ACT_KILL_THREAD
  (the latter is just an alias for SCMP_ACT_KILL).
+ seccomp: add support for SCMP_ACT_NOTIFY (seccomp actions). This allows
  users to create sophisticated seccomp filters where syscalls can be
  efficiently emulated by privileged processes on the host.
+ checkpoint/restore: add an option (--lsm-mount-context) to set
  a different LSM mount context on restore.
+ intelrdt: support ClosID parameter.
+ runc exec --cgroup: an option to specify a (non-top) in-container cgroup
  to use for the process being executed.
+ cgroup v1 controllers now support hybrid hierarchy (i.e. when on a cgroup v1
  machine a cgroup2 filesystem is mounted to /sys/fs/cgroup/unified, runc
  run/exec now adds the container to the appropriate cgroup under it).
+ sysctl: allow slashes in sysctl names, to better match sysctl(8)'s
  behaviour.
+ mounts: add support for bind-mounts which are inaccessible after switching
  the user namespace. Note that this does not permit the container any
  additional access to the host filesystem, it simply allows containers to
  have bind-mounts configured for paths the user can access but have
  restrictive access control settings for other users.
+ Add support for recursive mount attributes using mount_setattr(2). These
  have the same names as the proposed mount(8) options -- just prepend r
  to the option name (such as rro).
+ Add runc features subcommand to allow runc users to detect what features
  runc has been built with. This includes critical information such as
  supported mount flags, hook names, and so on. Note that the output of this
  command is subject to change and will not be considered stable until runc
  1.2 at the earliest. The runtime-spec specification for this feature is
  being developed in opencontainers/runtime-spec#1130.
* system: improve performance of /proc/$pid/stat parsing.
* cgroup2: when /sys/fs/cgroup is configured as a read-write mount, change
  the ownership of certain cgroup control files (as per
  /sys/kernel/cgroup/delegate) to allow for proper deferral to the container
  process.
* runc checkpoint/restore: fixed for containers with an external bind mount
  which destination is a symlink.
* cgroup: improve openat2 handling for cgroup directory handle hardening.
  runc delete -f now succeeds (rather than timing out) on a paused
  container.
* runc run/start/exec now refuses a frozen cgroup (paused container in case of
  exec). Users can disable this using --ignore-paused.
- Update version data embedded in binary to correctly include the git commit of the release.

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2022:2351-1
Released:    Mon Jul 11 10:50:12 2022
Summary:     Security update for python3
Type:        security
Severity:    important
References:  1186819,1190566,1192249,1193179,1198511,CVE-2015-20107,CVE-2021-3572
This update for python3 fixes the following issues:

Security issues fixed:

- CVE-2021-3572: Update bundled pip wheel to the latest SLE version (bsc#1186819)
- CVE-2015-20107: avoid command injection in the mailcap module (bsc#1198511).

Other bugs fixed:

- Remove shebangs from from python-base libraries in _libdir
  (bsc#1193179, bsc#1192249).


-----------------------------------------------------------------
Advisory ID: SUSE-SU-2022:2361-1
Released:    Tue Jul 12 12:05:01 2022
Summary:     Security update for pcre
Type:        security
Severity:    important
References:  1199232,CVE-2022-1586
This update for pcre fixes the following issues:

- CVE-2022-1586: Fixed unicode property matching issue. (bsc#1199232)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2022:2380-1
Released:    Wed Jul 13 10:46:20 2022
Summary:     Recommended update for dracut
Type:        recommended
Severity:    moderate
References:  1003872,1175102,1178219,1199453
This update for dracut fixes the following issues:

- Fixed for adding timeout to umount calls. (bsc#1178219)
- Fixed setup errors in net-lib.sh due to premature did-setup in ifup.sh (bsc#1175102)
- Fix kernel name parsing in purge-kernels script (bsc#1199453)
- Fix nfsroot option parsing to avoid 'dracut' creating faulty default command line argument. (bsc#1003872)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2022:2403-1
Released:    Thu Jul 14 16:59:56 2022
Summary:     Security update for python-PyJWT
Type:        security
Severity:    important
References:  1199756,CVE-2022-29217
This update for python-PyJWT fixes the following issues:

- CVE-2022-29217: Fixed key confusion through non-blocklisted public key format (bsc#1199756).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2022:2405-1
Released:    Fri Jul 15 11:47:57 2022
Summary:     Security update for p11-kit
Type:        security
Severity:    moderate
References:  1180065,CVE-2020-29362
This update for p11-kit fixes the following issues:

- CVE-2020-29362: Fixed a 4 byte overread in p11_rpc_buffer_get_byte_array which could lead to crashes (bsc#1180065)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2022:2411-1
Released:    Fri Jul 15 14:27:56 2022
Summary:     Security update for the Linux Kernel
Type:        security
Severity:    important
References:  1194013,1196901,1199487,1199657,1200571,1200599,1200604,1200605,1200608,1200619,1200692,1200762,1201050,1201080,1201251,CVE-2021-26341,CVE-2021-4157,CVE-2022-1679,CVE-2022-20132,CVE-2022-20141,CVE-2022-20154,CVE-2022-2318,CVE-2022-26365,CVE-2022-29900,CVE-2022-29901,CVE-2022-33740,CVE-2022-33741,CVE-2022-33742,CVE-2022-33981
The SUSE Linux Enterprise 15 SP1 kernel was updated to receive various security and bugfixes.


The following security bugs were fixed:

- CVE-2022-29900, CVE-2022-29901: Fixed the RETBLEED attack, a new Spectre like Branch Target Buffer attack, that can leak arbitrary kernel information (bsc#1199657).
- CVE-2022-1679: Fixed a use-after-free in the Atheros wireless driver in the way a user forces the ath9k_htc_wait_for_target function to fail with some input messages (bsc#1199487).
- CVE-2022-20132: Fixed out of bounds read due to improper input validation in lg_probe and related functions of hid-lg.c (bsc#1200619).
- CVE-2022-33981: Fixed use-after-free in floppy driver (bsc#1200692)
- CVE-2022-20141: Fixed a possible use after free due to improper locking in ip_check_mc_rcu() (bsc#1200604).
- CVE-2021-4157: Fixed an out of memory bounds write flaw in the NFS subsystem, related to the replication of files with NFS. A user could potentially crash the system or escalate privileges on the system (bsc#1194013).
- CVE-2022-20154: Fixed a use after free due to a race condition in lock_sock_nested of sock.c. This could lead to local escalation of privilege with System execution privileges needed (bsc#1200599).
- CVE-2022-2318: Fixed a use-after-free vulnerabilities in the timer handler in net/rose/rose_timer.c that allow attackers to crash the system without any privileges (bsc#1201251).
- CVE-2022-26365, CVE-2022-33740, CVE-2022-33741, CVE-2022-33742: Fixed multiple potential data leaks with Block and Network devices when using untrusted backends (bsc#1200762).
- CVE-2021-26341: Some AMD CPUs may transiently execute beyond unconditional direct branches, which may potentially result in data leakage (bsc#1201050).

The following non-security bugs were fixed:

- exec: Force single empty string when argv is empty (bsc#1200571).


The following package changes have been done:

- aaa_base-84.87+git20180409.04c9dae-3.57.1 updated
- bind-utils-9.16.6-150000.12.60.1 updated
- btrfsprogs-udev-rules-4.19.1-150100.8.11.1 updated
- btrfsprogs-4.19.1-150100.8.11.1 updated
- cifs-utils-6.9-150100.5.15.1 updated
- cloud-init-config-suse-21.4-150100.8.58.1 updated
- cloud-init-21.4-150100.8.58.1 updated
- containerd-ctr-1.6.6-150000.73.2 updated
- containerd-1.6.6-150000.73.2 updated
- coreutils-8.29-4.3.1 updated
- cups-config-2.2.7-150000.3.32.1 updated
- dhcp-client-4.3.6.P1-150000.6.14.1 updated
- dhcp-4.3.6.P1-150000.6.14.1 updated
- docker-20.10.17_ce-150000.166.1 updated
- dracut-044.2-150000.18.79.2 updated
- e2fsprogs-1.43.8-150000.4.33.1 updated
- filesystem-15.0-11.8.1 updated
- glibc-locale-base-2.26-13.65.1 updated
- glibc-locale-2.26-13.65.1 updated
- glibc-2.26-13.65.1 updated
- grep-3.1-150000.4.6.1 updated
- grub2-i386-pc-2.02-150100.123.12.2 updated
- grub2-x86_64-efi-2.02-150100.123.12.2 updated
- grub2-x86_64-xen-2.02-150100.123.12.2 updated
- grub2-2.02-150100.123.12.2 updated
- gzip-1.10-150000.4.15.1 updated
- kernel-default-4.12.14-150100.197.117.1 updated
- libaugeas0-1.10.1-150000.3.12.1 updated
- libavahi-client3-0.7-3.18.1 updated
- libavahi-common3-0.7-3.18.1 updated
- libbind9-1600-9.16.6-150000.12.60.1 updated
- libblkid1-2.33.2-150100.4.21.1 updated
- libcom_err2-1.43.8-150000.4.33.1 updated
- libcups2-2.2.7-150000.3.32.1 updated
- libdcerpc-binding0-4.9.5+git.487.9b5717b962b-150100.3.67.2 updated
- libdcerpc0-4.9.5+git.487.9b5717b962b-150100.3.67.2 updated
- libdns1605-9.16.6-150000.12.60.1 updated
- libexpat1-2.2.5-3.19.1 updated
- libext2fs2-1.43.8-150000.4.33.1 updated
- libfdisk1-2.33.2-150100.4.21.1 updated
- libfreebl3-3.68.3-150000.3.67.1 updated
- libgcc_s1-11.3.0+git1637-150000.1.9.1 updated
- libirs1601-9.16.6-150000.12.60.1 updated
- libisc1606-9.16.6-150000.12.60.1 updated
- libisccc1600-9.16.6-150000.12.60.1 updated
- libisccfg1600-9.16.6-150000.12.60.1 updated
- libldap-2_4-2-2.4.46-150000.9.71.1 updated
- libldap-data-2.4.46-150000.9.71.1 updated
- liblzma5-5.2.3-150000.4.7.1 updated
- libmount1-2.33.2-150100.4.21.1 updated
- libndr-krb5pac0-4.9.5+git.487.9b5717b962b-150100.3.67.2 updated
- libndr-nbt0-4.9.5+git.487.9b5717b962b-150100.3.67.2 updated
- libndr-standard0-4.9.5+git.487.9b5717b962b-150100.3.67.2 updated
- libndr0-4.9.5+git.487.9b5717b962b-150100.3.67.2 updated
- libnetapi0-4.9.5+git.487.9b5717b962b-150100.3.67.2 updated
- libns1604-9.16.6-150000.12.60.1 updated
- libopenssl1_1-1.1.0i-150100.14.36.1 updated
- libp11-kit0-0.23.2-150000.4.16.1 updated
- libpcre1-8.45-150000.20.13.1 updated
- libpcre2-8-0-10.31-150000.3.7.1 updated
- libprocps7-3.3.15-7.22.1 updated
- libprotobuf-lite15-3.5.0-5.5.1 updated
- libpsl5-0.20.1-150000.3.3.1 updated
- libpython3_6m1_0-3.6.15-150000.3.106.1 updated
- libruby2_5-2_5-2.5.9-150000.4.23.1 updated
- libsamba-credentials0-4.9.5+git.487.9b5717b962b-150100.3.67.2 updated
- libsamba-errors0-4.9.5+git.487.9b5717b962b-150100.3.67.2 updated
- libsamba-hostconfig0-4.9.5+git.487.9b5717b962b-150100.3.67.2 updated
- libsamba-passdb0-4.9.5+git.487.9b5717b962b-150100.3.67.2 updated
- libsamba-util0-4.9.5+git.487.9b5717b962b-150100.3.67.2 updated
- libsamdb0-4.9.5+git.487.9b5717b962b-150100.3.67.2 updated
- libsasl2-3-2.1.26-5.10.1 updated
- libsmartcols1-2.33.2-150100.4.21.1 updated
- libsmbconf0-4.9.5+git.487.9b5717b962b-150100.3.67.2 updated
- libsmbldap2-4.9.5+git.487.9b5717b962b-150100.3.67.2 updated
- libsolv-tools-0.7.22-150100.4.6.1 updated
- libstdc++6-11.3.0+git1637-150000.1.9.1 updated
- libsystemd0-234-24.108.1 updated
- libtevent-util0-4.9.5+git.487.9b5717b962b-150100.3.67.2 updated
- libtirpc-netconfig-1.0.2-3.11.1 updated
- libtirpc3-1.0.2-3.11.1 updated
- libudev1-234-24.108.1 updated
- libuuid1-2.33.2-150100.4.21.1 updated
- libwbclient0-4.9.5+git.487.9b5717b962b-150100.3.67.2 updated
- libxml2-2-2.9.7-150000.3.46.1 updated
- libyaml-cpp0_6-0.6.1-4.5.1 updated
- libz1-1.2.11-150000.3.30.1 updated
- libzypp-17.30.0-150100.3.78.1 updated
- nfs-client-2.1.1-150100.10.24.1 updated
- openssl-1_1-1.1.0i-150100.14.36.1 updated
- p11-kit-tools-0.23.2-150000.4.16.1 updated
- p11-kit-0.23.2-150000.4.16.1 updated
- pam-1.3.0-150000.6.58.3 updated
- perl-base-5.26.1-150000.7.15.1 updated
- perl-5.26.1-150000.7.15.1 updated
- procps-3.3.15-7.22.1 updated
- python3-PyJWT-1.7.1-150100.6.7.1 updated
- python3-base-3.6.15-150000.3.106.1 updated
- python3-bind-9.16.6-150000.12.60.1 updated
- python3-netifaces-0.10.6-1.31 added
- python3-3.6.15-150000.3.106.1 updated
- rsyslog-8.33.1-150000.3.37.1 updated
- ruby2.5-stdlib-2.5.9-150000.4.23.1 updated
- ruby2.5-2.5.9-150000.4.23.1 updated
- runc-1.1.3-150000.30.1 updated
- samba-libs-python3-4.9.5+git.487.9b5717b962b-150100.3.67.2 updated
- samba-libs-4.9.5+git.487.9b5717b962b-150100.3.67.2 updated
- sudo-1.8.27-4.24.1 updated
- supportutils-plugin-suse-public-cloud-1.0.6-3.9.1 updated
- supportutils-3.1.20-150000.5.39.1 updated
- suse-build-key-12.0-150000.8.25.1 updated
- systemd-presets-branding-SLE-15.1-150100.20.11.1 updated
- systemd-presets-common-SUSE-15-150100.8.12.1 updated
- systemd-sysvinit-234-24.108.1 updated
- systemd-234-24.108.1 updated
- tar-1.34-150000.3.12.1 updated
- tcpdump-4.9.2-3.18.1 updated
- timezone-2022a-150000.75.7.1 updated
- udev-234-24.108.1 updated
- update-alternatives-1.19.0.4-4.3.1 updated
- util-linux-systemd-2.33.2-150100.4.21.1 updated
- util-linux-2.33.2-150100.4.21.1 updated
- vim-data-common-8.2.5038-150000.5.21.1 updated
- vim-8.2.5038-150000.5.21.1 updated
- wicked-service-0.6.68-3.24.1 updated
- wicked-0.6.68-3.24.1 updated
- xen-libs-4.12.4_24-150100.3.72.1 updated
- xen-tools-domU-4.12.4_24-150100.3.72.1 updated
- xkeyboard-config-2.23.1-150000.3.12.1 updated
- xz-5.2.3-150000.4.7.1 updated
- zypper-1.14.52-150100.3.55.2 updated

SUSE: 2022:814-1 suse-sles-15-sp1-chost-byos-v20220715-hvm-ssd-x86_64 Security Update

July 18, 2022
The container suse-sles-15-sp1-chost-byos-v20220715-hvm-ssd-x86_64 was updated

Summary

Advisory ID: SUSE-SU-2022:284-1 Released: Tue Feb 1 17:15:23 2022 Summary: Security update for samba Type: security Severity: critical Advisory ID: SUSE-SU-2022:334-1 Released: Fri Feb 4 09:30:58 2022 Summary: Security update for containerd, docker Type: security Severity: moderate Advisory ID: SUSE-RU-2022:337-1 Released: Fri Feb 4 10:24:28 2022 Summary: Recommended update for libzypp Type: recommended Severity: important Advisory ID: SUSE-RU-2022:345-1 Released: Tue Feb 8 05:13:04 2022 Summary: Recommended update for wicked Type: recommended Severity: moderate Advisory ID: SUSE-SU-2022:366-1 Released: Thu Feb 10 17:40:06 2022 Summary: Security update for the Linux Kernel Type: security Severity: critical Advisory ID: SUSE-SU-2022:468-1 Released: Thu Feb 17 09:52:01 2022 Summary: Security update for xen Type: security Severity: important Advisory ID: SUSE-RU-2022:473-1 Released: Thu Feb 17 10:29:42 2022 Summary: Recommended update for libzypp, zypper Type: recommended Severity: moderate Advisory ID: SUSE-RU-2022:476-1 Released: Thu Feb 17 10:31:35 2022 Summary: Recommended update for nfs-utils Type: recommended Severity: moderate Advisory ID: SUSE-SU-2022:498-1 Released: Fri Feb 18 10:46:56 2022 Summary: Security update for expat Type: security Severity: important Advisory ID: SUSE-RU-2022:511-1 Released: Fri Feb 18 12:41:53 2022 Summary: Recommended update for coreutils Type: recommended Severity: moderate Advisory ID: SUSE-RU-2022:523-1 Released: Fri Feb 18 12:49:09 2022 Summary: Recommended update for systemd Type: recommended Severity: moderate Advisory ID: SUSE-RU-2022:674-1 Released: Wed Mar 2 13:24:36 2022 Summary: Recommended update for yast2-network Type: recommended Severity: moderate Advisory ID: SUSE-RU-2022:682-1 Released: Thu Mar 3 11:37:03 2022 Summary: Recommended update for supportutils-plugin-suse-public-cloud Type: recommended Severity: important Advisory ID: SUSE-RU-2022:692-1 Released: Thu Mar 3 15:46:47 2022 Summary: Recommended update for filesystem Type: recommended Severity: moderate Advisory ID: SUSE-RU-2022:701-1 Released: Thu Mar 3 17:45:33 2022 Summary: Recommended update for sudo Type: recommended Severity: moderate Advisory ID: SUSE-SU-2022:702-1 Released: Thu Mar 3 18:22:59 2022 Summary: Security update for cyrus-sasl Type: security Severity: important Advisory ID: SUSE-SU-2022:713-1 Released: Fri Mar 4 09:34:17 2022 Summary: Security update for expat Type: security Severity: important Advisory ID: SUSE-SU-2022:720-1 Released: Fri Mar 4 10:20:28 2022 Summary: Security update for containerd Type: security Severity: moderate Advisory ID: SUSE-SU-2022:736-1 Released: Fri Mar 4 14:51:57 2022 Summary: Security update for vim Type: security Severity: important Advisory ID: SUSE-SU-2022:768-1 Released: Tue Mar 8 19:10:57 2022 Summary: Security update for the Linux Kernel Type: security Severity: important Advisory ID: SUSE-SU-2022:774-1 Released: Wed Mar 9 10:52:10 2022 Summary: Security update for tcpdump Type: security Severity: moderate Advisory ID: SUSE-RU-2022:787-1 Released: Thu Mar 10 11:20:13 2022 Summary: Recommended update for openldap2 Type: recommended Severity: moderate Advisory ID: SUSE-RU-2022:789-1 Released: Thu Mar 10 11:22:05 2022 Summary: Recommended update for update-alternatives Type: recommended Severity: moderate Advisory ID: SUSE-RU-2022:792-1 Released: Thu Mar 10 11:58:18 2022 Summary: Recommended update for suse-build-key Type: recommended Severity: moderate Advisory ID: SUSE-RU-2022:808-1 Released: Fri Mar 11 06:07:58 2022 Summary: Recommended update for procps Type: recommended Severity: moderate Advisory ID: SUSE-SU-2022:823-1 Released: Mon Mar 14 15:16:37 2022 Summary: Security update for protobuf Type: security Severity: moderate Advisory ID: SUSE-SU-2022:832-1 Released: Mon Mar 14 17:27:03 2022 Summary: Security update for glibc Type: security Severity: important Advisory ID: SUSE-SU-2022:844-1 Released: Tue Mar 15 11:33:57 2022 Summary: Security update for expat Type: security Severity: important Advisory ID: SUSE-SU-2022:845-1 Released: Tue Mar 15 11:40:50 2022 Summary: Security update for chrony Type: security Severity: moderate Advisory ID: SUSE-SU-2022:853-1 Released: Tue Mar 15 19:27:30 2022 Summary: Security update for openssl-1_1 Type: security Severity: important Advisory ID: SUSE-RU-2022:861-1 Released: Tue Mar 15 23:31:21 2022 Summary: Recommended update for openssl-1_1 Type: recommended Severity: moderate Advisory ID: SUSE-RU-2022:867-1 Released: Wed Mar 16 07:14:44 2022 Summary: Recommended update for libtirpc Type: recommended Severity: moderate Advisory ID: SUSE-RU-2022:874-1 Released: Wed Mar 16 10:40:52 2022 Summary: Recommended update for openldap2 Type: recommended Severity: moderate Advisory ID: SUSE-RU-2022:888-1 Released: Thu Mar 17 10:56:42 2022 Summary: Recommended update for avahi Type: recommended Severity: moderate Advisory ID: SUSE-SU-2022:931-1 Released: Tue Mar 22 11:10:44 2022 Summary: Security update for xen Type: security Severity: important Advisory ID: SUSE-RU-2022:936-1 Released: Tue Mar 22 18:10:17 2022 Summary: Recommended update for filesystem and systemd-rpm-macros Type: recommended Severity: moderate Advisory ID: SUSE-SU-2022:946-1 Released: Thu Mar 24 15:19:49 2022 Summary: Security update for bind Type: security Severity: important Advisory ID: SUSE-RU-2022:1021-1 Released: Tue Mar 29 13:24:21 2022 Summary: Recommended update for systemd Type: recommended Severity: moderate Advisory ID: SUSE-RU-2022:1047-1 Released: Wed Mar 30 16:20:56 2022 Summary: Recommended update for pam Type: recommended Severity: moderate Advisory ID: SUSE-SU-2022:1061-1 Released: Wed Mar 30 18:27:06 2022 Summary: Security update for zlib Type: security Severity: important Advisory ID: SUSE-SU-2022:1073-1 Released: Fri Apr 1 11:45:01 2022 Summary: Security update for yaml-cpp Type: security Severity: moderate Advisory ID: SUSE-RU-2022:1074-1 Released: Fri Apr 1 13:27:00 2022 Summary: Recommended update for cloud-init Type: recommended Severity: moderate Advisory ID: SUSE-RU-2022:1099-1 Released: Mon Apr 4 12:53:05 2022 Summary: Recommended update for aaa_base Type: recommended Severity: moderate Advisory ID: SUSE-RU-2022:1109-1 Released: Mon Apr 4 17:50:01 2022 Summary: Recommended update for util-linux Type: recommended Severity: important Advisory ID: SUSE-RU-2022:1118-1 Released: Tue Apr 5 18:34:06 2022 Summary: Recommended update for timezone Type: recommended Severity: moderate Advisory ID: SUSE-RU-2022:1126-1 Released: Thu Apr 7 14:05:02 2022 Summary: Recommended update for nfs-utils Type: recommended Severity: moderate Advisory ID: SUSE-SU-2022:1131-1 Released: Fri Apr 8 09:43:53 2022 Summary: Security update for libsolv, libzypp, zypper Type: security Severity: important Advisory ID: SUSE-RU-2022:1135-1 Released: Fri Apr 8 13:12:45 2022 Summary: Recommended update for supportutils Type: recommended Severity: moderate Advisory ID: SUSE-RU-2022:1147-1 Released: Mon Apr 11 15:49:43 2022 Summary: Recommended update for containerd Type: recommended Severity: moderate Advisory ID: SUSE-SU-2022:1149-1 Released: Mon Apr 11 16:29:14 2022 Summary: Security update for mozilla-nss Type: security Severity: important Advisory ID: SUSE-RU-2022:1150-1 Released: Mon Apr 11 17:34:19 2022 Summary: Recommended update for suse-build-key Type: recommended Severity: moderate Advisory ID: SUSE-SU-2022:1158-1 Released: Tue Apr 12 14:44:43 2022 Summary: Security update for xz Type: security Severity: important Advisory ID: SUSE-RU-2022:1190-1 Released: Wed Apr 13 20:52:23 2022 Summary: Recommended update for cloud-init Type: recommended Severity: important Advisory ID: SUSE-SU-2022:1250-1 Released: Sun Apr 17 15:39:47 2022 Summary: Security update for gzip Type: security Severity: important Advisory ID: SUSE-SU-2022:1256-1 Released: Tue Apr 19 10:22:49 2022 Summary: Security update for the Linux Kernel Type: security Severity: important Advisory ID: SUSE-RU-2022:1302-1 Released: Fri Apr 22 10:04:46 2022 Summary: Recommended update for e2fsprogs Type: recommended Severity: moderate Advisory ID: SUSE-RU-2022:1409-1 Released: Tue Apr 26 12:54:57 2022 Summary: Recommended update for gcc11 Type: recommended Severity: moderate Advisory ID: SUSE-SU-2022:1430-1 Released: Wed Apr 27 10:01:43 2022 Summary: Security update for cifs-utils Type: security Severity: important Advisory ID: SUSE-RU-2022:1438-1 Released: Wed Apr 27 15:27:19 2022 Summary: Recommended update for systemd-presets-common-SUSE Type: recommended Severity: low Advisory ID: SUSE-RU-2022:1452-1 Released: Thu Apr 28 10:48:06 2022 Summary: Recommended update for perl Type: recommended Severity: moderate Advisory ID: SUSE-RU-2022:1470-1 Released: Fri Apr 29 16:47:50 2022 Summary: Recommended update for samba Type: recommended Severity: low Advisory ID: SUSE-SU-2022:1512-1 Released: Tue May 3 16:11:28 2022 Summary: Security update for ruby2.5 Type: security Severity: important Advisory ID: SUSE-SU-2022:1548-1 Released: Thu May 5 16:45:28 2022 Summary: Security update for tar Type: security Severity: moderate Advisory ID: SUSE-RU-2022:1556-1 Released: Fri May 6 12:54:09 2022 Summary: Recommended update for xkeyboard-config Type: recommended Severity: moderate Advisory ID: SUSE-RU-2022:1655-1 Released: Fri May 13 15:36:10 2022 Summary: Recommended update for pam Type: recommended Severity: moderate Advisory ID: SUSE-RU-2022:1658-1 Released: Fri May 13 15:40:20 2022 Summary: Recommended update for libpsl Type: recommended Severity: important Advisory ID: SUSE-RU-2022:1659-1 Released: Fri May 13 15:41:32 2022 Summary: Recommended update for cups Type: recommended Severity: moderate Advisory ID: SUSE-SU-2022:1674-1 Released: Mon May 16 10:12:11 2022 Summary: Security update for gzip Type: security Severity: important Advisory ID: SUSE-SU-2022:1688-1 Released: Mon May 16 14:02:49 2022 Summary: Security update for e2fsprogs Type: security Severity: important Advisory ID: SUSE-SU-2022:1689-1 Released: Mon May 16 14:09:01 2022 Summary: Security update for containerd, docker Type: security Severity: important Advisory ID: SUSE-RU-2022:1691-1 Released: Mon May 16 15:13:39 2022 Summary: Recommended update for augeas Type: recommended Severity: moderate Advisory ID: SUSE-SU-2022:1750-1 Released: Thu May 19 15:28:20 2022 Summary: Security update for libxml2 Type: security Severity: important Advisory ID: SUSE-SU-2022:1817-1 Released: Mon May 23 14:58:24 2022 Summary: Security update for rsyslog Type: security Severity: important Advisory ID: SUSE-RU-2022:1824-1 Released: Tue May 24 10:31:13 2022 Summary: Recommended update for dhcp Type: recommended Severity: moderate Advisory ID: SUSE-SU-2022:1832-1 Released: Tue May 24 11:52:33 2022 Summary: Security update for openldap2 Type: security Severity: important Advisory ID: SUSE-RU-2022:1843-1 Released: Wed May 25 15:25:44 2022 Summary: Recommended update for suse-build-key Type: recommended Severity: moderate Advisory ID: SUSE-SU-2022:1861-1 Released: Thu May 26 12:07:40 2022 Summary: Security update for cups Type: security Severity: important Advisory ID: SUSE-SU-2022:1883-1 Released: Mon May 30 12:41:35 2022 Summary: Security update for pcre2 Type: security Severity: important Advisory ID: SUSE-RU-2022:1887-1 Released: Tue May 31 09:24:18 2022 Summary: Recommended update for grep Type: recommended Severity: moderate Advisory ID: SUSE-RU-2022:2002-1 Released: Mon Jun 6 20:54:06 2022 Summary: Recommended update for btrfsprogs Type: recommended Severity: moderate Advisory ID: SUSE-RU-2022:2019-1 Released: Wed Jun 8 16:50:07 2022 Summary: Recommended update for gcc11 Type: recommended Severity: moderate Advisory ID: SUSE-SU-2022:2041-1 Released: Fri Jun 10 11:33:51 2022 Summary: Security update for grub2 Type: security Severity: important Advisory ID: SUSE-SU-2022:2068-1 Released: Tue Jun 14 10:14:47 2022 Summary: Security update for openssl-1_1 Type: security Severity: important Advisory ID: SUSE-SU-2022:2102-1 Released: Thu Jun 16 15:18:23 2022 Summary: Security update for vim Type: security Severity: important Advisory ID: SUSE-SU-2022:2111-1 Released: Fri Jun 17 09:22:18 2022 Summary: Security update for the Linux Kernel Type: security Severity: important Advisory ID: SUSE-SU-2022:2158-1 Released: Thu Jun 23 10:03:53 2022 Summary: Security update for xen Type: security Severity: important Advisory ID: SUSE-SU-2022:2179-1 Released: Fri Jun 24 14:05:25 2022 Summary: Security update for openssl Type: security Severity: moderate Advisory ID: SUSE-SU-2022:2311-1 Released: Wed Jul 6 15:16:17 2022 Summary: Security update for openssl-1_1 Type: security Severity: important Advisory ID: SUSE-RU-2022:2323-1 Released: Thu Jul 7 12:16:58 2022 Summary: Recommended update for systemd-presets-branding-SLE Type: recommended Severity: low Advisory ID: SUSE-SU-2022:2341-1 Released: Fri Jul 8 16:09:12 2022 Summary: Security update for containerd, docker and runc Type: security Severity: important Advisory ID: SUSE-SU-2022:2351-1 Released: Mon Jul 11 10:50:12 2022 Summary: Security update for python3 Type: security Severity: important Advisory ID: SUSE-SU-2022:2361-1 Released: Tue Jul 12 12:05:01 2022 Summary: Security update for pcre Type: security Severity: important Advisory ID: SUSE-RU-2022:2380-1 Released: Wed Jul 13 10:46:20 2022 Summary: Recommended update for dracut Type: recommended Severity: moderate Advisory ID: SUSE-SU-2022:2403-1 Released: Thu Jul 14 16:59:56 2022 Summary: Security update for python-PyJWT Type: security Severity: important Advisory ID: SUSE-SU-2022:2405-1 Released: Fri Jul 15 11:47:57 2022 Summary: Security update for p11-kit Type: security Severity: moderate Advisory ID: SUSE-SU-2022:2411-1 Released: Fri Jul 15 14:27:56 2022 Summary: Security update for the Linux Kernel Type: security Severity: important

References

References : 1003872 1028340 1029961 1029961 1040589 1055710 1057592 1065729

1070955 1071995 1071995 1082318 1084513 1087082 1099272 1114648

1115529 1120610 1121227 1121230 1122004 1122021 1124431 1128846

1130496 1134046 1156920 1158266 1160654 1162964 1167162 1169514

1172073 1172113 1172427 1172456 1173277 1174075 1174911 1175102

1177047 1177215 1177282 1177460 1178219 1178357 1179060 1179599

1180065 1180689 1180713 1181131 1181163 1181186 1181703 1181812

1181826 1182171 1182227 1182959 1183407 1183495 1183723 1184501

1184804 1185377 1185637 1185973 1186207 1186222 1186571 1186819

1186823 1187055 1187167 1187512 1187906 1188019 1188160 1188161

1188867 1189028 1189152 1189305 1189517 1189560 1189562 1189841

1190315 1190358 1190375 1190428 1190447 1190533 1190566 1190570

1190926 1190943 1191015 1191096 1191121 1191157 1191184 1191185

1191186 1191229 1191241 1191334 1191384 1191434 1191580 1191647

1191731 1191770 1191794 1191893 1191958 1192032 1192051 1192164

1192167 1192249 1192267 1192311 1192343 1192353 1192478 1192481

1192740 1192845 1192847 1192877 1192902 1192903 1192904 1192946

1192951 1193007 1193035 1193179 1193204 1193273 1193282 1193294

1193298 1193306 1193440 1193442 1193466 1193489 1193531 1193575

1193625 1193659 1193669 1193727 1193731 1193732 1193738 1193759

1193767 1193805 1193841 1193861 1193864 1193867 1193868 1193905

1193927 1193930 1194001 1194013 1194048 1194087 1194093 1194216

1194216 1194217 1194227 1194229 1194302 1194388 1194392 1194516

1194516 1194529 1194556 1194561 1194576 1194581 1194588 1194597

1194640 1194642 1194661 1194768 1194770 1194845 1194848 1194859

1194872 1194880 1194883 1194885 1194888 1194898 1194943 1194985

1195004 1195004 1195051 1195054 1195065 1195066 1195095 1195096

1195115 1195126 1195149 1195166 1195202 1195203 1195217 1195251

1195254 1195254 1195258 1195283 1195326 1195332 1195353 1195354

1195356 1195468 1195536 1195543 1195560 1195612 1195614 1195628

1195651 1195654 1195784 1195792 1195797 1195825 1195840 1195856

1195897 1195899 1195908 1195949 1195987 1195999 1196018 1196018

1196025 1196025 1196026 1196036 1196061 1196079 1196093 1196107

1196114 1196155 1196168 1196169 1196171 1196275 1196282 1196317

1196361 1196367 1196368 1196406 1196426 1196433 1196441 1196441

1196468 1196488 1196490 1196494 1196495 1196514 1196514 1196584

1196612 1196639 1196761 1196784 1196830 1196836 1196861 1196877

1196901 1196915 1196925 1196939 1196942 1196973 1196999 1197004

1197004 1197024 1197065 1197134 1197135 1197216 1197219 1197227

1197284 1197293 1197297 1197331 1197343 1197366 1197391 1197423

1197425 1197426 1197443 1197459 1197517 1197663 1197771 1197788

1197794 1197903 1198031 1198032 1198033 1198062 1198062 1198400

1198441 1198446 1198460 1198493 1198496 1198504 1198511 1198516

1198577 1198581 1198596 1198657 1198660 1198687 1198742 1198748

1198777 1198825 1199012 1199061 1199063 1199132 1199166 1199232

1199232 1199240 1199314 1199331 1199333 1199334 1199399 1199426

1199453 1199460 1199474 1199487 1199505 1199507 1199565 1199605

1199650 1199651 1199655 1199657 1199693 1199745 1199747 1199756

1199936 1199965 1199966 1200010 1200011 1200012 1200088 1200143

1200144 1200145 1200249 1200550 1200571 1200599 1200604 1200605

1200608 1200619 1200692 1200762 1201050 1201080 1201099 1201251

954329 CVE-2015-20107 CVE-2015-8985 CVE-2017-13695 CVE-2017-17087

CVE-2018-16301 CVE-2018-20482 CVE-2018-20573 CVE-2018-20574 CVE-2018-25020

CVE-2018-25032 CVE-2018-7755 CVE-2019-15126 CVE-2019-19377 CVE-2019-20811

CVE-2019-6285 CVE-2019-6292 CVE-2019-9923 CVE-2020-14367 CVE-2020-26541

CVE-2020-27820 CVE-2020-29362 CVE-2021-0920 CVE-2021-0935 CVE-2021-20193

CVE-2021-20292 CVE-2021-20321 CVE-2021-22570 CVE-2021-25220 CVE-2021-26341

CVE-2021-26401 CVE-2021-28711 CVE-2021-28712 CVE-2021-28713 CVE-2021-28714

CVE-2021-28715 CVE-2021-31799 CVE-2021-31810 CVE-2021-32066 CVE-2021-33061

CVE-2021-33098 CVE-2021-3564 CVE-2021-3572 CVE-2021-3695 CVE-2021-3696

CVE-2021-3697 CVE-2021-3778 CVE-2021-3778 CVE-2021-3796 CVE-2021-3796

CVE-2021-38208 CVE-2021-3872 CVE-2021-3872 CVE-2021-3875 CVE-2021-3903

CVE-2021-3927 CVE-2021-3927 CVE-2021-3928 CVE-2021-3928 CVE-2021-39648

CVE-2021-39657 CVE-2021-3968 CVE-2021-39711 CVE-2021-39713 CVE-2021-3973

CVE-2021-3974 CVE-2021-3984 CVE-2021-3984 CVE-2021-3999 CVE-2021-4002

CVE-2021-4019 CVE-2021-4019 CVE-2021-4069 CVE-2021-4083 CVE-2021-41089

CVE-2021-41091 CVE-2021-41092 CVE-2021-41103 CVE-2021-41190 CVE-2021-4135

CVE-2021-4136 CVE-2021-4149 CVE-2021-4157 CVE-2021-4166 CVE-2021-41817

CVE-2021-4192 CVE-2021-4193 CVE-2021-4193 CVE-2021-4197 CVE-2021-4202

CVE-2021-43389 CVE-2021-43565 CVE-2021-43975 CVE-2021-43976 CVE-2021-44142

CVE-2021-44733 CVE-2021-44879 CVE-2021-45095 CVE-2021-45486 CVE-2021-45868

CVE-2021-46059 CVE-2021-46059 CVE-2022-0001 CVE-2022-0001 CVE-2022-0002

CVE-2022-0002 CVE-2022-0128 CVE-2022-0213 CVE-2022-0261 CVE-2022-0318

CVE-2022-0318 CVE-2022-0319 CVE-2022-0319 CVE-2022-0322 CVE-2022-0330

CVE-2022-0351 CVE-2022-0351 CVE-2022-0359 CVE-2022-0361 CVE-2022-0361

CVE-2022-0392 CVE-2022-0407 CVE-2022-0413 CVE-2022-0413 CVE-2022-0487

CVE-2022-0492 CVE-2022-0617 CVE-2022-0644 CVE-2022-0696 CVE-2022-0778

CVE-2022-0812 CVE-2022-0850 CVE-2022-1011 CVE-2022-1016 CVE-2022-1048

CVE-2022-1097 CVE-2022-1184 CVE-2022-1271 CVE-2022-1271 CVE-2022-1271

CVE-2022-1292 CVE-2022-1304 CVE-2022-1353 CVE-2022-1381 CVE-2022-1419

CVE-2022-1420 CVE-2022-1516 CVE-2022-1586 CVE-2022-1586 CVE-2022-1616

CVE-2022-1619 CVE-2022-1620 CVE-2022-1652 CVE-2022-1679 CVE-2022-1729

CVE-2022-1733 CVE-2022-1734 CVE-2022-1735 CVE-2022-1771 CVE-2022-1785

CVE-2022-1796 CVE-2022-1851 CVE-2022-1897 CVE-2022-1898 CVE-2022-1927

CVE-2022-1974 CVE-2022-1975 CVE-2022-20132 CVE-2022-20141 CVE-2022-20154

CVE-2022-2068 CVE-2022-2097 CVE-2022-21123 CVE-2022-21125 CVE-2022-21127

CVE-2022-21166 CVE-2022-21180 CVE-2022-21499 CVE-2022-22942 CVE-2022-23033

CVE-2022-23034 CVE-2022-23035 CVE-2022-23036 CVE-2022-23037 CVE-2022-23038

CVE-2022-23039 CVE-2022-23040 CVE-2022-23041 CVE-2022-23042 CVE-2022-2318

CVE-2022-23218 CVE-2022-23219 CVE-2022-23308 CVE-2022-23648 CVE-2022-23648

CVE-2022-23852 CVE-2022-23990 CVE-2022-24407 CVE-2022-24448 CVE-2022-24769

CVE-2022-24903 CVE-2022-24959 CVE-2022-25235 CVE-2022-25236 CVE-2022-25236

CVE-2022-25313 CVE-2022-25314 CVE-2022-25315 CVE-2022-26356 CVE-2022-26357

CVE-2022-26358 CVE-2022-26359 CVE-2022-26360 CVE-2022-26361 CVE-2022-26362

CVE-2022-26363 CVE-2022-26364 CVE-2022-26365 CVE-2022-26490 CVE-2022-26691

CVE-2022-26966 CVE-2022-27191 CVE-2022-27239 CVE-2022-28356 CVE-2022-28388

CVE-2022-28389 CVE-2022-28390 CVE-2022-28733 CVE-2022-28734 CVE-2022-28736

CVE-2022-28739 CVE-2022-28748 CVE-2022-29155 CVE-2022-29162 CVE-2022-29217

CVE-2022-29824 CVE-2022-29900 CVE-2022-29901 CVE-2022-30594 CVE-2022-31030

CVE-2022-33740 CVE-2022-33741 CVE-2022-33742 CVE-2022-33981

1194859,CVE-2021-44142

This update for samba fixes the following issues:

- CVE-2021-44142: Fixed out-of-Bound Read/Write on Samba vfs_fruit module. (bsc#1194859)

1191015,1191121,1191334,1191434,1193273,CVE-2021-41089,CVE-2021-41091,CVE-2021-41092,CVE-2021-41103,CVE-2021-41190

This update for containerd, docker fixes the following issues:

- CVE-2021-41089: Fixed 'cp' can chmod host files (bsc#1191015).

- CVE-2021-41091: Fixed flaw that could lead to data directory traversal in moby (bsc#1191434).

- CVE-2021-41092: Fixed exposed user credentials with a misconfigured configuration file (bsc#1191334).

- CVE-2021-41103: Fixed file access to local users in containerd (bsc#1191121).

- CVE-2021-41190: Fixed OCI manifest and index parsing confusion (bsc#1193273).

1193007,1194597,1194898

This update for libzypp fixes the following issues:

- RepoManager: remember execution errors in exception history (bsc#1193007)

- Fix exception handling when reading or writing credentials (bsc#1194898)

- Fix install path for parser (bsc#1194597)

- Fix Legacy include (bsc#1194597)

- Public header files on older distros must use c++11 (bsc#1194597)

1029961,1057592,1156920,1160654,1177215,1178357,1181163,1181186,1181812,1182227,1183407,1183495,1188019,1189560,1192164,1192311,1192353,1194392,954329

This update for wicked fixes the following issues:

- Fix device rename issue when done via Yast2 (bsc#1194392)

- Prepare RPM packaging for migration of dbus configuration files from /etc to /usr, however

this change does not affect SUSE Linux Enterprise 15 (bsc#1183407,jsc#SLE-9750)

- Prepare RPM packaging for merging of /bin and /usr/bin directories, however this merge

does not affect SUSE Linux Enterprise 15 (bsc#1029961)

- Parse sysctl files in the correct order (bsc#1181186)

- Fix sysctl values for loopback device (bsc#1181163, bsc#1178357)

- Add option for dhcp4 to set route pref-src to dhcp IP (bsc#1192353)

- Cleanup warnings, time calculations and add dhcp fixes to reduce resource usage (bsc#1188019)

- Avoid sysfs attribute read error when the kernel has already deleted the TUN/TAP interface (bsc#1192311)

- Fix warning in `ifstatus` about unexpected interface flag combination (bsc#1192164)

- Fix `ifstatus` not to show link as 'up' when interface is not running

- Make firewalld zone assignment permanent (bsc#1189560)

- Cleanup and improve ifconfig and ifpolicy access utilities

- Initial fixes for dracut integration and improved option handling (bsc#1182227)

- Fix `nanny` to identify node owner exit condition

- Using wicked without nanny is no longer supported and use-nanny=false configuration

option was removed

- Add `ethtool --get-permanent-address` option in the client

- Fix `ifup` to refresh link state of network interface after being unenslaved from

an unconfigured master (bsc#954329)

- Prevent re-trigger Duplicate Address Detection on address updates when is not needed (bsc#1177215)

- Fix Network Information Service configuration (bsc#1181812)

- Reconnect on unexpected wpa_supplicant restart (bsc#1183495)

- Migrate wireless to wpa-supplicant v1 DBus interface (bsc#1156920)

- Support multiple wireless networks configurations per interface

- Show wireless connection status and scan-results (bsc#1160654)

- Fix eap-tls,ttls cetificate handling and fix open vs. shared

wep,open,psk,eap-tls,ttls,peap parsing from ifcfg (bsc#1057592)

- Updated `man ifcfg-wireless` manual pages

1071995,1124431,1167162,1169514,1172073,1179599,1184804,1185377,1186207,1186222,1187167,1189305,1189841,1190358,1190428,1191229,1191241,1191384,1191731,1192032,1192267,1192740,1192845,1192847,1192877,1192946,1193306,1193440,1193442,1193575,1193669,1193727,1193731,1193767,1193861,1193864,1193867,1193927,1194001,1194048,1194087,1194227,1194302,1194516,1194529,1194880,1194888,1194985,1195166,1195254,CVE-2018-25020,CVE-2019-15126,CVE-2020-27820,CVE-2021-0920,CVE-2021-0935,CVE-2021-28711,CVE-2021-28712,CVE-2021-28713,CVE-2021-28714,CVE-2021-28715,CVE-2021-33098,CVE-2021-3564,CVE-2021-39648,CVE-2021-39657,CVE-2021-4002,CVE-2021-4083,CVE-2021-4135,CVE-2021-4149,CVE-2021-4197,CVE-2021-4202,CVE-2021-43975,CVE-2021-43976,CVE-2021-44733,CVE-2021-45095,CVE-2021-45486,CVE-2022-0322,CVE-2022-0330

The SUSE Linux Enterprise 15 SP1 LTSS kernel was updated to receive various security and bugfixes.

The following security bugs were fixed:

- CVE-2022-0435: Fixed remote stack overflow in net/tipc module that validate domain record count on input (bsc#1195254).

- CVE-2022-0330: Fixed flush TLBs before releasing backing store (bsc#1194880).

- CVE-2021-45486: Fixed an information leak because the hash table is very small in net/ipv4/route.c (bnc#1194087).

- CVE-2021-45095: Fixed refcount leak in pep_sock_accept in net/phonet/pep.c (bnc#1193867).

- CVE-2021-44733: Fixed a use-after-free exists in drivers/tee/tee_shm.c in the TEE subsystem, that could have occured because of a race condition in tee_shm_get_from_id during an attempt to free a shared memory object (bnc#1193767).

- CVE-2021-43976: Fixed a flaw that could allow an attacker (who can connect a crafted USB device) to cause a denial of service. (bnc#1192847)

- CVE-2021-43975: Fixed a flaw in hw_atl_utils_fw_rpc_wait that could allow an attacker (who can introduce a crafted device) to trigger an out-of-bounds write via a crafted length value. (bsc#1192845)

- CVE-2021-4202: Fixed NFC race condition by adding NCI_UNREG flag (bsc#1194529).

- CVE-2021-4197: Use cgroup open-time credentials for process migraton perm checks (bsc#1194302).

- CVE-2021-4159: Fixed kernel ptr leak vulnerability via BPF in coerce_reg_to_size (bsc#1194227).

- CVE-2021-4149: Fixed btrfs unlock newly allocated extent buffer after error (bsc#1194001).

- CVE-2021-4135: Fixed zero-initialize memory inside netdevsim for new map's value in function nsim_bpf_map_alloc (bsc#1193927).

- CVE-2021-4083: Fixed a read-after-free memory flaw inside the garbage collection for Unix domain socket file handlers when users call close() and fget() simultaneouslyand can potentially trigger a race condition (bnc#1193727).

- CVE-2021-4002: Fixed incorrect TLBs flush in hugetlbfs after huge_pmd_unshare (bsc#1192946).

- CVE-2021-39657: Fixed out of bounds read due to a missing bounds check in ufshcd_eh_device_reset_handler of ufshcd.c. This could lead to local information disclosure with System execution privileges needed (bnc#1193864).

- CVE-2021-39648: Fixed possible disclosure of kernel heap memory due to a race condition in gadget_dev_desc_UDC_show of configfs.c. This could lead to local information disclosure with System execution privileges needed. User interaction is not needed for exploitation (bnc#1193861).

- CVE-2021-3564: Fixed double-free memory corruption in the Linux kernel HCI device initialization subsystem that could have been used by attaching malicious HCI TTY Bluetooth devices. A local user could use this flaw to crash the system (bnc#1186207).

- CVE-2021-33098: Fixed a potential denial of service in Intel(R) Ethernet ixgbe driver due to improper input validation. (bsc#1192877)

- CVE-2021-28715: Fixed issue with xen/netback to do not queue unlimited number of packages (XSA-392) (bsc#1193442).

- CVE-2021-28714: Fixed issue with xen/netback to handle rx queue stall detection (XSA-392) (bsc#1193442).

- CVE-2021-28713: Fixed issue with xen/console to harden hvc_xen against event channel storms (XSA-391) (bsc#1193440).

- CVE-2021-28712: Fixed issue with xen/netfront to harden netfront against event channel storms (XSA-391) (bsc#1193440).

- CVE-2021-28711: Fixed issue with xen/blkfront to harden blkfront against event channel storms (XSA-391) (bsc#1193440).

- CVE-2021-0935: Fixed possible out of bounds write in ip6_xmit of ip6_output.c due to a use after free. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation (bnc#1192032).

- CVE-2021-0920: Fixed a local privilege escalation due to an use after free bug in unix_gc (bsc#1193731).

- CVE-2020-27820: Fixed a vulnerability where a use-after-frees in nouveau's postclose() handler could happen if removing device (bsc#1179599).

- CVE-2019-15126: Fixed a vulnerability in Broadcom and Cypress Wi-Fi chips, used in RPi family of devices aka 'Kr00k'. (bsc#1167162)

- CVE-2018-25020: Fixed an overflow in the BPF subsystem due to a mishandling of a long jump over an instruction sequence where inner instructions require substantial expansions into multiple BPF instructions. This affects kernel/bpf/core.c and net/core/filter.c (bnc#1193575).

The following non-security bugs were fixed:

- Bluetooth: fix the erroneous flush_work() order (git-fixes).

- Build: Add obsolete_rebuilds_subpackage (boo#1172073 bsc#1191731).

- ICMPv6: Add ICMPv6 Parameter Problem, code 3 definition (bsc#1191241 bsc#1195166).

- IPv6: reply ICMP error if the first fragment do not include all headers (bsc#1191241).

- elfcore: fix building with clang (bsc#1169514).

- hv_netvsc: Set needed_headroom according to VF (bsc#1193506).

- ipv6/netfilter: Discard first fragment not including all headers (bsc#1191241 bsc#1195166).

- kernel-*-subpackage: Add dependency on kernel scriptlets (bsc#1192740).

- kernel-binary.spec.in Stop templating the scriptlets for subpackages (bsc#1190358).

- kernel-binary.spec.in: add zstd to BuildRequires if used

- kernel-binary.spec.in: make sure zstd is supported by kmod if used

- kernel-binary.spec: Check for no kernel signing certificates. Also remove unused variable.

- kernel-binary.spec: Define $image as rpm macro (bsc#1189841).

- kernel-binary.spec: Do not fail silently when KMP is empty (bsc#1190358). Copy the code from kernel-module-subpackage that deals with empty KMPs.

- kernel-binary.spec: Do not sign kernel when no key provided (bsc#1187167).

- kernel-binary.spec: Fix kernel-default-base scriptlets after packaging merge.

- kernel-binary.spec: Require dwarves for kernel-binary-devel when BTF is enabled (jsc#SLE-17288).

- kernel-binary.spec: suse-kernel-rpm-scriptlets required for uninstall as well.

- kernel-cert-subpackage: Fix certificate location in scriptlets (bsc#1189841).

- kernel-source.spec: install-kernel-tools also required on 15.4

- kernel-spec-macros: Since rpm 4.17 %verbose is unusable (bsc#1191229). The semantic changed in an incompatible way so invoking the macro now causes a build failure.

- kprobes: Limit max data_size of the kretprobe instances (bsc#1193669).

- livepatch: Avoid CPU hogging with cond_resched (bsc#1071995).

- memstick: rtsx_usb_ms: fix UAF (bsc#1194516).

- moxart: fix potential use-after-free on remove path (bsc#1194516).

- net, xdp: Introduce xdp_init_buff utility routine (bsc#1193506).

- net, xdp: Introduce xdp_prepare_buff utility routine (bsc#1193506).

- net: Using proper atomic helper (bsc#1186222).

- net: ipv6: Discard next-hop MTU less than minimum link MTU (bsc#1191241).

- net: mana: Add RX fencing (bsc#1193506).

- net: mana: Add XDP support (bsc#1193506).

- net: mana: Allow setting the number of queues while the NIC is down (bsc#1193506).

- net: mana: Fix spelling mistake 'calledd' -> 'called' (bsc#1193506).

- net: mana: Fix the netdev_err()'s vPort argument in mana_init_port() (bsc#1193506).

- net: mana: Improve the HWC error handling (bsc#1193506).

- net: mana: Support hibernation and kexec (bsc#1193506).

- net: mana: Use kcalloc() instead of kzalloc() (bsc#1193506).

- objtool: Support Clang non-section symbols in ORC generation (bsc#1169514).

- post.sh: detect /usr mountpoint too

- recordmcount.pl: fix typo in s390 mcount regex (bsc#1192267).

- recordmcount.pl: look for jgnop instruction as well as bcrl on s390 (bsc#1192267).

- rpm/kernel-binary.spec.in: Use kmod-zstd provide. This makes it possible to use kmod with ZSTD support on non-Tumbleweed.

- rpm/kernel-binary.spec.in: avoid conflicting suse-release suse-release had arbitrary values in staging, we can't use it for dependencies. The filesystem one has to be enough (boo#1184804).

- rpm/kernel-binary.spec.in: do not strip vmlinux again (bsc#1193306).

- rpm/kernel-binary.spec: Use only non-empty certificates.

- rpm/kernel-obs-build.spec.in: make builds reproducible (bsc#1189305).

- rpm/kernel-source.rpmlintrc: ignore new include/config files.

- rpm/kernel-source.spec.in: do some more for vanilla_only.

- rpm: Abolish image suffix (bsc#1189841).

- rpm: Abolish scritplet templating (bsc#1189841). Outsource kernel-binary and KMP scriptlets to suse-module-tools.

- rpm: Define $certs as rpm macro (bsc#1189841).

- rpm: Fold kernel-devel and kernel-source scriptlets into spec files (bsc#1189841).

- rpm: fix kmp install path

- rpm: use _rpmmacrodir (boo#1191384)

- tty: hvc: replace BUG_ON() with negative return value.

- vfs: check fd has read access in kernel_read_file_from_fd() (bsc#1194888).

- x86/xen: Mark cpu_bringup_and_idle() as dead_end_function (bsc#1169514).

- xen/blkfront: do not take local copy of a request from the ring page (git-fixes).

- xen/blkfront: do not trust the backend response data blindly (git-fixes).

- xen/blkfront: read response from backend only once (git-fixes).

- xen/netfront: disentangle tx_skb_freelist (git-fixes).

- xen/netfront: do not read data from request on the ring page (git-fixes).

- xen/netfront: do not trust the backend response data blindly (git-fixes).

- xen/netfront: read response from backend only once (git-fixes).

- xen: sync include/xen/interface/io/ring.h with Xen's newest version (git-fixes).

- xfrm: fix MTU regression (bsc#1185377, bsc#1194048).

1194576,1194581,1194588,CVE-2022-23033,CVE-2022-23034,CVE-2022-23035

This update for xen fixes the following issues:

- CVE-2022-23033: Fixed guest_physmap_remove_page not removing the p2m mappings. (XSA-393) (bsc#1194576)

- CVE-2022-23034: Fixed possible DoS by a PV guest Xen while unmapping a grant. (XSA-394) (bsc#1194581)

- CVE-2022-23035: Fixed insufficient cleanup of passed-through device IRQs. (XSA-395) (bsc#1194588)

1195326

This update for libzypp, zypper fixes the following issues:

- Fix handling of redirected command in-/output (bsc#1195326)

This fixes delays at the end of zypper operations, where

zypper unintentionally waits for appdata plugin scripts to

complete.

1194661

This update for nfs-utils fixes the following issues:

- If an error or warning message is produced before closeall() is called, mountd doesn't work. (bsc#1194661)

1195054,1195217,CVE-2022-23852,CVE-2022-23990

This update for expat fixes the following issues:

- CVE-2022-23852: Fixed signed integer overflow in XML_GetBuffer (bsc#1195054).

- CVE-2022-23990: Fixed integer overflow in the doProlog function (bsc#1195217).

1082318,1189152

This update for coreutils fixes the following issues:

- Add 'fuse.portal' as a dummy file system (used in flatpak implementations) (bsc#1189152).

- Properly sort docs and license files (bsc#1082318).

1193759,1193841

This update for systemd fixes the following issues:

- systemctl: exit with 1 if no unit files found (bsc#1193841).

- add rules for virtual devices (bsc#1193759).

- enforce 'none' for loop devices (bsc#1193759).

1187512

This update for yast2-network fixes the following issues:

- Don't crash at the end of installation when storing wifi configuration for NetworkManager. (bsc#1187512)

1195095,1195096

This update for supportutils-plugin-suse-public-cloud fixes the following issues:

- Update to version 1.0.6 (bsc#1195095, bsc#1195096)

- Include cloud-init logs whenever they are present

- Update the packages we track in AWS, Azure, and Google

- Include the ecs logs for AWS ECS instances

1190447

This update for filesystem fixes the following issues:

- Release ported filesystem to LTSS channels (bsc#1190447).

1181703

This update for sudo fixes the following issues:

- Add support in the LDAP filter for negated users (jsc#SLE-20068)

- Restrict use of sudo -U other -l to people who have permission

to run commands as that user (bsc#1181703, jsc#SLE-22569)

1196036,CVE-2022-24407

This update for cyrus-sasl fixes the following issues:

- CVE-2022-24407: Fixed SQL injection in sql_auxprop_store in plugins/sql.c (bsc#1196036).

1196025,1196026,1196168,1196169,1196171,CVE-2022-25235,CVE-2022-25236,CVE-2022-25313,CVE-2022-25314,CVE-2022-25315

This update for expat fixes the following issues:

- CVE-2022-25236: Fixed possible namespace-separator characters insertion into namespace URIs (bsc#1196025).

- CVE-2022-25235: Fixed UTF-8 character validation in a certain context (bsc#1196026).

- CVE-2022-25313: Fixed stack exhaustion in build_model() via uncontrolled recursion (bsc#1196168).

- CVE-2022-25314: Fixed integer overflow in copyString (bsc#1196169).

- CVE-2022-25315: Fixed integer overflow in storeRawNames (bsc#1196171).

1196441,CVE-2022-23648

This update for containerd fixes the following issues:

- CVE-2022-23648: A specially-crafted image configuration could gain access to

read-only copies of arbitrary files and directories on the host (bsc#1196441).

1190533,1190570,1191893,1192478,1192481,1193294,1193298,1194216,1194556,1195004,1195066,1195126,1195202,1195356,CVE-2021-3778,CVE-2021-3796,CVE-2021-3872,CVE-2021-3927,CVE-2021-3928,CVE-2021-3984,CVE-2021-4019,CVE-2021-4193,CVE-2021-46059,CVE-2022-0318,CVE-2022-0319,CVE-2022-0351,CVE-2022-0361,CVE-2022-0413

This update for vim fixes the following issues:

- CVE-2022-0318: Fixed heap-based buffer overflow (bsc#1195004).

- CVE-2021-3796: Fixed use-after-free in nv_replace() in normal.c (bsc#1190570).

- CVE-2021-3872: Fixed heap-based buffer overflow in win_redr_status() drawscreen.c (bsc#1191893).

- CVE-2021-3927: Fixed heap-based buffer overflow (bsc#1192481).

- CVE-2021-3928: Fixed stack-based buffer overflow (bsc#1192478).

- CVE-2021-4019: Fixed heap-based buffer overflow (bsc#1193294).

- CVE-2021-3984: Fixed illegal memory access when C-indenting could have led to heap buffer overflow (bsc#1193298).

- CVE-2021-3778: Fixed heap-based buffer overflow in regexp_nfa.c (bsc#1190533).

- CVE-2021-4193: Fixed out-of-bounds read (bsc#1194216).

- CVE-2021-46059: Fixed pointer dereference vulnerability via the vim_regexec_multi function at regexp.c (bsc#1194556).

- CVE-2022-0319: Fixded out-of-bounds read (bsc#1195066).

- CVE-2022-0351: Fixed uncontrolled recursion in eval7() (bsc#1195126).

- CVE-2022-0361: Fixed buffer overflow (bsc#1195126).

- CVE-2022-0413: Fixed use-after-free in src/ex_cmds.c (bsc#1195356).

1185973,1191580,1194516,1195536,1195543,1195612,1195840,1195897,1195908,1195949,1195987,1196079,1196155,1196584,1196612,CVE-2021-44879,CVE-2022-0001,CVE-2022-0002,CVE-2022-0487,CVE-2022-0492,CVE-2022-0617,CVE-2022-0644,CVE-2022-24448,CVE-2022-24959

The SUSE Linux Enterprise 15 SP1 kernel was updated to receive various security and bugfixes.

Transient execution side-channel attacks attacking the Branch History Buffer (BHB),

named 'Branch Target Injection' and 'Intra-Mode Branch History Injection' are now mitigated.

The following security bugs were fixed:

- CVE-2022-0001: Fixed Branch History Injection vulnerability (bsc#1191580).

- CVE-2022-0002: Fixed Intra-Mode Branch Target Injection vulnerability (bsc#1191580).

- CVE-2022-0617: Fixed a null pointer dereference in UDF file system functionality. A local user could crash the system by triggering udf_file_write_iter() via a malicious UDF image. (bsc#1196079)

- CVE-2022-0644: Fixed a denial of service by a local user. A assertion failure could be triggered in kernel_read_file_from_fd() (bsc#1196155).

- CVE-2021-44879: In gc_data_segment() in fs/f2fs/gc.c, special files were not considered, which lead to a move_data_page NULL pointer dereference (bsc#1195987).

- CVE-2022-24959: Fixed a memory leak in yam_siocdevprivate() in drivers/net/hamradio/yam.c (bsc#1195897).

- CVE-2022-0487: A use-after-free vulnerability was found in rtsx_usb_ms_drv_remove() in drivers/memstick/host/rtsx_usb_ms.c (bsc#1194516).

- CVE-2022-0492: Fixed a privilege escalation related to cgroups v1 release_agent feature, which allowed bypassing namespace isolation unexpectedly (bsc#1195543).

- CVE-2022-24448: Fixed an issue in fs/nfs/dir.c. If an application sets the O_DIRECTORY flag, and tries to open a regular file, nfs_atomic_open() performs a regular lookup. If a regular file is found, ENOTDIR should have occured, but the server instead returned uninitialized data in the file descriptor (bsc#1195612).

The following non-security bugs were fixed:

- crypto: af_alg - get_page upon reassignment to TX SGL (bsc#1195840).

- lib/iov_iter: initialize 'flags' in new pipe_buffer (bsc#1196584).

1195825,CVE-2018-16301

This update for tcpdump fixes the following issues:

- CVE-2018-16301: Fixed segfault when handling large files (bsc#1195825).

This update for openldap2 fixes the following issue:

- restore CLDAP functionality in CLI tools (jsc#PM-3288)

1195654

This update for update-alternatives fixes the following issues:

- Break bash - update-alternatives cycle rewrite of '%post' in 'lua'. (bsc#1195654)

1194845,1196494,1196495

This update for suse-build-key fixes the following issues:

- The old SUSE PTF key was extended, but also move it to suse_ptf_key_old.asc (as it is a DSA1024 key).

- Added a new SUSE PTF key with RSA2048 bit as suse_ptf_key.asc (bsc#1196494)

- Extended the expiry of SUSE Linux Enterprise 11 key (bsc#1194845)

- Added SUSE Container signing key in PEM format for use e.g. by cosign.

- The SUSE security key was replaced with 2022 edition (E-Mail usage only). (bsc#1196495)

1195468

This update for procps fixes the following issues:

- Stop registering signal handler for SIGURG, to avoid `ps` failure if

someone sends such signal. Without the signal handler, SIGURG will

just be ignored. (bsc#1195468)

1195258,CVE-2021-22570

This update for protobuf fixes the following issues:

- CVE-2021-22570: Fix incorrect parsing of nullchar in the proto symbol (bsc#1195258).

1193625,1194640,1194768,1194770,1195560,CVE-2015-8985,CVE-2021-3999,CVE-2022-23218,CVE-2022-23219

glibc was updated to fix the following issues:

Security issues fixed:

- CVE-2022-23219: Fixed Buffer overflow in sunrpc clnt_create for 'unix' (bsc#1194768)

- CVE-2022-23218: Buffer overflow in sunrpc svcunix_create (bsc#1194770)

- CVE-2021-3999: Fixed getcwd to set errno to ERANGE for size == 1 (bsc#1194640)

- CVE-2015-8985: Fixed Assertion failure in pop_fail_stack when executing a malformed regexp (bsc#1193625)

Also the following bug was fixed:

- Fix pthread_rwlock_try*lock stalls (bsc#1195560)

1196025,1196784,CVE-2022-25236

This update for expat fixes the following issues:

- Fixed a regression caused by the patch for CVE-2022-25236 (bsc#1196784).

1099272,1115529,1128846,1162964,1172113,1173277,1174075,1174911,1180689,1181826,1187906,1190926,1194229,CVE-2020-14367

This update for chrony fixes the following issues:

Chrony was updated to 4.1, bringing features and bugfixes.

Update to 4.1

* Add support for NTS servers specified by IP address (matching

Subject Alternative Name in server certificate)

* Add source-specific configuration of trusted certificates

* Allow multiple files and directories with trusted certificates

* Allow multiple pairs of server keys and certificates

* Add copy option to server/pool directive

* Increase PPS lock limit to 40% of pulse interval

* Perform source selection immediately after loading dump files

* Reload dump files for addresses negotiated by NTS-KE server

* Update seccomp filter and add less restrictive level

* Restart ongoing name resolution on online command

* Fix dump files to not include uncorrected offset

* Fix initstepslew to accept time from own NTP clients

* Reset NTP address and port when no longer negotiated by NTS-KE

server

- Ensure the correct pool packages are installed for openSUSE

and SLE (bsc#1180689).

- Fix pool package dependencies, so that SLE prefers chrony-pool-suse

over chrony-pool-empty. (bsc#1194229)

- Enable syscallfilter unconditionally [bsc#1181826].

Update to 4.0

- Enhancements

- Add support for Network Time Security (NTS) authentication

- Add support for AES-CMAC keys (AES128, AES256) with Nettle

- Add authselectmode directive to control selection of

unauthenticated sources

- Add binddevice, bindacqdevice, bindcmddevice directives

- Add confdir directive to better support fragmented

configuration

- Add sourcedir directive and 'reload sources' command to

support dynamic NTP sources specified in files

- Add clockprecision directive

- Add dscp directive to set Differentiated Services Code Point

(DSCP)

- Add -L option to limit log messages by severity

- Add -p option to print whole configuration with included

files

- Add -U option to allow start under non-root user

- Allow maxsamples to be set to 1 for faster update with -q/-Q

option

- Avoid replacing NTP sources with sources that have

unreachable address

- Improve pools to repeat name resolution to get 'maxsources'

sources

- Improve source selection with trusted sources

- Improve NTP loop test to prevent synchronisation to itself

- Repeat iburst when NTP source is switched from offline state

to online

- Update clock synchronisation status and leap status more

frequently

- Update seccomp filter

- Add 'add pool' command

- Add 'reset sources' command to drop all measurements

- Add authdata command to print details about NTP

authentication

- Add selectdata command to print details about source

selection

- Add -N option and sourcename command to print original names

of sources

- Add -a option to some commands to print also unresolved

sources

- Add -k, -p, -r options to clients command to select, limit,

reset data

- Bug fixes

- Don’t set interface for NTP responses to allow asymmetric

routing

- Handle RTCs that don’t support interrupts

- Respond to command requests with correct address on

multihomed hosts

- Removed features

- Drop support for RIPEMD keys (RMD128, RMD160, RMD256, RMD320)

- Drop support for long (non-standard) MACs in NTPv4 packets

(chrony 2.x clients using non-MD5/SHA1 keys need to use

option 'version 3')

- Drop support for line editing with GNU Readline

- By default we don't write log files but log to journald, so

only recommend logrotate.

- Adjust and rename the sysconfig file, so that it matches the

expectations of chronyd.service (bsc#1173277).

Update to 3.5.1:

* Create new file when writing pidfile (CVE-2020-14367, bsc#1174911)

- Fixes for %_libexecdir changing to /usr/libexec (bsc#1174075)

- Use iburst in the default pool statements to speed up initial

synchronisation (bsc#1172113).

Update to 3.5:

+ Add support for more accurate reading of PHC on Linux 5.0

+ Add support for hardware timestamping on interfaces with read-only timestamping configuration

+ Add support for memory locking and real-time priority on FreeBSD, NetBSD, Solaris

+ Update seccomp filter to work on more architectures

+ Validate refclock driver options

+ Fix bindaddress directive on FreeBSD

+ Fix transposition of hardware RX timestamp on Linux 4.13 and later

+ Fix building on non-glibc systems

- Fix location of helper script in [email protected]

(bsc#1128846).

- Read runtime servers from /var/run/netconfig/chrony.servers to

fix bsc#1099272.

- Move chrony-helper to /usr/lib/chrony/helper, because there

should be no executables in /usr/share.

Update to version 3.4

* Enhancements

+ Add filter option to server/pool/peer directive

+ Add minsamples and maxsamples options to hwtimestamp directive

+ Add support for faster frequency adjustments in Linux 4.19

+ Change default pidfile to /var/run/chrony/chronyd.pid to allow chronyd

without root privileges to remove it on exit

+ Disable sub-second polling intervals for distant NTP sources

+ Extend range of supported sub-second polling intervals

+ Get/set IPv4 destination/source address of NTP packets on FreeBSD

+ Make burst options and command useful with short polling intervals

+ Modify auto_offline option to activate when sending request failed

+ Respond from interface that received NTP request if possible

+ Add onoffline command to switch between online and offline state

according to current system network configuration

+ Improve example NetworkManager dispatcher script

* Bug fixes

+ Avoid waiting in Linux getrandom system call

+ Fix PPS support on FreeBSD and NetBSD

Update to version 3.3

* Enhancements:

+ Add burst option to server/pool directive

+ Add stratum and tai options to refclock directive

+ Add support for Nettle crypto library

+ Add workaround for missing kernel receive timestamps on Linux

+ Wait for late hardware transmit timestamps

+ Improve source selection with unreachable sources

+ Improve protection against replay attacks on symmetric mode

+ Allow PHC refclock to use socket in /var/run/chrony

+ Add shutdown command to stop chronyd

+ Simplify format of response to manual list command

+ Improve handling of unknown responses in chronyc

* Bug fixes:

+ Respond to NTPv1 client requests with zero mode

+ Fix -x option to not require CAP_SYS_TIME under non-root user

+ Fix acquisitionport directive to work with privilege separation

+ Fix handling of socket errors on Linux to avoid high CPU usage

+ Fix chronyc to not get stuck in infinite loop after clock step

1196877,CVE-2022-0778

This update for openssl-1_1 fixes the following issues:

- CVE-2022-0778: Infinite loop in BN_mod_sqrt() reachable when parsing certificates (bsc#1196877).

1182959,1195149,1195792,1195856

This update for openssl-1_1 fixes the following issues:

openssl-1_1:

- Fix PAC pointer authentication in ARM (bsc#1195856)

- Pull libopenssl-1_1 when updating openssl-1_1 with the same version (bsc#1195792)

- FIPS: Fix function and reason error codes (bsc#1182959)

- Enable zlib compression support (bsc#1195149)

glibc:

- Resolve installation issue of `glibc-devel` in SUSE Linux Enterprise Micro 5.1

linux-glibc-devel:

- Resolve installation issue of `linux-kernel-headers` in SUSE Linux Enterprise Micro 5.1

libxcrypt:

- Resolve installation issue of `libxcrypt-devel` in SUSE Linux Enterprise Micro 5.1

zlib:

- Resolve installation issue of `zlib-devel` in SUSE Linux Enterprise Micro 5.1

1193805

This update for libtirpc fixes the following issues:

- Fix memory leak in client protocol version 2 code (bsc#1193805)

1197004

This update for openldap2 fixes the following issue:

- Revert jsc#PM-3288 - CLDAP ( -DLDAP_CONNECTIONLESS ) due to regression (bsc#1197004)

1179060,1194561,1195614,1196282

This update for avahi fixes the following issues:

- Change python3-Twisted to a soft dependency. It is not available

on SLED or PackageHub, and it is only needed by avahi-bookmarks

(bsc#1196282)

- Fix warning when Twisted is not available

- Have python3-avahi require python3-dbus-python, not the

python 2 dbus-1-python package (bsc#1195614)

- Ensure that NetworkManager or wicked have already started before

initializing (bsc#1194561)

- Move sftp-ssh and ssh services to the doc directory. They allow

a host's up/down status to be easily discovered and should not

be enabled by default (bsc#1179060)

1196915,CVE-2021-26401,CVE-2022-0001,CVE-2022-0002

This update for xen fixes the following issues:

Transient execution side-channel attacks attacking the Branch History Buffer (BHB),

named 'Branch Target Injection' and 'Intra-Mode Branch History Injection' are now mitigated.

- CVE-2022-0001, CVE-2022-0002, CVE-2021-26401: BHB speculation issues (bsc#1196915).

1196275,1196406

This update for filesystem and systemd-rpm-macros fixes the following issues:

filesystem:

- Add path /lib/modprobe.d (bsc#1196275, jsc#SLE-20639)

systemd-rpm-macros:

- Make %_modprobedir point to /lib/modprobe.d (bsc#1196275, bsc#1196406)

1197135,CVE-2021-25220

This update for bind fixes the following issues:

- CVE-2021-25220: Fixed a DNS cache poisoning vulnerability due to loose

caching rules (bsc#1197135).

1195899

This update for systemd fixes the following issues:

- allow setting external core size to infinity (bsc#1195899 jsc#SLE-23868 jsc#SLE-23870)

1196093,1197024

This update for pam fixes the following issues:

- Define _pam_vendordir as the variable is needed by systemd and others. (bsc#1196093)

- Between allocating the variable 'ai' and free'ing them, there are two 'return NO' were we don't free this variable.

This patch inserts freaddrinfo() calls before the 'return NO;'s. (bsc#1197024)

1197459,CVE-2018-25032

This update for zlib fixes the following issues:

- CVE-2018-25032: Fixed memory corruption on deflate (bsc#1197459).

1121227,1121230,1122004,1122021,CVE-2018-20573,CVE-2018-20574,CVE-2019-6285,CVE-2019-6292

This update for yaml-cpp fixes the following issues:

- CVE-2018-20573: Fixed remote DOS via a crafted YAML file in function Scanner:EnsureTokensInQueue (bsc#1121227).

- CVE-2018-20574: Fixed remote DOS via a crafted YAML file in function SingleDocParser:HandleFlowMap (bsc#1121230).

- CVE-2019-6285: Fixed remote DOS via a crafted YAML file in function SingleDocParser::HandleFlowSequence (bsc#1122004).

- CVE-2019-6292: Fixed DOS by stack consumption in singledocparser.cpp (bsc#1122021).

1193531

This update for cloud-init contains the following fixes:

- Enable broader systemctl location. (bsc#1193531)

- Remove unneeded BuildRequires on python3-nose.

1194883

This update for aaa_base fixes the following issues:

- Set net.ipv4.ping_group_range to allow ICMP ping (bsc#1194883)

- Include all fixes and changes for systemwide inputrc to remove the 8 bit escape sequence which interfere with UTF-8

multi byte characters as well as support the vi mode of readline library

1172427,1194642

This update for util-linux fixes the following issues:

- Improve throughput and reduce clock sequence increments for high load situation with time based

version 1 uuids. (bsc#1194642)

- Prevent root owning of `/var/lib/libuuid/clock.txt`. (bsc#1194642)

- Warn if uuidd lock state is not usable. (bsc#1194642)

- Fix 'su -s' bash completion. (bsc#1172427)

1177460

This update for timezone fixes the following issues:

- timezone update 2022a (bsc#1177460):

* Palestine will spring forward on 2022-03-27, not on 03-26

* `zdump -v` now outputs better failure indications

* Bug fixes for code that reads corrupted TZif data

1197297,1197788

This update for nfs-utils fixes the following issues:

- Ensure `sloppy` is added correctly for newer kernels. (bsc#1197297)

* This is required for kernels since 5.6 (like in SUSE Linux Enterprise 15 SP4), and it's safe for all kernels.

- Fix the source build with new `glibc` like in SUSE Linux Enterprise 15 SP4. (bsc#1197788)

1184501,1194848,1195999,1196061,1196317,1196368,1196514,1196925,1197134

This update for libsolv, libzypp, zypper fixes the following issues:

Security relevant fix:

- Harden package signature checks (bsc#1184501).

libsolv to 0.7.22:

- reworked choice rule generation to cover more usecases

- support SOLVABLE_PREREQ_IGNOREINST in the ordering code (bsc#1196514)

- support parsing of Debian's Multi-Arch indicator

- fix segfault on conflict resolution when using bindings

- fix split provides not working if the update includes a forbidden vendor change

- support strict repository priorities

new solver flag: SOLVER_FLAG_STRICT_REPO_PRIORITY

- support zstd compressed control files in debian packages

- add an ifdef allowing to rename Solvable dependency members

('requires' is a keyword in C++20)

- support setting/reading userdata in solv files

new functions: repowriter_set_userdata, solv_read_userdata

- support queying of the custom vendor check function

new function: pool_get_custom_vendorcheck

- support solv files with an idarray block

- allow accessing the toolversion at runtime

libzypp to 17.30.0:

- ZConfig: Update solver settings if target changes (bsc#1196368)

- Fix possible hang in singletrans mode (bsc#1197134)

- Do 2 retries if mount is still busy.

- Fix package signature check (bsc#1184501)

Pay attention that header and payload are secured by a valid

signature and report more detailed which signature is missing.

- Retry umount if device is busy (bsc#1196061, closes #381)

A previously released ISO image may need a bit more time to

release it's loop device. So we wait a bit and retry.

- Fix serializing/deserializing type mismatch in zypp-rpm

protocol (bsc#1196925)

- Fix handling of ISO media in releaseAll (bsc#1196061)

- Hint on common ptf resolver conflicts (bsc#1194848)

- Hint on ptf<>patch resolver conflicts (bsc#1194848)

zypper to 1.14.52:

- info: print the packages upstream URL if available (fixes #426)

- info: Fix SEGV with not installed PTFs (bsc#1196317)

- Don't prevent less restrictive umasks (bsc#1195999)

1189028,1190315,1190943,1191096,1191794,1193204,1193732,1193868,1195797

This update for supportutils fixes the following issues:

- Add command `blkid`

- Add email.txt based on OPTION_EMAIL (bsc#1189028)

- Add rpcinfo -p output #116

- Add s390x specific files and output

- Add shared memory as a log directory for emergency use (bsc#1190943)

- Fix cron package for RPM validation (bsc#1190315)

- Fix for invalid argument during updates (bsc#1193204)

- Fix iscsi initiator name (bsc#1195797)

- Improve `lsblk` readability with `--ascsi` option

- Include 'multipath -t' output in mpio.txt

- Include /etc/sssd/conf.d configuration files

- Include udev rules in /lib/udev/rules.d/

- Made /proc directory and network names spaces configurable (bsc#1193868)

- Prepare future installation of binaries to /usr/sbin instead of /sbin. This does not affect

current SUSE Linux Enterprise 15 Service Packs (bsc#1191096)

- Move localmessage/warm logs out of messages.txt to new localwarn.txt

- Optimize configuration files

- Remove chronyc DNS lookups with -n switch (bsc#1193732)

- Remove duplicate commands in network.txt

- Remove duplicate firewalld status output

- getappcore identifies compressed core files (bsc#1191794)

1195784

This update of containerd fixes the following issue:

- container-ctr is shipped to the PackageHub repos.

1197903,CVE-2022-1097

This update for mozilla-nss fixes the following issues:

Mozilla NSS 3.68.3 (bsc#1197903):

- CVE-2022-1097: Fixed memory safety violations that could occur when PKCS#11

tokens are removed while in use.

1197293

This update for suse-build-key fixes the following issues:

No longer install 1024bit keys by default. (bsc#1197293)

- The SLE11 key has been moved to documentation directory, and is obsoleted / removed by the package.

- The old PTF (pre March 2022) key moved to documentation directory.

1198062,CVE-2022-1271

This update for xz fixes the following issues:

- CVE-2022-1271: Fixed an incorrect escaping of malicious filenames (ZDI-CAN-16587). (bsc#1198062)

1192343

This update for cloud-init contains the following fixes:

- Update to version 21.4 (bsc#1192343, jsc#PM-3181)

+ Also include VMWare functionality for (jsc#PM-3175)

+ Remove patches included upstream.

+ Forward port fixes.

+ Fix for VMware Test, system dependend, not properly mocked previously.

+ Azure: fallback nic needs to be reevaluated during reprovisioning

(#1094) [Anh Vo]

+ azure: pps imds (#1093) [Anh Vo]

+ testing: Remove calls to 'install_new_cloud_init' (#1092)

+ Add LXD datasource (#1040)

+ Fix unhandled apt_configure case. (#1065) [Brett Holman]

+ Allow libexec for hotplug (#1088)

+ Add necessary mocks to test_ovf unit tests (#1087)

+ Remove (deprecated) apt-key (#1068) [Brett Holman] (LP: #1836336)

+ distros: Remove a completed 'TODO' comment (#1086)

+ cc_ssh.py: Add configuration for controlling ssh-keygen output (#1083)

[dermotbradley]

+ Add 'install hotplug' module (SC-476) (#1069) (LP: #1946003)

+ hosts.alpine.tmpl: rearrange the order of short and long hostnames

(#1084) [dermotbradley]

+ Add max version to docutils

+ cloudinit/dmi.py: Change warning to debug to prevent console display

(#1082) [dermotbradley]

+ remove unnecessary EOF string in

disable-sshd-keygen-if-cloud-init-active.conf (#1075) [Emanuele

Giuseppe Esposito]

+ Add module 'write-files-deferred' executed in stage 'final' (#916)

[Lucendio]

+ Bump pycloudlib to fix CI (#1080)

+ Remove pin in dependencies for jsonschema (#1078)

+ Add 'Google' as possible system-product-name (#1077) [vteratipally]

+ Update Debian security suite for bullseye (#1076) [Johann Queuniet]

+ Leave the details of service management to the distro (#1074)

[Andy Fiddaman]

+ Fix typos in setup.py (#1059) [Christian Clauss]

+ Update Azure _unpickle (SC-500) (#1067) (LP: #1946644)

+ cc_ssh.py: fix private key group owner and permissions (#1070)

[Emanuele Giuseppe Esposito]

+ VMware: read network-config from ISO (#1066) [Thomas Weißschuh]

+ testing: mock sleep in gce unit tests (#1072)

+ CloudStack: fix data-server DNS resolution (#1004)

[Olivier Lemasle] (LP: #1942232)

+ Fix unit test broken by pyyaml upgrade (#1071)

+ testing: add get_cloud function (SC-461) (#1038)

+ Inhibit [email protected] if cloud-init is active (#1028)

[Ryan Harper]

+ VMWARE: search the deployPkg plugin in multiarch dir (#1061)

[xiaofengw-vmware] (LP: #1944946)

+ Fix set-name/interface DNS bug (#1058) [Andrew Kutz] (LP: #1946493)

+ Use specified tmp location for growpart (#1046) [jshen28]

+ .gitignore: ignore tags file for ctags users (#1057) [Brett Holman]

+ Allow comments in runcmd and report failed commands correctly (#1049)

[Brett Holman] (LP: #1853146)

+ tox integration: pass the *_proxy, GOOGLE_*, GCP_* env vars (#1050)

[Paride Legovini]

+ Allow disabling of network activation (SC-307) (#1048) (LP: #1938299)

+ renderer: convert relative imports to absolute (#1052) [Paride Legovini]

+ Support ETHx_IP6_GATEWAY, SET_HOSTNAME on OpenNebula (#1045)

[Vlastimil Holer]

+ integration-requirements: bump the pycloudlib commit (#1047)

[Paride Legovini]

+ Allow Vultr to set MTU and use as-is configs (#1037) [eb3095]

+ pin jsonschema in requirements.txt (#1043)

+ testing: remove cloud_tests (#1020)

+ Add andgein as contributor (#1042) [Andrew Gein]

+ Make wording for module frequency consistent (#1039) [Nicolas Bock]

+ Use ascii code for growpart (#1036) [jshen28]

+ Add jshen28 as contributor (#1035) [jshen28]

+ Skip test_cache_purged_on_version_change on Azure (#1033)

+ Remove invalid ssh_import_id from examples (#1031)

+ Cleanup Vultr support (#987) [eb3095]

+ docs: update cc_disk_setup for fs to raw disk (#1017)

+ HACKING.rst: change contact info to James Falcon (#1030)

+ tox: bump the pinned flake8 and pylint version (#1029)

[Paride Legovini] (LP: #1944414)

+ Add retries to DataSourceGCE.py when connecting to GCE (#1005)

[vteratipally]

+ Set Azure to apply networking config every BOOT (#1023)

+ Add connectivity_url to Oracle's EphemeralDHCPv4 (#988) (LP: #1939603)

+ docs: fix typo and include sudo for report bugs commands (#1022)

[Renan Rodrigo] (LP: #1940236)

+ VMware: Fix typo introduced in #947 and add test (#1019) [PengpengSun]

+ Update IPv6 entries in /etc/hosts (#1021) [Richard Hansen] (LP: #1943798)

+ Integration test upgrades for the 21.3-1 SRU (#1001)

+ Add Jille to tools/.github-cla-signers (#1016) [Jille Timmermans]

+ Improve ug_util.py (#1013) [Shreenidhi Shedi]

+ Support openEuler OS (#1012) [zhuzaifangxuele]

+ ssh_utils.py: ignore when sshd_config options are not key/value pairs

(#1007) [Emanuele Giuseppe Esposito]

+ Set Azure to only update metadata on BOOT_NEW_INSTANCE (#1006)

+ cc_update_etc_hosts: Use the distribution-defined path for the hosts

file (#983) [Andy Fiddaman]

+ Add CloudLinux OS support (#1003) [Alexandr Kravchenko]

+ puppet config: add the start_agent option (#1002) [Andrew Bogott]

+ Fix `make style-check` errors (#1000) [Shreenidhi Shedi]

+ Make cloud-id copyright year (#991) [Andrii Podanenko]

+ Add support to accept-ra in networkd renderer (#999) [Shreenidhi Shedi]

+ Update ds-identify to pass shellcheck (#979) [Andrew Kutz]

+ Azure: Retry dhcp on timeouts when polling reprovisiondata (#998)

[aswinrajamannar]

+ testing: Fix ssh keys integration test (#992)

- From 21.3

+ Azure: During primary nic detection, check interface status continuously

before rebinding again (#990) [aswinrajamannar]

+ Fix home permissions modified by ssh module (SC-338) (#984)

(LP: #1940233)

+ Add integration test for sensitive jinja substitution (#986)

+ Ignore hotplug socket when collecting logs (#985) (LP: #1940235)

+ testing: Add missing mocks to test_vmware.py (#982)

+ add Zadara Edge Cloud Platform to the supported clouds list (#963)

[sarahwzadara]

+ testing: skip upgrade tests on LXD VMs (#980)

+ Only invoke hotplug socket when functionality is enabled (#952)

+ Revert unnecesary lcase in ds-identify (#978) [Andrew Kutz]

+ cc_resolv_conf: fix typos (#969) [Shreenidhi Shedi]

+ Replace broken httpretty tests with mock (SC-324) (#973)

+ Azure: Check if interface is up after sleep when trying to bring it up

(#972) [aswinrajamannar]

+ Update dscheck_VMware's rpctool check (#970) [Shreenidhi Shedi]

+ Azure: Logging the detected interfaces (#968) [Moustafa Moustafa]

+ Change netifaces dependency to 0.10.4 (#965) [Andrew Kutz]

+ Azure: Limit polling network metadata on connection errors (#961)

[aswinrajamannar]

+ Update inconsistent indentation (#962) [Andrew Kutz]

+ cc_puppet: support AIO installations and more (#960) [Gabriel Nagy]

+ Add Puppet contributors to CLA signers (#964) [Noah Fontes]

+ Datasource for VMware (#953) [Andrew Kutz]

+ photon: refactor hostname handling and add networkd activator (#958)

[sshedi]

+ Stop copying ssh system keys and check folder permissions (#956)

[Emanuele Giuseppe Esposito]

+ testing: port remaining cloud tests to integration testing framework

(SC-191) (#955)

+ generate contents for ovf-env.xml when provisioning via IMDS (#959)

[Anh Vo]

+ Add support for EuroLinux 7 && EuroLinux 8 (#957) [Aleksander Baranowski]

+ Implementing device_aliases as described in docs (#945)

[Mal Graty] (LP: #1867532)

+ testing: fix test_ssh_import_id.py (#954)

+ Add ability to manage fallback network config on PhotonOS (#941) [sshedi]

+ Add VZLinux support (#951) [eb3095]

+ VMware: add network-config support in ovf-env.xml (#947) [PengpengSun]

+ Update pylint to v2.9.3 and fix the new issues it spots (#946)

[Paride Legovini]

+ Azure: mount default provisioning iso before try device listing (#870)

[Anh Vo]

+ Document known hotplug limitations (#950)

+ Initial hotplug support (#936)

+ Fix MIME policy failure on python version upgrade (#934)

+ run-container: fixup the centos repos baseurls when using http_proxy

(#944) [Paride Legovini]

+ tools: add support for building rpms on rocky linux (#940)

+ ssh-util: allow cloudinit to merge all ssh keys into a custom user

file, defined in AuthorizedKeysFile (#937) [Emanuele Giuseppe Esposito]

(LP: #1911680)

+ VMware: new 'allow_raw_data' switch (#939) [xiaofengw-vmware]

+ bump pycloudlib version (#935)

+ add renanrodrigo as a contributor (#938) [Renan Rodrigo]

+ testing: simplify test_upgrade.py (#932)

+ freebsd/net_v1 format: read MTU from root (#930) [Gonéri Le Bouder]

+ Add new network activators to bring up interfaces (#919)

+ Detect a Python version change and clear the cache (#857)

[Robert Schweikert]

+ cloud_tests: fix the Impish release name (#931) [Paride Legovini]

+ Removed distro specific network code from Photon (#929) [sshedi]

+ Add support for VMware PhotonOS (#909) [sshedi]

+ cloud_tests: add impish release definition (#927) [Paride Legovini]

+ docs: fix stale links rename master branch to main (#926)

+ Fix DNS in NetworkState (SC-133) (#923)

+ tests: Add 'adhoc' mark for integration tests (#925)

+ Fix the spelling of 'DigitalOcean' (#924) [Mark Mercado]

+ Small Doc Update for ReportEventStack and Test (#920) [Mike Russell]

+ Replace deprecated collections.Iterable with abc replacement (#922)

(LP: #1932048)

+ testing: OCI availability domain is now required (SC-59) (#910)

+ add DragonFlyBSD support (#904) [Gonéri Le Bouder]

+ Use instance-data-sensitive.json in jinja templates (SC-117) (#917)

(LP: #1931392)

+ doc: Update NoCloud docs stating required files (#918) (LP: #1931577)

+ build-on-netbsd: don't pin a specific py3 version (#913)

[Gonéri Le Bouder]

+ Create the log file with 640 permissions (#858) [Robert Schweikert]

+ Allow braces to appear in dhclient output (#911) [eb3095]

+ Docs: Replace all freenode references with libera (#912)

+ openbsd/net: flush the route table on net restart (#908)

[Gonéri Le Bouder]

+ Add Rocky Linux support to cloud-init (#906) [Louis Abel]

+ Add 'esposem' as contributor (#907) [Emanuele Giuseppe Esposito]

+ Add integration test for #868 (#901)

+ Added support for importing keys via primary/security mirror clauses

(#882) [Paul Goins] (LP: #1925395)

+ [examples] config-user-groups expire in the future (#902)

[Geert Stappers]

+ BSD: static network, set the mtu (#894) [Gonéri Le Bouder]

+ Add integration test for lp-1920939 (#891)

+ Fix unit tests breaking from new httpretty version (#903)

+ Allow user control over update events (#834)

+ Update test characters in substitution unit test (#893)

+ cc_disk_setup.py: remove UDEVADM_CMD definition as not used (#886)

[dermotbradley]

+ Add AlmaLinux OS support (#872) [Andrew Lukoshko]

+ Still need to consider the 'network' configuration option

1177047,1180713,1198062,CVE-2022-1271

This update for gzip fixes the following issues:

- CVE-2022-1271: Fixed an incorrect escaping of malicious filenames (ZDI-CAN-16587). (bsc#1198062)

The following non-security bugs were fixed:

- Fixed an issue when 'gzexe' counts the lines to skip wrong. (bsc#1180713)

- Fixed a potential segfault when zlib acceleration is enabled (bsc#1177047)

1189562,1193738,1194943,1195051,1195254,1195353,1196018,1196114,1196433,1196468,1196488,1196514,1196639,1196761,1196830,1196836,1196942,1196973,1197227,1197331,1197366,1197391,1198031,1198032,1198033,CVE-2021-39713,CVE-2021-45868,CVE-2022-0812,CVE-2022-0850,CVE-2022-1016,CVE-2022-1048,CVE-2022-23036,CVE-2022-23037,CVE-2022-23038,CVE-2022-23039,CVE-2022-23040,CVE-2022-23041,CVE-2022-23042,CVE-2022-26490,CVE-2022-26966,CVE-2022-28356,CVE-2022-28388,CVE-2022-28389,CVE-2022-28390

The SUSE Linux Enterprise 15 SP1 kernel was updated to receive various security and bugfixes.

The following security bugs were fixed:

- CVE-2022-28356: Fixed a refcount leak bug in net/llc/af_llc.c (bnc#1197391).

- CVE-2022-1016: Fixed a vulnerability in the nf_tables component of the netfilter subsystem. This vulnerability gives an attacker a powerful primitive that can be used to both read from and write to relative stack data, which can lead to arbitrary code execution (bsc#1197227).

- CVE-2022-28388: Fixed a double free in drivers/net/can/usb/usb_8dev.c vulnerability in the Linux kernel (bnc#1198032).

- CVE-2022-28389: Fixed a double free in drivers/net/can/usb/mcba_usb.c vulnerability in the Linux kernel (bnc#1198033).

- CVE-2022-28390: Fixed a double free in drivers/net/can/usb/ems_usb.c vulnerability in the Linux kernel (bnc#1198031).

- CVE-2022-0812: Fixed an incorrect header size calculations in xprtrdma (bsc#1196639).

- CVE-2022-1048: Fixed a race Condition in snd_pcm_hw_free leading to use-after-free due to the AB/BA lock with buffer_mutex and mmap_lock (bsc#1197331).

- CVE-2022-0850: Fixed a kernel information leak vulnerability in iov_iter.c (bsc#1196761).

- CVE-2022-26966: Fixed an issue in drivers/net/usb/sr9700.c, which allowed attackers to obtain sensitive information from the memory via crafted frame lengths from a USB device (bsc#1196836).

- CVE-2021-45868: Fixed a wrong validation check in fs/quota/quota_tree.c which could lead to an use-after-free if there is a corrupted quota file (bnc#1197366).

- CVE-2021-39713: Fixed a race condition in the network scheduling subsystem which could lead to a use-after-free (bsc#1196973).

- CVE-2022-23036,CVE-2022-23037,CVE-2022-23038,CVE-2022-23039,CVE-2022-23040,CVE-2022-23041,CVE-2022-23042: Fixed multiple issues which could have lead to read/write access to memory pages or denial of service. These issues are related to the Xen PV device frontend drivers (bsc#1196488).

- CVE-2022-26490: Fixed a buffer overflow in the st21nfca driver. An attacker with adjacent NFC access could trigger crash the system or corrupt system memory (bsc#1196830).

The following non-security bugs were fixed:

- ax88179_178a: Fixed memory issues that could be triggered by malicious USB devices (bsc#1196018).

- genirq: Use rcu in kstat_irqs_usr() (bsc#1193738).

- gve/net: Fixed multiple bugfixes (jsc#SLE-23652).

- net/mlx5e: Fix page DMA map/unmap attributes (bsc#1196468).

- net: tipc: validate domain record count on input (bsc#1195254).

- powerpc: Fixed issues related to slow I/O on PowerPC (bsc#1196433).

1196939

This update for e2fsprogs fixes the following issues:

- Add support for 'libreadline7' for Leap. (bsc#1196939)

1195628,1196107

This update for gcc11 fixes the following issues:

- Add a list of Obsoletes to libstdc++6-pp-gcc11 so updates from

packages provided by older GCC work. Add a requires from that

package to the corresponding libstc++6 package to keep those

at the same version. [bsc#1196107]

- Fixed memory corruption when creating dependences with the D language frontend.

- Add gcc11-PIE, similar to gcc-PIE but affecting gcc11 [bsc#1195628]

- Put libstdc++6-pp Requires on the shared library and drop

to Recommends.

1197216,CVE-2022-27239

This update for cifs-utils fixes the following issues:

- CVE-2022-27239: Fixed a buffer overflow in the command line ip option (bsc#1197216).

1195251

This update for systemd-presets-common-SUSE fixes the following issue:

- enable vgauthd service for VMWare by default (bsc#1195251)

1193489

This update for perl fixes the following issues:

- Fix Socket::VERSION evaluation and stabilize Socket:VERSION comparisons (bsc#1193489)

1134046

This update for samba fixes the following issue:

- Adjust systemd tmpfiles.d configuration, use /run/samba instead of /var/run/samba. (bsc#1134046)

1188160,1188161,1190375,1193035,1198441,CVE-2021-31799,CVE-2021-31810,CVE-2021-32066,CVE-2021-41817,CVE-2022-28739

This update for ruby2.5 fixes the following issues:

- CVE-2022-28739: Fixed a buffer overrun in String-to-Float conversion (bsc#1198441).

- CVE-2021-41817: Fixed a regular expression denial of service in Date Parsing Methods (bsc#1193035).

- CVE-2021-32066: Fixed a StartTLS stripping vulnerability in Net:IMAP (bsc#1188160).

- CVE-2021-31810: Fixed a trusting FTP PASV responses vulnerability in Net:FTP (bsc#1188161).

- CVE-2021-31799: Fixed a command injection vulnerability in RDoc (bsc#1190375).

1029961,1120610,1130496,1181131,CVE-2018-20482,CVE-2019-9923,CVE-2021-20193

This update for tar fixes the following issues:

- CVE-2021-20193: Fixed a memory leak in read_header() in list.c (bsc#1181131).

- CVE-2019-9923: Fixed a null-pointer dereference in pax_decode_header in sparse.c (bsc#1130496).

- CVE-2018-20482: Fixed infinite read loop in sparse_dump_region in sparse.c (bsc#1120610).

- Update to GNU tar 1.34:

* Fix extraction over pipe

* Fix memory leak in read_header (CVE-2021-20193) (bsc#1181131)

* Fix extraction when . and .. are unreadable

* Gracefully handle duplicate symlinks when extracting

* Re-initialize supplementary groups when switching to user

privileges

- Update to GNU tar 1.33:

* POSIX extended format headers do not include PID by default

* --delay-directory-restore works for archives with reversed

member ordering

* Fix extraction of a symbolic link hardlinked to another

symbolic link

* Wildcards in exclude-vcs-ignore mode don't match slash

* Fix the --no-overwrite-dir option

* Fix handling of chained renames in incremental backups

* Link counting works for file names supplied with -T

* Accept only position-sensitive (file-selection) options in file

list files

- prepare usrmerge (bsc#1029961)

- Update to GNU 1.32

* Fix the use of --checkpoint without explicit --checkpoint-action

* Fix extraction with the -U option

* Fix iconv usage on BSD-based systems

* Fix possible NULL dereference (savannah bug #55369)

[bsc#1130496] [CVE-2019-9923]

* Improve the testsuite

- Update to GNU 1.31

* Fix heap-buffer-overrun with --one-top-level, bug introduced

with the addition of that option in 1.28

* Support for zstd compression

* New option '--zstd' instructs tar to use zstd as compression

program. When listing, extractng and comparing, zstd compressed

archives are recognized automatically. When '-a' option is in

effect, zstd compression is selected if the destination archive

name ends in '.zst' or '.tzst'.

* The -K option interacts properly with member names given in the

command line. Names of members to extract can be specified along

with the '-K NAME' option. In this case, tar will extract NAME

and those of named members that appear in the archive after it,

which is consistent with the semantics of the option. Previous

versions of tar extracted NAME, those of named members that

appeared before it, and everything after it.

* Fix CVE-2018-20482 - When creating archives with the --sparse

option, previous versions of tar would loop endlessly if a

sparse file had been truncated while being archived.

1188867

This update for xkeyboard-config fixes the following issues:

- Add French standardized AZERTY layout (AFNOR: NF Z71-300) (bsc#1188867)

1197794

This update for pam fixes the following issue:

- Do not include obsolete header files (bsc#1197794)

1197771

This update for libpsl fixes the following issues:

- Fix libpsl compilation issues (bsc#1197771)

1189517,1195115

This update for cups fixes the following issues:

- CUPS printservice takes much longer than before with a big number of printers (bsc#1189517)

- CUPS PreserveJobHistory doesn't work with seconds (bsc#1195115)

CVE-2022-1271

This update for gzip fixes the following issues:

- CVE-2022-1271: Add hardening for zgrep. (bsc#1198062)

1198446,CVE-2022-1304

This update for e2fsprogs fixes the following issues:

- CVE-2022-1304: Fixed out-of-bounds read/write leading to segmentation fault

and possibly arbitrary code execution. (bsc#1198446)

1193930,1196441,1197284,1197517,CVE-2021-43565,CVE-2022-23648,CVE-2022-24769,CVE-2022-27191

This update for containerd, docker fixes the following issues:

- CVE-2022-24769: Fixed incorrect default inheritable capabilities (bsc#1197517).

- CVE-2022-23648: Fixed directory traversal issue (bsc#1196441).

- CVE-2022-27191: Fixed a crash in a golang.org/x/crypto/ssh server (bsc#1197284).

- CVE-2021-43565: Fixed a panic in golang.org/x/crypto by empty plaintext packet (bsc#1193930).

1197443

This update for augeas fixes the following issue:

- Sysctl keys can contain some more non-alphanumeric characters. (bsc#1197443)

1196490,1199132,CVE-2022-23308,CVE-2022-29824

This update for libxml2 fixes the following issues:

- CVE-2022-23308: Fixed a use-after-free of ID and IDREF attributes (bsc#1196490).

- CVE-2022-29824: Fixed integer overflow that could have led to an out-of-bounds write in buf.c (xmlBuf*) and tree.c (xmlBuffer*) (bsc#1199132).

1199061,CVE-2022-24903

This update for rsyslog fixes the following issues:

- CVE-2022-24903: Fixed potential heap buffer overflow in modules for TCP syslog reception (bsc#1199061).

1198657

This update for dhcp fixes the following issues:

- Properly handle DHCRELAY(6)_OPTIONS (bsc#1198657)

1191157,1197004,1199240,CVE-2022-29155

This update for openldap2 fixes the following issues:

Security:

- CVE-2022-29155: Fixed SQL injection in back-sql (bsc#1199240).

Bugfixes:

- allow specification of max/min TLS version with TLS1.3 (bsc#1191157)

- libldap was able to be out of step with openldap in some cases which could cause incorrect installations and symbol

resolution failures. openldap2 and libldap now are locked to their related release versions. (bsc#1197004)

- restore CLDAP functionality in CLI tools (jsc#PM-3288)

1198504

This update for suse-build-key fixes the following issues:

- still ship the old ptf key in the documentation directory (bsc#1198504)

1199474,CVE-2022-26691

This update for cups fixes the following issues:

- CVE-2022-26691: Fixed an authentication bypass and code execution vulnerability (bsc#1199474)

1199232,CVE-2022-1586

This update for pcre2 fixes the following issues:

- CVE-2022-1586: Fixed out-of-bounds read via missing Unicode property matching issue in JIT compiled regular expressions (bsc#1199232).

1040589

This update for grep fixes the following issues:

- Make profiling deterministic. (bsc#1040589, SLE-24115)

1186571,1186823

This update for btrfsprogs fixes the following issues:

- Ignore path devices when enumerating multipath device. (bsc#1186823)

- Prevention 32bit overflow in btrfs-convert. (bsc#1186571)

1192951,1193659,1195283,1196861,1197065

This update for gcc11 fixes the following issues:

Update to the GCC 11.3.0 release.

* includes SLS hardening backport on x86_64. [bsc#1195283]

* includes change to adjust gnats idea of the target, fixing the build of gprbuild. [bsc#1196861]

* fixed miscompile of embedded premake in 0ad on i586. [bsc#1197065]

* use --with-cpu rather than specifying --with-arch/--with-tune

* Fix D memory corruption in -M output.

* Fix ICE in is_this_parameter with coroutines. [bsc#1193659]

* fixes issue with debug dumping together with -o /dev/null

* fixes libgccjit issue showing up in emacs build [bsc#1192951]

* Package mwaitintrin.h

1191184,1191185,1191186,1193282,1198460,1198493,1198496,1198581,CVE-2021-3695,CVE-2021-3696,CVE-2021-3697,CVE-2022-28733,CVE-2022-28734,CVE-2022-28736

This update for grub2 fixes the following issues:

Security fixes and hardenings for Boothole 3 / Boothole 2022 (bsc#1198581)

- CVE-2021-3695: Fixed that a crafted PNG grayscale image could lead to out-of-bounds write in heap (bsc#1191184)

- CVE-2021-3696: Fixed that a crafted PNG image could lead to out-of-bound write during huffman table handling (bsc#1191185)

- CVE-2021-3697: Fixed that a crafted JPEG image could lead to buffer underflow write in the heap (bsc#1191186)

- CVE-2022-28733: Fixed fragmentation math in net/ip (bsc#1198460)

- CVE-2022-28734: Fixed an out-of-bound write for split http headers (bsc#1198493)

- CVE-2022-28736: Fixed a use-after-free in chainloader command (bsc#1198496)

- Update SBAT security contact (bsc#1193282)

- Bump grub's SBAT generation to 2

1185637,1199166,CVE-2022-1292

This update for openssl-1_1 fixes the following issues:

- CVE-2022-1292: Fixed command injection in c_rehash (bsc#1199166).

1070955,1191770,1192167,1192902,1192903,1192904,1193466,1193905,1194093,1194216,1194217,1194388,1194872,1194885,1195004,1195203,1195332,1195354,1196361,1198596,1198748,1199331,1199333,1199334,1199651,1199655,1199693,1199745,1199747,1199936,1200010,1200011,1200012,CVE-2017-17087,CVE-2021-3778,CVE-2021-3796,CVE-2021-3872,CVE-2021-3875,CVE-2021-3903,CVE-2021-3927,CVE-2021-3928,CVE-2021-3968,CVE-2021-3973,CVE-2021-3974,CVE-2021-3984,CVE-2021-4019,CVE-2021-4069,CVE-2021-4136,CVE-2021-4166,CVE-2021-4192,CVE-2021-4193,CVE-2021-46059,CVE-2022-0128,CVE-2022-0213,CVE-2022-0261,CVE-2022-0318,CVE-2022-0319,CVE-2022-0351,CVE-2022-0359,CVE-2022-0361,CVE-2022-0392,CVE-2022-0407,CVE-2022-0413,CVE-2022-0696,CVE-2022-1381,CVE-2022-1420,CVE-2022-1616,CVE-2022-1619,CVE-2022-1620,CVE-2022-1733,CVE-2022-1735,CVE-2022-1771,CVE-2022-1785,CVE-2022-1796,CVE-2022-1851,CVE-2022-1897,CVE-2022-1898,CVE-2022-1927

This update for vim fixes the following issues:

- CVE-2017-17087: Fixed information leak via .swp files (bsc#1070955).

- CVE-2021-3875: Fixed heap-based buffer overflow (bsc#1191770).

- CVE-2021-3903: Fixed heap-based buffer overflow (bsc#1192167).

- CVE-2021-3968: Fixed heap-based buffer overflow (bsc#1192902).

- CVE-2021-3973: Fixed heap-based buffer overflow (bsc#1192903).

- CVE-2021-3974: Fixed use-after-free (bsc#1192904).

- CVE-2021-4069: Fixed use-after-free in ex_open()in src/ex_docmd.c (bsc#1193466).

- CVE-2021-4136: Fixed heap-based buffer overflow (bsc#1193905).

- CVE-2021-4166: Fixed out-of-bounds read (bsc#1194093).

- CVE-2021-4192: Fixed use-after-free (bsc#1194217).

- CVE-2021-4193: Fixed out-of-bounds read (bsc#1194216).

- CVE-2022-0128: Fixed out-of-bounds read (bsc#1194388).

- CVE-2022-0213: Fixed heap-based buffer overflow (bsc#1194885).

- CVE-2022-0261: Fixed heap-based buffer overflow (bsc#1194872).

- CVE-2022-0318: Fixed heap-based buffer overflow (bsc#1195004).

- CVE-2022-0359: Fixed heap-based buffer overflow in init_ccline() in ex_getln.c (bsc#1195203).

- CVE-2022-0392: Fixed heap-based buffer overflow (bsc#1195332).

- CVE-2022-0407: Fixed heap-based buffer overflow (bsc#1195354).

- CVE-2022-0696: Fixed NULL pointer dereference (bsc#1196361).

- CVE-2022-1381: Fixed global heap buffer overflow in skip_range (bsc#1198596).

- CVE-2022-1420: Fixed out-of-range pointer offset (bsc#1198748).

- CVE-2022-1616: Fixed use-after-free in append_command (bsc#1199331).

- CVE-2022-1619: Fixed heap-based Buffer Overflow in function cmdline_erase_chars (bsc#1199333).

- CVE-2022-1620: Fixed NULL pointer dereference in function vim_regexec_string (bsc#1199334).

- CVE-2022-1733: Fixed heap-based buffer overflow in cindent.c (bsc#1199655).

- CVE-2022-1735: Fixed heap-based buffer overflow (bsc#1199651).

- CVE-2022-1771: Fixed stack exhaustion (bsc#1199693).

- CVE-2022-1785: Fixed out-of-bounds write (bsc#1199745).

- CVE-2022-1796: Fixed use-after-free in find_pattern_in_path (bsc#1199747).

- CVE-2022-1851: Fixed out-of-bounds read (bsc#1199936).

- CVE-2022-1897: Fixed out-of-bounds write (bsc#1200010).

- CVE-2022-1898: Fixed use-after-free (bsc#1200011).

- CVE-2022-1927: Fixed buffer over-read (bsc#1200012).

1028340,1055710,1065729,1071995,1084513,1087082,1114648,1158266,1172456,1177282,1182171,1183723,1187055,1191647,1191958,1195065,1195651,1196018,1196367,1196426,1196999,1197219,1197343,1197663,1198400,1198516,1198577,1198660,1198687,1198742,1198777,1198825,1199012,1199063,1199314,1199399,1199426,1199505,1199507,1199605,1199650,1200143,1200144,1200249,CVE-2017-13695,CVE-2018-7755,CVE-2019-19377,CVE-2019-20811,CVE-2020-26541,CVE-2021-20292,CVE-2021-20321,CVE-2021-33061,CVE-2021-38208,CVE-2021-39711,CVE-2021-43389,CVE-2022-1011,CVE-2022-1184,CVE-2022-1353,CVE-2022-1419,CVE-2022-1516,CVE-2022-1652,CVE-2022-1729,CVE-2022-1734,CVE-2022-1974,CVE-2022-1975,CVE-2022-21123,CVE-2022-21125,CVE-2022-21127,CVE-2022-21166,CVE-2022-21180,CVE-2022-21499,CVE-2022-22942,CVE-2022-28748,CVE-2022-30594

The SUSE Linux Enterprise 15 SP1 kernel was updated.

The following security bugs were fixed:

- CVE-2022-21127: Fixed a stale MMIO data transient which can be exploited to speculatively/transiently disclose information via spectre like attacks. (bsc#1199650)

- CVE-2022-21123: Fixed a stale MMIO data transient which can be exploited to speculatively/transiently disclose information via spectre like attacks. (bsc#1199650)

- CVE-2022-21125: Fixed a stale MMIO data transient which can be exploited to speculatively/transiently disclose information via spectre like attacks. (bsc#1199650)

- CVE-2022-21180: Fixed a stale MMIO data transient which can be exploited to speculatively/transiently disclose information via spectre like attacks. (bsc#1199650)

- CVE-2022-21166: Fixed a stale MMIO data transient which can be exploited to speculatively/transiently disclose information via spectre like attacks. (bsc#1199650)

- CVE-2019-19377: Fixed an user-after-free that could be triggered when an attacker mounts a crafted btrfs filesystem image. (bnc#1158266)

- CVE-2022-1184: Fixed an use-after-free and memory errors in ext4 when mounting and operating on a corrupted image. (bsc#1198577)

- CVE-2017-13695: Fixed a bug that caused a stack dump allowing local users to obtain sensitive information from kernel memory and bypass the KASLR protection mechanism via a crafted ACPI table. (bnc#1055710)

- CVE-2022-1729: Fixed a sys_perf_event_open() race condition against self (bsc#1199507).

- CVE-2022-1652: Fixed a statically allocated error counter inside the floppy kernel module (bsc#1199063).

- CVE-2021-39711: In bpf_prog_test_run_skb of test_run.c, there is a possible out of bounds read due to Incorrect Size Value. This could lead to local information disclosure with System execution privileges needed. User interaction is not needed for exploitation (bnc#1197219).

- CVE-2022-30594: Fixed restriction bypass on setting the PT_SUSPEND_SECCOMP flag (bnc#1199505).

- CVE-2021-33061: Fixed insufficient control flow management for the Intel(R) 82599 Ethernet Controllers and Adapters that may have allowed an authenticated user to potentially enable denial of service via local access (bnc#1196426).

- CVE-2022-1516: Fixed null-ptr-deref caused by x25_disconnect (bsc#1199012).

- CVE-2021-20321: Fixed a race condition accessing file object in the OverlayFS subsystem in the way users do rename in specific way with OverlayFS. A local user could have used this flaw to crash the system (bnc#1191647).

- CVE-2019-20811: Fixed issue in rx_queue_add_kobject() and netdev_queue_add_kobject() in net/core/net-sysfs.c, where a reference count is mishandled (bnc#1172456).

- CVE-2022-28748: Fixed memory lead over the network by ax88179_178a devices (bsc#1196018).

- CVE-2018-7755: Fixed an issue in the fd_locked_ioctl function in drivers/block/floppy.c. The floppy driver will copy a kernel pointer to user memory in response to the FDGETPRM ioctl. An attacker can send the FDGETPRM ioctl and use the obtained kernel pointer to discover the location of kernel code and data and bypass kernel security protections such as KASLR (bnc#1084513).

- CVE-2022-22942: Fixed stale file descriptors on failed usercopy (bsc#1195065).

- CVE-2022-1419: Fixed a concurrency use-after-free in vgem_gem_dumb_create (bsc#1198742).

- CVE-2021-43389: Fixed an array-index-out-of-bounds flaw in the detach_capi_ctr function in drivers/isdn/capi/kcapi.c (bnc#1191958).

- CVE-2021-38208: Fixed a denial of service (NULL pointer dereference and BUG) by making a getsockname call after a certain type of failure of a bind call (bnc#1187055).

- CVE-2022-1353: Fixed access controll to kernel memory in the pfkey_register function in net/key/af_key.c (bnc#1198516).

- CVE-2021-20292: Fixed object validation prior to performing operations on the object in nouveau_sgdma_create_ttm in Nouveau DRM subsystem (bnc#1183723).

- CVE-2022-1011: Fixed an use-after-free vulnerability which could allow a local attacker to retireve (partial) /etc/shadow hashes or any other data from filesystem when he can mount a FUSE filesystems. (bnc#1197343)

- CVE-2022-1974: Fixed an use-after-free that could causes kernel crash by simulating an nfc device from user-space. (bsc#1200144).

- CVE-2020-26541: Enforce the secure boot forbidden signature database (aka dbx) protection mechanism. (bnc#1177282)

- CVE-2022-1975: Fixed a bug that allows an attacker to crash the linux kernel by simulating nfc device from user-space. (bsc#1200143)

- CVE-2022-21499: Reinforce the kernel lockdown feature, until now it's been trivial to break out of it with kgdb or kdb. (bsc#1199426)

- CVE-2022-1734: Fixed a r/w use-after-free when non synchronized between cleanup routine and firmware download routine. (bnc#1199605).

The following non-security bugs were fixed:

- btrfs: relocation: Only remove reloc rb_trees if reloc control has been initialized (bsc#1199399).

- btrfs: tree-checker: fix incorrect printk format (bsc#1200249).

- net: ena: A typo fix in the file ena_com.h (bsc#1198777).

- net: ena: Add capabilities field with support for ENI stats capability (bsc#1198777).

- net: ena: Add debug prints for invalid req_id resets (bsc#1198777).

- net: ena: add device distinct log prefix to files (bsc#1198777).

- net: ena: add jiffies of last napi call to stats (bsc#1198777).

- net: ena: aggregate doorbell common operations into a function (bsc#1198777).

- net: ena: aggregate stats increase into a function (bsc#1198777).

- net: ena: Change ENI stats support check to use capabilities field (bsc#1198777).

- net: ena: Change return value of ena_calc_io_queue_size() to void (bsc#1198777).

- net: ena: Change the name of bad_csum variable (bsc#1198777).

- net: ena: Extract recurring driver reset code into a function (bsc#1198777).

- net: ena: fix coding style nits (bsc#1198777).

- net: ena: fix DMA mapping function issues in XDP (bsc#1198777).

- net: ena: Fix error handling when calculating max IO queues number (bsc#1198777).

- net: ena: fix inaccurate print type (bsc#1198777).

- net: ena: Fix undefined state when tx request id is out of bounds (bsc#1198777).

- net: ena: Fix wrong rx request id by resetting device (bsc#1198777).

- net: ena: Improve error logging in driver (bsc#1198777).

- net: ena: introduce ndo_xdp_xmit() function for XDP_REDIRECT (bsc#1198777).

- net: ena: introduce XDP redirect implementation (bsc#1198777).

- net: ena: make symbol 'ena_alloc_map_page' static (bsc#1198777).

- net: ena: Move reset completion print to the reset function (bsc#1198777).

- net: ena: optimize data access in fast-path code (bsc#1198777).

- net: ena: re-organize code to improve readability (bsc#1198777).

- net: ena: Remove ena_calc_queue_size_ctx struct (bsc#1198777).

- net: ena: remove extra words from comments (bsc#1198777).

- net: ena: Remove module param and change message severity (bsc#1198777).

- net: ena: Remove rcu_read_lock() around XDP program invocation (bsc#1198777).

- net: ena: Remove redundant return code check (bsc#1198777).

- net: ena: Remove unused code (bsc#1198777).

- net: ena: store values in their appropriate variables types (bsc#1198777).

- net: ena: Update XDP verdict upon failure (bsc#1198777).

- net: ena: use build_skb() in RX path (bsc#1198777).

- net: ena: use constant value for net_device allocation (bsc#1198777).

- net: ena: Use dev_alloc() in RX buffer allocation (bsc#1198777).

- net: ena: Use pci_sriov_configure_simple() to enable VFs (bsc#1198777).

- net: ena: use xdp_frame in XDP TX flow (bsc#1198777).

- net: ena: use xdp_return_frame() to free xdp frames (bsc#1198777).

- net: mana: Add counter for packet dropped by XDP (bsc#1195651).

- net: mana: Add counter for XDP_TX (bsc#1195651).

- net: mana: Add handling of CQE_RX_TRUNCATED (bsc#1195651).

- net: mana: Remove unnecessary check of cqe_type in mana_process_rx_cqe() (bsc#1195651).

- net: mana: Reuse XDP dropped page (bsc#1195651).

- net: mana: Use struct_size() helper in mana_gd_create_dma_region() (bsc#1195651).

- PCI: hv: Do not set PCI_COMMAND_MEMORY to reduce VM boot time (bsc#1199314).

- powerpc/64: Fix kernel stack 16-byte alignment (bsc#1196999 ltc#196609S git-fixes).

- powerpc/64: Interrupts save PPR on stack rather than thread_struct (bsc#1196999 ltc#196609).

- powerpc/pseries: extract host bridge from pci_bus prior to bus removal (bsc#1182171 ltc#190900 bsc#1198660 ltc#197803).

- powerpc/pseries: Fix use after free in remove_phb_dynamic() (bsc#1065729 bsc#1198660 ltc#197803).

- scsi: scsi_dh_alua: Avoid crash during alua_bus_detach() (bsc#1028340 bsc#1198825).

- SUNRPC: change locking for xs_swap_enable/disable (bsc#1196367).

- x86/pm: Save the MSR validity status at context setup (bsc#1114648).

- x86/speculation: Restore speculation related MSRs during S3 resume (bsc#1114648).

1197423,1197425,1197426,1199965,1199966,CVE-2022-26356,CVE-2022-26357,CVE-2022-26358,CVE-2022-26359,CVE-2022-26360,CVE-2022-26361,CVE-2022-26362,CVE-2022-26363,CVE-2022-26364

This update for xen fixes the following issues:

- CVE-2022-26356: Fixed potential race conditions in dirty memory tracking that

could cause a denial of service in the host (bsc#1197423).

- CVE-2022-26357: Fixed a potential race condition in memory cleanup for hosts

using VT-d IOMMU hardware, which could lead to a denial of service in the host

(bsc#1197425).

- CVE-2022-26358,CVE-2022-26359,CVE-2022-26360,CVE-2022-26361: Fixed various memory

corruption issues for hosts using VT-d or AMD-Vi IOMMU hardware. These could be

leveraged by an attacker to cause a denial of service in the host (bsc#1197426).

- CVE-2022-26362: Fixed race condition in typeref acquisition (bsc#1199965)

- CVE-2022-26363, CVE-2022-26364: Fixed insufficient care with non-coherent mappings (bsc#1199966)

1200550,CVE-2022-2068

This update for openssl fixes the following issues:

- CVE-2022-2068: Fixed more shell code injection issues in c_rehash. (bsc#1200550)

1201099,CVE-2022-2097

This update for openssl-1_1 fixes the following issues:

- CVE-2022-2097: Fixed partial missing encryption in AES OCB mode (bsc#1201099).

This update for systemd-presets-branding-SLE fixes the following issues:

- Enable suseconnect-keepalive.timer for SUSEConnect (jsc#SLE-23312)

1192051,1199460,1199565,1200088,1200145,CVE-2022-29162,CVE-2022-31030

This update for containerd, docker and runc fixes the following issues:

containerd:

- CVE-2022-31030: Fixed denial of service via invocation of the ExecSync API (bsc#1200145)

docker:

- Update to Docker 20.10.17-ce. See upstream changelog online at

https://docs.docker.com/engine/release-notes/#201017. (bsc#1200145)

runc:

Update to runc v1.1.3.

Upstream changelog is available from https://github.com/opencontainers/runc/releases/tag/v1.1.3.

* Our seccomp `-ENOSYS` stub now correctly handles multiplexed syscalls on

s390 and s390x. This solves the issue where syscalls the host kernel did not

support would return `-EPERM` despite the existence of the `-ENOSYS` stub

code (this was due to how s390x does syscall multiplexing).

* Retry on dbus disconnect logic in libcontainer/cgroups/systemd now works as

intended; this fix does not affect runc binary itself but is important for

libcontainer users such as Kubernetes.

* Inability to compile with recent clang due to an issue with duplicate

constants in libseccomp-golang.

* When using systemd cgroup driver, skip adding device paths that don't exist,

to stop systemd from emitting warnings about those paths.

* Socket activation was failing when more than 3 sockets were used.

* Various CI fixes.

* Allow to bind mount /proc/sys/kernel/ns_last_pid to inside container.

- Fixed issues with newer syscalls (namely faccessat2) on older kernels on s390(x) caused by

that platform's syscall multiplexing semantics. (bsc#1192051 bsc#1199565)

Update to runc v1.1.2.

Upstream changelog is available from https://github.com/opencontainers/runc/releases/tag/v1.1.2.

Security issue fixed:

- CVE-2022-29162: A bug was found in runc where runc exec --cap executed processes with

non-empty inheritable Linux process capabilities, creating an atypical Linux

environment. (bsc#1199460)

- `runc spec` no longer sets any inheritable capabilities in the created

example OCI spec (`config.json`) file.

Update to runc v1.1.1.

Upstream changelog is available from https://github.com/opencontainers/runc/releases/tag/v1.1.1.

* runc run/start can now run a container with read-only /dev in OCI spec,

rather than error out. (#3355)

* runc exec now ensures that --cgroup argument is a sub-cgroup. (#3403)

libcontainer systemd v2 manager no longer errors out if one of the files

listed in /sys/kernel/cgroup/delegate do not exist in container's

cgroup. (#3387, #3404)

* Loosen OCI spec validation to avoid bogus 'Intel RDT is not supported'

error. (#3406)

* libcontainer/cgroups no longer panics in cgroup v1 managers if stat

of /sys/fs/cgroup/unified returns an error other than ENOENT. (#3435)

Update to runc v1.1.0.

Upstream changelog is available from https://github.com/opencontainers/runc/releases/tag/v1.1.0.

- libcontainer will now refuse to build without the nsenter package being

correctly compiled (specifically this requires CGO to be enabled). This

should avoid folks accidentally creating broken runc binaries (and

incorrectly importing our internal libraries into their projects). (#3331)

Update to runc v1.1.0~rc1.

Upstream changelog is available from https://github.com/opencontainers/runc/releases/tag/v1.1.0-rc.1.

+ Add support for RDMA cgroup added in Linux 4.11.

* runc exec now produces exit code of 255 when the exec failed.

This may help in distinguishing between runc exec failures

(such as invalid options, non-running container or non-existent

binary etc.) and failures of the command being executed.

+ runc run: new --keep option to skip removal exited containers artefacts.

This might be useful to check the state (e.g. of cgroup controllers) after

the container hasexited.

+ seccomp: add support for SCMP_ACT_KILL_PROCESS and SCMP_ACT_KILL_THREAD

(the latter is just an alias for SCMP_ACT_KILL).

+ seccomp: add support for SCMP_ACT_NOTIFY (seccomp actions). This allows

users to create sophisticated seccomp filters where syscalls can be

efficiently emulated by privileged processes on the host.

+ checkpoint/restore: add an option (--lsm-mount-context) to set

a different LSM mount context on restore.

+ intelrdt: support ClosID parameter.

+ runc exec --cgroup: an option to specify a (non-top) in-container cgroup

to use for the process being executed.

+ cgroup v1 controllers now support hybrid hierarchy (i.e. when on a cgroup v1

machine a cgroup2 filesystem is mounted to /sys/fs/cgroup/unified, runc

run/exec now adds the container to the appropriate cgroup under it).

+ sysctl: allow slashes in sysctl names, to better match sysctl(8)'s

behaviour.

+ mounts: add support for bind-mounts which are inaccessible after switching

the user namespace. Note that this does not permit the container any

additional access to the host filesystem, it simply allows containers to

have bind-mounts configured for paths the user can access but have

restrictive access control settings for other users.

+ Add support for recursive mount attributes using mount_setattr(2). These

have the same names as the proposed mount(8) options -- just prepend r

to the option name (such as rro).

+ Add runc features subcommand to allow runc users to detect what features

runc has been built with. This includes critical information such as

supported mount flags, hook names, and so on. Note that the output of this

command is subject to change and will not be considered stable until runc

1.2 at the earliest. The runtime-spec specification for this feature is

being developed in opencontainers/runtime-spec#1130.

* system: improve performance of /proc/$pid/stat parsing.

* cgroup2: when /sys/fs/cgroup is configured as a read-write mount, change

the ownership of certain cgroup control files (as per

/sys/kernel/cgroup/delegate) to allow for proper deferral to the container

process.

* runc checkpoint/restore: fixed for containers with an external bind mount

which destination is a symlink.

* cgroup: improve openat2 handling for cgroup directory handle hardening.

runc delete -f now succeeds (rather than timing out) on a paused

container.

* runc run/start/exec now refuses a frozen cgroup (paused container in case of

exec). Users can disable this using --ignore-paused.

- Update version data embedded in binary to correctly include the git commit of the release.

1186819,1190566,1192249,1193179,1198511,CVE-2015-20107,CVE-2021-3572

This update for python3 fixes the following issues:

Security issues fixed:

- CVE-2021-3572: Update bundled pip wheel to the latest SLE version (bsc#1186819)

- CVE-2015-20107: avoid command injection in the mailcap module (bsc#1198511).

Other bugs fixed:

- Remove shebangs from from python-base libraries in _libdir

(bsc#1193179, bsc#1192249).

1199232,CVE-2022-1586

This update for pcre fixes the following issues:

- CVE-2022-1586: Fixed unicode property matching issue. (bsc#1199232)

1003872,1175102,1178219,1199453

This update for dracut fixes the following issues:

- Fixed for adding timeout to umount calls. (bsc#1178219)

- Fixed setup errors in net-lib.sh due to premature did-setup in ifup.sh (bsc#1175102)

- Fix kernel name parsing in purge-kernels script (bsc#1199453)

- Fix nfsroot option parsing to avoid 'dracut' creating faulty default command line argument. (bsc#1003872)

1199756,CVE-2022-29217

This update for python-PyJWT fixes the following issues:

- CVE-2022-29217: Fixed key confusion through non-blocklisted public key format (bsc#1199756).

1180065,CVE-2020-29362

This update for p11-kit fixes the following issues:

- CVE-2020-29362: Fixed a 4 byte overread in p11_rpc_buffer_get_byte_array which could lead to crashes (bsc#1180065)

1194013,1196901,1199487,1199657,1200571,1200599,1200604,1200605,1200608,1200619,1200692,1200762,1201050,1201080,1201251,CVE-2021-26341,CVE-2021-4157,CVE-2022-1679,CVE-2022-20132,CVE-2022-20141,CVE-2022-20154,CVE-2022-2318,CVE-2022-26365,CVE-2022-29900,CVE-2022-29901,CVE-2022-33740,CVE-2022-33741,CVE-2022-33742,CVE-2022-33981

The SUSE Linux Enterprise 15 SP1 kernel was updated to receive various security and bugfixes.

The following security bugs were fixed:

- CVE-2022-29900, CVE-2022-29901: Fixed the RETBLEED attack, a new Spectre like Branch Target Buffer attack, that can leak arbitrary kernel information (bsc#1199657).

- CVE-2022-1679: Fixed a use-after-free in the Atheros wireless driver in the way a user forces the ath9k_htc_wait_for_target function to fail with some input messages (bsc#1199487).

- CVE-2022-20132: Fixed out of bounds read due to improper input validation in lg_probe and related functions of hid-lg.c (bsc#1200619).

- CVE-2022-33981: Fixed use-after-free in floppy driver (bsc#1200692)

- CVE-2022-20141: Fixed a possible use after free due to improper locking in ip_check_mc_rcu() (bsc#1200604).

- CVE-2021-4157: Fixed an out of memory bounds write flaw in the NFS subsystem, related to the replication of files with NFS. A user could potentially crash the system or escalate privileges on the system (bsc#1194013).

- CVE-2022-20154: Fixed a use after free due to a race condition in lock_sock_nested of sock.c. This could lead to local escalation of privilege with System execution privileges needed (bsc#1200599).

- CVE-2022-2318: Fixed a use-after-free vulnerabilities in the timer handler in net/rose/rose_timer.c that allow attackers to crash the system without any privileges (bsc#1201251).

- CVE-2022-26365, CVE-2022-33740, CVE-2022-33741, CVE-2022-33742: Fixed multiple potential data leaks with Block and Network devices when using untrusted backends (bsc#1200762).

- CVE-2021-26341: Some AMD CPUs may transiently execute beyond unconditional direct branches, which may potentially result in data leakage (bsc#1201050).

The following non-security bugs were fixed:

- exec: Force single empty string when argv is empty (bsc#1200571).

The following package changes have been done:

- aaa_base-84.87+git20180409.04c9dae-3.57.1 updated

- bind-utils-9.16.6-150000.12.60.1 updated

- btrfsprogs-udev-rules-4.19.1-150100.8.11.1 updated

- btrfsprogs-4.19.1-150100.8.11.1 updated

- cifs-utils-6.9-150100.5.15.1 updated

- cloud-init-config-suse-21.4-150100.8.58.1 updated

- cloud-init-21.4-150100.8.58.1 updated

- containerd-ctr-1.6.6-150000.73.2 updated

- containerd-1.6.6-150000.73.2 updated

- coreutils-8.29-4.3.1 updated

- cups-config-2.2.7-150000.3.32.1 updated

- dhcp-client-4.3.6.P1-150000.6.14.1 updated

- dhcp-4.3.6.P1-150000.6.14.1 updated

- docker-20.10.17_ce-150000.166.1 updated

- dracut-044.2-150000.18.79.2 updated

- e2fsprogs-1.43.8-150000.4.33.1 updated

- filesystem-15.0-11.8.1 updated

- glibc-locale-base-2.26-13.65.1 updated

- glibc-locale-2.26-13.65.1 updated

- glibc-2.26-13.65.1 updated

- grep-3.1-150000.4.6.1 updated

- grub2-i386-pc-2.02-150100.123.12.2 updated

- grub2-x86_64-efi-2.02-150100.123.12.2 updated

- grub2-x86_64-xen-2.02-150100.123.12.2 updated

- grub2-2.02-150100.123.12.2 updated

- gzip-1.10-150000.4.15.1 updated

- kernel-default-4.12.14-150100.197.117.1 updated

- libaugeas0-1.10.1-150000.3.12.1 updated

- libavahi-client3-0.7-3.18.1 updated

- libavahi-common3-0.7-3.18.1 updated

- libbind9-1600-9.16.6-150000.12.60.1 updated

- libblkid1-2.33.2-150100.4.21.1 updated

- libcom_err2-1.43.8-150000.4.33.1 updated

- libcups2-2.2.7-150000.3.32.1 updated

- libdcerpc-binding0-4.9.5+git.487.9b5717b962b-150100.3.67.2 updated

- libdcerpc0-4.9.5+git.487.9b5717b962b-150100.3.67.2 updated

- libdns1605-9.16.6-150000.12.60.1 updated

- libexpat1-2.2.5-3.19.1 updated

- libext2fs2-1.43.8-150000.4.33.1 updated

- libfdisk1-2.33.2-150100.4.21.1 updated

- libfreebl3-3.68.3-150000.3.67.1 updated

- libgcc_s1-11.3.0+git1637-150000.1.9.1 updated

- libirs1601-9.16.6-150000.12.60.1 updated

- libisc1606-9.16.6-150000.12.60.1 updated

- libisccc1600-9.16.6-150000.12.60.1 updated

- libisccfg1600-9.16.6-150000.12.60.1 updated

- libldap-2_4-2-2.4.46-150000.9.71.1 updated

- libldap-data-2.4.46-150000.9.71.1 updated

- liblzma5-5.2.3-150000.4.7.1 updated

- libmount1-2.33.2-150100.4.21.1 updated

- libndr-krb5pac0-4.9.5+git.487.9b5717b962b-150100.3.67.2 updated

- libndr-nbt0-4.9.5+git.487.9b5717b962b-150100.3.67.2 updated

- libndr-standard0-4.9.5+git.487.9b5717b962b-150100.3.67.2 updated

- libndr0-4.9.5+git.487.9b5717b962b-150100.3.67.2 updated

- libnetapi0-4.9.5+git.487.9b5717b962b-150100.3.67.2 updated

- libns1604-9.16.6-150000.12.60.1 updated

- libopenssl1_1-1.1.0i-150100.14.36.1 updated

- libp11-kit0-0.23.2-150000.4.16.1 updated

- libpcre1-8.45-150000.20.13.1 updated

- libpcre2-8-0-10.31-150000.3.7.1 updated

- libprocps7-3.3.15-7.22.1 updated

- libprotobuf-lite15-3.5.0-5.5.1 updated

- libpsl5-0.20.1-150000.3.3.1 updated

- libpython3_6m1_0-3.6.15-150000.3.106.1 updated

- libruby2_5-2_5-2.5.9-150000.4.23.1 updated

- libsamba-credentials0-4.9.5+git.487.9b5717b962b-150100.3.67.2 updated

- libsamba-errors0-4.9.5+git.487.9b5717b962b-150100.3.67.2 updated

- libsamba-hostconfig0-4.9.5+git.487.9b5717b962b-150100.3.67.2 updated

- libsamba-passdb0-4.9.5+git.487.9b5717b962b-150100.3.67.2 updated

- libsamba-util0-4.9.5+git.487.9b5717b962b-150100.3.67.2 updated

- libsamdb0-4.9.5+git.487.9b5717b962b-150100.3.67.2 updated

- libsasl2-3-2.1.26-5.10.1 updated

- libsmartcols1-2.33.2-150100.4.21.1 updated

- libsmbconf0-4.9.5+git.487.9b5717b962b-150100.3.67.2 updated

- libsmbldap2-4.9.5+git.487.9b5717b962b-150100.3.67.2 updated

- libsolv-tools-0.7.22-150100.4.6.1 updated

- libstdc++6-11.3.0+git1637-150000.1.9.1 updated

- libsystemd0-234-24.108.1 updated

- libtevent-util0-4.9.5+git.487.9b5717b962b-150100.3.67.2 updated

- libtirpc-netconfig-1.0.2-3.11.1 updated

- libtirpc3-1.0.2-3.11.1 updated

- libudev1-234-24.108.1 updated

- libuuid1-2.33.2-150100.4.21.1 updated

- libwbclient0-4.9.5+git.487.9b5717b962b-150100.3.67.2 updated

- libxml2-2-2.9.7-150000.3.46.1 updated

- libyaml-cpp0_6-0.6.1-4.5.1 updated

- libz1-1.2.11-150000.3.30.1 updated

- libzypp-17.30.0-150100.3.78.1 updated

- nfs-client-2.1.1-150100.10.24.1 updated

- openssl-1_1-1.1.0i-150100.14.36.1 updated

- p11-kit-tools-0.23.2-150000.4.16.1 updated

- p11-kit-0.23.2-150000.4.16.1 updated

- pam-1.3.0-150000.6.58.3 updated

- perl-base-5.26.1-150000.7.15.1 updated

- perl-5.26.1-150000.7.15.1 updated

- procps-3.3.15-7.22.1 updated

- python3-PyJWT-1.7.1-150100.6.7.1 updated

- python3-base-3.6.15-150000.3.106.1 updated

- python3-bind-9.16.6-150000.12.60.1 updated

- python3-netifaces-0.10.6-1.31 added

- python3-3.6.15-150000.3.106.1 updated

- rsyslog-8.33.1-150000.3.37.1 updated

- ruby2.5-stdlib-2.5.9-150000.4.23.1 updated

- ruby2.5-2.5.9-150000.4.23.1 updated

- runc-1.1.3-150000.30.1 updated

- samba-libs-python3-4.9.5+git.487.9b5717b962b-150100.3.67.2 updated

- samba-libs-4.9.5+git.487.9b5717b962b-150100.3.67.2 updated

- sudo-1.8.27-4.24.1 updated

- supportutils-plugin-suse-public-cloud-1.0.6-3.9.1 updated

- supportutils-3.1.20-150000.5.39.1 updated

- suse-build-key-12.0-150000.8.25.1 updated

- systemd-presets-branding-SLE-15.1-150100.20.11.1 updated

- systemd-presets-common-SUSE-15-150100.8.12.1 updated

- systemd-sysvinit-234-24.108.1 updated

- systemd-234-24.108.1 updated

- tar-1.34-150000.3.12.1 updated

- tcpdump-4.9.2-3.18.1 updated

- timezone-2022a-150000.75.7.1 updated

- udev-234-24.108.1 updated

- update-alternatives-1.19.0.4-4.3.1 updated

- util-linux-systemd-2.33.2-150100.4.21.1 updated

- util-linux-2.33.2-150100.4.21.1 updated

- vim-data-common-8.2.5038-150000.5.21.1 updated

- vim-8.2.5038-150000.5.21.1 updated

- wicked-service-0.6.68-3.24.1 updated

- wicked-0.6.68-3.24.1 updated

- xen-libs-4.12.4_24-150100.3.72.1 updated

- xen-tools-domU-4.12.4_24-150100.3.72.1 updated

- xkeyboard-config-2.23.1-150000.3.12.1 updated

- xz-5.2.3-150000.4.7.1 updated

- zypper-1.14.52-150100.3.55.2 updated

Severity
Image Advisory ID : SUSE-IU-2022:814-1
Image Tags : suse-sles-15-sp1-chost-byos-v20220715-hvm-ssd-x86_64:20220715
Image Release :
Severity : critical
Type : security

We use cookies to provide and improve our services. By using our site, you consent to our Cookie Policy.