Stay Secure with the Latest Linux Advisories


Explore Latest Linux Security advisories

We found 11 articles for you...

Rocky Linux 10 RLSA-2026-3344 Skopeo Significant DoS Vulnerabilities

Important: skopeo security update.

Advisory: RLSA-2026:3343
Type: Security
Severity: Important
Affected products: Rocky Linux 10
Published: 2026-02-26T20:47:54.095478Z
Reboot suggested: no

Topic:
An update is available for skopeo.
This update affects Rocky Linux 10.
A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE list

Description:
The skopeo command lets you inspect images from container image registries, get images and image layers, and use signatures to create and verify files.

Security Fix(es):

* crypto/x509: golang: Denial of Service due to excessive resource consumption via crafted certificate (CVE-2025-61729)

* golang: net/url: Memory exhaustion in query parameter parsing in net/url (CVE-2025-61726)

* crypto/tls: Unexpected session resumption in crypto/tls (CVE-2025-68121)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

CVEs (source: MITRE):
- CVE-2025-61726: CVSS 3.1 base score 7.5, vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H, CWE-770. https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-61726
- CVE-2025-61729: CVSS 3.1 base score 7.5, vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H, CWE-1050. https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-61729
- CVE-2025-68121: CVSS 3.1 base score 7.4, vector CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N, no CWE listed. https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-68121

Fixes (source: Red Hat):
- 2418462: https://bugzilla.redhat.com/show_bug.cgi?id=2418462
- 2437111: https://bugzilla.redhat.com/show_bug.cgi?id=2437111
- 2434432: https://bugzilla.redhat.com/show_bug.cgi?id=2434432

Updated packages (Rocky Linux 10):
- skopeo-debugsource-2:1.20.0-3.el10_1.s390x.rpm
- skopeo-debuginfo-2:1.20.0-3.el10_1.ppc64le.rpm
- skopeo-debugsource-2:1.20.0-3.el10_1.x86_64.rpm
- skopeo-2:1.20.0-3.el10_1.src.rpm
- skopeo-debuginfo-2:1.20.0-3.el10_1.s390x.rpm
- skopeo-tests-2:1.20.0-3.el10_1.x86_64.rpm
- skopeo-2:1.20.0-3.el10_1.x86_64.rpm
- skopeo-2:1.20.0-3.el10_1.aarch64.rpm
- skopeo-2:1.20.0-3.el10_1.s390x.rpm
- skopeo-debugsource-2:1.20.0-3.el10_1.aarch64.rpm
- skopeo-tests-2:1.20.0-3.el10_1.aarch64.rpm
- skopeo-tests-2:1.20.0-3.el10_1.ppc64le.rpm
- skopeo-2:1.20.0-3.el10_1.ppc64le.rpm
- skopeo-tests-2:1.20.0-3.el10_1.s390x.rpm
- skopeo-debuginfo-2:1.20.0-3.el10_1.aarch64.rpm
- skopeo-debuginfo-2:1.20.0-3.el10_1.x86_64.rpm
- skopeo-debugsource-2:1.20.0-3.el10_1.ppc64le.rpm

Learn about the skopeo security update on Rocky Linux addressing important vulnerabilities and its solutions.

Severity: Important. LinuxSecurity.com Team

Feb 26, 2026 Important Rocky Linux

SUSE: 2023:823-1 Important Security Update for Container Image

SUSE Image Update Advisory: suse-sles-15-sp5-chost-byos-v20231113-hvm-ssd-x86_64
-----------------------------------------------------------------
Image Advisory ID : SUSE-IU-2023:823-1
Image Tags : suse-sles-15-sp5-chost-byos-v20231113-hvm-ssd-x86_64:20231113
Image Release :
Severity : important
Type : security
References : 1107342 1196647 1201300 1205767 1206480 1206684 1210335 1210557 1211427 1212101 1213915 1214052 1214460 1215215 1215265 1215286 1215313 1215323 1215434 1215891 1215935 1215936 1215968 1216123 1216174 1216268 1216378 CVE-2023-1829 CVE-2023-23559 CVE-2023-4039 CVE-2023-43804 CVE-2023-44487 CVE-2023-45853 CVE-2023-46228 CVE-2023-4692 CVE-2023-4693 CVE-2023-4813
-----------------------------------------------------------------

The container suse-sles-15-sp5-chost-byos-v20231113-hvm-ssd-x86_64 was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:4105-1
Released: Wed Oct 18 08:15:40 2023
Summary: Recommended update for openssl-1_1
Type: recommended
Severity: moderate
References: 1215215

This update for openssl-1_1 fixes the following issues:

- Displays 'fips' in the version string (bsc#1215215)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:4108-1
Released: Wed Oct 18 11:51:12 2023
Summary: Security update for python-urllib3
Type: security
Severity: moderate
References: 1215968,CVE-2023-43804

This update for python-urllib3 fixes the following issues:

- CVE-2023-43804: Fixed a potential cookie leak via HTTP redirect if the user manually set the corresponding header (bsc#1215968).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:4110-1
Released: Wed Oct 18 12:35:26 2023
Summary: Security update for glibc
Type: security
Severity: important
References: 1215286,1215891,CVE-2023-4813

This update for glibc fixes the following issues:

Security issue fixed:

- CVE-2023-4813: Fixed a potential use-after-free in gaih_inet() (bsc#1215286, BZ #28931)

Also a regression from a previous update was fixed:

- elf: Align argument of __munmap to page size (bsc#1215891, BZ #28676)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:4136-1
Released: Thu Oct 19 14:15:02 2023
Summary: Security update for suse-module-tools
Type: security
Severity: important
References: 1205767,1210335,CVE-2023-1829,CVE-2023-23559

This update for suse-module-tools fixes the following issues:

- Update to version 15.5.3:
  - CVE-2023-1829: Blacklisted the Linux kernel tcindex classifier module (bsc#1210335).
  - CVE-2023-23559: Blacklisted the Linux kernel RNDIS modules (bsc#1205767, jsc#PED-5731).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:4138-1
Released: Thu Oct 19 17:15:38 2023
Summary: Recommended update for systemd-rpm-macros
Type: recommended
Severity: moderate
References:

This update for systemd-rpm-macros fixes the following issues:

- Switch to `systemd-hwdb` tool when updating the HW database. It's been introduced in systemd v219 and replaces the deprecated command `udevadm hwdb`.

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:4139-1
Released: Fri Oct 20 10:06:58 2023
Summary: Recommended update for containerd, runc
Type: recommended
Severity: moderate
References: 1215323

This update for containerd, runc fixes the following issues:

runc was updated to v1.1.9. Upstream changelog is available from https://github.com/opencontainers/runc/releases/tag/v1.1.9

containerd was updated to containerd v1.7.7 for Docker v24.0.6-ce. Upstream release notes:

- https://github.com/containerd/containerd/releases/tag/v1.7.7
- https://github.com/containerd/containerd/releases/tag/v1.7.6

bsc#1215323

- Add `Provides: cri-runtime` to use containerd as container runtime in Factory Kubernetes packages

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:4141-1
Released: Fri Oct 20 11:34:44 2023
Summary: Security update for grub2
Type: security
Severity: important
References: 1201300,1215935,1215936,CVE-2023-4692,CVE-2023-4693

This update for grub2 fixes the following issues:

Security fixes:

- CVE-2023-4692: Fixed an out-of-bounds write at fs/ntfs.c which may lead to unsigned code execution. (bsc#1215935)
- CVE-2023-4693: Fixed an out-of-bounds read at fs/ntfs.c which may lead to leak sensitive information. (bsc#1215936)

Other fixes:

- Fix a boot delay issue in PowerPC PXE boot (bsc#1201300)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:4153-1
Released: Fri Oct 20 19:27:58 2023
Summary: Recommended update for systemd
Type: recommended
Severity: moderate
References: 1215313

This update for systemd fixes the following issues:

- Fix mismatch of nss-resolve version in Package Hub (no source code changes)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:4154-1
Released: Fri Oct 20 19:33:25 2023
Summary: Recommended update for aaa_base
Type: recommended
Severity: moderate
References: 1107342,1215434

This update for aaa_base fixes the following issues:

- Respect /etc/update-alternatives/java when setting JAVA_HOME (bsc#1215434,bsc#1107342)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:4162-1
Released: Mon Oct 23 15:33:03 2023
Summary: Security update for gcc13
Type: security
Severity: important
References: 1206480,1206684,1210557,1211427,1212101,1213915,1214052,1214460,CVE-2023-4039

This update for gcc13 fixes the following issues:

This update ships the GCC 13.2 compiler suite and its base libraries.

The compiler base libraries are provided for all SUSE Linux Enterprise 15 versions and replace the same named GCC 12 ones.

The new compilers for C, C++, and Fortran are provided for SUSE Linux Enterprise 15 SP4 and SP5, and provided in the 'Development Tools' module.

The Go, D, Ada and Modula 2 language compiler parts are available unsupported via the PackageHub repositories.

To use gcc13 compilers use:

- install 'gcc13' or 'gcc13-c++' or one of the other 'gcc13-COMPILER' frontend packages.
- override your Makefile to use CC=gcc13, CXX=g++13 and similar overrides for the other languages.

For a full changelog with all new GCC13 features, check out https://gcc.gnu.org/gcc-13/changes.html

Detailed changes:

* CVE-2023-4039: Fixed -fstack-protector issues on aarch64 with variable length stack allocations. (bsc#1214052)

- Turn cross compiler to s390x to a glibc cross. [bsc#1214460]
- Also handle -static-pie in the default-PIE specs
- Fixed missed optimization in Skia resulting in Firefox crashes when building with LTO. [bsc#1212101]
- Make libstdc++6-devel packages own their directories since they can be installed standalone. [bsc#1211427]
- Add new x86-related intrinsics (amxcomplexintrin.h).
- RISC-V: Add support for inlining subword atomic operations
- Use --enable-link-serialization rather than --enable-link-mutex, the benefit of the former one is that the linker jobs are not holding tokens of the make's jobserver.
- Add cross-bpf packages. See https://gcc.gnu.org/wiki/BPFBackEnd for the general state of BPF with GCC.
- Add bootstrap conditional to allow --without=bootstrap to be specified to speed up local builds for testing.
- Bump included newlib to version 4.3.0.
- Also package libhwasan_preinit.o on aarch64.
- Configure external timezone database provided by the timezone package. Make libstdc++6 recommend timezone to get a fully working std::chrono. Install timezone when running the testsuite.
- Package libhwasan_preinit.o on x86_64.
- Fixed unwinding on aarch64 with pointer signing. [bsc#1206684]
- Enable PRU flavour for gcc13
- update floatn fixinclude pickup to check each header separately (bsc#1206480)
- Redo floatn fixinclude pick-up to simply keep what is there.
- Bump libgo SONAME to libgo22.
- Do not package libhwasan for biarch (32-bit architecture) as the extension depends on 64-bit pointers.
- Adjust floatn fixincludes guard to work with SLE12 and earlier SLE15.
- Depend on at least LLVM 13 for GCN cross compiler.
- Update embedded newlib to version 4.2.0
- Allow cross-pru-gcc12-bootstrap for armv7l architecture. PRU architecture is used for real-time MCUs embedded into TI armv7l and aarch64 SoCs. We need to have cross-pru-gcc12 for armv7l in order to build both host applications and PRU firmware during the same build.

-----------------------------------------------------------------
Advisory ID: SUSE-feature-2023:4194-1
Released: Wed Oct 25 11:01:41 2023
Summary: Feature update for python3
Type: feature
Severity: low
References:

This feature update for python3 packages adds the following:

- First batch of python3.11 modules (jsc#PED-68)
- Rename sources of python3-kubernetes, python3-cryptography and python3-cryptography-vectors to accommodate the new 3.11 versions; these 3 packages have no code changes.

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:4200-1
Released: Wed Oct 25 12:04:29 2023
Summary: Security update for nghttp2
Type: security
Severity: important
References: 1216123,1216174,CVE-2023-44487

This update for nghttp2 fixes the following issues:

- CVE-2023-44487: Fixed HTTP/2 Rapid Reset attack. (bsc#1216174)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:4215-1
Released: Thu Oct 26 12:19:25 2023
Summary: Security update for zlib
Type: security
Severity: moderate
References: 1216378,CVE-2023-45853

This update for zlib fixes the following issues:

- CVE-2023-45853: Fixed an integer overflow that would lead to a buffer overflow in the minizip subcomponent (bsc#1216378).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:4225-1
Released: Fri Oct 27 11:02:14 2023
Summary: Security update for zchunk
Type: security
Severity: important
References: 1216268,CVE-2023-46228

This update for zchunk fixes the following issues:

- CVE-2023-46228: Fixed handle overflow errors in malformed zchunk files. (bsc#1216268)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:4268-1
Released: Mon Oct 30 16:51:57 2023
Summary: Recommended update for pciutils
Type: recommended
Severity: important
References: 1215265

This update for pciutils fixes the following issues:

- Buffer overflow error that would cause lspci to crash on systems with complex topologies (bsc#1215265)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:4310-1
Released: Tue Oct 31 14:10:47 2023
Summary: Recommended update for libtirpc
Type: recommended
Severity: moderate
References: 1196647

This update for libtirpc to 1.3.4 fixes the following issues:

Update to 1.3.4 (bsc#1199467)

* binddynport.c honor ip_local_reserved_ports
  - replaces: binddynport-honor-ip_local_reserved_ports.patch
* gss-api: expose gss major/minor error in authgss_refresh()
* rpcb_clnt.c: Eliminate double frees in delete_cache()
* rpcb_clnt.c: memory leak in destroy_addr
* portmapper: allow TCP-only portmapper
* getnetconfigent: avoid potential DoS issue by removing unnecessary sleep
* clnt_raw.c: fix a possible null pointer dereference
* bindresvport.c: fix a potential resource leakage

Update to 1.3.3:

* Fix DoS vulnerability in libtirpc
  - replaces: 0001-Fix-DoS-vulnerability-in-libtirpc.patch
* _rpc_dtablesize: use portable system call
* libtirpc: Fix use-after-free accessing the error number
* Fix potential memory leak of parms.r_addr
  - replaces 0001-fix-parms.r_addr-memory-leak.patch
* rpcb_clnt.c add mechanism to try v2 protocol first
  - replaces: 0001-rpcb_clnt.c-config-to-try-protocolversion-2-first.patch
* Eliminate deadlocks in connects with an MT environment
* clnt_dg_freeres() uncleared set active state may deadlock
* thread safe clnt destruction
* SUNRPC: mutexed access blacklist_read state variable
* SUNRPC: MT-safe overhaul of address cache management in rpcb_clnt.c

Update to 1.3.2:

* Replace the final SunRPC licenses with BSD licenses
* blacklist: Add a few more well known ports
* libtirpc: disallow calling auth_refresh from clnt_call with RPCSEC_GSS

Update to 1.3.1:

* Remove AUTH_DES interfaces from auth_des.h. The unsupported AUTH_DES authentication has been compiled out since commit d918e41d889 (Wed Oct 9 2019) replaced by API routines that return errors.
* svc_dg: Free xp_netid during destroy
* Fix memory management issues of fd locks
* libtirpc: replace array with list for per-fd locks
* __svc_vc_dodestroy: fix double free of xp_ltaddr.buf
* __rpc_dtbsize: rlim_cur instead of rlim_max
* pkg-config: use the correct replacements for libdir/includedir

The following package changes have been done:

- aaa_base-84.87+git20180409.04c9dae-150300.10.6.2 updated
- containerd-ctr-1.7.7-150000.100.1 updated
- containerd-1.7.7-150000.100.1 updated
- glibc-locale-base-2.31-150300.63.1 updated
- glibc-locale-2.31-150300.63.1 updated
- glibc-2.31-150300.63.1 updated
- grub2-i386-pc-2.06-150500.29.8.1 updated
- grub2-x86_64-efi-2.06-150500.29.8.1 updated
- grub2-x86_64-xen-2.06-150500.29.8.1 updated
- grub2-2.06-150500.29.8.1 updated
- kernel-default-5.14.21-150500.55.36.1 updated
- libgcc_s1-13.2.1+git7813-150000.1.3.3 updated
- libnghttp2-14-1.40.0-150200.12.1 updated
- libopenssl1_1-1.1.1l-150500.17.19.1 updated
- libpci3-3.5.6-150300.13.6.1 updated
- libstdc++6-13.2.1+git7813-150000.1.3.3 updated
- libsystemd0-249.16-150400.8.35.5 updated
- libtirpc-netconfig-1.3.4-150300.3.20.1 updated
- libtirpc3-1.3.4-150300.3.20.1 updated
- libudev1-249.16-150400.8.35.5 updated
- libz1-1.2.13-150500.4.3.1 updated
- libzck1-1.1.16-150400.3.7.1 updated
- openssl-1_1-1.1.1l-150500.17.19.1 updated
- pciutils-3.5.6-150300.13.6.1 updated
- python3-cryptography-3.3.2-150400.20.3 updated
- python3-urllib3-1.25.10-150300.4.6.1 updated
- runc-1.1.9-150000.52.2 updated
- suse-module-tools-15.5.3-150500.3.6.1 updated
- systemd-rpm-macros-14-150000.7.36.1 updated
- systemd-sysvinit-249.16-150400.8.35.5 updated
- systemd-249.16-150400.8.35.5 updated
- udev-249.16-150400.8.35.5 updated

SUSE Container Image Security Notice outlines critical updates concerning security flaws in OpenSSH, Node.js, and Clang for the associated container images.

Severity: Important. LinuxSecurity.com Team

Nov 15, 2023 Important SuSE

SUSE: 2023:611-1 Important Update For SLES 15 SP5 Container Image Security

The container suse-sles-15-sp5-chost-byos-v20230915-hvm-ssd-x86_64 was updated. The following patches have been included in this update:. SUSE Image Update Advisory: suse-sles-15-sp5-chost-byos-v20230915-hvm-ssd-x86_64 ----------------------------------------------------------------- Image Advisory ID : SUSE-IU-2023:611-1 Image Tags : suse-sles-15-sp5-chost-byos-v20230915-hvm-ssd-x86_64:20230915 Image Release : Severity : critical Type : security References : 1027519 1158763 1182142 1186606 1193412 1194609 1195391 1201519 1204844 1205161 1207778 1208194 1208574 1209741 1209998 1210070 1210419 1210702 1210740 1210797 1210996 1211256 1211257 1211461 1211576 1211757 1212368 1212434 1212684 1213120 1213185 1213212 1213229 1213231 1213240 1213500 1213557 1213575 1213582 1213607 1213616 1213673 1213826 1213873 1213940 1213951 1214006 1214025 1214071 1214081 1214082 1214083 1214107 1214108 1214109 1214140 1214248 1214290 CVE-2021-30560 CVE-2022-40982 CVE-2023-2004 CVE-2023-20569 CVE-2023-20593 CVE-2023-2426 CVE-2023-2609 CVE-2023-2610 CVE-2023-26112 CVE-2023-28840 CVE-2023-28841 CVE-2023-28842 CVE-2023-4016 CVE-2023-4156 ----------------------------------------------------------------- The container suse-sles-15-sp5-chost-byos-v20230915-hvm-ssd-x86_64 was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-RU-2022:2548-1 Released: Tue Jul 26 13:48:28 2022 Summary: Critical update for python-cssselect Type: recommended Severity: critical References: This update for python-cssselect implements packages to the unrestrictied repository. 
----------------------------------------------------------------- Advisory ID: SUSE-SU-2023:557-1 Released: TueFeb 28 09:29:15 2023 Summary: Security update for libxslt Type: security Severity: important References: 1208574,CVE-2021-30560 This update for libxslt fixes the following issues: - CVE-2021-30560: Fixing a use after free vulnerability in Blink XSLT (bsc#1208574). ----------------------------------------------------------------- Advisory ID: SUSE-feature-2023:2898-1 Released: Thu Jul 20 09:15:33 2023 Summary: Recommended update for python-instance-billing-flavor-check Type: feature Severity: critical References: This update for python-instance-billing-flavor-check fixes the following issues: - Include PAYG checker package in SLE (jsc#PED-4791) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2023:3369-1 Released: Tue Aug 22 11:12:02 2023 Summary: Security update for python-configobj Type: security Severity: low References: 1210070,CVE-2023-26112 This update for python-configobj fixes the following issues: - CVE-2023-26112: Fixed regular expression denial of service vulnerability in validate.py (bsc#1210070). 
----------------------------------------------------------------- Advisory ID: SUSE-RU-2023:3371-1 Released: Tue Aug 22 13:30:18 2023 Summary: Recommended update for liblognorm Type: recommended Severity: moderate References: This update for liblognorm fixes the following issues: - Update to liblognorm v2.0.6 (jsc#PED-4883) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2023:3372-1 Released: Tue Aug 22 13:44:38 2023 Summary: Recommended update for rsyslog Type: recommended Severity: moderate References: 1211757,1213212 This update for rsyslog fixes the following issues: - Fix removal of imfile state files (bsc#1213212) - Fix segfaults in modExit() of imklog.c (bsc#1211757) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2023:3393-1 Released: Wed Aug 23 17:41:55 2023 Summary: Recommended update for dracut Type: recommended Severity: important References: 1214081 This update for dracut fixes the following issues: - Protect against broken links pointing to themselves - Exit if resolving executable dependencies fails (bsc#1214081) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2023:3410-1 Released: Thu Aug 24 06:56:32 2023 Summary: Recommended update for audit Type: recommended Severity: moderate References: 1201519,1204844 This update for audit fixes the following issues: - Create symbolic link from /sbin/audisp-syslog to /usr/sbin/audisp-syslog (bsc#1201519) - Fix rules not loaded when restarting auditd.service (bsc#1204844) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2023:3440-1 Released: Mon Aug 28 08:57:10 2023 Summary: Security update for gawk Type: security Severity: low References: 1214025,CVE-2023-4156 This update for gawk fixes the following issues: - CVE-2023-4156: Fix a heap out of bound read by validating the index into argument list. 
(bsc#1214025) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2023:3447-1 Released: Mon Aug 28 10:57:05 2023 Summary: Security update for xen Type: security Severity: moderate References: 1027519,1212684,1213616,1214082,1214083,CVE-2022-40982,CVE-2023-20569,CVE-2023-20593 This update for xen fixes the following issues: - CVE-2023-20569: Fixed side channel attack Inception or RAS Poisoning. (bsc#1214082, XSA-434) - CVE-2022-40982: Fixed transient execution attack called 'Gather Data Sampling'. (bsc#1214083, XSA-435) - CVE-2023-20593: Fixed a ZenBleed issue in 'Zen 2' CPUs that could allow an attacker to potentially access sensitive information. (bsc#1213616, XSA-433) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2023:3451-1 Released: Mon Aug 28 12:15:22 2023 Summary: Recommended update for systemd Type: recommended Severity: moderate References: 1186606,1194609,1208194,1209741,1210702,1211576,1212434,1213185,1213575,1213873 This update for systemd fixes the following issues: - Fix reboot and shutdown issues by getting only active MD arrays (bsc#1211576, bsc#1212434, bsc#1213575) - Decrease devlink priority for iso disks (bsc#1213185) - Do not ignore mount point paths longer than 255 characters (bsc#1208194) - Refuse hibernation if there's no possible way to resume (bsc#1186606) - Update 'korean' and 'arabic' keyboard layouts (bsc#1210702) - Drop some entries no longer needed by YaST (bsc#1194609) - The 'systemd --user' instances get their own session keyring instead of the user default one (bsc#1209741) - Dynamically allocate receive buffer to handle large amount of mounts (bsc#1213873) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2023:3452-1 Released: Mon Aug 28 12:41:11 2023 Summary: Recommended update for supportutils-plugin-suse-public-cloud Type: recommended Severity: moderate References: 1213951 This update for 
supportutils-plugin-suse-public-cloud fixes the following issues: - Update from version 1.0.7 to 1.0.8 (bsc#1213951) - Capture CSP billing adapter config and log - Accept upper case Amazon string in DMI table ----------------------------------------------------------------- Advisory ID: SUSE-SU-2023:3454-1 Released: Mon Aug 28 13:43:18 2023 Summary: Security update for ca-certificates-mozilla Type: security Severity: important References: 1214248 This update for ca-certificates-mozilla fixes the following issues: - Updated to 2.62 state of Mozilla SSL root CAs (bsc#1214248) Added: - Atos TrustedRoot Root CA ECC G2 2020 - Atos TrustedRoot Root CA ECC TLS 2021 - Atos TrustedRoot Root CA RSA G2 2020 - Atos TrustedRoot Root CA RSA TLS 2021 - BJCA Global Root CA1 - BJCA Global Root CA2 - LAWtrust Root CA2 (4096) - Sectigo Public Email Protection Root E46 - Sectigo Public Email ProtectionRoot R46 - Sectigo Public Server Authentication Root E46 - Sectigo Public Server Authentication Root R46 - SSL.com Client ECC Root CA 2022 - SSL.com Client RSA Root CA 2022 - SSL.com TLS ECC Root CA 2022 - SSL.com TLS RSA Root CA 2022 Removed CAs: - Chambers of Commerce Root - E-Tugra Certification Authority - E-Tugra Global Root CA ECC v3 - E-Tugra Global Root CA RSA v3 - Hongkong Post Root CA 1 ----------------------------------------------------------------- Advisory ID: SUSE-SU-2023:3461-1 Released: Mon Aug 28 17:25:09 2023 Summary: Security update for freetype2 Type: security Severity: moderate References: 1210419,CVE-2023-2004 This update for freetype2 fixes the following issues: - CVE-2023-2004: Fixed integer overflow in tt_hvadvance_adjust (bsc#1210419). 
----------------------------------------------------------------- Advisory ID: SUSE-RU-2023:3465-1 Released: Tue Aug 29 07:30:00 2023 Summary: Recommended update for samba Type: recommended Severity: moderate References: 1213607,1213826,1213940 This update for samba fixes the following issues: - Fix DFS not working with widelinks enabled; (bsc#1213607) - Move libcluster-samba4.so from samba-libs to samba-client-libs (bsc#1213940) - net ads lookup with unspecified realm fails (bsc#1213826) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2023:3468-1 Released: Tue Aug 29 09:22:18 2023 Summary: Recommended update for python3 Type: recommended Severity: low References: This update for python3 fixes the following issue: - Rename sources in preparation of python3.11 (jsc#PED-68) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2023:3470-1 Released: Tue Aug 29 10:49:33 2023 Summary: Recommended update for parted Type: recommended Severity: low References: 1182142,1193412 This update for parted fixes the following issues: - fix null pointer dereference (bsc#1193412) - update mkpartoptions in manpage (bsc#1182142) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2023:3472-1 Released: Tue Aug 29 10:55:16 2023 Summary: Security update for procps Type: security Severity: low References: 1214290,CVE-2023-4016 This update for procps fixes the following issues: - CVE-2023-4016: Fixed ps buffer overflow (bsc#1214290). 
----------------------------------------------------------------- Advisory ID: SUSE-RU-2023:3485-1 Released: Tue Aug 29 14:20:56 2023 Summary: Recommended update for lvm2 Type: recommended Severity: moderate References: 1214071 This update for lvm2 fixes the following issues: - blkdeactivate calls wrong mountpoint cmd (bsc#1214071) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2023:3497-1 Released: Wed Aug 30 21:25:05 2023 Summary: Security update for vim Type: security Severity: important References: 1210996,1211256,1211257,1211461,CVE-2023-2426,CVE-2023-2609,CVE-2023-2610 This update for vim fixes the following issues: Updated to version 9.0 with patch level 1572. - CVE-2023-2426: Fixed Out-of-range Pointer Offset use (bsc#1210996). - CVE-2023-2609: Fixed NULL Pointer Dereference (bsc#1211256). - CVE-2023-2610: Fixed nteger Overflow or Wraparound (bsc#1211257). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2023:3514-1 Released: Fri Sep 1 15:48:52 2023 Summary: Recommended update for libzypp, zypper Type: recommended Severity: moderate References: 1158763,1210740,1213231,1213557,1213673 This update for libzypp, zypper fixes the following issues: - Fix occasional isue with downloading very small files (bsc#1213673) - Fix negative ZYPP_LOCK_TIMEOUT not waiting forever (bsc#1213231) - Fix OES synchronization issues when cookie file has mode 0600 (bsc#1158763) - Don't cleanup orphaned dirs if read-only mode was promised (bsc#1210740) - Revised explanation of --force-resolution in manpage (bsc#1213557) - Print summary hint if policies were violated due to --force-resolution (bsc#1213557) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2023:3521-1 Released: Tue Sep 5 08:56:45 2023 Summary: Recommended update for python-iniconfig Type: recommended Severity: moderate References: 1213582 This update for python-iniconfig provides python3-iniconfig to SUSE 
Linux Enterprise Micro 5.2. ----------------------------------------------------------------- Advisory ID: SUSE-SU-2023:3536-1 Released: Tue Sep 5 15:00:27 2023 Summary: Security update for docker Type: security Severity: moderate References: 1210797,1212368,1213120,1213229,1213500,1214107,1214108,1214109,CVE-2023-28840,CVE-2023-28841,CVE-2023-28842 This update for docker fixes the following issues: - Update to Docker 24.0.5-ce. See upstream changelong online at bsc#1213229 - Update to Docker 24.0.4-ce. See upstream changelog online at . bsc#1213500 - Update to Docker 24.0.3-ce. See upstream changelog online at . bsc#1213120 - Recommend docker-rootless-extras instead of Require(ing) it, given it's an additional functionality and not inherently required for docker to function. - Add docker-rootless-extras subpackage (https://docs.docker.com/engine/security/rootless/) - Update to Docker 24.0.2-ce. See upstream changelog online at . bsc#1212368 * Includes the upstreamed fix for the mount table pollution issue. bsc#1210797 - Add Recommends for docker-buildx, and add /usr/lib/docker/cli-plugins as being provided by this package. - was rebuilt against current GO compiler. ----------------------------------------------------------------- Advisory ID: SUSE-RU-2023:3543-1 Released: Wed Sep 6 08:27:22 2023 Summary: Recommended update for protobuf-c Type: recommended Severity: moderate References: 1214006 This update for protobuf-c fixes the following issues: - Add missing Provides/Obsoletes after package merge(bsc#1214006) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2023:3577-1 Released: Mon Sep 11 15:04:01 2023 Summary: Recommended update for crypto-policies Type: recommended Severity: low References: 1209998 This update for crypto-policies fixes the following issues: - Update update-crypto-policies(8) man pages and README.SUSE to mention the supported back-end policies. 
(bsc#1209998) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2023:3611-1 Released: Fri Sep 15 09:28:36 2023 Summary: Recommended update for sysuser-tools Type: recommended Severity: moderate References: 1195391,1205161,1207778,1213240,1214140 This update for sysuser-tools fixes the following issues: - Update to version 3.2 - Always create a system group of the same name as the system user (bsc#1205161, bsc#1207778, bsc#1213240) - Add 'quilt setup' friendly hint to %sysusers_requires usage - Use append so if a pre file already exists it isn't overridden - Invoke bash for bash scripts (bsc#1195391) - Remove all systemd requires not supported on SLE15 (bsc#1214140) The following package changes have been done: - audit-3.0.6-150400.4.13.1 updated - ca-certificates-mozilla-2.62-150200.30.1 updated - crypto-policies-20210917.c9d86d1-150400.3.3.1 updated - docker-24.0.5_ce-150000.185.1 updated - dracut-055+suse.369.gde6c81bf-150500.3.9.1 updated - gawk-4.2.1-150000.3.3.1 updated - libaudit1-3.0.6-150400.4.13.1 updated - libauparse0-3.0.6-150400.4.13.1 updated - libdevmapper1_03-2.03.16_1.02.185-150500.7.6.1 updated - libfreetype6-2.10.4-150000.4.15.1 updated - liblognorm5-2.0.6-150000.3.3.1 updated - libparted0-3.2-150300.21.3.1 updated - libprocps7-3.3.15-150000.7.34.1 updated - libprotobuf-c1-1.3.2-150200.3.9.1 updated - libsystemd0-249.16-150400.8.33.1 updated - libudev1-249.16-150400.8.33.1 updated - libxslt1-1.1.34-150400.3.3.1 added - libzypp-17.31.20-150400.3.40.1 updated - parted-3.2-150300.21.3.1 updated - procps-3.3.15-150000.7.34.1 updated - python-instance-billing-flavor-check-0.0.2-150000.1.3.1 added - python3-configobj-5.0.6-150000.3.3.1 updated - python3-cssselect-1.0.3-150000.3.3.1 added - python3-iniconfig-1.1.1-150000.1.11.1 updated - python3-lxml-4.9.1-150500.1.2 added - python3-more-itertools-8.10.0-150400.5.69 updated - python3-ordered-set-4.0.2-150400.8.34 updated - python3-pyOpenSSL-21.0.0-150400.7.62 updated -
rsyslog-module-relp-8.2306.0-150400.5.18.1 updated - rsyslog-8.2306.0-150400.5.18.1 updated - samba-client-libs-4.17.9+git.387.ca59f91f61-150500.3.8.1 updated - supportutils-plugin-suse-public-cloud-1.0.8-150000.3.17.1 updated - system-group-audit-3.0.6-150400.4.13.1 updated - systemd-sysvinit-249.16-150400.8.33.1 updated - systemd-249.16-150400.8.33.1 updated - sysuser-shadow-3.2-150400.3.5.3 updated - udev-249.16-150400.8.33.1 updated - vim-data-common-9.0.1632-150500.20.3.1 updated - vim-9.0.1632-150500.20.3.1 updated - xen-libs-4.17.2_02-150500.3.6.1 updated - xen-tools-domU-4.17.2_02-150500.3.6.1 updated - zypper-1.14.63-150400.3.29.1 updated - samba-libs-4.17.9+git.367.dae41ffdd1f-150500.3.5.1 removed. Essential security enhancements and fixes for SUSE SLES 15 SP5 Docker image improve overall system integrity and robustness. SUSE Container Images, Security Updates, System Patches, SLE Security Advisory. Severity: Critical. LinuxSecurity.com Team

Sep 18, 2023 Critical SuSE

SUSE: 2023:348-1 Critical: Security Update for Container Image

The container suse-sles-15-sp3-chost-byos-v20230613-hvm-ssd-x86_64 was updated. The following patches have been included in this update: SUSE Image Update Advisory: suse-sles-15-sp3-chost-byos-v20230613-hvm-ssd-x86_64 ----------------------------------------------------------------- Image Advisory ID : SUSE-IU-2023:348-1 Image Tags : suse-sles-15-sp3-chost-byos-v20230613-hvm-ssd-x86_64:20230613 Image Release : Severity : critical Type : security References : 1065270 1127591 1168481 1173115 1176785 1178233 1185232 1185261 1185441 1185621 1186449 1186870 1187071 1187260 1187810 1189036 1191467 1191525 1193282 1195175 1195633 1198438 1198458 1198458 1198932 1199132 1199282 1199282 1199756 1200321 1200441 1200710 1201066 1201234 1201490 1202120 1202353 1203201 1203248 1203249 1203331 1203332 1203355 1203446 1203599 1203715 1203746 1204356 1204548 1204585 1204662 1204929 1204956 1205128 1205200 1205375 1205554 1205570 1205588 1205636 1206065 1206103 1206235 1206351 1206483 1206513 1206781 1206949 1206992 1207014 1207022 1207051 1207064 1207088 1207168 1207416 1207560 1207571 1207575 1207773 1207780 1207795 1207843 1207845 1207875 1207957 1207975 1207992 1208023 1208036 1208137 1208153 1208179 1208212 1208329 1208358 1208423 1208426 1208471 1208598 1208599 1208601 1208700 1208741 1208776 1208777 1208787 1208816 1208828 1208828 1208837 1208843 1208845 1208929 1208957 1208959 1208962 1208971 1209008 1209017 1209018 1209019 1209026 1209042 1209052 1209122 1209165 1209187 1209188 1209188 1209209 1209210 1209211 1209212 1209214 1209234 1209256 1209288 1209289 1209290 1209291 1209361 1209362 1209366 1209372 1209406 1209481 1209483 1209485 1209532 1209533 1209547 1209549 1209624 1209634 1209635 1209636 1209667 1209672 1209683 1209687 1209713 1209714 1209739 1209777 1209778 1209785 1209871 1209873 1209878 1209884 1209888 1210135 1210164 1210202 1210203 1210298 1210301 1210328 1210329 1210336 1210337 1210382 1210411 1210412 1210414 1210418 1210434 1210453 1210469 1210498 1210506
1210507 1210593 1210629 1210640 1210647 1210649 1210870 1211144 1211231 1211232 1211233 1211339 1211430 1211604 1211605 1211606 1211607 1211643 1211661 1211795 1212187 CVE-2017-5753 CVE-2020-36691 CVE-2021-3541 CVE-2021-3923 CVE-2022-2196 CVE-2022-23471 CVE-2022-28737 CVE-2022-28737 CVE-2022-29217 CVE-2022-29824 CVE-2022-32746 CVE-2022-36109 CVE-2022-36280 CVE-2022-38096 CVE-2022-42331 CVE-2022-42332 CVE-2022-42333 CVE-2022-42334 CVE-2022-43945 CVE-2022-4744 CVE-2022-4899 CVE-2023-0045 CVE-2023-0225 CVE-2023-0461 CVE-2023-0464 CVE-2023-0465 CVE-2023-0466 CVE-2023-0512 CVE-2023-0590 CVE-2023-0597 CVE-2023-0614 CVE-2023-0687 CVE-2023-0922 CVE-2023-1075 CVE-2023-1076 CVE-2023-1078 CVE-2023-1095 CVE-2023-1118 CVE-2023-1127 CVE-2023-1127 CVE-2023-1170 CVE-2023-1175 CVE-2023-1264 CVE-2023-1281 CVE-2023-1355 CVE-2023-1382 CVE-2023-1390 CVE-2023-1513 CVE-2023-1582 CVE-2023-1611 CVE-2023-1670 CVE-2023-1838 CVE-2023-1855 CVE-2023-1872 CVE-2023-1981 CVE-2023-1989 CVE-2023-1990 CVE-2023-1998 CVE-2023-2008 CVE-2023-2124 CVE-2023-2162 CVE-2023-2176 CVE-2023-22995 CVE-2023-22998 CVE-2023-23000 CVE-2023-23004 CVE-2023-23006 CVE-2023-23559 CVE-2023-23916 CVE-2023-23931 CVE-2023-24329 CVE-2023-24593 CVE-2023-25012 CVE-2023-25153 CVE-2023-25173 CVE-2023-25180 CVE-2023-25809 CVE-2023-2650 CVE-2023-26545 CVE-2023-27533 CVE-2023-27534 CVE-2023-27535 CVE-2023-27536 CVE-2023-27538 CVE-2023-27561 CVE-2023-28320 CVE-2023-28321 CVE-2023-28322 CVE-2023-28327 CVE-2023-28328 CVE-2023-28464 CVE-2023-28466 CVE-2023-28484 CVE-2023-28486 CVE-2023-28487 CVE-2023-28642 CVE-2023-28772 CVE-2023-29383 CVE-2023-29469 CVE-2023-29491 CVE-2023-2953 CVE-2023-30630 CVE-2023-30772 CVE-2023-31124 CVE-2023-31130 CVE-2023-31147 CVE-2023-32067 CVE-2023-32324 ----------------------------------------------------------------- The container suse-sles-15-sp3-chost-byos-v20230613-hvm-ssd-x86_64 was updated.
The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-RU-2020:2917-1 Released: Wed Oct 14 11:29:48 2020 Summary: Recommended update for mokutil Type: recommended Severity: moderate References: 1173115 This update for mokutil fixes the following issue: - Add options for CA and kernel keyring checks (bsc#1173115) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2022:2638-1 Released: Wed Aug 3 10:35:14 2022 Summary: Security update for mokutil Type: security Severity: moderate References: 1198458 This update for mokutil fixes the following issues: - Adds SBAT revocation support to mokutil. (bsc#1198458) New options added (see manpage): - mokutil --sbat List all entries in SBAT. - mokutil --set-sbat-policy (latest | previous | delete) To set the SBAT acceptance policy. - mokutil --list-sbat-revocations To list the current SBAT revocations. ----------------------------------------------------------------- Advisory ID: SUSE-RU-2023:776-1 Released: Thu Mar 16 17:29:23 2023 Summary: Recommended update for gcc12 Type: recommended Severity: moderate References: This update for gcc12 fixes the following issues: This update ships gcc12 also to the SUSE Linux Enterprise 15 SP1 LTSS and 15 SP2 LTSS products. SUSE Linux Enterprise 15 SP3 and SP4 get only refreshed builds without changes. This update ships the GCC 12 compiler suite and its base libraries. The compiler base libraries are provided for all SUSE Linux Enterprise 15 versions and replace the same named GCC 11 ones. The new compilers for C, C++, and Fortran are provided in the SUSE Linux Enterprise Module for Development Tools. To use gcc12 compilers use: - install 'gcc12' or 'gcc12-c++' or one of the other 'gcc12-COMPILER' frontend packages. - override your makefile to use CC=gcc12, CXX=g++12 and similar overrides for the other languages.
For a full changelog with all new GCC12 features, check out https://gcc.gnu.org/gcc-12/changes.html ----------------------------------------------------------------- Advisory ID: SUSE-SU-2023:780-1 Released: Thu Mar 16 18:06:30 2023 Summary: Security update for the Linux Kernel Type: security Severity: important References: 1186449,1195175,1198438,1203331,1203332,1204356,1204662,1206103,1206351,1207051,1207575,1207773,1207795,1207845,1207875,1208023,1208153,1208212,1208700,1208741,1208776,1208816,1208837,1208845,1208971,CVE-2022-36280,CVE-2022-38096,CVE-2023-0045,CVE-2023-0590,CVE-2023-0597,CVE-2023-1118,CVE-2023-22995,CVE-2023-22998,CVE-2023-23000,CVE-2023-23006,CVE-2023-23559,CVE-2023-26545 The SUSE Linux Enterprise 15 SP3 kernel was updated to receive various security and bugfixes. The following security bugs were fixed: - CVE-2022-36280: Fixed out-of-bounds memory access vulnerability found in vmwgfx driver (bsc#1203332). - CVE-2022-38096: Fixed NULL-ptr deref in vmw_cmd_dx_define_query() (bsc#1203331). - CVE-2023-0045: Fixed missing Flush IBP in ib_prctl_set (bsc#1207773). - CVE-2023-0590: Fixed race condition in qdisc_graft() (bsc#1207795). - CVE-2023-0597: Fixed lack of randomization of per-cpu entry area in x86/mm (bsc#1207845). - CVE-2023-1118: Fixed use-after-free bugs caused by ene_tx_irqsim() in media/rc (bsc#1208837). - CVE-2023-22995: Fixed lack of certain platform_device_put and kfree in drivers/usb/dwc3/dwc3-qcom.c (bsc#1208741). - CVE-2023-22998: Fixed NULL vs IS_ERR checking in virtio_gpu_object_shmem_init (bsc#1208776). - CVE-2023-23000: Fixed return value of tegra_xusb_find_port_node function phy/tegra (bsc#1208816). - CVE-2023-23006: Fixed NULL vs IS_ERR checking in dr_domain_init_resources (bsc#1208845). - CVE-2023-23559: Fixed integer overflow in rndis_wlan that leads to a buffer overflow (bsc#1207051). - CVE-2023-26545: Fixed double free in net/mpls/af_mpls.c upon an allocation failure (bsc#1208700).
The following non-security bugs were fixed: - cifs: fix use-after-free caused by invalid pointer `hostname` (bsc#1208971). - genirq: Provide new interfaces for affinity hints (bsc#1208153). - mm/slub: fix panic in slab_alloc_node() (bsc#1208023). - module: Do not wait for GOING modules (bsc#1196058, bsc#1186449, bsc#1204356, bsc#1204662). - net: mana: Assign interrupts to CPUs based on NUMA nodes (bsc#1208153). - net: mana: Fix IRQ name - add PCI and queue number (bsc#1207875). - net: mana: Fix accessing freed irq affinity_hint (bsc#1208153). - refresh patches.kabi/scsi-kABI-fix-for-eh_should_retry_cmd (bsc#1206351). The former kABI fix only moved the newly added member to scsi_host_template to the end of the struct. But that is usually allocated statically, even by 3rd party modules relying on kABI. Before we use the member we need to signalize that it is to be expected. As we only expect it to be allocated by in-tree modules that we can control, we can use a space in the bitfield to signalize that. - s390/kexec: fix ipl report address for kdump (bsc#1207575). - scsi: qla2xxx: Add option to disable FC2 Target support (bsc#1198438 bsc#1206103). - update suse/net-mlx5-Allocate-individual-capability (bsc#1195175). - update suse/net-mlx5-Dynamically-resize-flow-counters-query-buff (bsc#1195175). - update suse/net-mlx5-Fix-flow-counters-SF-bulk-query-len (bsc#1195175). - update suse/net-mlx5-Reduce-flow-counters-bulk-query-buffer-size (bsc#1195175). - update suse/net-mlx5-Reorganize-current-and-maximal-capabilities (bsc#1195175). - update suse/net-mlx5-Use-order-0-allocations-for-EQs (bsc#1195175). Fixed bugzilla reference. - vmxnet3: move rss code block under eop descriptor (bsc#1208212).
----------------------------------------------------------------- Advisory ID: SUSE-SU-2023:781-1 Released: Thu Mar 16 19:07:00 2023 Summary: Security update for vim Type: security Severity: important References: 1207780,1208828,1208957,1208959,CVE-2023-0512,CVE-2023-1127,CVE-2023-1170,CVE-2023-1175 This update for vim fixes the following issues: - CVE-2023-0512: Fixed a divide By Zero (bsc#1207780). - CVE-2023-1175: vim: an incorrect calculation of buffer size (bsc#1208957). - CVE-2023-1170: Fixed a heap-based Buffer Overflow (bsc#1208959). - CVE-2023-1127: Fixed divide by zero in scrolldown() (bsc#1208828). Updated to version 9.0 with patch level 1386. - https://github.com/vim/vim/compare/v9.0.1234...v9.0.1386 ----------------------------------------------------------------- Advisory ID: SUSE-RU-2023:784-1 Released: Thu Mar 16 19:33:52 2023 Summary: Recommended update for grub2 Type: recommended Severity: moderate References: 1205200,1205554 This update for grub2 fixes the following issues: - Remove zfs modules (bsc#1205554) - Make grub.cfg invariant to efi and legacy platforms (bsc#1205200) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2023:786-1 Released: Thu Mar 16 19:36:09 2023 Summary: Recommended update for libsolv, libzypp, zypper Type: recommended Severity: important References: 1178233,1203248,1203249,1203715,1204548,1204956,1205570,1205636,1206949 This update for libsolv, libzypp, zypper fixes the following issues: libsolv: - Do not autouninstall SUSE PTF packages - Ensure 'duplinvolvedmap_all' is reset when a solver is reused - Fix 'keep installed' jobs not disabling 'best update' rules - New '-P' and '-W' options for `testsolv` - New introspection interface for weak dependencies similar to ruleinfos - Ensure special case file dependencies are written correctly in the testcase writer - Support better info about alternatives - Support decision reason queries - Support merging of related decisions - Support 
stringification of multiple solvables - Support stringification of ruleinfo, decisioninfo and decision reasons libzypp: - Avoid calling getsockopt when we know the info already. This patch should fix logging on WSL, getsockopt seems to not be fully supported but the code required it when accepting new socket connections (bsc#1178233) - Avoid redirecting 'history.logfile=/dev/null' into the target - Create '.no_auto_prune' in the package cache dir to prevent auto cleanup of orphaned repositories (bsc#1204956) - Enhance yaml-cpp detection - Improve download of optional files - MultiCurl: Make sure to reset the progress function when falling back. - Properly reset range requests (bsc#1204548) - Removing a PTF without enabled repos should always fail (bsc#1203248) Without enabled repos, the dependent PTF-packages would be removed (not replaced!) as well. To remove a PTF `zypper install -- -PTF` or a dedicated `zypper removeptf PTF` should be used. This will update the installed PTF packages to their latest version. - Skip media.1/media download for http repo status calc. This patch allows zypp to skip an extra media.1/media download to calculate if a repository needs to be refreshed. This optimisation only takes place if the repo does specify only downloading base urls. - Use a dynamic fallback for BLKSIZE in downloads. When not receiving a blocklist via metalinkfile from the server MediaMultiCurl used to fallback to a fixed, relatively small BLKSIZE. This patch changes the fallback into a dynamic value based on the filesize using a similar metric as the MirrorCache implementation on the server side.
- ProgressData: enforce reporting the INIT||END state (bsc#1206949) - ps: fix service detection on newer Tumbleweed systems (bsc#1205636) zypper: - Allow to (re)add a service with the same URL (bsc#1203715) - Bump dependency requirement to libzypp-devel 17.31.7 or greater - Explain outdatedness of repositories - patterns: Avoid displaying superfluous @System entries (bsc#1205570) - Provide `removeptf` command (bsc#1203249) A remove command which prefers replacing dependant packages to removing them as well. A PTF is typically removed as soon as the fix it provides is applied to the latest official update of the dependant packages. However it is not desired for the dependant packages to be removed together with the PTF, which is what the remove command would do. The `removeptf` command however will aim to replace the dependant packages by their official update versions. - Update man page and explain '.no_auto_prune' (bsc#1204956) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2023:794-1 Released: Fri Mar 17 08:42:12 2023 Summary: Security update for python-PyJWT Type: security Severity: critical References: 1176785,1199282,1199756,CVE-2022-29217 This update for python-PyJWT fixes the following issues: - CVE-2022-29217: Fixed Key confusion through non-blocklisted public key formats (bsc#1199756).
- Update in SLE-15 (bsc#1199282, jsc#PM-3243, jsc#SLE-24629) - Update to 2.4.0 (bsc#1199756) - Explicit check the key for ECAlgorithm - Don't use implicit optionals - documentation fix: show correct scope - fix: Update copyright information - Don't mutate options dictionary in .decode_complete() - Add support for Python 3.10 - api_jwk: Add PyJWKSet.__getitem__ - Update usage.rst - Docs: mention performance reasons for reusing RSAPrivateKey when encoding - Fixed typo in usage.rst - Add detached payload support for JWS encoding and decoding - Replace various string interpolations with f-strings by ----------------------------------------------------------------- Advisory ID: SUSE-SU-2023:795-1 Released: Fri Mar 17 09:13:12 2023 Summary: Security update for docker Type: security Severity: moderate References: 1205375,1206065,CVE-2022-36109 This update for docker fixes the following issues: Docker was updated to 20.10.23-ce. See upstream changelog at https://docs.docker.com/engine/release-notes/25.0/ Docker was updated to 20.10.21-ce (bsc#1206065) See upstream changelog at https://docs.docker.com/engine/release-notes/25.0/ Security issues fixed: - CVE-2022-36109: Fixed supplementary group permissions bypass (bsc#1205375) - Fix wrong After: in docker.service, fixes bsc#1188447 - Add apparmor-parser as a Recommends to make sure that most users will end up with it installed even if they are primarily running SELinux. - Allow to install container-selinux instead of apparmor-parser. - Change to using systemd-sysusers ----------------------------------------------------------------- Advisory ID: SUSE-SU-2023:847-1 Released: Tue Mar 21 13:27:57 2023 Summary: Security update for xen Type: security Severity: important References: 1209017,1209018,1209019,1209188,CVE-2022-42331,CVE-2022-42332,CVE-2022-42333,CVE-2022-42334 This update for xen fixes the following issues: - CVE-2022-42332: Fixed use-after-free in x86 shadow plus log-dirty mode (bsc#1209017).
- CVE-2022-42333,CVE-2022-42334: Fixed x86/HVM pinned cache attributes mis-handling (bsc#1209018). - CVE-2022-42331: Fixed speculative vulnerability in 32bit SYSCALL path on x86 (bsc#1209019). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2023:868-1 Released: Wed Mar 22 09:41:01 2023 Summary: Security update for python3 Type: security Severity: important References: 1203355,1208471,CVE-2023-24329 This update for python3 fixes the following issues: - CVE-2023-24329: Fixed a blocklist bypass via the urllib.parse component when supplying a URL that starts with blank characters (bsc#1208471). The following non-security bug was fixed: - Eliminate unnecessary and dangerous calls to PyThread_exit_thread() (bsc#1203355). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2023:1586-1 Released: Mon Mar 27 13:02:52 2023 Summary: Recommended update for nfs-utils Type: recommended Severity: moderate References: 1200710,1203746,1206781,1207022,1207843 This update for nfs-utils fixes the following issues: - Rename all drop-in options.conf files as 10-options.conf This makes it easier for other packages to over-ride with a drop-in with a later sequence number (bsc#1207843) - Avoid modprobe errors when sysctl is not installed (bsc#1200710 bsc#1207022 bsc#1206781) - Add '-S scope' option to rpc.nfsd to simplify fail-over cluster configuration (bsc#1203746) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2023:1628-1 Released: Tue Mar 28 12:28:51 2023 Summary: Security update for containerd Type: security Severity: important References: 1206235,CVE-2022-23471 This update for containerd fixes the following issues: - CVE-2022-23471: Fixed host memory exhaustion through Terminal resize goroutine leak (bsc#1206235). - Re-build containerd to use updated golang-packaging (jsc#1342). - Update to containerd v1.6.16 for Docker v23.0.0-ce.
* https://github.com/containerd/containerd/releases/tag/v1.6.16 ----------------------------------------------------------------- Advisory ID: SUSE-SU-2023:1687-1 Released: Wed Mar 29 17:52:28 2023 Summary: Security update for ldb, samba Type: security Severity: important References: 1201490,1207416,1209481,1209483,1209485,CVE-2022-32746,CVE-2023-0225,CVE-2023-0614,CVE-2023-0922 This update for ldb, samba fixes the following issues: ldb: - CVE-2022-32746: Fixed an use-after-free issue in the database audit logging module (bsc#1201490). - CVE-2023-0614: Fixed discovering of access controlled AD LDAP attributes (bso#15270) (bsc#1209485). samba: - CVE-2023-0922: Fixed cleartext password sending by AD DC admin tool (bso#15315) (bsc#1209481). - CVE-2023-0225: Fixed deletion of AD DC 'dnsHostname' attribute by unprivileged authenticated users (bso#15276) (bsc#1209483). - CVE-2023-0614: Fixed discovering of access controlled AD LDAP attributes (bso#15270) (bsc#1209485). The following non-security bug was fixed: - Prevent use after free of messaging_ctdb_fde_ev structs (bso#15293) (bsc#1207416). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2023:1691-1 Released: Thu Mar 30 09:51:28 2023 Summary: Security update for grub2 Type: security Severity: moderate References: 1209188 This update of grub2 fixes the following issues: - rebuild the package with the new secure boot key (bsc#1209188). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2023:1698-1 Released: Thu Mar 30 12:16:57 2023 Summary: Security update for sudo Type: security Severity: moderate References: 1203201,1206483,1209361,1209362,CVE-2023-28486,CVE-2023-28487 This update for sudo fixes the following issue: Security fixes: - CVE-2023-28486: Fixed missing control characters escaping in log messages (bsc#1209362). - CVE-2023-28487: Fixed missing control characters escaping in sudoreplay output (bsc#1209361). 
Other fixes: - Fix a situation where 'sudo -U otheruser -l' would dereference a NULL pointer (bsc#1206483). - Do not re-enable the reader when flushing the buffers as part of pty_finish() (bsc#1203201). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2023:1702-1 Released: Thu Mar 30 15:23:23 2023 Summary: Security update for shim Type: security Severity: important References: 1185232,1185261,1185441,1185621,1187071,1187260,1193282,1198458,1201066,1202120,1205588,CVE-2022-28737 This update for shim fixes the following issues: - Updated shim signature after shim 15.7 be signed back: signature-sles.x86_64.asc, signature-sles.aarch64.asc (bsc#1198458) - Add POST_PROCESS_PE_FLAGS=-N to the build command in shim.spec to disable the NX compatibility flag when using post-process-pe because grub2 is not ready. (bsc#1205588) - Enable the NX compatibility flag by default. (jsc#PED-127) Update to 15.7 (bsc#1198458) (jsc#PED-127): - Make SBAT variable payload introspectable - Reference MokListRT instead of MokList - Add a link to the test plan in the readme. - [V3] Enable TDX measurement to RTMR register - Discard load-options that start with a NUL - Fixed load_cert_file bugs - Add -malign-double to IA32 compiler flags - pe: Fix image section entry-point validation - make-archive: Build reproducible tarball - mok: remove MokListTrusted from PCR 7 Other fixes: - Support enhance shim measurement to TD RTMR. (jsc#PED-1273) - shim-install: ensure grub.cfg created is not overwritten after installing grub related files - Add logic to shim.spec to only set sbat policy when efivarfs is writeable. (bsc#1201066) - Add logic to shim.spec for detecting --set-sbat-policy option before using mokutil to set sbat policy. (bsc#1202120) - Change the URL in SBAT section to mail:security@suse.de.
(bsc#1193282) Update to 15.6 (bsc#1198458): - MokManager: removed Locate graphic output protocol fail error message - shim: implement SBAT verification for the shim_lock protocol - post-process-pe: Fix a missing return code check - Update github actions matrix to be more useful - post-process-pe: Fix format string warnings on 32-bit platforms - Allow MokListTrusted to be enabled by default - Re-add ARM AArch64 support - Use ASCII as fallback if Unicode Box Drawing characters fail - make: don't treat cert.S specially - shim: use SHIM_DEVEL_VERBOSE when built in devel mode - Break out of the inner sbat loop if we find the entry. - Support loading additional certificates - Add support for NX (W^X) mitigations. - Fix preserve_sbat_uefi_variable() logic - SBAT Policy latest should be a one-shot - pe: Fix a buffer overflow when SizeOfRawData > VirtualSize - pe: Perform image verification earlier when loading grub - Update advertised sbat generation number for shim - Update SBAT generation requirements for 05/24/22 - Also avoid CVE-2022-28737 in verify_image() by @vathpela Update to 15.5 (bsc#1198458): - Broken ia32 relocs and an unimportant submodule change. - mok: allocate MOK config table as BootServicesData - Don't call QueryVariableInfo() on EFI 1.10 machines (bsc#1187260) - Relax the check for import_mok_state() (bsc#1185261) - SBAT.md: trivial changes - shim: another attempt to fix load options handling - Add tests for our load options parsing.
- arm/aa64: fix the size of .rela* sections - mok: fix potential buffer overrun in import_mok_state - mok: relax the maximum variable size check - Don't unhook ExitBootServices when EBS protection is disabled - fallback: find_boot_option() needs to return the index for the boot entry in optnum - httpboot: Ignore case when checking HTTP headers - Fallback allocation errors - shim: avoid BOOTx64.EFI in message on other architectures - str: remove duplicate parameter check - fallback: add compile option FALLBACK_NONINTERACTIVE - Test mok mirror - Modify sbat.md to help with readability. - csv: detect end of csv file correctly - Specify that the .sbat section is ASCII not UTF-8 - tests: add 'include-fixed' GCC directory to include directories - pe: simplify generate_hash() - Don't make shim abort when TPM log event fails (RHBZ #2002265) - Fallback to default loader if parsed one does not exist - fallback: Fix for BootOrder crash when index returned - Better console checks - docs: update SBAT UEFI variable name - Don't parse load options if invoked from removable media path - fallback: fix fallback not passing arguments of the first boot option - shim: Don't stop forever at 'Secure Boot not enabled' notification - Allocate mokvar table in runtime memory. - Remove post-process-pe on 'make clean' - pe: missing perror argument - CVE-2022-28737: Fixed a buffer overflow when SizeOfRawData > VirtualSize (bsc#1198458) - Add mokutil command to post script for setting sbat policy to latest mode when the SbatPolicy-605dab50-e046-4300-abb6-3dd810dd8b23 is not created. (bsc#1198458) - Updated vendor dbx binary and script (bsc#1198458) - Updated dbx-cert.tar.xz and vendor-dbx-sles.bin for adding SLES-UEFI-SIGN-Certificate-2021-05.crt to vendor dbx list. - Updated dbx-cert.tar.xz and vendor-dbx-opensuse.bin for adding openSUSE-UEFI-SIGN-Certificate-2021-05.crt to vendor dbx list.
- Updated vendor-dbx.bin for adding SLES-UEFI-SIGN-Certificate-2021-05.crt and openSUSE-UEFI-SIGN-Certificate-2021-05.crt for testing environment. - Updated generate-vendor-dbx.sh script for generating a vendor-dbx.bin file which includes all .der for testing environment. - avoid buffer overflow when copying data to the MOK config table (bsc#1185232) - Disable exporting vendor-dbx to MokListXRT since writing a large RT variable could crash some machines (bsc#1185261) - ignore the odd LoadOptions length (bsc#1185232) - shim-install: reset def_shim_efi to 'shim.efi' if the given file doesn't exist - relax the maximum variable size check for u-boot (bsc#1185621) - handle ignore_db and user_insecure_mode correctly (bsc#1185441, bsc#1187071) - Split the keys in vendor-dbx.bin to vendor-dbx-sles and vendor-dbx-opensuse for shim-sles and shim-opensuse to reduce the size of MokListXRT (bsc#1185261) + Also update generate-vendor-dbx.sh in dbx-cert.tar.xz ----------------------------------------------------------------- Advisory ID: SUSE-SU-2023:1711-1 Released: Fri Mar 31 13:33:04 2023 Summary: Security update for curl Type: security Severity: moderate References: 1207992,1209209,1209210,1209211,1209212,1209214,CVE-2023-23916,CVE-2023-27533,CVE-2023-27534,CVE-2023-27535,CVE-2023-27536,CVE-2023-27538 This update for curl fixes the following issues: - CVE-2023-27533: Fixed TELNET option IAC injection (bsc#1209209). - CVE-2023-27534: Fixed SFTP path ~ resolving discrepancy (bsc#1209210). - CVE-2023-27535: Fixed FTP too eager connection reuse (bsc#1209211). - CVE-2023-27536: Fixed GSS delegation too eager connection reuse (bsc#1209212). - CVE-2023-27538: Fixed SSH connection too eager reuse still (bsc#1209214). - CVE-2023-23916: Fixed HTTP multi-header compression denial of service (bsc#1207992).
----------------------------------------------------------------- Advisory ID: SUSE-SU-2023:1718-1 Released: Fri Mar 31 15:47:34 2023 Summary: Security update for glibc Type: security Severity: moderate References: 1207571,1207957,1207975,1208358,CVE-2023-0687 This update for glibc fixes the following issues: Security issue fixed: - CVE-2023-0687: Fix allocated buffer overflow in gmon (bsc#1207975) Other issues fixed: - Fix avx2 strncmp offset compare condition check (bsc#1208358) - elf: Allow dlopen of filter object to work (bsc#1207571) - powerpc: Fix unrecognized instruction errors with recent GCC - x86: Cache computation for AMD architecture (bsc#1207957) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2023:1753-1 Released: Tue Apr 4 11:55:00 2023 Summary: Recommended update for systemd-presets-common-SUSE Type: recommended Severity: moderate References: This update for systemd-presets-common-SUSE fixes the following issue: - Enable systemd-pstore.service by default (jsc#PED-2663) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2023:1763-1 Released: Tue Apr 4 14:35:52 2023 Summary: Security update for python-cryptography Type: security Severity: moderate References: 1208036,CVE-2023-23931 This update for python-cryptography fixes the following issues: - CVE-2023-23931: Fixed memory corruption in Cipher.update_into (bsc#1208036). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2023:1790-1 Released: Thu Apr 6 15:36:15 2023 Summary: Security update for openssl-1_1 Type: security Severity: moderate References: 1209624,1209873,1209878,CVE-2023-0464,CVE-2023-0465,CVE-2023-0466 This update for openssl-1_1 fixes the following issues: - CVE-2023-0464: Fixed excessive Resource Usage Verifying X.509 Policy Constraints (bsc#1209624). - CVE-2023-0465: Invalid certificate policies in leaf certificates were silently ignored (bsc#1209878). 
- CVE-2023-0466: Certificate policy checks were not enabled (bsc#1209873).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:1805-1
Released: Tue Apr 11 10:12:41 2023
Summary: Recommended update for timezone
Type: recommended
Severity: important
References:

This update for timezone fixes the following issues:

- Version update from 2022g to 2023c:
  * Egypt now uses DST again, from April through October.
  * This year Morocco springs forward April 23, not April 30.
  * Palestine delays the start of DST this year.
  * Much of Greenland still uses DST from 2024 on.
  * America/Yellowknife now links to America/Edmonton.
  * tzselect can now use current time to help infer timezone.
  * The code now defaults to C99 or later.
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:1810-1
Released: Tue Apr 11 12:06:13 2023
Summary: Recommended update for cups
Type: recommended
Severity: moderate
References: 1191467,1191525,1198932,1200321,1201234,1203446

This update for cups fixes the following issues:

- Fix print jobs on cups.sock return with EAGAIN (Resource temporarily unavailable) (bsc#1191525)
- Fix '/usr/bin/lpr: Error - The printer or class does not exist' (bsc#1203446)
- Improves logging on 'IPP_STATUS_ERROR_NOT_FOUND' error (bsc#1191467, bsc#1198932)
- Add 'After=network.target sssd.service' to the systemd unit (bsc#1201234, bsc#1200321)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:1811-1
Released: Tue Apr 11 12:11:23 2023
Summary: Security update for the Linux Kernel
Type: security
Severity: important
References: 1207168,1207560,1208137,1208179,1208598,1208599,1208601,1208777,1208787,1208843,1209008,1209052,1209256,1209288,1209289,1209290,1209291,1209366,1209532,1209547,1209549,1209634,1209635,1209636,1209672,1209683,1209778,1209785,CVE-2017-5753,CVE-2021-3923,CVE-2022-4744,CVE-2023-0461,CVE-2023-1075,CVE-2023-1076,CVE-2023-1078,CVE-2023-1095,CVE-2023-1281,CVE-2023-1382,CVE-2023-1390,CVE-2023-1513,CVE-2023-1582,CVE-2023-23004,CVE-2023-25012,CVE-2023-28327,CVE-2023-28328,CVE-2023-28464,CVE-2023-28466,CVE-2023-28772

The SUSE Linux Enterprise 15 SP3 kernel was updated to receive various security and bugfixes.

The following security bugs were fixed:

- CVE-2017-5753: Fixed spectre V1 vulnerability on netlink (bsc#1209547).
- CVE-2017-5753: Fixed spectre vulnerability in prlimit (bsc#1209256).
- CVE-2021-3923: Fixed stack information leak vulnerability that could lead to kernel protection bypass in infiniband RDMA (bsc#1209778).
- CVE-2022-4744: Fixed double-free that could lead to DoS or privilege escalation in TUN/TAP device driver functionality (bsc#1209635).
- CVE-2023-0461: Fixed use-after-free in icsk_ulp_data (bsc#1208787).
- CVE-2023-1075: Fixed a type confusion in tls_is_tx_ready (bsc#1208598).
- CVE-2023-1076: Fixed incorrect UID assigned to tun/tap sockets (bsc#1208599).
- CVE-2023-1078: Fixed a heap out-of-bounds write in rds_rm_zerocopy_callback (bsc#1208601).
- CVE-2023-1095: Fixed a NULL pointer dereference in nf_tables due to zeroed list head (bsc#1208777).
- CVE-2023-1281: Fixed use after free that could lead to privilege escalation in tcindex (bsc#1209634).
- CVE-2023-1382: Fixed denial of service in tipc_conn_close (bsc#1209288).
- CVE-2023-1390: Fixed remote DoS vulnerability in tipc_link_xmit() (bsc#1209289).
- CVE-2023-1513: Fixed uninitialized portions of the kvm_debugregs structure that could be copied to userspace, causing an information leak (bsc#1209532).
- CVE-2023-1582: Fixed soft lockup in __page_mapcount (bsc#1209636).
- CVE-2023-23004: Fixed misinterpretation of get_sg_table return value (bsc#1208843).
- CVE-2023-25012: Fixed a use-after-free in bigben_set_led() (bsc#1207560).
- CVE-2023-28327: Fixed DoS in in_skb in unix_diag_get_exact() (bsc#1209290).
- CVE-2023-28328: Fixed a denial of service issue in az6027 driver in drivers/media/usb/dev-usb/az6027.c (bsc#1209291).
- CVE-2023-28464: Fixed use-after-free that could lead to privilege escalation in hci_conn_cleanup in net/bluetooth/hci_conn.c (bsc#1209052).
- CVE-2023-28466: Fixed race condition that could lead to use-after-free or NULL pointer dereference in do_tls_getsockopt in net/tls/tls_main.c (bsc#1209366).
- CVE-2023-28772: Fixed buffer overflow in seq_buf_putmem_hex in lib/seq_buf.c (bsc#1209549).

The following non-security bugs were fixed:

- Do not sign the vanilla kernel (bsc#1209008).
- PCI: hv: Add a per-bus mutex state_lock (bsc#1209785).
- PCI: hv: Fix a race condition in hv_irq_unmask() that can cause panic (bsc#1209785).
- PCI: hv: Remove the useless hv_pcichild_state from struct hv_pci_dev (bsc#1209785).
- PCI: hv: fix a race condition bug in hv_pci_query_relations() (bsc#1209785).
- Revert 'PCI: hv: Fix a timing issue which causes kdump to fail occasionally' (bsc#1209785).
- ipv6: raw: Deduct extension header length in rawv6_push_pending_frames (bsc#1207168).
- kernel-module-subpackage: Fix expansion with -b parameter (bsc#1208179).
- net: ena: optimize data access in fast-path code (bsc#1208137).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:1827-1
Released: Thu Apr 13 10:18:16 2023
Summary: Security update for containerd
Type: security
Severity: moderate
References: 1208423,1208426,CVE-2023-25153,CVE-2023-25173

This update for containerd fixes the following issues:

Update to containerd v1.6.19:

Security fixes:

- CVE-2023-25153: Fixed OCI image importer memory exhaustion (bnc#1208423).
- CVE-2023-25173: Fixed supplementary groups not set up properly (bnc#1208426).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:1886-1
Released: Tue Apr 18 11:15:49 2023
Summary: Recommended update for dracut
Type: recommended
Severity: moderate
References: 1204929,1208929

This update for dracut fixes the following issues:

- Update to version 049.1+suse.251.g0b8dad5:
  * omission updates in conf files (bsc#1208929)
  * chown using rpc default group (bsc#1204929)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:1920-1
Released: Wed Apr 19 16:22:58 2023
Summary: Recommended update for hwdata
Type: recommended
Severity: moderate
References:

This update for hwdata fixes the following issues:

- Update pci, usb and vendor ids
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:1932-1
Released: Thu Apr 20 18:40:58 2023
Summary: Recommended update for grub2
Type: recommended
Severity: moderate
References: 1187810,1189036,1207064,1209165,1209234,1209372,1209667

This update for grub2 fixes the following issues:

- Fix aarch64 kiwi image's file not found due to '/@' prepended to path in btrfs filesystem. (bsc#1209165)
- Make grub more robust against storage race condition causing system boot failures (bsc#1189036)
- Fix unknown filesystem error on disks with 4096 sector size (bsc#1207064, bsc#1209234)
- Fix installation over serial console ends up in infinite boot loop (bsc#1187810, bsc#1209667, bsc#1209372)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:1945-1
Released: Fri Apr 21 14:13:27 2023
Summary: Recommended update for elfutils
Type: recommended
Severity: moderate
References: 1203599

This update for elfutils fixes the following issues:

- go1.19 builds created debuginfo that was not extractable using rpm / elfutils 0.177. (bsc#1203599)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:1993-1
Released: Tue Apr 25 13:50:58 2023
Summary: Security update for avahi
Type: security
Severity: moderate
References: 1210328,CVE-2023-1981

This update for avahi fixes the following issues:

- CVE-2023-1981: Fixed crash in avahi-daemon (bsc#1210328).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:2003-1
Released: Tue Apr 25 18:05:42 2023
Summary: Security update for runc
Type: security
Severity: important
References: 1168481,1208962,1209884,1209888,CVE-2023-25809,CVE-2023-27561,CVE-2023-28642

This update for runc fixes the following issues:

Update to runc v1.1.5:

Security fixes:

- CVE-2023-25809: Fixed rootless `/sys/fs/cgroup` is writable when cgroupns isn't unshared (bnc#1209884).
- CVE-2023-27561: Fixed regression that reintroduced CVE-2019-19921 vulnerability (bnc#1208962).
- CVE-2023-28642: Fixed AppArmor/SELinux bypass with symlinked /proc (bnc#1209888).

Other fixes:

- Fix the inability to use `/dev/null` when inside a container.
- Fix changing the ownership of host's `/dev/null` caused by fd redirection (bsc#1168481).
- Fix rare runc exec/enter unshare error on older kernels.
- nsexec: Check for errors in `write_log()`.
- Drop version-specific Go requirement.
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:2048-1
Released: Wed Apr 26 21:05:45 2023
Summary: Security update for libxml2
Type: security
Severity: important
References: 1065270,1199132,1204585,1210411,1210412,CVE-2021-3541,CVE-2022-29824,CVE-2023-28484,CVE-2023-29469

This update for libxml2 fixes the following issues:

- CVE-2023-29469: Fixed inconsistent result when hashing empty strings (bsc#1210412).
- CVE-2023-28484: Fixed NULL pointer dereference in xmlSchemaFixupComplexType (bsc#1210411).
- CVE-2022-29824: Fixed integer overflow leading to out-of-bounds write in buf.c (bsc#1199132).

The following non-security bugs were fixed:

- Added W3C conformance tests to the testsuite (bsc#1204585).
- Fixed NULL pointer dereference when parsing invalid data (glgo#libxml2!15) (bsc#1065270).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:2070-1
Released: Fri Apr 28 13:56:33 2023
Summary: Security update for shadow
Type: security
Severity: moderate
References: 1210507,CVE-2023-29383

This update for shadow fixes the following issues:

- CVE-2023-29383: Fixed apparent /etc/shadow manipulation via chfn (bsc#1210507).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:2074-1
Released: Fri Apr 28 17:02:25 2023
Summary: Security update for zstd
Type: security
Severity: moderate
References: 1209533,CVE-2022-4899

This update for zstd fixes the following issues:

- CVE-2022-4899: Fixed buffer overrun in util.c (bsc#1209533).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:2076-1
Released: Fri Apr 28 17:35:05 2023
Summary: Security update for glib2
Type: security
Severity: moderate
References: 1209713,1209714,1210135,CVE-2023-24593,CVE-2023-25180

This update for glib2 fixes the following issues:

- CVE-2023-24593: Fixed a denial of service caused by handling a malicious text-form variant (bsc#1209714).
- CVE-2023-25180: Fixed a denial of service caused by malicious serialised variant (bsc#1209713).

The following non-security bug was fixed:

- Fixed regression on s390x (bsc#1210135, glgo#GNOME/glib!2978).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:2084-1
Released: Tue May 2 13:31:52 2023
Summary: Security update for shim
Type: security
Severity: important
References: 1210382,CVE-2022-28737

This update for shim fixes the following issues:

- CVE-2022-28737 was missing as reference previously.
- Upgrade shim-install for bsc#1210382
  After the Leap-gap project was closed, since Leap 15.3, openSUSE Leap directly uses shim from SLE. So the ca_string is 'SUSE Linux Enterprise Secure Boot CA1', not 'openSUSE Secure Boot CA1'. This results in update_boot=no, so all files in /boot/efi/EFI/boot are not updated. Logic was added that uses the ID field in os-release to check for the Leap distro and set ca_string to 'SUSE Linux Enterprise Secure Boot CA1'. Then /boot/efi/EFI/boot/* can also be updated.
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:2103-1
Released: Thu May 4 20:05:44 2023
Summary: Security update for vim
Type: security
Severity: moderate
References: 1208828,1209042,1209187,CVE-2023-1127,CVE-2023-1264,CVE-2023-1355

This update for vim fixes the following issues:

Updated to version 9.0 with patch level 1443, which fixes the following security problems:

- CVE-2023-1264: Fixed NULL Pointer Dereference (bsc#1209042).
- CVE-2023-1355: Fixed NULL Pointer Dereference (bsc#1209187).
- CVE-2023-1127: Fixed divide by zero in scrolldown() (bsc#1208828).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:2104-1
Released: Thu May 4 21:05:30 2023
Summary: Recommended update for procps
Type: recommended
Severity: moderate
References: 1209122

This update for procps fixes the following issue:

- Allow - as leading character to ignore possible errors on sysctl entries (bsc#1209122)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:2111-1
Released: Fri May 5 14:34:00 2023
Summary: Security update for ncurses
Type: security
Severity: moderate
References: 1210434,CVE-2023-29491

This update for ncurses fixes the following issues:

- CVE-2023-29491: Fixed memory corruption issues when processing malformed terminfo data (bsc#1210434).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:2131-1
Released: Tue May 9 13:35:24 2023
Summary: Recommended update for openssh
Type: recommended
Severity: important
References: 1207014

This update for openssh fixes the following issues:

- Remove some patches that cause invalid environment assignments (bsc#1207014).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:2133-1
Released: Tue May 9 13:37:10 2023
Summary: Recommended update for zlib
Type: recommended
Severity: moderate
References: 1206513

This update for zlib fixes the following issues:

- Add DFLTCC support for using inflate() with a small window (bsc#1206513)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:2148-1
Released: Tue May 9 17:05:48 2023
Summary: Security update for the Linux Kernel
Type: security
Severity: important
References: 1202353,1205128,1206992,1207088,1209687,1209739,1209777,1209871,1210202,1210203,1210301,1210329,1210336,1210337,1210414,1210453,1210469,1210498,1210506,1210629,1210647,CVE-2020-36691,CVE-2022-2196,CVE-2022-43945,CVE-2023-1611,CVE-2023-1670,CVE-2023-1838,CVE-2023-1855,CVE-2023-1872,CVE-2023-1989,CVE-2023-1990,CVE-2023-1998,CVE-2023-2008,CVE-2023-2124,CVE-2023-2162,CVE-2023-2176,CVE-2023-30772

The SUSE Linux Enterprise 15 SP3 kernel was updated to receive various security and bugfixes.

The following security bugs were fixed:

- CVE-2023-2124: Fixed an out of bound access in the XFS subsystem that could have led to denial-of-service or potentially privilege escalation (bsc#1210498).
- CVE-2023-1872: Fixed a use after free vulnerability in the io_uring subsystem, which could lead to local privilege escalation (bsc#1210414).
- CVE-2022-2196: Fixed a regression related to KVM that allowed for speculative execution attacks (bsc#1206992).
- CVE-2023-1670: Fixed a use after free in the Xircom 16-bit PCMCIA Ethernet driver. A local user could use this flaw to crash the system or potentially escalate their privileges on the system (bsc#1209871).
- CVE-2023-2162: Fixed a use-after-free flaw in iscsi_sw_tcp_session_create (bsc#1210647).
- CVE-2023-2176: A vulnerability was found in compare_netdev_and_ip in drivers/infiniband/core/cma.c in RDMA. The improper cleanup results in an out-of-boundary read, which a local user can use to crash the system or escalate privileges (bsc#1210629).
- CVE-2023-1998: Fixed a use after free during login when accessing the shost ipaddress (bsc#1210506).
- CVE-2023-30772: Fixed a race condition and resultant use-after-free in da9150_charger_remove (bsc#1210329).
- CVE-2023-2008: A flaw was found in the fault handler of the udmabuf device driver. An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code (bsc#1210453).
- CVE-2023-1855: Fixed a use after free in xgene_hwmon_remove (bsc#1210202).
- CVE-2020-36691: Fixed a denial of service vulnerability via a nested Netlink policy with a back reference (bsc#1209777).
- CVE-2023-1990: Fixed a use after free in ndlc_remove (bsc#1210337).
- CVE-2023-1989: Fixed a use after free in btsdio_remove (bsc#1210336).
- CVE-2022-43945: Fixed a buffer overflow in the NFSD implementation (bsc#1205128).
- CVE-2023-1611: Fixed a use-after-free flaw in btrfs_search_slot (bsc#1209687).
- CVE-2023-1838: Fixed a use-after-free flaw in virtio network subcomponent. This flaw could allow a local attacker to crash the system and lead to a kernel information leak problem. (bsc#1210203).

The following non-security bugs were fixed:

- Drivers: vmbus: Check for channel allocation before looking up relids (git-fixes).
- cifs: fix negotiate context parsing (bsc#1210301).
- keys: Fix linking a duplicate key to a keyring's assoc_array (bsc#1207088).
- vmxnet3: use gro callback when UPT is enabled (bsc#1209739).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:2166-1
Released: Wed May 10 20:18:51 2023
Summary: Recommended update for supportutils-plugin-suse-public-cloud
Type: recommended
Severity: moderate
References: 1209026

This update for supportutils-plugin-suse-public-cloud fixes the following issues:

- Update to version 1.0.7 (bsc#1209026)
  + Include information about the cached registration data
  + Collect the data that is sent to the update infrastructure during registration
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:2215-1
Released: Tue May 16 11:24:41 2023
Summary: Security update for dmidecode
Type: security
Severity: moderate
References: 1210418,CVE-2023-30630

This update for dmidecode fixes the following issues:

- CVE-2023-30630: Fixed potential privilege escalation vulnerability via file overwrite (bsc#1210418).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:2216-1
Released: Tue May 16 11:27:50 2023
Summary: Recommended update for python-packaging
Type: recommended
Severity: important
References: 1186870,1199282

This update for python-packaging fixes the following issues:

- Update in SLE-15 (bsc#1199282, jsc#PM-3243, jsc#SLE-24629)
- Add patch to fix testsuite on big-endian targets
- Ignore python3.6.2 since the test doesn't support it.
- update to 21.3:
  * Add a pp3-none-any tag
  * Replace the blank pyparsing 3 exclusion with a 3.0.5 exclusion
  * Fix a spelling mistake
- update to 21.2:
  * Update documentation entry for 21.1.
  * Update pin to pyparsing to exclude 3.0.0.
  * PEP 656: musllinux support
  * Drop support for Python 2.7, Python 3.4 and Python 3.5
  * Replace distutils usage with sysconfig
  * Add support for zip files
  * Use cached hash attribute to short-circuit tag equality comparisons
  * Specify the default value for the 'specifier' argument to 'SpecifierSet'
  * Proper keyword-only 'warn' argument in packaging.tags
  * Correctly remove prerelease suffixes from ~= check
  * Fix type hints for 'Version.post' and 'Version.dev'
  * Use typing alias 'UnparsedVersion'
  * Improve type inference
  * Tighten the return typeo
- Add Provides: for python*dist(packaging). (bsc#1186870)
- add no-legacyversion-warning.patch to restore compatibility with 20.4
- update to 20.9:
  * Add support for the ``macosx_10_*_universal2`` platform tags
  * Introduce ``packaging.utils.parse_wheel_filename()`` and ``parse_sdist_filename()``
- update to 20.8:
  * Revert back to setuptools for compatibility purposes for some Linux distros
  * Do not insert an underscore in wheel tags when the interpreter version number is more than 2 digits
  * Fix flit configuration, to include LICENSE files
  * Make `intel` a recognized CPU architecture for the `universal` macOS platform tag
  * Add some missing type hints to `packaging.requirements`
  * Officially support Python 3.9
  * Deprecate the ``LegacyVersion`` and ``LegacySpecifier`` classes
  * Handle ``OSError`` on non-dynamic executables when attempting to resolve the glibc version string.
- update to 20.4:
  * Canonicalize version before comparing specifiers.
  * Change type hint for ``canonicalize_name`` to return ``packaging.utils.NormalizedName``. This enables the use of static typing tools (like mypy) to detect mixing of normalized and un-normalized names.
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:2227-1
Released: Wed May 17 09:57:41 2023
Summary: Security update for curl
Type: security
Severity: important
References: 1211231,1211232,1211233,1211339,CVE-2023-28320,CVE-2023-28321,CVE-2023-28322

This update for curl fixes the following issues:

- CVE-2023-28320: Fixed siglongjmp race condition (bsc#1211231).
- CVE-2023-28321: Fixed IDN wildcard matching (bsc#1211232).
- CVE-2023-28322: Fixed POST-after-PUT confusion (bsc#1211233).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:2237-1
Released: Wed May 17 17:10:07 2023
Summary: Recommended update for vim
Type: recommended
Severity: moderate
References: 1211144

This update for vim fixes the following issues:

* Make xxd conflict with the previous vim packages to avoid a file conflict during migration (bsc#1211144)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:2247-1
Released: Thu May 18 17:04:38 2023
Summary: Recommended update for libzypp, zypper
Type: recommended
Severity: moderate
References: 1127591,1195633,1208329,1209406,1210870

This update for libzypp, zypper fixes the following issues:

- Installing local RPM packages fails if /usr/bin/find is not installed (bsc#1195633)
- multicurl: propagate ssl settings stored in repo url (bsc#1127591)
- MediaCurl: Fix endless loop if wrong credentials are stored in credentials.cat (bsc#1210870)
- zypp.conf: Introduce 'download.connect_timeout' [60 sec.] (bsc#1208329)
- Teach MediaNetwork to retry on HTTP2 errors.
- Fix selecting installed patterns from picklist (bsc#1209406)
- man: better explanation of --priority
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:2254-1
Released: Fri May 19 15:20:23 2023
Summary: Security update for containerd
Type: security
Severity: important
References: 1210298

This update for containerd fixes the following issues:

- Rebuild containerd with a current version of go to catch up on bugfixes and security fixes (bsc#1210298)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:2256-1
Released: Fri May 19 15:26:43 2023
Summary: Security update for runc
Type: security
Severity: important
References: 1200441

This update of runc fixes the following issues:

- rebuild the package with the go 19.9 secure release (bsc#1200441).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:2278-1
Released: Wed May 24 07:56:35 2023
Summary: Recommended update for dracut
Type: recommended
Severity: moderate
References: 1210640

This update for dracut fixes the following issues:

- Update to version 049.1+suse.253.g1008bf13:
  * fix(network-legacy): handle do_dhcp calls without arguments (bsc#1210640)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:2313-1
Released: Tue May 30 09:29:25 2023
Summary: Security update for c-ares
Type: security
Severity: important
References: 1211604,1211605,1211606,1211607,CVE-2023-31124,CVE-2023-31130,CVE-2023-31147,CVE-2023-32067

This update for c-ares fixes the following issues:

Update to version 1.19.1:

- CVE-2023-32067: 0-byte UDP payload causes Denial of Service (bsc#1211604)
- CVE-2023-31147: Insufficient randomness in generation of DNS query IDs (bsc#1211605)
- CVE-2023-31130: Buffer Underwrite in ares_inet_net_pton() (bsc#1211606)
- CVE-2023-31124: AutoTools does not set CARES_RANDOM_FILE during cross compilation (bsc#1211607)
- Fix uninitialized memory warning in test
- ares_getaddrinfo() should allow a port of 0
- Fix memory leak in ares_send() on error
- Fix comment style in ares_data.h
- Fix typo in ares_init_options.3
- Sync ax_pthread.m4 with upstream
- Sync ax_cxx_compile_stdcxx_11.m4 with upstream to fix uclibc support
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:2333-1
Released: Wed May 31 09:01:28 2023
Summary: Recommended update for zlib
Type: recommended
Severity: moderate
References: 1210593

This update for zlib fixes the following issue:

- Fix function calling order to avoid crashes (bsc#1210593)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:2343-1
Released: Thu Jun 1 11:35:28 2023
Summary: Security update for openssl-1_1
Type: security
Severity: important
References: 1211430,CVE-2023-2650

This update for openssl-1_1 fixes the following issues:

- CVE-2023-2650: Fixed possible denial of service translating ASN.1 object identifiers (bsc#1211430).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:2347-1
Released: Thu Jun 1 14:33:10 2023
Summary: Security update for cups
Type: security
Severity: important
References: 1211643,CVE-2023-32324

This update for cups fixes the following issues:

- CVE-2023-32324: Fixed a buffer overflow in format_log_line() which could cause a denial-of-service (bsc#1211643).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:2355-1
Released: Fri Jun 2 12:48:25 2023
Summary: Recommended update for librelp
Type: recommended
Severity: moderate
References: 1210649

This update for librelp fixes the following issues:

- update to librelp 1.11.0 (bsc#1210649)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:2365-1
Released: Mon Jun 5 09:22:46 2023
Summary: Recommended update for util-linux
Type: recommended
Severity: moderate
References: 1210164

This update for util-linux fixes the following issues:

- Add upstream patches (bsc#1210164, bsc#1210164, bsc#1210164)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:2430-1
Released: Tue Jun 6 22:55:28 2023
Summary: Recommended update for supportutils-plugin-suse-public-cloud
Type: recommended
Severity: critical
References:

This update for supportutils-plugin-suse-public-cloud fixes the following issues:

- This update will be delivered to SLE Micro. (SMO-219)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:2484-1
Released: Mon Jun 12 08:49:58 2023
Summary: Security update for openldap2
Type: security
Severity: moderate
References: 1211795,CVE-2023-2953

This update for openldap2 fixes the following issues:

- CVE-2023-2953: Fixed null pointer deref in ber_memalloc_x (bsc#1211795).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:2497-1
Released: Tue Jun 13 15:37:25 2023
Summary: Recommended update for libzypp
Type: recommended
Severity: important
References: 1211661,1212187

This update for libzypp fixes the following issues:

- Fix 'Curl error 92' when synchronizing SUSE Manager repositories. [bsc#1212187]
- Do not unconditionally release a medium if provideFile failed. [bsc#1211661]

The following package changes have been done:

- containerd-ctr-1.6.19-150000.90.3 updated
- containerd-1.6.19-150000.90.3 updated
- cups-config-2.2.7-150000.3.43.1 updated
- curl-7.66.0-150200.4.57.1 updated
- dmidecode-3.2-150100.9.16.1 updated
- docker-20.10.23_ce-150000.175.1 updated
- dracut-049.1+suse.253.g1008bf13-150200.3.69.1 updated
- elfutils-0.177-150300.11.6.1 updated
- glibc-locale-base-2.31-150300.46.1 updated
- glibc-locale-2.31-150300.46.1 updated
- glibc-2.31-150300.46.1 updated
- grub2-i386-pc-2.04-150300.22.37.1 updated
- grub2-x86_64-efi-2.04-150300.22.37.1 updated
- grub2-x86_64-xen-2.04-150300.22.37.1 updated
- grub2-2.04-150300.22.37.1 updated
- hwdata-0.368-150000.3.57.1 updated
- kernel-default-5.3.18-150300.59.121.2 updated
- libasm1-0.177-150300.11.6.1 updated
- libavahi-client3-0.7-150100.3.24.1 updated
- libavahi-common3-0.7-150100.3.24.1 updated
- libblkid1-2.36.2-150300.4.35.1 updated
- libcares2-1.19.1-150000.3.23.1 updated
- libcups2-2.2.7-150000.3.43.1 updated
- libcurl4-7.66.0-150200.4.57.1 updated
- libdw1-0.177-150300.11.6.1 updated
- libebl-plugins-0.177-150300.11.6.1 updated
- libelf1-0.177-150300.11.6.1 updated
- libfdisk1-2.36.2-150300.4.35.1 updated
- libgcc_s1-12.2.1+git416-150000.1.7.1 updated
- libglib-2_0-0-2.62.6-150200.3.15.1 updated
- libldap-2_4-2-2.4.46-150200.14.14.1 updated
- libldap-data-2.4.46-150200.14.14.1 updated
- libldb2-2.4.4-150300.3.23.1 updated
- libmount1-2.36.2-150300.4.35.1 updated
- libncurses6-6.1-150000.5.15.1 updated
- libopenssl1_1-1.1.1d-150200.11.65.1 updated
- libprocps7-3.3.15-150000.7.31.1 updated
- libpython3_6m1_0-3.6.15-150300.10.45.1 updated
- librelp0-1.11.0-150000.3.3.1 updated
- libsmartcols1-2.36.2-150300.4.35.1 updated
- libsolv-tools-0.7.24-150200.18.1 updated
- libstdc++6-12.2.1+git416-150000.1.7.1 updated
- libuuid1-2.36.2-150300.4.35.1 updated
- libxml2-2-2.9.7-150000.3.57.1 updated
- libz1-1.2.11-150000.3.45.1 updated
- libzstd1-1.4.4-150000.1.9.1 updated
- libzypp-17.31.13-150200.66.1 updated
- login_defs-4.8.1-150300.4.6.1 updated
- mokutil-0.4.0-150200.4.6.1 added
- ncurses-utils-6.1-150000.5.15.1 updated
- nfs-client-2.1.1-150100.10.32.1 updated
- openssh-clients-8.4p1-150300.3.18.2 updated
- openssh-common-8.4p1-150300.3.18.2 updated
- openssh-server-8.4p1-150300.3.18.2 updated
- openssh-8.4p1-150300.3.18.2 updated
- openssl-1_1-1.1.1d-150200.11.65.1 updated
- openssl-1.1.1d-1.46 added
- procps-3.3.15-150000.7.31.1 updated
- python3-PyJWT-2.4.0-150200.3.6.2 updated
- python3-base-3.6.15-150300.10.45.1 updated
- python3-cryptography-3.3.2-150200.19.1 updated
- python3-packaging-21.3-150200.3.3.1 updated
- python3-3.6.15-150300.10.45.1 updated
- rsyslog-module-relp-8.2106.0-150200.4.35.1 added
- runc-1.1.5-150000.43.1 updated
- samba-client-libs-4.15.13+git.636.53d93c5b9d6-150300.3.52.1 updated
- samba-libs-4.15.13+git.636.53d93c5b9d6-150300.3.52.1 updated
- shadow-4.8.1-150300.4.6.1 updated
- shim-15.7-150300.4.16.1 updated
- sudo-1.9.5p2-150300.3.24.1 updated
- supportutils-plugin-suse-public-cloud-1.0.7-150000.3.14.1 updated
- systemd-presets-common-SUSE-15-150100.8.20.1 updated
- terminfo-base-6.1-150000.5.15.1 updated
- terminfo-6.1-150000.5.15.1 updated
- timezone-2023c-150000.75.23.1 updated
- util-linux-systemd-2.36.2-150300.4.35.1 updated
- util-linux-2.36.2-150300.4.35.1 updated
- vim-data-common-9.0.1443-150000.5.43.1 updated
- vim-9.0.1443-150000.5.43.1 updated
- xen-libs-4.14.5_12-150300.3.48.1 updated
- xen-tools-domU-4.14.5_12-150300.3.48.1 updated
- xxd-9.0.1443-150000.5.43.1 added
- zypper-1.14.60-150200.51.1 updated
- python3-ecdsa-0.13.3-3.7.1 removed

SUSE Container Image Patch Notice for the suse-sles-15-sp3-chost-byos-v20230701-hvm-nvme-x86_64 pertaining to essential updates. SUSE Container Security, Image Update, Security Advisory. Severity: Critical. LinuxSecurity.com Team

Jun 15, 2023 Critical SuSE

SUSE: 2023:318-1 Important: Container Image Security Update

The container suse-sles-15-sp4-chost-byos-v20230510-hvm-ssd-x86_64 was updated. The following patches have been included in this update:

SUSE Image Update Advisory: suse-sles-15-sp4-chost-byos-v20230510-hvm-ssd-x86_64
-----------------------------------------------------------------
Image Advisory ID : SUSE-IU-2023:318-1
Image Tags : suse-sles-15-sp4-chost-byos-v20230510-hvm-ssd-x86_64:20230510
Image Release :
Severity : important
Type : security
References : 1065729 1109158 1142685 1155798 1168481 1171479 1174777 1187810 1189036 1189998 1189999 1191467 1191525 1193629 1194869 1194869 1198932 1200321 1201209 1201234 1202705 1202820 1203039 1203079 1203200 1203325 1203446 1204042 1206195 1206439 1206513 1206552 1206649 1206891 1206992 1207014 1207064 1207088 1207168 1207185 1207574 1207876 1208076 1208079 1208423 1208426 1208529 1208602 1208815 1208822 1208828 1208829 1208845 1208902 1208962 1209026 1209042 1209052 1209118 1209122 1209165 1209187 1209234 1209256 1209290 1209292 1209366 1209372 1209532 1209547 1209556 1209572 1209600 1209615 1209634 1209635 1209636 1209667 1209681 1209684 1209687 1209693 1209713 1209714 1209739 1209779 1209788 1209798 1209799 1209804 1209805 1209871 1209873 1209878 1209884 1209888 1209918 1209927 1209999 1210034 1210050 1210135 1210158 1210202 1210203 1210206 1210301 1210328 1210329 1210336 1210337 1210382 1210411 1210412 1210418 1210434 1210439 1210453 1210454 1210469 1210499 1210506 1210507 1210629 1210630 1210725 1210729 1210762 1210763 1210764 1210765 1210766 1210767 1210768 1210769 1210770 1210771 1210793 1210816 1210817 1210827 1210943 1210953 1210986 1211025 CVE-2017-5753 CVE-2020-12762 CVE-2022-2196 CVE-2022-28737 CVE-2022-4744 CVE-2023-0386 CVE-2023-0394 CVE-2023-0465 CVE-2023-0466 CVE-2023-1127 CVE-2023-1264 CVE-2023-1281 CVE-2023-1355 CVE-2023-1513 CVE-2023-1582 CVE-2023-1611 CVE-2023-1637 CVE-2023-1652 CVE-2023-1670 CVE-2023-1838 CVE-2023-1855 CVE-2023-1981 CVE-2023-1989 CVE-2023-1990 CVE-2023-1998 CVE-2023-2008 CVE-2023-2019 CVE-2023-2176 CVE-2023-2235 CVE-2023-23001 CVE-2023-23006 CVE-2023-24593 CVE-2023-25153 CVE-2023-25173 CVE-2023-25180 CVE-2023-25809 CVE-2023-27561 CVE-2023-28327 CVE-2023-28464 CVE-2023-28466 CVE-2023-28484 CVE-2023-28642 CVE-2023-29383 CVE-2023-29469 CVE-2023-29491 CVE-2023-30630 CVE-2023-30772
-----------------------------------------------------------------

The container suse-sles-15-sp4-chost-byos-v20230510-hvm-ssd-x86_64 was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:1805-1
Released: Tue Apr 11 10:12:41 2023
Summary: Recommended update for timezone
Type: recommended
Severity: important
References:

This update for timezone fixes the following issues:

- Version update from 2022g to 2023c:
  * Egypt now uses DST again, from April through October.
  * This year Morocco springs forward April 23, not April 30.
  * Palestine delays the start of DST this year.
  * Much of Greenland still uses DST from 2024 on.
  * America/Yellowknife now links to America/Edmonton.
  * tzselect can now use current time to help infer timezone.
  * The code now defaults to C99 or later.
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:1809-1
Released:    Tue Apr 11 11:47:44 2023
Summary:     Recommended update for haveged
Type:        recommended
Severity:    moderate
References:  1203079

This update for haveged fixes the following issues:

- Synchronize haveged instances during switching root (bsc#1203079)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:1810-1
Released:    Tue Apr 11 12:06:13 2023
Summary:     Recommended update for cups
Type:        recommended
Severity:    moderate
References:  1191467,1191525,1198932,1200321,1201234,1203446

This update for cups fixes the following issues:

- Fix print jobs on cups.sock return with EAGAIN (Resource temporarily unavailable) (bsc#1191525)
- Fix '/usr/bin/lpr: Error - The printer or class does not exist' (bsc#1203446)
- Improves logging on 'IPP_STATUS_ERROR_NOT_FOUND' error (bsc#1191467, bsc#1198932)
- Add 'After=network.target sssd.service' to the systemd unit (bsc#1201234, bsc#1200321)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:1827-1
Released:    Thu Apr 13 10:18:16 2023
Summary:     Security update for containerd
Type:        security
Severity:    moderate
References:  1208423,1208426,CVE-2023-25153,CVE-2023-25173

This update for containerd fixes the following issues:

Update to containerd v1.6.19:

Security fixes:

- CVE-2023-25153: Fixed OCI image importer memory exhaustion (bnc#1208423).
- CVE-2023-25173: Fixed supplementary groups not set up properly (bnc#1208426).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:1880-1
Released:    Tue Apr 18 11:11:27 2023
Summary:     Recommended update for systemd-rpm-macros
Type:        recommended
Severity:    low
References:  1208079

This update for systemd-rpm-macros fixes the following issue:

- Don't emit a warning when the flag file in /var/lib/systemd/migrated/ is not present as it's expected (bsc#1208079).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:1882-1
Released:    Tue Apr 18 11:13:49 2023
Summary:     Recommended update for makedumpfile
Type:        recommended
Severity:    moderate
References:  1201209

This update for makedumpfile fixes the following issues:

- Fix memory leak issue in init_xen_crash_info (bsc#1201209)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:1885-1
Released:    Tue Apr 18 11:15:17 2023
Summary:     Recommended update for dracut
Type:        recommended
Severity:    moderate
References:  1206195,1206439

This update for dracut fixes the following issues:

- Update to version 055+suse.335.gccf7fbc6:
  * Always include all drivers that LVM can use (bsc#1206195)
  * Require libopenssl1_1-hmac for dracut-fips (bsc#1206439)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:1897-1
Released:    Tue Apr 18 11:59:49 2023
Summary:     Security update for the Linux Kernel
Type:        security
Severity:    important
References:  1065729,1109158,1189998,1193629,1194869,1203200,1206552,1207168,1207185,1207574,1208602,1208815,1208829,1208902,1209052,1209118,1209256,1209290,1209292,1209366,1209532,1209547,1209556,1209572,1209600,1209634,1209635,1209636,1209681,1209684,1209687,1209779,1209788,1209798,1209799,1209804,1209805,1210050,1210203,CVE-2017-5753,CVE-2022-4744,CVE-2023-0394,CVE-2023-1281,CVE-2023-1513,CVE-2023-1582,CVE-2023-1611,CVE-2023-1637,CVE-2023-1652,CVE-2023-1838,CVE-2023-23001,CVE-2023-28327,CVE-2023-28464,CVE-2023-28466

The SUSE Linux Enterprise 15 SP4 kernel was updated to receive various security and bugfixes.

The following security bugs were fixed:

- CVE-2023-1611: Fixed a use-after-free flaw in btrfs_search_slot (bsc#1209687).
- CVE-2023-1838: Fixed a use-after-free flaw in virtio network subcomponent. This flaw could allow a local attacker to crash the system and lead to a kernel information leak problem. (bsc#1210203).
- CVE-2023-0394: Fixed a null pointer dereference in the network subcomponent. This flaw could cause system crashes (bsc#1207168).
- CVE-2023-1513: Fixed uninitialized portions of the kvm_debugregs structure that could be copied to userspace, causing an information leak (bsc#1209532).
- CVE-2017-5753: Fixed spectre V1 vulnerability on netlink (bsc#1209547).
- CVE-2017-5753: Fixed spectre vulnerability in prlimit (bsc#1209256).
- CVE-2023-28464: Fixed use-after-free that could lead to privilege escalation in hci_conn_cleanup in net/bluetooth/hci_conn.c (bsc#1209052).
- CVE-2023-28466: Fixed race condition that could lead to use-after-free or NULL pointer dereference in do_tls_getsockopt in net/tls/tls_main.c (bsc#1209366).
- CVE-2023-1637: Fixed vulnerability that could lead to unauthorized access to CPU memory after resuming CPU from suspend-to-RAM (bsc#1209779).
- CVE-2023-1652: Fixed use-after-free that could lead to DoS and information leak in nfsd4_ssc_setup_dul in fs/nfsd/nfs4proc.c (bsc#1209788).
- CVE-2022-4744: Fixed double-free that could lead to DoS or privilege escalation in TUN/TAP device driver functionality (bsc#1209635).
- CVE-2023-1281: Fixed use after free that could lead to privilege escalation in tcindex (bsc#1209634).
- CVE-2023-1582: Fixed soft lockup in __page_mapcount (bsc#1209636).
- CVE-2023-28327: Fixed DoS in in_skb in unix_diag_get_exact() (bsc#1209290).
- CVE-2023-23001: Fixed misinterpretation of regulator_get return value in drivers/scsi/ufs/ufs-mediatek.c (bsc#1208829).

The following non-security bugs were fixed:

- ACPI: x86: utils: Add Cezanne to the list for forcing StorageD3Enable (git-fixes).
- alarmtimer: Prevent starvation by small intervals and SIG_IGN (git-fixes)
- ALSA: asihpi: check pao in control_message() (git-fixes).
- ALSA: hda: intel-dsp-config: add MTL PCI id (git-fixes).
- ALSA: hda/ca0132: fixup buffer overrun at tuning_ctl_set() (git-fixes).
- ALSA: hda/conexant: Partial revert of a quirk for Lenovo (git-fixes).
- ALSA: hda/realtek: Add quirk for Clevo X370SNW (git-fixes).
- ALSA: hda/realtek: Add quirk for Lenovo ZhaoYang CF4620Z (git-fixes).
- ALSA: hda/realtek: Add quirks for some Clevo laptops (git-fixes).
- ALSA: hda/realtek: fix mute/micmute LEDs do not work for a HP platform (git-fixes).
- ALSA: hda/realtek: fix mute/micmute LEDs for a HP ProBook (git-fixes).
- ALSA: hda/realtek: Fix support for Dell Precision 3260 (git-fixes).
- ALSA: hda/realtek: Fix the speaker output on Samsung Galaxy Book2 Pro (git-fixes).
- ALSA: usb-audio: Fix recursive locking at XRUN during syncing (git-fixes).
- ALSA: usb-audio: Fix regression on detection of Roland VS-100 (git-fixes).
- ALSA: ymfpci: Fix BUG_ON in probe function (git-fixes).
- arch: fix broken BuildID for arm64 and riscv (bsc#1209798).
- ARM: dts: imx6sl: tolino-shine2hd: fix usbotg1 pinctrl (git-fixes).
- ARM: dts: imx6sll: e60k02: fix usbotg1 pinctrl (git-fixes).
- arm64: dts: freescale: Fix pca954x i2c-mux node names (git-fixes)
- arm64: dts: imx8mm-nitrogen-r2: fix WM8960 clock name (git-fixes).
- arm64: dts: imx8mn: specify #sound-dai-cells for SAI nodes (git-fixes).
- arm64: dts: imx8mp-phycore-som: Remove invalid PMIC property (git-fixes)
- arm64: dts: imx8mp: correct usb clocks (git-fixes)
- arm64: dts: imx8mq: add mipi csi phy and csi bridge descriptions (git-fixes)
- arm64: dts: imx8mq: fix mipi_csi bidirectional port numbers (git-fixes)
- arm64: dts: qcom: sm8350: Mark UFS controller as cache coherent (git-fixes).
- arm64/cpufeature: Fix field sign for DIT hwcap detection (git-fixes)
- ASoC: codecs: tx-macro: Fix for KASAN: slab-out-of-bounds (git-fixes).
- atm: idt77252: fix kmemleak when rmmod idt77252 (git-fixes).
- Bluetooth: btqcomsmd: Fix command timeout after setting BD address (git-fixes).
- Bluetooth: btsdio: fix use after free bug in btsdio_remove due to unfinished work (git-fixes).
- Bluetooth: L2CAP: Fix responding with wrong PDU type (git-fixes).
- ca8210: fix mac_len negative array access (git-fixes).
- ca8210: Fix unsigned mac_len comparison with zero in ca8210_skb_tx() (git-fixes).
- can: bcm: bcm_tx_setup(): fix KMSAN uninit-value in vfs_write (git-fixes).
- can: isotp: isotp_ops: fix poll() to not report false EPOLLOUT events (git-fixes).
- can: j1939: j1939_tp_tx_dat_new(): fix out-of-bounds memory access (git-fixes).
- cifs: append path to open_enter trace event (bsc#1193629).
- cifs: avoid race conditions with parallel reconnects (bsc#1193629).
- cifs: avoid races in parallel reconnects in smb1 (bsc#1193629).
- cifs: check only tcon status on tcon related functions (bsc#1193629).
- cifs: do not poll server interfaces too regularly (bsc#1193629).
- cifs: double lock in cifs_reconnect_tcon() (git-fixes).
- cifs: dump pending mids for all channels in DebugData (bsc#1193629).
- cifs: empty interface list when server does not support query interfaces (bsc#1193629).
- cifs: fix dentry lookups in directory handle cache (bsc#1193629).
- cifs: fix DFS traversal oops without CONFIG_CIFS_DFS_UPCALL (bsc#1193629).
- cifs: fix missing unload_nls() in smb2_reconnect() (bsc#1193629).
- cifs: Fix smb2_set_path_size() (git-fixes).
- cifs: fix use-after-free bug in refresh_cache_worker() (bsc#1193629).
- cifs: generate signkey for the channel that's reconnecting (bsc#1193629).
- cifs: get rid of dead check in smb2_reconnect() (bsc#1193629).
- cifs: lock chan_lock outside match_session (bsc#1193629).
- cifs: Move the in_send statistic to __smb_send_rqst() (git-fixes).
- cifs: prevent infinite recursion in CIFSGetDFSRefer() (bsc#1193629).
- cifs: print session id while listing open files (bsc#1193629).
- cifs: return DFS root session id in DebugData (bsc#1193629).
- cifs: set DFS root session in cifs_get_smb_ses() (bsc#1193629).
- cifs: use DFS root session instead of tcon ses (bsc#1193629).
- clocksource/drivers/mediatek: Optimize systimer irq clear flow on shutdown (git-fixes).
- debugfs: add debugfs_lookup_and_remove() (git-fixes).
- drivers/base: Fix unsigned comparison to -1 in CPUMAP_FILE_MAX_BYTES (bsc#1208815).
- drivers/base: fix userspace break from using bin_attributes for cpumap and cpulist (bsc#1208815).
- drm/amd/display: Add DSC Support for Synaptics Cascaded MST Hub (git-fixes).
- drm/amd/display: fix shift-out-of-bounds in CalculateVMAndRowBytes (git-fixes).
- drm/amdkfd: Fix an illegal memory access (git-fixes).
- drm/bridge: lt8912b: return EPROBE_DEFER if bridge is not found (git-fixes).
- drm/etnaviv: fix reference leak when mmaping imported buffer (git-fixes).
- drm/i915: Do not use BAR mappings for ring buffers with LLC (git-fixes).
- drm/i915: Do not use stolen memory for ring buffers with LLC (git-fixes).
- drm/i915: Preserve crtc_state->inherited during state clearing (git-fixes).
- drm/i915: Remove unused bits of i915_vma/active api (git-fixes).
- drm/i915/active: Fix missing debug object activation (git-fixes).
- drm/i915/active: Fix misuse of non-idle barriers as fence trackers (git-fixes).
- drm/i915/display: clean up comments (git-fixes).
- drm/i915/display: Workaround cursor left overs with PSR2 selective fetch enabled (git-fixes).
- drm/i915/display/psr: Handle plane and pipe restrictions at every page flip (git-fixes).
- drm/i915/display/psr: Use drm damage helpers to calculate plane damaged area (git-fixes).
- drm/i915/gt: perform uc late init after probe error injection (git-fixes).
- drm/i915/psr: Use calculated io and fast wake lines (git-fixes).
- drm/i915/tc: Fix the ICL PHY ownership check in TC-cold state (git-fixes).
- drm/panfrost: Fix the panfrost_mmu_map_fault_addr() error path (git-fixes).
- dt-bindings: serial: renesas,scif: Fix 4th IRQ for 4-IRQ SCIFs (git-fixes).
- efi: sysfb_efi: Fix DMI quirks not working for simpledrm (git-fixes).
- fbdev: au1200fb: Fix potential divide by zero (git-fixes).
- fbdev: intelfb: Fix potential divide by zero (git-fixes).
- fbdev: lxfb: Fix potential divide by zero (git-fixes).
- fbdev: nvidia: Fix potential divide by zero (git-fixes).
- fbdev: stifb: Provide valid pixelclock and add fb_check_var() checks (git-fixes).
- fbdev: tgafb: Fix potential divide by zero (git-fixes).
- firmware: arm_scmi: Fix device node validation for mailbox transport (git-fixes).
- fotg210-udc: Add missing completion handler (git-fixes).
- ftrace: Fix invalid address access in lookup_rec() when index is 0 (git-fixes).
- ftrace: Fix issue that 'direct->addr' not restored in modify_ftrace_direct() (git-fixes).
- ftrace: Mark get_lock_parent_ip() __always_inline (git-fixes).
- gpio: davinci: Add irq chip flag to skip set wake (git-fixes).
- gpio: GPIO_REGMAP: select REGMAP instead of depending on it (git-fixes).
- HID: cp2112: Fix driver not registering GPIO IRQ chip as threaded (git-fixes).
- HID: intel-ish-hid: ipc: Fix potential use-after-free in work function (git-fixes).
- hwmon: fix potential sensor registration fail if of_node is missing (git-fixes).
- i2c: hisi: Only use the completion interrupt to finish the transfer (git-fixes).
- i2c: imx-lpi2c: check only for enabled interrupt flags (git-fixes).
- i2c: xgene-slimpro: Fix out-of-bounds bug in xgene_slimpro_i2c_xfer() (git-fixes).
- iio: adc: ad7791: fix IRQ flags (git-fixes).
- iio: adc: ti-ads7950: Set `can_sleep` flag for GPIO chip (git-fixes).
- iio: adis16480: select CONFIG_CRC32 (git-fixes).
- iio: dac: cio-dac: Fix max DAC write value check for 12-bit (git-fixes).
- iio: light: cm32181: Unregister second I2C client if present (git-fixes).
- Input: alps - fix compatibility with -funsigned-char (bsc#1209805).
- Input: focaltech - use explicitly signed char type (git-fixes).
- Input: goodix - add Lenovo Yoga Book X90F to nine_bytes_report DMI table (git-fixes).
- KABI FIX FOR: NFSv4: keep state manager thread active if swap is enabled (Never, kabi).
- kABI workaround for xhci (git-fixes).
- kABI: x86/msr: Remove .fixup usage (kabi).
- kconfig: Update config changed flag before calling callback (git-fixes).
- keys: Do not cache key in task struct if key is requested from kernel thread (git-fixes).
- KVM: x86: fix sending PV IPI (git-fixes).
- lan78xx: Add missing return code checks (git-fixes).
- lan78xx: Fix exception on link speed change (git-fixes).
- lan78xx: Fix memory allocation bug (git-fixes).
- lan78xx: Fix partial packet errors on suspend/resume (git-fixes).
- lan78xx: Fix race condition in disconnect handling (git-fixes).
- lan78xx: Fix race conditions in suspend/resume handling (git-fixes).
- lan78xx: Fix white space and style issues (git-fixes).
- lan78xx: Remove unused pause frame queue (git-fixes).
- lan78xx: Remove unused timer (git-fixes).
- lan78xx: Set flow control threshold to prevent packet loss (git-fixes).
- lockd: set file_lock start and end when decoding nlm4 testargs (git-fixes).
- locking/rwbase: Mitigate indefinite writer starvation (bsc#1189998 (PREEMPT_RT prerequisite backports), bsc#1206552).
- mm: memcg: fix swapcached stat accounting (bsc#1209804).
- mm: mmap: remove newline at the end of the trace (git-fixes).
- mmc: atmel-mci: fix race between stop command and start of next command (git-fixes).
- mtd: rawnand: meson: fix bitmask for length in command word (git-fixes).
- mtd: rawnand: meson: invalidate cache on polling ECC bit (git-fixes).
- mtd: rawnand: stm32_fmc2: remove unsupported EDO mode (git-fixes).
- mtd: rawnand: stm32_fmc2: use timings.mode instead of checking tRC_min (git-fixes).
- mtdblock: tolerate corrected bit-flips (git-fixes).
- net: asix: fix modprobe 'sysfs: cannot create duplicate filename' (git-fixes).
- net: mdio: thunder: Add missing fwnode_handle_put() (git-fixes).
- net: phy: dp83869: fix default value for tx-/rx-internal-delay (git-fixes).
- net: phy: Ensure state transitions are processed from phy_stop() (git-fixes).
- net: phy: nxp-c45-tja11xx: fix MII_BASIC_CONFIG_REV bit (git-fixes).
- net: phy: smsc: bail out in lan87xx_read_status if genphy_read_status fails (git-fixes).
- net: qcom/emac: Fix use after free bug in emac_remove due to race condition (git-fixes).
- net: usb: asix: remove redundant assignment to variable reg (git-fixes).
- net: usb: cdc_mbim: avoid altsetting toggling for Telit FE990 (git-fixes).
- net: usb: lan78xx: Limit packet length to skb->len (git-fixes).
- net: usb: qmi_wwan: add Telit 0x1080 composition (git-fixes).
- net: usb: smsc75xx: Limit packet length to skb->len (git-fixes).
- net: usb: smsc75xx: Move packet length check to prevent kernel panic in skb_pull (git-fixes).
- net: usb: smsc95xx: Limit packet length to skb->len (git-fixes).
- net: usb: use eth_hw_addr_set() (git-fixes).
- NFS: Fix an Oops in nfs_d_automount() (git-fixes).
- NFS: fix disabling of swap (git-fixes).
- NFS4trace: fix state manager flag printing (git-fixes).
- NFSD: fix handling of readdir in v4root vs. mount upcall timeout (git-fixes).
- NFSD: fix leaked reference count of nfsd4_ssc_umount_item (git-fixes).
- NFSD: fix problems with cleanup on errors in nfsd4_copy (git-fixes).
- NFSD: fix race to check ls_layouts (git-fixes).
- NFSD: fix use-after-free in nfsd4_ssc_setup_dul() (git-fixes).
- NFSD: Protect against filesystem freezing (git-fixes).
- NFSD: shut down the NFSv4 state objects before the filecache (git-fixes).
- NFSD: under NFSv4.1, fix double svc_xprt_put on rpc_create failure (git-fixes).
- NFSD: zero out pointers after putting nfsd_files on COPY setup error (git-fixes).
- NFSv4: Fix a credential leak in _nfs4_discover_trunking() (git-fixes).
- NFSv4: Fix a deadlock between nfs4_open_recover_helper() and delegreturn (git-fixes).
- NFSv4: Fix hangs when recovering open state after a server reboot (git-fixes).
- NFSv4: keep state manager thread active if swap is enabled (git-fixes).
- NFSv4: provide mount option to toggle trunking discovery (git-fixes).
- NFSv4: Fix initialisation of struct nfs4_label (git-fixes).
- NFSv4: Fail client initialisation if state manager thread can't run (git-fixes).
- nilfs2: fix kernel-infoleak in nilfs_ioctl_wrap_copy() (git-fixes).
- nilfs2: fix sysfs interface lifetime (git-fixes).
- nvme-tcp: always fail a request when sending it failed (bsc#1208902).
- PCI: hv: Add a per-bus mutex state_lock (bsc#1207185).
- PCI: hv: fix a race condition bug in hv_pci_query_relations() (bsc#1207185).
- PCI: hv: Fix a race condition in hv_irq_unmask() that can cause panic (bsc#1207185).
- PCI: hv: Remove the useless hv_pcichild_state from struct hv_pci_dev (bsc#1207185).
- PCI: hv: Use async probing to reduce boot time (bsc#1207185).
- PCI/DPC: Await readiness of secondary bus after reset (git-fixes).
- pinctrl: amd: Disable and mask interrupts on resume (git-fixes).
- pinctrl: at91-pio4: fix domain name assignment (git-fixes).
- pinctrl: ocelot: Fix alt mode for ocelot (git-fixes).
- platform/chrome: cros_ec_chardev: fix kernel data leak from ioctl (git-fixes).
- platform/x86: think-lmi: add debug_cmd (bsc#1210050).
- platform/x86: think-lmi: add missing type attribute (git-fixes).
- platform/x86: think-lmi: Add possible_values for ThinkStation (git-fixes).
- platform/x86: think-lmi: Certificate authentication support (bsc#1210050).
- platform/x86: think-lmi: certificate support clean ups (bsc#1210050).
- platform/x86: think-lmi: Clean up display of current_value on Thinkstation (git-fixes).
- platform/x86: think-lmi: Fix memory leak when showing current settings (git-fixes).
- platform/x86: think-lmi: Fix memory leaks when parsing ThinkStation WMI strings (git-fixes).
- platform/x86: think-lmi: Move kobject_init() call into tlmi_create_auth() (bsc#1210050).
- platform/x86: think-lmi: only display possible_values if available (git-fixes).
- platform/x86: think-lmi: Opcode support (bsc#1210050).
- platform/x86: think-lmi: Prevent underflow in index_store() (bsc#1210050).
- platform/x86: think-lmi: Simplify tlmi_analyze() error handling a bit (bsc#1210050).
- platform/x86: think-lmi: use correct possible_values delimiters (git-fixes).
- platform/x86: think-lmi: Use min_t() for comparison and assignment (bsc#1210050).
- platform/x86: thinkpad_acpi: Accept ibm_init_struct.init() returning -ENODEV (bsc#1210050).
- platform/x86: thinkpad_acpi: Add a s2idle resume quirk for a number of laptops (bsc#1210050).
- platform/x86: thinkpad_acpi: Add dual fan probe (bsc#1210050).
- platform/x86: thinkpad_acpi: Add dual-fan quirk for T15g (2nd gen) (bsc#1210050).
- platform/x86: thinkpad_acpi: Add hotkey_notify_extended_hotkey() helper (bsc#1210050).
- platform/x86: thinkpad_acpi: Add LED_RETAIN_AT_SHUTDOWN to led_class_devs (bsc#1210050).
- platform/x86: thinkpad_acpi: Add lid_logo_dot to the list of safe LEDs (bsc#1210050).
- platform/x86: thinkpad_acpi: Add PSC mode support (bsc#1210050).
- platform/x86: thinkpad_acpi: Add quirk for ThinkPads without a fan (bsc#1210050).
- platform/x86: thinkpad_acpi: clean up dytc profile convert (bsc#1210050).
- platform/x86: thinkpad_acpi: Cleanup dytc_profile_available (bsc#1210050).
- platform/x86: thinkpad_acpi: consistently check fan_get_status return (bsc#1210050).
- platform/x86: thinkpad_acpi: Convert btusb DMI list to quirks (bsc#1210050).
- platform/x86: thinkpad_acpi: Convert platform driver to use dev_groups (bsc#1210050).
- platform/x86: thinkpad_acpi: Correct dual fan probe (bsc#1210050).
- platform/x86: thinkpad_acpi: do not use PSC mode on Intel platforms (bsc#1210050).
- platform/x86: thinkpad_acpi: Do not use test_bit on an integer (bsc#1210050).
- platform/x86: thinkpad_acpi: Enable s2idle quirk for 21A1 machine type (bsc#1210050).
- platform/x86: thinkpad_acpi: Explicitly set to balanced mode on startup (bsc#1210050).
- platform/x86: thinkpad_acpi: Fix a memory leak of EFCH MMIO resource (bsc#1210050).
- platform/x86: thinkpad_acpi: Fix coccinelle warnings (bsc#1210050).
- platform/x86: thinkpad_acpi: Fix compiler warning about uninitialized err variable (bsc#1210050).
- platform/x86: thinkpad_acpi: Fix incorrect use of platform profile on AMD platforms (bsc#1210050).
- platform/x86: thinkpad_acpi: Fix max_brightness of thinklight (bsc#1210050).
- platform/x86: thinkpad_acpi: Fix profile mode display in AMT mode (bsc#1210050).
- platform/x86: thinkpad_acpi: Fix profile modes on Intel platforms (bsc#1210050).
- platform/x86: thinkpad_acpi: Fix reporting a non present second fan on some models (bsc#1210050).
- platform/x86: thinkpad_acpi: Fix the hwmon sysfs-attr showing up in the wrong place (bsc#1210050).
- platform/x86: thinkpad_acpi: Fix thermal_temp_input_attr sorting (bsc#1210050).
- platform/x86: thinkpad_acpi: Fix thinklight LED brightness returning 255 (bsc#1210050).
- platform/x86: thinkpad_acpi: Get privacy-screen / lcdshadow ACPI handles only once (bsc#1210050).
- platform/x86: thinkpad_acpi: Make *_init() functions return -ENODEV instead of 1 (bsc#1210050).
- platform/x86: thinkpad_acpi: Properly indent code in tpacpi_dytc_profile_init() (bsc#1210050).
- platform/x86: thinkpad_acpi: Register tpacpi_pdriver after subdriver init (bsc#1210050).
- platform/x86: thinkpad_acpi: Remove 'goto err_exit' from hotkey_init() (bsc#1210050).
- platform/x86: thinkpad_acpi: Remove unused sensors_pdev_attrs_registered flag (bsc#1210050).
- platform/x86: thinkpad_acpi: Restore missing hotkey_tablet_mode and hotkey_radio_sw sysfs-attr (bsc#1210050).
- platform/x86: thinkpad_acpi: Simplify dytc_version handling (bsc#1210050).
- platform/x86: thinkpad_acpi: Switch to common use of attributes (bsc#1210050).
- platform/x86: thinkpad_acpi: tpacpi_attr_group contains driver attributes not device attrs (bsc#1210050).
- platform/x86: thinkpad_acpi: Use backlight helper (bsc#1210050).
- platform/x86: thinkpad_acpi: use strstarts() (bsc#1210050).
- platform/x86: thinkpad-acpi: Add support for automatic mode transitions (bsc#1210050).
- platform/x86: thinkpad-acpi: Enable AMT by default on supported systems (bsc#1210050).
- platform/x86: thinkpad-acpi: profile capabilities as integer (bsc#1210050).
- platform/x86/intel/pmc: Alder Lake PCH slp_s0_residency fix (git-fixes).
- pNFS/filelayout: Fix coalescing test for single DS (git-fixes).
- power: supply: da9150: Fix use after free bug in da9150_charger_remove due to race condition (git-fixes).
- powerpc: Remove linker flag from KBUILD_AFLAGS (bsc#1194869).
- powerpc/64s/interrupt: Fix interrupt exit race with security mitigation switch (bsc#1194869).
- powerpc/btext: add missing of_node_put (bsc#1065729).
- powerpc/ioda/iommu/debugfs: Generate unique debugfs entries (bsc#1194869).
- powerpc/iommu: Add missing of_node_put in iommu_init_early_dart (bsc#1194869).
- powerpc/iommu: fix memory leak with using debugfs_lookup() (bsc#1194869).
- powerpc/kcsan: Exclude udelay to prevent recursive instrumentation (bsc#1194869).
- powerpc/kexec_file: fix implicit decl error (bsc#1194869).
- powerpc/powernv: fix missing of_node_put in uv_init() (bsc#1194869).
- powerpc/powernv/ioda: Skip unallocated resources when mapping to PE (bsc#1065729).
- powerpc/pseries/lpar: add missing RTAS retry status handling (bsc#1109158 ltc#169177 git-fixes).
- powerpc/pseries/lparcfg: add missing RTAS retry status handling (bsc#1065729).
- powerpc/rtas: ensure 4KB alignment for rtas_data_buf (bsc#1065729).
- powerpc/vmlinux.lds: Define RUNTIME_DISCARD_EXIT (bsc#1194869).
- powerpc/vmlinux.lds: Do not discard .comment (bsc#1194869).
- powerpc/vmlinux.lds: Do not discard .rela* for relocatable builds (bsc#1194869).
- powerpc/xmon: Fix -Wswitch-unreachable warning in bpt_cmds (bsc#1194869).
- ppc64le: HWPOISON_INJECT=m (bsc#1209572).
- pwm: cros-ec: Explicitly set .polarity in .get_state() (git-fixes).
- pwm: sprd: Explicitly set .polarity in .get_state() (git-fixes).
- r8169: fix RTL8168H and RTL8107E rx crc error (git-fixes).
- rcu: Fix rcu_torture_read ftrace event (git-fixes).
- regulator: Handle deferred clk (git-fixes).
- ring-buffer: Fix race while reader and writer are on the same page (git-fixes).
- ring-buffer: Handle race between rb_move_tail and rb_check_pages (git-fixes).
- ring-buffer: remove obsolete comment for free_buffer_page() (git-fixes).
- rpm/constraints.in: increase the disk size for armv6/7 to 24GB It grows and the build fails recently on SLE15-SP4/5.
- s390/boot: simplify and fix kernel memory layout setup (bsc#1209600).
- s390/dasd: fix no record found for raw_track_access (bsc#1207574).
- s390/vfio-ap: fix memory leak in vfio_ap device driver (git-fixes).
- sbitmap: Avoid lockups when waker gets preempted (bsc#1209118).
- sched/psi: Fix use-after-free in ep_remove_wait_queue() (bsc#1209799).
- scsi: qla2xxx: Synchronize the IOCB count to be in order (bsc#1209292 bsc#1209684 bsc#1209556).
- sctp: sctp_sock_filter(): avoid list_entry() on possibly empty list (bsc#1208602, git-fixes).
- serial: 8250: ASPEED_VUART: select REGMAP instead of depending on it (git-fixes).
- serial: 8250: SERIAL_8250_ASPEED_VUART should depend on ARCH_ASPEED (git-fixes).
- serial: fsl_lpuart: Fix comment typo (git-fixes).
- smb3: fix unusable share after force unmount failure (bsc#1193629).
- smb3: lower default deferred close timeout to address perf regression (bsc#1193629).
- struct dwc3: mask new member (git-fixes).
- SUNRPC: ensure the matching upcall is in-flight upon downcall (git-fixes).
- SUNRPC: Fix a server shutdown leak (git-fixes).
- SUNRPC: Fix missing release socket in rpc_sockname() (git-fixes).
- thunderbolt: Add missing UNSET_INBOUND_SBTX for retimer access (git-fixes).
- thunderbolt: Call tb_check_quirks() after initializing adapters (git-fixes).
- thunderbolt: Disable interrupt auto clear for rings (git-fixes).
- thunderbolt: Rename shadowed variables bit to interrupt_bit and auto_clear_bit (git-fixes).
- thunderbolt: Use const qualifier for `ring_interrupt_index` (git-fixes).
- thunderbolt: Use scale field when allocating USB3 bandwidth (git-fixes).
- timers: Prevent union confusion from unexpected (git-fixes)
- trace/hwlat: Do not start per-cpu thread if it is already running (git-fixes).
- trace/hwlat: Do not wipe the contents of per-cpu thread data (git-fixes).
- trace/hwlat: make use of the helper function kthread_run_on_cpu() (git-fixes).
- tracing: Add NULL checks for buffer in ring_buffer_free_read_page() (git-fixes).
- tracing: Add trace_array_puts() to write into instance (git-fixes).
- tracing: Check field value in hist_field_name() (git-fixes).
- tracing: Do not let histogram values have some modifiers (git-fixes).
- tracing: Fix wrong return in kprobe_event_gen_test.c (git-fixes).
- tracing: Free error logs of tracing instances (git-fixes).
- tracing: Have tracing_snapshot_instance_cond() write errors to the appropriate instance (git-fixes).
- tracing: Make splice_read available again (git-fixes).
- tracing: Make tracepoint lockdep check actually test something (git-fixes).
- tracing/hwlat: Replace sched_setaffinity with set_cpus_allowed_ptr (git-fixes).
- tty: serial: fsl_lpuart: avoid checking for transfer complete when UARTCTRL_SBK is asserted in lpuart32_tx_empty (git-fixes).
- tty: serial: fsl_lpuart: skip waiting for transmission complete when UARTCTRL_SBK is asserted (git-fixes).
- tty: serial: sh-sci: Fix Rx on RZ/G2L SCI (git-fixes).
- tty: serial: sh-sci: Fix transmit end interrupt handler (git-fixes).
- uas: Add US_FL_NO_REPORT_OPCODES for JMicron JMS583Gen 2 (git-fixes).
- USB: cdns3: Fix issue with using incorrect PCI device function (git-fixes).
- USB: cdnsp: changes PCI Device ID to fix conflict with CNDS3 driver (git-fixes).
- USB: cdnsp: Fixes error: uninitialized symbol 'len' (git-fixes).
- USB: cdnsp: Fixes issue with redundant Status Stage (git-fixes).
- USB: chipdea: core: fix return -EINVAL if request role is the same with current role (git-fixes).
- USB: chipidea: fix memory leak with using debugfs_lookup() (git-fixes).
- USB: dwc2: fix a devres leak in hw_enable upon suspend resume (git-fixes).
- USB: dwc3: Fix a typo in field name (git-fixes).
- USB: dwc3: fix memory leak with using debugfs_lookup() (git-fixes).
- USB: dwc3: gadget: Add 1ms delay after end transfer command without IOC (git-fixes).
- USB: fix memory leak with using debugfs_lookup() (git-fixes).
- USB: fotg210: fix memory leak with using debugfs_lookup() (git-fixes).
- USB: gadget: bcm63xx_udc: fix memory leak with using debugfs_lookup() (git-fixes).
- USB: gadget: gr_udc: fix memory leak with using debugfs_lookup() (git-fixes).
- USB: gadget: lpc32xx_udc: fix memory leak with using debugfs_lookup() (git-fixes).
- USB: gadget: pxa25x_udc: fix memory leak with using debugfs_lookup() (git-fixes).
- USB: gadget: pxa27x_udc: fix memory leak with using debugfs_lookup() (git-fixes).
- USB: gadget: u_audio: do not let userspace block driver unbind (git-fixes).
- USB: isp116x: fix memory leak with using debugfs_lookup() (git-fixes).
- USB: isp1362: fix memory leak with using debugfs_lookup() (git-fixes).
- USB: sl811: fix memory leak with using debugfs_lookup() (git-fixes).
- USB: typec: altmodes/displayport: Fix configure initial pin assignment (git-fixes).
- USB: typec: tcpm: fix warning when handle discover_identity message (git-fixes).
- USB: ucsi: Fix NULL pointer deref in ucsi_connector_change() (git-fixes).
- USB: ucsi: Fix ucsi->connector race (git-fixes).
- USB: uhci: fix memory leak with using debugfs_lookup() (git-fixes).
- USB: xhci: tegra: fix sleep in atomic call (git-fixes).
- vdpa_sim: set last_used_idx as last_avail_idx in vdpasim_queue_ready (git-fixes).
- wifi: mac80211: fix invalid drv_sta_pre_rcu_remove calls for non-uploaded sta (git-fixes).
- wifi: mac80211: fix qos on mesh interfaces (git-fixes).
- wireguard: ratelimiter: use hrtimer in selftest (git-fixes)
- x86: Annotate call_on_stack() (git-fixes).
- x86: link vdso and boot with -z noexecstack --no-warn-rwx-segments (bsc#1203200).
- x86/bug: Merge annotate_reachable() into _BUG_FLAGS() asm (git-fixes).
- x86/fpu: Cache xfeature flags from CPUID (git-fixes).
- x86/fpu: Remove unused supervisor only offsets (git-fixes).
- x86/fpu/xsave: Handle compacted offsets correctly with supervisor states (git-fixes).
- x86/fpu/xstate: Fix the ARCH_REQ_XCOMP_PERM implementation (git-fixes).
- x86/kvm: Do not use pv tlb/ipi/sched_yield if on 1 vCPU (git-fixes).
- x86/mce: Allow instrumentation during task work queueing (git-fixes).
- x86/mce: Mark mce_end() noinstr (git-fixes).
- x86/mce: Mark mce_panic() noinstr (git-fixes).
- x86/mce: Mark mce_read_aux() noinstr (git-fixes).
- x86/mce/inject: Avoid out-of-bounds write when setting flags (git-fixes).
- x86/mm: Flush global TLB when switching to trampoline page-table (git-fixes).
- x86/msr: Remove .fixup usage (git-fixes).
- x86/sgx: Free backing memory after faulting the enclave page (git-fixes).
- x86/sgx: Silence softlockup detection when releasing large enclaves (git-fixes).
- x86/uaccess: Move variable into switch case statement (git-fixes).
- xfs: convert ptag flags to unsigned (git-fixes).
- xfs: do not assert fail on perag references on teardown (git-fixes).
- xfs: do not leak btree cursor when insrec fails after a split (git-fixes).
- xfs: pass the correct cursor to xfs_iomap_prealloc_size (git-fixes).
- xfs: remove xfs_setattr_time() declaration (git-fixes).
- xfs: zero inode fork buffer at allocation (git-fixes).
- xhci: also avoid the XHCI_ZERO_64B_REGS quirk with a passthrough iommu (git-fixes).
- xhci: Free the command allocated for setting LPM if we return early (git-fixes).
- xirc2ps_cs: Fix use after free bug in xirc2ps_detach (git-fixes).
- xprtrdma: Fix regbuf data not freed in rpcrdma_req_create() (git-fixes).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:1911-1
Released: Wed Apr 19 13:02:33 2023
Summary: Security update for openssl-1_1
Type: security
Severity: moderate
References: 1209873,1209878,CVE-2023-0465,CVE-2023-0466

This update for openssl-1_1 fixes the following issues:
- CVE-2023-0465: Invalid certificate policies in leaf certificates were silently ignored (bsc#1209878).
- CVE-2023-0466: Certificate policy checks were not enabled (bsc#1209873).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:1915-1
Released: Wed Apr 19 16:17:38 2023
Summary: Recommended update for kexec-tools
Type: recommended
Severity: moderate
References: 1202820

This update for kexec-tools fixes the following issues:
- kexec-bootloader: Add -a argument to load using kexec_load_file() when available (bsc#1202820).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:1916-1
Released: Wed Apr 19 16:17:58 2023
Summary: Recommended update for sles-release
Type: recommended
Severity: low
References: 1208529

This update for sles-release fixes the following issue:
- Filter libhogweed4 and libnettle6 so they don't get orphaned on system upgrades. (bsc#1208529)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:1920-1
Released: Wed Apr 19 16:22:58 2023
Summary: Recommended update for hwdata
Type: recommended
Severity: moderate
References:

This update for hwdata fixes the following issues:
- Update pci, usb and vendor ids

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:1947-1
Released: Fri Apr 21 14:14:41 2023
Summary: Security update for dmidecode
Type: security
Severity: moderate
References: 1210418,CVE-2023-30630

This update for dmidecode fixes the following issues:
- CVE-2023-30630: Fixed potential privilege escalation vulnerability via file overwrite (bsc#1210418).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:1963-1
Released: Mon Apr 24 15:03:10 2023
Summary: Recommended update for grub2
Type: recommended
Severity: moderate
References: 1187810,1189036,1207064,1209165,1209234,1209372,1209667

This update for grub2 fixes the following issues:
- Fix aarch64 kiwi image's file not found due to '/@' prepended to path in btrfs filesystem. (bsc#1209165)
- Make grub more robust against storage race condition causing system boot failures (bsc#1189036)
- Fix unknown filesystem error on disks with 4096 sector size (bsc#1207064, bsc#1209234)
- Fix installation over serial console ends up in infinite boot loop (bsc#1187810, bsc#1209667, bsc#1209372)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:1994-1
Released: Tue Apr 25 13:53:25 2023
Summary: Security update for avahi
Type: security
Severity: moderate
References: 1210328,CVE-2023-1981

This update for avahi fixes the following issues:
- CVE-2023-1981: Fixed crash in avahi-daemon (bsc#1210328).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:2003-1
Released: Tue Apr 25 18:05:42 2023
Summary: Security update for runc
Type: security
Severity: important
References: 1168481,1208962,1209884,1209888,CVE-2023-25809,CVE-2023-27561,CVE-2023-28642

This update for runc fixes the following issues:

Update to runc v1.1.5:

Security fixes:
- CVE-2023-25809: Fixed rootless `/sys/fs/cgroup` is writable when cgroupns isn't unshared (bnc#1209884).
- CVE-2023-27561: Fixed regression that reintroduced CVE-2019-19921 vulnerability (bnc#1208962).
- CVE-2023-28642: Fixed AppArmor/SELinux bypass with symlinked /proc (bnc#1209888).

Other fixes:
- Fix the inability to use `/dev/null` when inside a container.
- Fix changing the ownership of host's `/dev/null` caused by fd redirection (bsc#1168481).
- Fix rare runc exec/enter unshare error on older kernels.
- nsexec: Check for errors in `write_log()`.
- Drop version-specific Go requirement.
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:2040-1
Released: Wed Apr 26 11:44:03 2023
Summary: Recommended update for suseconnect-ng
Type: recommended
Severity: moderate
References: 1202705,1207876

This update for suseconnect-ng fixes the following issues:
- Update to version 1.1.0~git0.e3c41e60892e
  * Added MemTotal detection for HwInfo
  * Make keepalive on SUMA systems exit without error (bsc#1207876)
  * Add deactivate API to ruby bindings (bsc#1202705)
  * Allow non-root users to use --version
  * Update Dockerfile.yast
  * Use openssl go for SLE and Leap 15.5+ builds

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:2053-1
Released: Thu Apr 27 11:31:08 2023
Summary: Security update for libxml2
Type: security
Severity: moderate
References: 1209918,1210411,1210412,CVE-2023-28484,CVE-2023-29469

This update for libxml2 fixes the following issues:
- CVE-2023-29469: Fixed inconsistent result when hashing empty strings (bsc#1210412).
- CVE-2023-28484: Fixed NULL pointer dereference in xmlSchemaFixupComplexType (bsc#1210411).

The following non-security bug was fixed:
- Remove unneeded dependency (bsc#1209918).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:2060-1
Released: Thu Apr 27 17:04:25 2023
Summary: Security update for glib2
Type: security
Severity: moderate
References: 1209713,1209714,1210135,CVE-2023-24593,CVE-2023-25180

This update for glib2 fixes the following issues:
- CVE-2023-24593: Fixed a denial of service caused by handling a malicious text-form variant (bsc#1209714).
- CVE-2023-25180: Fixed a denial of service caused by malicious serialised variant (bsc#1209713).

The following non-security bug was fixed:
- Fixed regression on s390x (bsc#1210135, glgo#GNOME/glib!2978).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:2066-1
Released: Fri Apr 28 13:54:17 2023
Summary: Security update for shadow
Type: security
Severity: moderate
References: 1210507,CVE-2023-29383

This update for shadow fixes the following issues:
- CVE-2023-29383: Fixed apparent /etc/shadow manipulation via chfn (bsc#1210507).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:2084-1
Released: Tue May 2 13:31:52 2023
Summary: Security update for shim
Type: security
Severity: important
References: 1210382,CVE-2022-28737

This update for shim fixes the following issues:
- CVE-2022-28737 was missing as reference previously.
- Upgrade shim-install for bsc#1210382

  Since the Leap-gap project was closed as of Leap 15.3, openSUSE Leap uses
  shim directly from SLE, so the ca_string is 'SUSE Linux Enterprise Secure Boot CA1',
  not 'openSUSE Secure Boot CA1'. This resulted in update_boot=no, so none of the
  files in /boot/efi/EFI/boot were updated.

  Logic was added that uses the ID field in os-release to detect the Leap distro
  and set ca_string to 'SUSE Linux Enterprise Secure Boot CA1'. Then
  /boot/efi/EFI/boot/* can also be updated.

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:2103-1
Released: Thu May 4 20:05:44 2023
Summary: Security update for vim
Type: security
Severity: moderate
References: 1208828,1209042,1209187,CVE-2023-1127,CVE-2023-1264,CVE-2023-1355

This update for vim fixes the following issues:

Updated to version 9.0 with patch level 1443, which fixes the following security problems:
- CVE-2023-1264: Fixed NULL Pointer Dereference (bsc#1209042).
- CVE-2023-1355: Fixed NULL Pointer Dereference (bsc#1209187).
- CVE-2023-1127: Fixed divide by zero in scrolldown() (bsc#1208828).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:2104-1
Released: Thu May 4 21:05:30 2023
Summary: Recommended update for procps
Type: recommended
Severity: moderate
References: 1209122

This update for procps fixes the following issue:
- Allow - as leading character to ignore possible errors on sysctl entries (bsc#1209122)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:2111-1
Released: Fri May 5 14:34:00 2023
Summary: Security update for ncurses
Type: security
Severity: moderate
References: 1210434,CVE-2023-29491

This update for ncurses fixes the following issues:
- CVE-2023-29491: Fixed memory corruption issues when processing malformed terminfo data (bsc#1210434).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:2131-1
Released: Tue May 9 13:35:24 2023
Summary: Recommended update for openssh
Type: recommended
Severity: important
References: 1207014

This update for openssh fixes the following issues:
- Remove some patches that cause invalid environment assignments (bsc#1207014).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:2133-1
Released: Tue May 9 13:37:10 2023
Summary: Recommended update for zlib
Type: recommended
Severity: moderate
References: 1206513

This update for zlib fixes the following issues:
- Add DFLTCC support for using inflate() with a small window (bsc#1206513)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:2135-1
Released: Tue May 9 13:38:11 2023
Summary: Security update for libfastjson
Type: security
Severity: important
References: 1171479,CVE-2020-12762

This update for libfastjson fixes the following issues:
- CVE-2020-12762: Fixed an integer overflow and out-of-bounds write via a large JSON file (bsc#1171479).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:2140-1
Released: Tue May 9 14:28:34 2023
Summary: Security update for the Linux Kernel
Type: security
Severity: important
References: 1142685,1155798,1174777,1189999,1194869,1203039,1203325,1204042,1206649,1206891,1206992,1207088,1208076,1208822,1208845,1209615,1209693,1209739,1209871,1209927,1209999,1210034,1210158,1210202,1210206,1210301,1210329,1210336,1210337,1210439,1210453,1210454,1210469,1210499,1210506,1210629,1210630,1210725,1210729,1210762,1210763,1210764,1210765,1210766,1210767,1210768,1210769,1210770,1210771,1210793,1210816,1210817,1210827,1210943,1210953,1210986,1211025,CVE-2022-2196,CVE-2023-0386,CVE-2023-1670,CVE-2023-1855,CVE-2023-1989,CVE-2023-1990,CVE-2023-1998,CVE-2023-2008,CVE-2023-2019,CVE-2023-2176,CVE-2023-2235,CVE-2023-23006,CVE-2023-30772

The SUSE Linux Enterprise 15 SP4 kernel was updated to receive various security and bugfixes.

The following security bugs were fixed:
- CVE-2023-2235: A use-after-free vulnerability in the Performance Events system can be exploited to achieve local privilege escalation (bsc#1210986).
- CVE-2022-2196: Fixed a regression related to KVM that allowed for speculative execution attacks (bsc#1206992).
- CVE-2023-23006: Fixed NULL checking against IS_ERR in dr_domain_init_resources (bsc#1208845).
- CVE-2023-1670: Fixed a use after free in the Xircom 16-bit PCMCIA Ethernet driver. A local user could use this flaw to crash the system or potentially escalate their privileges on the system (bsc#1209871).
- CVE-2023-2176: A vulnerability was found in compare_netdev_and_ip in drivers/infiniband/core/cma.c in RDMA. The improper cleanup results in an out-of-boundary read, which a local user can use to crash the system or escalate privileges (bsc#1210629).
- CVE-2023-0386: A flaw allowing unauthorized execution of a setuid file with capabilities was found in the OverlayFS subsystem, triggered when a user copies a capable file from a nosuid mount into another mount. This uid mapping bug allowed a local user to escalate their privileges on the system (bsc#1209615).
- CVE-2023-1998: Fixed a use after free during login when accessing the shost ipaddress (bsc#1210506).
- CVE-2023-1855: Fixed a use after free in xgene_hwmon_remove (bsc#1210202).
- CVE-2023-30772: Fixed a race condition and resultant use-after-free in da9150_charger_remove (bsc#1210329).
- CVE-2023-2019: A flaw was found in the netdevsim device driver, more specifically within the scheduling of events. This issue results from the improper management of a reference count and may lead to a denial of service (bsc#1210454).
- CVE-2023-2008: A flaw was found in the fault handler of the udmabuf device driver. An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code (bsc#1210453).
- CVE-2023-1989: Fixed a use after free in btsdio_remove (bsc#1210336).
- CVE-2023-1990: Fixed a use after free in ndlc_remove (bsc#1210337).

The following non-security bugs were fixed:
- ACPI: CPPC: Disable FIE if registers in PCC regions (bsc#1210953).
- ACPI: VIOT: Initialize the correct IOMMU fwspec (git-fixes).
- ACPI: resource: Add Medion S17413 to IRQ override quirk (git-fixes).
- ALSA: emu10k1: do not create old pass-through playback device on Audigy (git-fixes).
- ALSA: emu10k1: fix capture interrupt handler unlinking (git-fixes).
- ALSA: firewire-tascam: add missing unwind goto in snd_tscm_stream_start_duplex() (git-fixes).
- ALSA: hda/cirrus: Add extra 10 ms delay to allow PLL settle and lock (git-fixes).
- ALSA: hda/realtek: Add quirks for Lenovo Z13/Z16 Gen2 (git-fixes).
- ALSA: hda/realtek: Enable mute/micmute LEDs and speaker support for HP Laptops (git-fixes).
- ALSA: hda/realtek: Remove specific patch for Dell Precision 3260 (git-fixes).
- ALSA: hda/realtek: fix mute/micmute LEDs for a HP ProBook (git-fixes).
- ALSA: hda/realtek: fix speaker, mute/micmute LEDs not work on a HP platform (git-fixes).
- ALSA: hda/sigmatel: add pin overrides for Intel DP45SG motherboard (git-fixes).
- ALSA: hda/sigmatel: fix S/PDIF out on Intel D*45* motherboards (git-fixes).
- ALSA: hda: cs35l41: Enable Amp High Pass Filter (git-fixes).
- ALSA: hda: patch_realtek: add quirk for Asus N7601ZM (git-fixes).
- ALSA: i2c/cs8427: fix iec958 mixer control deactivation (git-fixes).
- ARM: 9290/1: uaccess: Fix KASAN false-positives (git-fixes).
- ARM: dts: exynos: fix WM8960 clock name in Itop Elite (git-fixes).
- ARM: dts: gta04: fix excess dma channel usage (git-fixes).
- ARM: dts: qcom: ipq4019: Fix the PCI I/O port range (git-fixes).
- ARM: dts: rockchip: fix a typo error for rk3288 spdif node (git-fixes).
- ARM: dts: s5pv210: correct MIPI CSIS clock name (git-fixes).
- ASN.1: Fix check for strdup() success (git-fixes).
- ASoC: cs35l41: Only disable internal boost (git-fixes).
- ASoC: es8316: Handle optional IRQ assignment (git-fixes).
- ASoC: fsl_asrc_dma: fix potential null-ptr-deref (git-fixes).
- ASoC: fsl_mqs: move of_node_put() to the correct location (git-fixes).
- Bluetooth: Fix race condition in hidp_session_thread (git-fixes).
- Bluetooth: L2CAP: Fix use-after-free in l2cap_disconnect_{req,rsp} (git-fixes).
- Drivers: vmbus: Check for channel allocation before looking up relids (git-fixes).
- IB/mlx5: Add support for 400G_8X lane speed (git-fixes)
- Input: hp_sdc_rtc - mark an unused function as __maybe_unused (git-fixes).
- Input: raspberrypi-ts - fix refcount leak in rpi_ts_probe (git-fixes).
- KEYS: Add missing function documentation (git-fixes).
- KEYS: Create static version of public_key_verify_signature (git-fixes).
- NFS: Cleanup unused rpc_clnt variable (git-fixes).
- NFSD: Avoid calling OPDESC() with ops->opnum == OP_ILLEGAL (git-fixes).
- NFSD: callback request does not use correct credential for AUTH_SYS (git-fixes).
- PCI/EDR: Clear Device Status after EDR error recovery (git-fixes).
- PCI: dwc: Fix PORT_LINK_CONTROL update when CDM check enabled (git-fixes).
- PCI: imx6: Install the fault handler only on compatible match (git-fixes).
- PCI: loongson: Add more devices that need MRRS quirk (git-fixes).
- PCI: loongson: Prevent LS7A MRRS increases (git-fixes).
- PCI: pciehp: Fix AB-BA deadlock between reset_lock and device_lock (git-fixes).
- PCI: qcom: Fix the incorrect register usage in v2.7.0 config (git-fixes).
- RDMA/cma: Allow UD qp_type to join multicast only (git-fixes)
- RDMA/core: Fix GID entry ref leak when create_ah fails (git-fixes)
- RDMA/irdma: Add ipv4 check to irdma_find_listener() (git-fixes)
- RDMA/irdma: Fix memory leak of PBLE objects (git-fixes)
- RDMA/irdma: Increase iWARP CM default rexmit count (git-fixes)
- Remove obsolete KMP obsoletes (bsc#1210469).
- Revert 'Bluetooth: btsdio: fix use after free bug in btsdio_remove due to unfinished work' (git-fixes).
- Revert 'pinctrl: amd: Disable and mask interrupts on resume' (git-fixes).
- USB: dwc3: fix runtime pm imbalance on probe errors (git-fixes).
- USB: dwc3: fix runtime pm imbalance on unbind (git-fixes).
- USB: serial: cp210x: add Silicon Labs IFS-USB-DATACABLE IDs (git-fixes).
- USB: serial: option: add Quectel RM500U-CN modem (git-fixes).
- USB: serial: option: add Telit FE990 compositions (git-fixes).
- USB: serial: option: add UNISOC vendor and TOZED LT70C product (git-fixes).
- amdgpu: disable powerpc support for the newer display engine (bsc#1194869).
- arm64: dts: imx8mm-evk: correct pmic clock source (git-fixes).
- arm64: dts: meson-g12-common: specify full DMC range (git-fixes).
- arm64: dts: qcom: ipq8074-hk01: enable QMP device, not the PHY node (git-fixes).
- arm64: dts: qcom: ipq8074: Fix the PCI I/O port range (git-fixes).
- arm64: dts: qcom: msm8994-kitakami: drop unit address from PMI8994 regulator (git-fixes).
- arm64: dts: qcom: msm8994-msft-lumia-octagon: drop unit address from PMI8994 regulator (git-fixes).
- arm64: dts: qcom: msm8996: Fix the PCI I/O port range (git-fixes).
- arm64: dts: qcom: msm8998: Fix stm-stimulus-base reg name (git-fixes).
- arm64: dts: qcom: msm8998: Fix the PCI I/O port range (git-fixes).
- arm64: dts: qcom: sc7180-trogdor-lazor: correct trackpad supply (git-fixes).
- arm64: dts: qcom: sdm845: Fix the PCI I/O port range (git-fixes).
- arm64: dts: qcom: sm8250: Fix the PCI I/O port range (git-fixes).
- arm64: dts: renesas: r8a774c0: Remove bogus voltages from OPP table (git-fixes).
- arm64: dts: renesas: r8a77990: Remove bogus voltages from OPP table (git-fixes).
- arm64: dts: ti: k3-j721e-main: Remove ti,strobe-sel property (git-fixes).
- bluetooth: Perform careful capability checks in hci_sock_ioctl() (git-fixes).
- cgroup/cpuset: Add cpuset_can_fork() and cpuset_cancel_fork() methods
- cgroup/cpuset: Make cpuset_fork() handle CLONE_INTO_CGROUP properly
- cgroup/cpuset: Wake up cpuset_attach_wq tasks in cpuset_cancel_attach() (bsc#1210827).
- cifs: fix negotiate context parsing (bsc#1210301).
- clk: add missing of_node_put() in 'assigned-clocks' property parsing (git-fixes).
- clk: at91: clk-sam9x60-pll: fix return value check (git-fixes).
- clk: rockchip: rk3399: allow clk_cifout to force clk_cifout_src to reparent (git-fixes).
- clk: sprd: set max_register according to mapping range (git-fixes).
- clocksource/drivers/davinci: Fix memory leak in davinci_timer_register when init fails (git-fixes).
- cpufreq: CPPC: Fix build error without CONFIG_ACPI_CPPC_CPUFREQ_FIE (bsc#1210953).
- cpufreq: CPPC: Fix performance/frequency conversion (git-fixes).
- cpumask: fix incorrect cpumask scanning result checks (bsc#1210943).
- crypto: caam - Clear some memory in instantiate_rng (git-fixes).
- crypto: drbg - Only fail when jent is unavailable in FIPS mode (git-fixes).
- crypto: sa2ul - Select CRYPTO_DES (git-fixes).
- crypto: safexcel - Cleanup ring IRQ workqueues on load failure (git-fixes).
- driver core: Do not require dynamic_debug for initcall_debug probe timing (git-fixes).
- drivers: staging: rtl8723bs: Fix locking in _rtw_join_timeout_handler() (git-fixes).
- drivers: staging: rtl8723bs: Fix locking in rtw_scan_timeout_handler() (git-fixes).
- drm/amd/display/dc/dce60/Makefile: Fix previous attempt to silence known override-init warnings (git-fixes).
- drm/amd/display: Fix potential null dereference (git-fixes).
- drm/amdgpu: Re-enable DCN for 64-bit powerpc (bsc#1194869).
- drm/armada: Fix a potential double free in an error handling path (git-fixes).
- drm/bridge: adv7533: Fix adv7533_mode_valid for adv7533 and adv7535 (git-fixes).
- drm/bridge: lt8912b: Fix DSI Video Mode (git-fixes).
- drm/bridge: lt9611: Fix PLL being unable to lock (git-fixes).
- drm/fb-helper: set x/yres_virtual in drm_fb_helper_check_var (git-fixes).
- drm/i915/dsi: fix DSS CTL register offsets for TGL+ (git-fixes).
- drm/i915: Fix fast wake AUX sync len (git-fixes).
- drm/i915: Make intel_get_crtc_new_encoder() less oopsy (git-fixes).
- drm/i915: fix race condition UAF in i915_perf_add_config_ioctl (git-fixes).
- drm/lima/lima_drv: Add missing unwind goto in lima_pdev_probe() (git-fixes).
- drm/msm/adreno: drop bogus pm_runtime_set_active() (git-fixes).
- drm/msm/disp/dpu: check for crtc enable rather than crtc active to release shared resources (git-fixes).
- drm/msm: fix NULL-deref on snapshot tear down (git-fixes).
- drm/nouveau/disp: Support more modes by checking with lower bpc (git-fixes).
- drm/panel: otm8009a: Set backlight parent to panel device (git-fixes).
- drm/probe-helper: Cancel previous job before starting new one (git-fixes).
- drm/rockchip: Drop unbalanced obj unref (git-fixes).
- drm/vgem: add missing mutex_destroy (git-fixes).
- drm: msm: adreno: Disable preemption on Adreno 510 (git-fixes).
- drm: panel-orientation-quirks: Add quirk for Lenovo Yoga Book X90F (git-fixes).
- drm: rcar-du: Fix a NULL vs IS_ERR() bug (git-fixes).
- dt-bindings: arm: fsl: Fix copy-paste error in comment (git-fixes).
- dt-bindings: iio: ti,tmp117: fix documentation link (git-fixes).
- dt-bindings: mailbox: qcom,apcs-kpss-global: fix SDX55 'if' match (git-fixes).
- dt-bindings: nvmem: qcom,spmi-sdam: fix example 'reg' property (git-fixes).
- dt-bindings: remoteproc: stm32-rproc: Typo fix (git-fixes).
- dt-bindings: soc: qcom: smd-rpm: re-add missing qcom,rpm-msm8994 (git-fixes).
- e1000e: Disable TSO on i219-LM card to increase speed (git-fixes).
- efi: sysfb_efi: Add quirk for Lenovo Yoga Book X91F/L (git-fixes).
- ext4: Fix deadlock during directory rename (bsc#1210763).
- ext4: Fix possible corruption when moving a directory (bsc#1210763).
- ext4: fix RENAME_WHITEOUT handling for inline directories (bsc#1210766).
- ext4: fix another off-by-one fsmap error on 1k block filesystems (bsc#1210767).
- ext4: fix bad checksum after online resize (bsc#1210762 bsc#1208076).
- ext4: fix cgroup writeback accounting with fs-layer encryption (bsc#1210765).
- ext4: fix corruption when online resizing a 1K bigalloc fs (bsc#1206891).
- ext4: fix incorrect options show of original mount_opt and extend mount_opt2 (bsc#1210764).
- ext4: fix possible double unlock when moving a directory (bsc#1210763).
- ext4: use ext4_journal_start/stop for fast commit transactions (bsc#1210793).
- fbmem: Reject FB_ACTIVATE_KD_TEXT from userspace (git-fixes).
- firmware: qcom_scm: Clear download bit during reboot (git-fixes).
- firmware: stratix10-svc: Fix an NULL vs IS_ERR() bug in probe (git-fixes).
- fpga: bridge: fix kernel-doc parameter description (git-fixes).
- hwmon: (adt7475) Use device_property APIs when configuring polarity (git-fixes).
- hwmon: (k10temp) Check range scale when CUR_TEMP register is read-write (git-fixes).
- hwmon: (pmbus/fsp-3y) Fix functionality bitmask in FSP-3Y YM-2151E (git-fixes).
- i2c: cadence: cdns_i2c_master_xfer(): Fix runtime PM leak on error path (git-fixes).
- i2c: hisi: Avoid redundant interrupts (git-fixes).
- i2c: imx-lpi2c: clean rx/tx buffers upon new message (git-fixes).
- i2c: ocores: generate stop condition after timeout in polling mode (git-fixes).
- i915/perf: Replace DRM_DEBUG with driver specific drm_dbg call (git-fixes).
- ice: avoid bonding causing auxiliary plug/unplug under RTNL lock (bsc#1210158).
- iio: adc: at91-sama5d2_adc: fix an error code in at91_adc_allocate_trigger() (git-fixes).
- iio: light: tsl2772: fix reading proximity-diodes from device tree (git-fixes).
- ipmi: fix SSIF not responding under certain cond (git-fixes).
- ipmi:ssif: Add send_retries increment (git-fixes).
- k-m-s: Drop Linux 2.6 support
- kABI: PCI: loongson: Prevent LS7A MRRS increases (kabi).
- kABI: x86/msi: Fix msi message data shadow struct (kabi).
- kabi/severities: ignore KABI for NVMe target (bsc#1174777).
- keys: Fix linking a duplicate key to a keyring's assoc_array (bsc#1207088).
- locking/rwbase: Mitigate indefinite writer starvation.
- media: av7110: prevent underflow in write_ts_to_decoder() (git-fixes).
- media: dm1105: Fix use after free bug in dm1105_remove due to race condition (git-fixes).
- media: max9286: Free control handler (git-fixes).
- media: rc: gpio-ir-recv: Fix support for wake-up (git-fixes).
- media: rkvdec: fix use after free bug in rkvdec_remove (git-fixes).
- media: saa7134: fix use after free bug in saa7134_finidev due to race condition (git-fixes).
- media: venus: dec: Fix handling of the start cmd (git-fixes).
- memstick: fix memory leak if card device is never registered (git-fixes).
- mm/filemap: fix page end in filemap_get_read_batch (bsc#1210768).
- mm: page_alloc: skip regions with hugetlbfs pages when allocating 1G pages (bsc#1210034).
- mm: take a page reference when removing device exclusive entries (bsc#1211025).
- mmc: sdhci-of-esdhc: fix quirk to ignore command inhibit for data (git-fixes).
- mmc: sdhci_am654: Set HIGH_SPEED_ENA for SDR12 and SDR25 (git-fixes).
- mtd: core: fix error path for nvmem provider (git-fixes).
- mtd: core: fix nvmem error reporting (git-fixes).
- mtd: core: provide unique name for nvmem device, take two (git-fixes).
- mtd: spi-nor: Fix a trivial typo (git-fixes).
- net: phy: nxp-c45-tja11xx: add remove callback (git-fixes).
- net: phy: nxp-c45-tja11xx: fix unsigned long multiplication overflow (git-fixes).
- nfsd: call op_release, even when op_func returns an error (git-fixes).
- nilfs2: fix potential UAF of struct nilfs_sc_info in nilfs_segctor_thread() (git-fixes).
- nilfs2: initialize unused bytes in segment summary blocks (git-fixes).
- nvme initialize core quirks before calling nvme_init_subsystem (git-fixes).
- nvme-auth: uninitialized variable in nvme_auth_transform_key() (git-fixes).
- nvme-fcloop: fix 'inconsistent {IN-HARDIRQ-W} -> {HARDIRQ-ON-W} usage' (git-fixes).
- nvme-hwmon: consistently ignore errors from nvme_hwmon_init (git-fixes).
- nvme-hwmon: kmalloc the NVME SMART log buffer (git-fixes).
- nvme-multipath: fix possible hang in live ns resize with ANA access (git-fixes).
- nvme-pci: fix doorbell buffer value endianness (git-fixes).
- nvme-pci: fix mempool alloc size (git-fixes).
- nvme-pci: fix page size checks (git-fixes).
- nvme-pci: fix timeout request state check (git-fixes).
- nvme-rdma: fix possible hang caused during ctrl deletion (git-fixes).
- nvme-tcp: fix possible circular locking when deleting a controller under memory pressure (git-fixes).
- nvme-tcp: fix possible hang caused during ctrl deletion (git-fixes).
- nvme-tcp: fix regression that causes sporadic requests to time out (git-fixes).
- nvme: Fix IOC_PR_CLEAR and IOC_PR_RELEASE ioctls for nvme devices (git-fixes).
- nvme: add device name to warning in uuid_show() (git-fixes).
- nvme: catch -ENODEV from nvme_revalidate_zones again (git-fixes).
- nvme: copy firmware_rev on each init (git-fixes).
- nvme: define compat_ioctl again to unbreak 32-bit userspace (git-fixes).
- nvme: fix async event trace event (git-fixes).
- nvme: fix handling single range discard request (git-fixes).
- nvme: fix per-namespace chardev deletion (git-fixes).
- nvme: fix the NVME_CMD_EFFECTS_CSE_MASK definition (git-fixes).
- nvme: fix the read-only state for zoned namespaces with unsupposed features (git-fixes).
- nvme: improve the NVME_CONNECT_AUTHREQ* definitions (git-fixes).
- nvme: move nvme_multi_css into nvme.h (git-fixes).
- nvme: return err on nvme_init_non_mdts_limits fail (git-fixes).
- nvme: send Identify with CNS 06h only to I/O controllers (bsc#1209693).
- nvme: set dma alignment to dword (git-fixes).
- nvme: use command_id instead of req->tag in trace_nvme_complete_rq() (git-fixes).
- nvmet-auth: do not try to cancel a non-initialized work_struct (git-fixes).
- nvmet-tcp: fix incomplete data digest send (git-fixes).
- nvmet-tcp: fix regression in data_digest calculation (git-fixes).
- nvmet: add helpers to set the result field for connect commands (git-fixes).
- nvmet: avoid potential UAF in nvmet_req_complete() (git-fixes).
- nvmet: do not defer passthrough commands with trivial effects to the workqueue (git-fixes).
- nvmet: fix I/O Command Set specific Identify Controller (git-fixes).
- nvmet: fix Identify Active Namespace ID list handling (git-fixes).
- nvmet: fix Identify Controller handling (git-fixes).
- nvmet: fix Identify Namespace handling (git-fixes).
- nvmet: fix a memory leak (git-fixes).
- nvmet: fix a memory leak in nvmet_auth_set_key (git-fixes).
- nvmet: fix a use-after-free (git-fixes).
- nvmet: fix invalid memory reference in nvmet_subsys_attr_qid_max_show (git-fixes).
- nvmet: force reconnect when number of queue changes (git-fixes).
- nvmet: looks at the passthrough controller when initializing CAP (git-fixes).
- nvmet: only allocate a single slab for bvecs (git-fixes).
- nvmet: use IOCB_NOWAIT only if the filesystem supports it (git-fixes).
- perf/core: Fix perf_output_begin parameter is incorrectly invoked in perf_event_bpf_output (git fixes).
- perf/core: Fix the same task check in perf_event_set_output (git fixes).
- perf: Fix check before add_event_to_groups() in perf_group_detach() (git fixes).
- perf: fix perf_event_context->time (git fixes).
- platform/x86 (gigabyte-wmi): Add support for A320M-S2H V2 (git-fixes).
- platform/x86: gigabyte-wmi: add support for X570S AORUS ELITE (git-fixes).
- power: supply: cros_usbpd: reclassify 'default case!' as debug (git-fixes).
- power: supply: generic-adc-battery: fix unit scaling (git-fixes).
- powerpc/64: Always build with 128-bit long double (bsc#1194869).
- powerpc/64e: Fix amdgpu build on Book3E w/o AltiVec (bsc#1194869).
- powerpc/hv-gpci: Fix hv_gpci event list (git fixes).
- powerpc/papr_scm: Update the NUMA distance table for the target node (bsc#1209999 ltc#202140 bsc#1142685 ltc#179509 git-fixes).
- powerpc/perf/hv-24x7: add missing RTAS retry status handling (git fixes).
- powerpc/pseries: Consolidate different NUMA distance update code paths (bsc#1209999 ltc#202140 bsc#1142685 ltc#179509 git-fixes).
- powerpc: declare unmodified attribute_group usages const (git-fixes).
- regulator: core: Avoid lockdep reports when resolving supplies (git-fixes).
- regulator: core: Consistently set mutex_owner when using ww_mutex_lock_slow() (git-fixes).
- regulator: core: Shorten off-on-delay-us for always-on/boot-on by time since booted (git-fixes).
- regulator: fan53555: Explicitly include bits header (git-fixes).
- regulator: fan53555: Fix wrong TCS_SLEW_MASK (git-fixes).
- regulator: stm32-pwr: fix of_iomap leak (git-fixes).
- remoteproc: Harden rproc_handle_vdev() against integer overflow (git-fixes).
- remoteproc: imx_rproc: Call of_node_put() on iteration error (git-fixes).
- remoteproc: st: Call of_node_put() on iteration error (git-fixes).
- remoteproc: stm32: Call of_node_put() on iteration error (git-fixes).
- rtc: meson-vrtc: Use ktime_get_real_ts64() to get the current time (git-fixes).
- rtc: omap: include header for omap_rtc_power_off_program prototype (git-fixes).
- sched/fair: Fix imbalance overflow (bsc#1155798).
- sched/fair: Limit sched slice duration (bsc#1189999).
- sched/fair: Move calculate of avg_load to a better location (bsc#1155798).
- sched/fair: Sanitize vruntime of entity being migrated (bsc#1203325).
- sched/fair: sanitize vruntime of entity being placed (bsc#1203325).
- sched/numa: Stop an exhastive search if an idle core is found (bsc#1189999).
- sched_getaffinity: do not assume 'cpumask_size()' is fully initialized (bsc#1155798).
- scsi: aic94xx: Add missing check for dma_map_single() (git-fixes).
- scsi: core: Add BLIST_NO_VPD_SIZE for some VDASD (git-fixes bsc#1203039).
- scsi: core: Add BLIST_SKIP_VPD_PAGES for SKhynix H28U74301AMR (git-fixes).
- scsi: core: Fix a procfs host directory removal regression (git-fixes).
- scsi: core: Fix a source code comment (git-fixes).
- scsi: core: Remove the /proc/scsi/${proc_name} directory earlier (git-fixes).
- scsi: hisi_sas: Check devm_add_action() return value (git-fixes).
- scsi: hisi_sas: Set a port invalid only if there are no devices attached when refreshing port id (git-fixes).
- scsi: ipr: Work around fortify-string warning (git-fixes).
- scsi: iscsi_tcp: Check that sock is valid before iscsi_set_param() (git-fixes).
- scsi: iscsi_tcp: Fix UAF during login when accessing the shost ipaddress (git-fixes).
- scsi: iscsi_tcp: Fix UAF during logout when accessing the shost ipaddress (git-fixes).
- scsi: kABI workaround for fc_host_fpin_rcv (git-fixes).
- scsi: libsas: Remove useless dev_list delete in sas_ex_discover_end_dev() (git-fixes).
- scsi: lpfc: Avoid usage of list iterator variable after loop (git-fixes).
- scsi: lpfc: Check kzalloc() in lpfc_sli4_cgn_params_read() (git-fixes).
- scsi: lpfc: Copyright updates for 14.2.0.11 patches (bsc#1210943).
- scsi: lpfc: Correct used_rpi count when devloss tmo fires with no recovery (bsc#1210943).
- scsi: lpfc: Defer issuing new PLOGI if received RSCN before completing REG_LOGIN (bsc#1210943).
- scsi: lpfc: Drop redundant pci_enable_pcie_error_reporting() (bsc#1210943).
- scsi: lpfc: Fix double word in comments (bsc#1210943).
- scsi: lpfc: Fix ioremap issues in lpfc_sli4_pci_mem_setup() (bsc#1210943).
- scsi: lpfc: Fix lockdep warning for rx_monitor lock when unloading driver (bsc#1210943).
- scsi: lpfc: Prevent lpfc_debugfs_lockstat_write() buffer overflow (bsc#1210943).
- scsi: lpfc: Record LOGO state with discovery engine even if aborted (bsc#1210943).
- scsi: lpfc: Reorder freeing of various DMA buffers and their list removal (bsc#1210943).
- scsi: lpfc: Revise lpfc_error_lost_link() reason code evaluation logic (bsc#1210943).
- scsi: lpfc: Silence an incorrect device output (bsc#1210943).
- scsi: lpfc: Skip waiting for register ready bits when in unrecoverable state (bsc#1210943).
- scsi: lpfc: Update lpfc version to 14.2.0.11 (bsc#1210943).
- scsi: megaraid_sas: Fix crash after a double completion (git-fixes).
- scsi: megaraid_sas: Update max supported LD IDs to 240 (git-fixes).
- scsi: mpt3sas: Do not print sense pool info twice (git-fixes).
- scsi: mpt3sas: Fix NULL pointer access in mpt3sas_transport_port_add() (git-fixes).
- scsi: mpt3sas: Fix a memory leak (git-fixes).
- scsi: qla2xxx: Fix memory leak in qla2x00_probe_one() (git-fixes).
- scsi: qla2xxx: Perform lockless command completion in abort path (git-fixes).
- scsi: scsi_dh_alua: Fix memleak for 'qdata' in alua_activate() (git-fixes).
- scsi: scsi_transport_fc: Add an additional flag to fc_host_fpin_rcv() (bsc#1210943).
- scsi: sd: Fix wrong zone_write_granularity value during revalidate (git-fixes).
- scsi: ses: Do not attach if enclosure has no components (git-fixes).
- scsi: ses: Fix possible addl_desc_ptr out-of-bounds accesses (git-fixes).
- scsi: ses: Fix possible desc_ptr out-of-bounds accesses (git-fixes).
- scsi: ses: Fix slab-out-of-bounds in ses_enclosure_data_process() (git-fixes).
- scsi: ses: Fix slab-out-of-bounds in ses_intf_remove() (git-fixes).
- scsi: snic: Fix memory leak with using debugfs_lookup() (git-fixes).
- seccomp: Move copy_seccomp() to no failure path (bsc#1210817).
- selftests/kselftest/runner/run_one(): allow running non-executable files (git-fixes).
- selftests: sigaltstack: fix -Wuninitialized (git-fixes).
- selinux: ensure av_permissions.h is built when needed (git-fixes).
- selinux: fix Makefile dependencies of flask.h (git-fixes).
- serial: 8250: Add missing wakeup event reporting (git-fixes).
- serial: 8250_bcm7271: Fix arbitration handling (git-fixes).
- serial: 8250_exar: derive nr_ports from PCI ID for Acces I/O cards (git-fixes).
- serial: exar: Add support for Sealevel 7xxxC serial cards (git-fixes).
- signal handling: do not use BUG_ON() for debugging (bsc#1210439).
- signal: Add SA_IMMUTABLE to ensure forced siganls do not get changed (bsc#1210816).
- signal: Do not always set SA_IMMUTABLE for forced signals (bsc#1210816).
- signal: HANDLER_EXIT should clear SIGNAL_UNKILLABLE (bsc#1210816).
- soc: ti: pm33xx: Fix refcount leak in am33xx_pm_probe (git-fixes).
- spi: cadence-quadspi: fix suspend-resume implementations (git-fixes).
- spi: fsl-spi: Fix CPM/QE mode Litte Endian (git-fixes).
- spi: qup: Do not skip cleanup in remove's error path (git-fixes).
- staging: iio: resolver: ads1210: fix config mode (git-fixes).
- staging: rtl8192e: Fix W_DISABLE# does not work after stop/start (git-fixes).
- stat: fix inconsistency between struct stat and struct compat_stat (git-fixes).
- sunrpc: only free unix grouplist after RCU settles (git-fixes).
- tty: Prevent writing chars during tcsetattr TCSADRAIN/FLUSH (git-fixes).
- tty: serial: fsl_lpuart: adjust buffer length to the intended size (git-fixes).
- udf: Check consistency of Space Bitmap Descriptor (bsc#1210771).
- udf: Fix a slab-out-of-bounds write bug in udf_find_entry() (bsc#1206649).
- udf: Support splicing to file (bsc#1210770).
- usb: chipidea: fix missing goto in `ci_hdrc_probe` (git-fixes).
- usb: chipidea: imx: avoid unnecessary probe defer (git-fixes).
- usb: dwc3: gadget: Change condition for processing suspend event (git-fixes).
- usb: dwc3: pci: add support for the Intel Meteor Lake-S (git-fixes).
- usb: gadget: tegra-xudc: Fix crash in vbus_draw (git-fixes).
- usb: gadget: udc: renesas_usb3: Fix use after free bug in renesas_usb3_remove due to race condition (git-fixes).
- usb: host: xhci-rcar: remove leftover quirk handling (git-fixes).
- virt/coco/sev-guest: Add throttling awareness (bsc#1209927).
- virt/coco/sev-guest: Carve out the request issuing logic into a helper (bsc#1209927).
- virt/coco/sev-guest: Check SEV_SNP attribute at probe time (bsc#1209927).
- virt/coco/sev-guest: Convert the sw_exit_info_2 checking to a switch-case (bsc#1209927).
- virt/coco/sev-guest: Do some code style cleanups (bsc#1209927).
- virt/coco/sev-guest: Remove the disable_vmpck label in handle_guest_request() (bsc#1209927).
- virt/coco/sev-guest: Simplify extended guest request handling (bsc#1209927).
- virt/sev-guest: Return -EIO if certificate buffer is not large enough (bsc#1209927).
- virtio_ring: do not update event idx on get_buf (git-fixes).
- vmci_host: fix a race condition in vmci_host_poll() causing GPF (git-fixes).
- vmxnet3: use gro callback when UPT is enabled (bsc#1209739).
- wifi: ath5k: fix an off by one check in ath5k_eeprom_read_freq_list() (git-fixes).
- wifi: ath6kl: minor fix for allocation size (git-fixes).
- wifi: ath6kl: reduce WARN to dev_dbg() in callback (git-fixes).
- wifi: ath9k: hif_usb: fix memory leak of remain_skbs (git-fixes).
- wifi: brcmfmac: slab-out-of-bounds read in brcmf_get_assoc_ies() (git-fixes).
- wifi: brcmfmac: support CQM RSSI notification with older firmware (git-fixes).
- wifi: iwlwifi: debug: fix crash in __iwl_err() (git-fixes).
- wifi: iwlwifi: fix duplicate entry in iwl_dev_info_table (git-fixes).
- wifi: iwlwifi: fw: fix memory leak in debugfs (git-fixes).
- wifi: iwlwifi: fw: move memset before early return (git-fixes).
- wifi: iwlwifi: make the loop for card preparation effective (git-fixes).
- wifi: iwlwifi: mvm: check firmware response size (git-fixes).
- wifi: iwlwifi: mvm: do not set CHECKSUM_COMPLETE for unsupported protocols (git-fixes).
- wifi: iwlwifi: mvm: fix mvmtxq->stopped handling (git-fixes).
- wifi: iwlwifi: mvm: initialize seq variable (git-fixes).
- wifi: iwlwifi: trans: do not trigger d3 interrupt twice (git-fixes).
- wifi: iwlwifi: yoyo: Fix possible division by zero (git-fixes).
- wifi: iwlwifi: yoyo: skip dump correctly on hw error (git-fixes).
- wifi: mac80211: adjust scan cancel comment/check (git-fixes).
- wifi: mt76: add missing locking to protect against concurrent rx/status calls (git-fixes).
- wifi: mt76: fix 6GHz high channel not be scanned (git-fixes).
- wifi: mt76: handle failure of vzalloc in mt7615_coredump_work (git-fixes).
- wifi: mwifiex: mark OF related data as maybe unused (git-fixes).
- wifi: rt2x00: Fix memory leak when handling surveys (git-fixes).
- wifi: rtlwifi: fix incorrect error codes in rtl_debugfs_set_write_reg() (git-fixes).
- wifi: rtlwifi: fix incorrect error codes in rtl_debugfs_set_write_rfreg() (git-fixes).
- wifi: rtw88: mac: Return the original error from rtw_mac_power_switch() (git-fixes).
- wifi: rtw88: mac: Return the original error from rtw_pwr_seq_parser() (git-fixes).
- wifi: rtw89: fix potential race condition between napi_init and napi_enable (git-fixes).
- writeback, cgroup: fix null-ptr-deref write in bdi_split_work_to_wbs (bsc#1210769).
- x86/MCE/AMD: Fix memory leak when threshold_create_bank() fails (git-fixes).
- x86/PCI: Add quirk for AMD XHCI controller that loses MSI-X state in D3hot (git-fixes).
- x86/bug: Prevent shadowing in __WARN_FLAGS (git-fixes).
- x86/bugs: Enable STIBP for IBPB mitigated RETBleed (git-fixes).
- x86/entry: Avoid very early RET (git-fixes).
- x86/entry: Do not call error_entry() for XENPV (git-fixes).
- x86/entry: Move CLD to the start of the idtentry macro (git-fixes).
- x86/entry: Move PUSH_AND_CLEAR_REGS out of error_entry() (git-fixes).
- x86/entry: Switch the stack after error_entry() returns (git-fixes).
- x86/fpu: Prevent FPU state corruption (git-fixes).
- x86/kvm: Preserve BSP MSR_KVM_POLL_CONTROL across suspend/resume (git-fixes).
- x86/msi: Fix msi message data shadow struct (git-fixes).
- x86/pci/xen: Disable PCI/MSI masking for XEN_HVM guests (git-fixes).
- x86/traps: Use pt_regs directly in fixup_bad_iret() (git-fixes).
- x86/tsx: Disable TSX development mode at boot (git-fixes).
- x86: __memcpy_flushcache: fix wrong alignment if size > 2^32 (git-fixes).
- xhci: fix debugfs register accesses while suspended (git-fixes).
kernel-default-base changed:

- Do not ship on s390x (bsc#1210729)
- Add exfat (bsc#1208822)
- Add _diag modules for included socket types (bsc#1204042)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:2166-1
Released: Wed May 10 20:18:51 2023
Summary: Recommended update for supportutils-plugin-suse-public-cloud
Type: recommended
Severity: moderate
References: 1209026

This update for supportutils-plugin-suse-public-cloud fixes the following issues:

- Update to version 1.0.7 (bsc#1209026)
  + Include information about the cached registration data
  + Collect the data that is sent to the update infrastructure during registration

The following package changes have been done:

- containerd-ctr-1.6.19-150000.87.1 updated
- containerd-1.6.19-150000.87.1 updated
- cups-config-2.2.7-150000.3.40.1 updated
- dmidecode-3.4-150400.16.8.1 updated
- dracut-055+suse.335.gccf7fbc6-150400.3.19.1 updated
- grub2-i386-pc-2.06-150400.11.30.1 updated
- grub2-x86_64-efi-2.06-150400.11.30.1 updated
- grub2-x86_64-xen-2.06-150400.11.30.1 updated
- grub2-2.06-150400.11.30.1 updated
- haveged-1.9.14-150400.3.3.1 updated
- hwdata-0.368-150000.3.57.1 updated
- kernel-default-5.14.21-150400.24.63.1 updated
- kexec-tools-2.0.20-150400.16.6.1 updated
- libavahi-client3-0.8-150400.7.3.1 updated
- libavahi-common3-0.8-150400.7.3.1 updated
- libcups2-2.2.7-150000.3.40.1 updated
- libfastjson4-0.99.9-150400.3.3.1 updated
- libglib-2_0-0-2.70.5-150400.3.8.1 updated
- libhavege2-1.9.14-150400.3.3.1 updated
- libncurses6-6.1-150000.5.15.1 updated
- libopenssl1_1-1.1.1l-150400.7.34.1 updated
- libprocps7-3.3.15-150000.7.31.1 updated
- libxml2-2-2.9.14-150400.5.16.1 updated
- libz1-1.2.11-150000.3.42.1 updated
- login_defs-4.8.1-150400.10.6.1 updated
- makedumpfile-1.7.0-150400.4.3.1 updated
- ncurses-utils-6.1-150000.5.15.1 updated
- openssh-clients-8.4p1-150300.3.18.2 updated
- openssh-common-8.4p1-150300.3.18.2 updated
- openssh-server-8.4p1-150300.3.18.2 updated
- openssh-8.4p1-150300.3.18.2 updated
- openssl-1_1-1.1.1l-150400.7.34.1 updated
- procps-3.3.15-150000.7.31.1 updated
- rsyslog-module-relp-8.2106.0-150400.5.11.1 added
- runc-1.1.5-150000.41.1 updated
- shadow-4.8.1-150400.10.6.1 updated
- shim-15.7-150300.4.16.1 updated
- sles-release-15.4-150400.58.7.3 updated
- supportutils-plugin-suse-public-cloud-1.0.7-150000.3.12.1 updated
- suseconnect-ng-1.1.0~git0.e3c41e60892e-150400.3.10.1 updated
- systemd-rpm-macros-12-150000.7.30.1 updated
- terminfo-base-6.1-150000.5.15.1 updated
- terminfo-6.1-150000.5.15.1 updated
- timezone-2023c-150000.75.23.1 updated
- vim-data-common-9.0.1443-150000.5.40.1 updated
- vim-9.0.1443-150000.5.40.1 updated
- xxd-9.0.1443-150000.5.40.1 added

Delve into vital enhancements for SUSE's container on SLES 15 SP4, highlighting essential security updates and software optimizations.

SUSE Linux, System Security, Image Update, Security Patches, Software Maintenance.

Severity: Important. LinuxSecurity.com Team

May 11, 2023 Important SuSE

Red Hat 2.5 RHSA-2023:0481-01 Moderate: Submariner Security Fix

Submariner 0.12.3 packages that fix various bugs and add various enhancements that are now available for Red Hat Advanced Cluster Management for Kubernetes version 2.5. Red Hat Product Security has rated this update as having a security impact.

Red Hat Security Advisory

Synopsis: Moderate: Submariner 0.12.3 - security update and bug fix
Advisory ID: RHSA-2023:0481-01
Product: Red Hat ACM
Advisory URL: https://access.redhat.com/errata/RHSA-2023:0481
Issue date: 2023-01-26
CVE Names: CVE-2022-32149

1. Summary:

Submariner 0.12.3 packages that fix various bugs and add various enhancements that are now available for Red Hat Advanced Cluster Management for Kubernetes version 2.5.

Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

2. Description:

Submariner enables direct networking between pods and services on different Kubernetes clusters that are either on-premises or in the cloud.

For more information about Submariner, see the Submariner open source community website at: https://submariner.io/.

This advisory contains bug fixes and enhancements to the Submariner container images.

Major bug addressed:

ACM-2318: Submariner gateway node: Error updating load balancer with new hosts map

Security fix:

* CVE-2022-32149 golang: golang.org/x/text/language: ParseAcceptLanguage takes a long time to parse complex tags

3. Solution:

For details on how to install Submariner, refer to:

https://docs.redhat.com/en/documentation/red_hat_advanced_cluster_management_for_kubernetes/2.5/html/add-ons/add-ons-overview#submariner-deploy-console

and

https://submariner.io/getting-started/

4. Bugs fixed (https://bugzilla.redhat.com/):

2134010 - CVE-2022-32149 golang: golang.org/x/text/language: ParseAcceptLanguage takes a long time to parse complex tags

5. JIRA issues fixed (https://redhat.atlassian.net/jira/projects):

ACM-2318 - Submariner gateway node: Error updating load balancer with new hosts map

6. References:

https://access.redhat.com/security/cve/CVE-2022-32149
https://access.redhat.com/security/updates/classification#moderate

7. Contact:

The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact

Copyright 2023 Red Hat, Inc.

--
RHSA-announce mailing list

Submariner 0.12.4 security patch resolves moderate risk vulnerabilities and errors for Red Hat ACM 2.6. Discover more details.

Submariner, Red Hat ACM, security update, Kubernetes enhancements, container security.

Severity: Important. LinuxSecurity.com Team

Jan 26, 2023 Important Red Hat

RHEL-8: RHSA-2022:8964-01 Important Security Update for rh-sso-7/sso76

Updated rh-sso-7/sso76-openshift-rhel8 container image and rh-sso-7/sso7-rhel8-operator-bundle image is now available for RHEL-8 based Middleware Containers. Red Hat Product Security has rated this update as having a security impact.

Red Hat Security Advisory

Synopsis: Important: updated rh-sso-7/sso76-openshift-rhel8 container and operator related images
Advisory ID: RHSA-2022:8964-01
Product: Red Hat OpenShift Enterprise
Advisory URL: https://access.redhat.com/errata/RHSA-2022:8964
Issue date: 2022-12-13
CVE Names: CVE-2016-3709 CVE-2022-1304 CVE-2022-3782 CVE-2022-3916 CVE-2022-22624 CVE-2022-22628 CVE-2022-22629 CVE-2022-22662 CVE-2022-26700 CVE-2022-26709 CVE-2022-26710 CVE-2022-26716 CVE-2022-26717 CVE-2022-26719 CVE-2022-27404 CVE-2022-27405 CVE-2022-27406 CVE-2022-30293 CVE-2022-37434 CVE-2022-42898

1. Summary:

Updated rh-sso-7/sso76-openshift-rhel8 container image and rh-sso-7/sso7-rhel8-operator-bundle image is now available for RHEL-8 based Middleware Containers.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

2. Description:

The rh-sso-7/sso76-openshift-rhel8 container image and rh-sso-7/sso7-rhel8-operator operator has been updated for RHEL-8 based Middleware Containers to address the following security issues.

Security Fix(es):

* keycloak: path traversal via double URL encoding (CVE-2022-3782)
* keycloak: Session takeover with OIDC offline refreshtokens (CVE-2022-3916)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Users of rh-sso-7/sso76-openshift-rhel8 container images and rh-sso-7/sso7-rhel8-operator operator are advised to upgrade to these updated images, which contain backported patches to correct these security issues, fix these bugs and add these enhancements. Users of these images are also encouraged to rebuild all container images that depend on these images.

You can find images updated by this advisory in Red Hat Container Catalog (see References).

3. Solution:

The RHEL-8 based Middleware Containers container image provided by this update can be downloaded from the Red Hat Container Registry at registry.access.redhat.com. Installation instructions for your platform are available at Red Hat Container Catalog (see References).

Dockerfiles and scripts should be amended either to refer to this new image specifically, or to the latest image generally.

4. Bugs fixed (https://bugzilla.redhat.com/):

2138971 - CVE-2022-3782 keycloak: path traversal via double URL encoding
2141404 - CVE-2022-3916 keycloak: Session takeover with OIDC offline refreshtokens

5. JIRA issues fixed (https://issues.redhat.com/):

CIAM-4412 - Build new OCP image for rh-sso-7/sso76-openshift-rhel8
CIAM-4413 - Generate new operator bundle image for this patch

6. References:

https://access.redhat.com/security/cve/CVE-2016-3709
https://access.redhat.com/security/cve/CVE-2022-1304
https://access.redhat.com/security/cve/CVE-2022-3782
https://access.redhat.com/security/cve/CVE-2022-3916
https://access.redhat.com/security/cve/CVE-2022-22624
https://access.redhat.com/security/cve/CVE-2022-22628
https://access.redhat.com/security/cve/CVE-2022-22629
https://access.redhat.com/security/cve/CVE-2022-22662
https://access.redhat.com/security/cve/CVE-2022-26700
https://access.redhat.com/security/cve/CVE-2022-26709
https://access.redhat.com/security/cve/CVE-2022-26710
https://access.redhat.com/security/cve/CVE-2022-26716
https://access.redhat.com/security/cve/CVE-2022-26717
https://access.redhat.com/security/cve/CVE-2022-26719
https://access.redhat.com/security/cve/CVE-2022-27404
https://access.redhat.com/security/cve/CVE-2022-27405
https://access.redhat.com/security/cve/CVE-2022-27406
https://access.redhat.com/security/cve/CVE-2022-30293
https://access.redhat.com/security/cve/CVE-2022-37434
https://access.redhat.com/security/cve/CVE-2022-42898
https://catalog.redhat.com/software/containers/registry/registry.access.redhat.com/repository/rh-sso-7/sso76-openshift-rhel8
https://access.redhat.com/security/updates/classification/#important

7. Contact:

The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.

--
RHSA-announce mailing list

Important patch for rh-sso-7, enhances safety and reliability of RHEL-8 Middleware Containers.

Red Hat Image Update, Middleware Security, Container Patch.

Severity: Important. LinuxSecurity.com Team

Dec 13, 2022 Important Red Hat

Red Hat: RHSA-2022:6024-01 Moderate: Ceph Image Update for Security Issues

A new container image for Red Hat Ceph Storage 5.2 is now available in the Red Hat Ecosystem Catalog. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which.

Red Hat Security Advisory

Synopsis: Moderate: New container image for Red Hat Ceph Storage 5.2 Security update
Advisory ID: RHSA-2022:6024-01
Product: Red Hat Ceph Storage
Advisory URL: https://access.redhat.com/errata/RHSA-2022:6024
Issue date: 2022-08-09
CVE Names: CVE-2021-40528 CVE-2021-43813 CVE-2022-0670 CVE-2022-1292 CVE-2022-1586 CVE-2022-1785 CVE-2022-1897 CVE-2022-1927 CVE-2022-2068 CVE-2022-2097 CVE-2022-21673 CVE-2022-22576 CVE-2022-25313 CVE-2022-25314 CVE-2022-27774 CVE-2022-27776 CVE-2022-27782 CVE-2022-29824

1. Summary:

A new container image for Red Hat Ceph Storage 5.2 is now available in the Red Hat Ecosystem Catalog.

Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

2. Description:

Red Hat Ceph Storage is a scalable, open, software-defined storage platform that combines the most stable version of the Ceph storage system with a Ceph management platform, deployment utilities, and support services.

This new container image is based on Red Hat Ceph Storage 5.2 and Red Hat Enterprise Linux 8.6 and Red Hat Enterprise Linux 9.

Space precludes documenting all of these changes in this advisory. Users are directed to the Red Hat Ceph Storage Release Notes for information on the most significant of these changes:

https://access.redhat.com/documentation/en-us/red_hat_ceph_storage/5.2/html-single/release_notes/index

All users of Red Hat Ceph Storage are advised to pull these new images from the Red Hat Ecosystem catalog, which provides numerous enhancements and bug fixes.

Security Fix(es):

* grafana: Forward OAuth Identity Token can allow users to access some data sources (CVE-2022-21673)
* grafana: directory traversal vulnerability (CVE-2021-43813)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

3. Solution:

Before applying this update, make sure all previously released errata relevant to your system have been applied.

For details on how to apply this update, refer to:

https://access.redhat.com/articles/2789521

For supported configurations, refer to:

https://access.redhat.com/articles/1548993

4. Bugs fixed (https://bugzilla.redhat.com/):

2031228 - CVE-2021-43813 grafana: directory traversal vulnerability
2044628 - CVE-2022-21673 grafana: Forward OAuth Identity Token can allow users to access some data sources
2115198 - build ceph containers for RHCS 5.2 release

5. References:

https://access.redhat.com/security/cve/CVE-2021-40528
https://access.redhat.com/security/cve/CVE-2021-43813
https://access.redhat.com/security/cve/CVE-2022-0670
https://access.redhat.com/security/cve/CVE-2022-1292
https://access.redhat.com/security/cve/CVE-2022-1586
https://access.redhat.com/security/cve/CVE-2022-1785
https://access.redhat.com/security/cve/CVE-2022-1897
https://access.redhat.com/security/cve/CVE-2022-1927
https://access.redhat.com/security/cve/CVE-2022-2068
https://access.redhat.com/security/cve/CVE-2022-2097
https://access.redhat.com/security/cve/CVE-2022-21673
https://access.redhat.com/security/cve/CVE-2022-22576
https://access.redhat.com/security/cve/CVE-2022-25313
https://access.redhat.com/security/cve/CVE-2022-25314
https://access.redhat.com/security/cve/CVE-2022-27774
https://access.redhat.com/security/cve/CVE-2022-27776
https://access.redhat.com/security/cve/CVE-2022-27782
https://access.redhat.com/security/cve/CVE-2022-29824
https://access.redhat.com/security/updates/classification/#moderate

6. Contact:

The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.

--
RHSA-announce mailing list

A fresh container image for Red Hat Ceph Storage has been released featuring necessary security enhancements and a moderate risk assessment.

container management, Ceph deployment, Red Hat updates, security enhancements, data storage solutions.

LinuxSecurity.com Team

Aug 09, 2022 Red Hat