# Security update for podman

Announcement ID: SUSE-SU-2026:20116-1
Release Date: 2026-01-21T11:03:18Z
Rating: important

References:

* bsc#1249154
* bsc#1252376

Cross-References:

* CVE-2025-31133
* CVE-2025-52565
* CVE-2025-52881
* CVE-2025-9566

CVSS scores:

* CVE-2025-31133 ( SUSE ): 7.3 CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H
* CVE-2025-31133 ( SUSE ): 7.8 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
* CVE-2025-31133 ( NVD ): 7.3 CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
* CVE-2025-31133 ( NVD ): 7.8 CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
* CVE-2025-52565 ( SUSE ): 7.3 CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H
* CVE-2025-52565 ( SUSE ): 7.8 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
* CVE-2025-52565 ( NVD ): 8.4 CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:N/VI:H/VA:N/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
* CVE-2025-52565 ( NVD ): 7.5 CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H
* CVE-2025-52881 ( SUSE ): 7.3 CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H
* CVE-2025-52881 ( SUSE ): 7.8 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
* CVE-2025-52881 ( NVD ): 7.3 CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
* CVE-2025-52881 ( NVD ): 7.5 CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H
* CVE-2025-9566 ( SUSE ): 7.2 CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N
* CVE-2025-9566 ( SUSE ): 8.1 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H
* CVE-2025-9566 ( NVD ): 8.1 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H

Affected Products:

* SUSE Linux Micro 6.2

An update that solves four vulnerabilities can now be installed.

## Description:

This update for podman fixes the following issues:

* CVE-2025-31133, CVE-2025-52565, CVE-2025-52881: container breakouts by bypassing runc's restrictions for writing to arbitrary /proc files (bsc#1252376).
* CVE-2025-9566: kube play command may overwrite host files (bsc#1249154).

## Patch Instructions:

To install this SUSE update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product:

* SUSE Linux Micro 6.2
  zypper in -t patch SUSE-SL-Micro-6.2-161=1

## Package List:

* SUSE Linux Micro 6.2 (aarch64 ppc64le s390x x86_64)
  * podmansh-5.4.2-160000.3.1
  * podman-remote-debuginfo-5.4.2-160000.3.1
  * podman-5.4.2-160000.3.1
  * podman-remote-5.4.2-160000.3.1
  * podman-debuginfo-5.4.2-160000.3.1
* SUSE Linux Micro 6.2 (noarch)
  * podman-docker-5.4.2-160000.3.1

## References:

* https://www.suse.com/security/cve/CVE-2025-31133.html
* https://www.suse.com/security/cve/CVE-2025-52565.html
* https://www.suse.com/security/cve/CVE-2025-52881.html
* https://www.suse.com/security/cve/CVE-2025-9566.html
* https://bugzilla.suse.com/show_bug.cgi?id=1249154
* https://bugzilla.suse.com/show_bug.cgi?id=1252376

Important SUSE update fixes four vulnerabilities in podman, addressing container breakouts and file overwrite risks.

Severity: Important. LinuxSecurity.com Team
# Security update for runc

Announcement ID: SUSE-SU-2024:3324-1
Rating: low

References:

* bsc#1230092

Cross-References:

* CVE-2024-45310

CVSS scores:

* CVE-2024-45310 ( SUSE ): 3.6 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N

Affected Products:

* Containers Module 12
* SUSE Linux Enterprise High Performance Computing 12 SP2
* SUSE Linux Enterprise High Performance Computing 12 SP3
* SUSE Linux Enterprise High Performance Computing 12 SP4
* SUSE Linux Enterprise High Performance Computing 12 SP5
* SUSE Linux Enterprise Server 12
* SUSE Linux Enterprise Server 12 SP1
* SUSE Linux Enterprise Server 12 SP2
* SUSE Linux Enterprise Server 12 SP3
* SUSE Linux Enterprise Server 12 SP4
* SUSE Linux Enterprise Server 12 SP5
* SUSE Linux Enterprise Server for SAP Applications 12
* SUSE Linux Enterprise Server for SAP Applications 12 SP1
* SUSE Linux Enterprise Server for SAP Applications 12 SP2
* SUSE Linux Enterprise Server for SAP Applications 12 SP3
* SUSE Linux Enterprise Server for SAP Applications 12 SP4
* SUSE Linux Enterprise Server for SAP Applications 12 SP5

An update that solves one vulnerability can now be installed.

## Description:

This update for runc fixes the following issues:

* Update to runc v1.1.14
* CVE-2024-45310: Fixed an issue where runc can be tricked into creating empty files/directories on the host. (bsc#1230092)

## Patch Instructions:

To install this SUSE update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product:

* Containers Module 12
  zypper in -t patch SUSE-SLE-Module-Containers-12-2024-3324=1

## Package List:

* Containers Module 12 (ppc64le s390x x86_64)
  * runc-debuginfo-1.1.14-16.55.1
  * runc-1.1.14-16.55.1

## References:

* https://www.suse.com/security/cve/CVE-2024-45310.html
* https://bugzilla.suse.com/show_bug.cgi?id=1230092

Patch release for runc (SUSE-SU-2024:3325-2) classified as minimal. Addresses problem with file creation on host system. Apply patches immediately.

Severity: Low. LinuxSecurity.com Team
# Security update for docker

Announcement ID: SUSE-SU-2024:2801-1
Rating: critical

References:

* bsc#1214855
* bsc#1219267
* bsc#1219268
* bsc#1219438
* bsc#1221916
* bsc#1223409
* bsc#1228324

Cross-References:

* CVE-2024-23651
* CVE-2024-23652
* CVE-2024-23653
* CVE-2024-41110

CVSS scores:

* CVE-2024-23651 ( SUSE ): 7.4 CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
* CVE-2024-23651 ( NVD ): 7.4 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
* CVE-2024-23652 ( SUSE ): 6.7 CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:H
* CVE-2024-23652 ( NVD ): 9.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H
* CVE-2024-23653 ( SUSE ): 7.0 CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
* CVE-2024-23653 ( NVD ): 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
* CVE-2024-41110 ( SUSE ): 9.9 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Affected Products:

* Containers Module 15-SP5
* Containers Module 15-SP6
* openSUSE Leap 15.5
* openSUSE Leap 15.6
* openSUSE Leap Micro 5.5
* SUSE Enterprise Storage 7.1
* SUSE Linux Enterprise High Performance Computing 15 SP2
* SUSE Linux Enterprise High Performance Computing 15 SP2 LTSS 15-SP2
* SUSE Linux Enterprise High Performance Computing 15 SP3
* SUSE Linux Enterprise High Performance Computing 15 SP4
* SUSE Linux Enterprise High Performance Computing 15 SP5
* SUSE Linux Enterprise High Performance Computing ESPOS 15 SP4
* SUSE Linux Enterprise High Performance Computing LTSS 15 SP3
* SUSE Linux Enterprise High Performance Computing LTSS 15 SP4
* SUSE Linux Enterprise Micro 5.1
* SUSE Linux Enterprise Micro 5.2
* SUSE Linux Enterprise Micro 5.3
* SUSE Linux Enterprise Micro 5.4
* SUSE Linux Enterprise Micro 5.5
* SUSE Linux Enterprise Micro for Rancher 5.2
* SUSE Linux Enterprise Micro for Rancher 5.3
* SUSE Linux Enterprise Micro for Rancher 5.4
* SUSE Linux Enterprise Real Time 15 SP5
* SUSE Linux Enterprise Real Time 15 SP6
* SUSE Linux Enterprise Server 15 SP2
* SUSE Linux Enterprise Server 15 SP2 LTSS 15-SP2
* SUSE Linux Enterprise Server 15 SP3
* SUSE Linux Enterprise Server 15 SP3 LTSS 15-SP3
* SUSE Linux Enterprise Server 15 SP4
* SUSE Linux Enterprise Server 15 SP4 LTSS 15-SP4
* SUSE Linux Enterprise Server 15 SP5
* SUSE Linux Enterprise Server 15 SP6
* SUSE Linux Enterprise Server for SAP Applications 15 SP2
* SUSE Linux Enterprise Server for SAP Applications 15 SP3
* SUSE Linux Enterprise Server for SAP Applications 15 SP4
* SUSE Linux Enterprise Server for SAP Applications 15 SP5
* SUSE Linux Enterprise Server for SAP Applications 15 SP6

An update that solves four vulnerabilities and has three security fixes can now be installed.

## Description:

This update for docker fixes the following issues:

* CVE-2024-23651: Fixed an arbitrary file write due to a race condition on mounts (bsc#1219267)
* CVE-2024-23652: Fixed insufficient validation of the parent directory on mount (bsc#1219268)
* CVE-2024-23653: Fixed insufficient validation of entitlements on container creation via BuildKit (bsc#1219438)
* CVE-2024-41110: An Authz zero-length regression that could lead to authentication bypass was fixed (bsc#1228324)

Other fixes:

* Update to Docker 25.0.6-ce. See upstream changelog online at
* Update to Docker 25.0.5-ce (bsc#1223409)
* Fix BuildKit's symlink resolution logic to correctly handle non-lexical symlinks. (bsc#1221916)
* Write volume options atomically so sudden system crashes won't result in future Docker starts failing due to empty files. (bsc#1214855)

## Patch Instructions:

To install this SUSE update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product:

* openSUSE Leap Micro 5.5
  zypper in -t patch openSUSE-Leap-Micro-5.5-2024-2801=1
* openSUSE Leap 15.5
  zypper in -t patch openSUSE-SLE-15.5-2024-2801=1
* openSUSE Leap 15.6
  zypper in -t patch openSUSE-SLE-15.6-2024-2801=1
* SUSE Linux Enterprise Micro for Rancher 5.3
  zypper in -t patch SUSE-SLE-Micro-5.3-2024-2801=1
* SUSE Linux Enterprise Micro 5.3
  zypper in -t patch SUSE-SLE-Micro-5.3-2024-2801=1
* SUSE Linux Enterprise Micro for Rancher 5.4
  zypper in -t patch SUSE-SLE-Micro-5.4-2024-2801=1
* SUSE Linux Enterprise Micro 5.4
  zypper in -t patch SUSE-SLE-Micro-5.4-2024-2801=1
* SUSE Linux Enterprise Micro 5.5
  zypper in -t patch SUSE-SLE-Micro-5.5-2024-2801=1
* Containers Module 15-SP5
  zypper in -t patch SUSE-SLE-Module-Containers-15-SP5-2024-2801=1
* Containers Module 15-SP6
  zypper in -t patch SUSE-SLE-Module-Containers-15-SP6-2024-2801=1
* SUSE Linux Enterprise High Performance Computing 15 SP2 LTSS 15-SP2
  zypper in -t patch SUSE-SLE-Product-HPC-15-SP2-LTSS-2024-2801=1
* SUSE Linux Enterprise High Performance Computing LTSS 15 SP3
  zypper in -t patch SUSE-SLE-Product-HPC-15-SP3-LTSS-2024-2801=1
* SUSE Linux Enterprise High Performance Computing ESPOS 15 SP4
  zypper in -t patch SUSE-SLE-Product-HPC-15-SP4-ESPOS-2024-2801=1
* SUSE Linux Enterprise High Performance Computing LTSS 15 SP4
  zypper in -t patch SUSE-SLE-Product-HPC-15-SP4-LTSS-2024-2801=1
* SUSE Linux Enterprise Server 15 SP2 LTSS 15-SP2
  zypper in -t patch SUSE-SLE-Product-SLES-15-SP2-LTSS-2024-2801=1
* SUSE Linux Enterprise Server 15 SP3 LTSS 15-SP3
  zypper in -t patch SUSE-SLE-Product-SLES-15-SP3-LTSS-2024-2801=1
* SUSE Linux Enterprise Server 15 SP4 LTSS 15-SP4
  zypper in -t patch SUSE-SLE-Product-SLES-15-SP4-LTSS-2024-2801=1
* SUSE Linux Enterprise Server for SAP Applications 15 SP2
  zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-SP2-2024-2801=1
* SUSE Linux Enterprise Server for SAP Applications 15 SP3
  zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-SP3-2024-2801=1
* SUSE Linux Enterprise Server for SAP Applications 15 SP4
  zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-SP4-2024-2801=1
* SUSE Enterprise Storage 7.1
  zypper in -t patch SUSE-Storage-7.1-2024-2801=1
* SUSE Linux Enterprise Micro 5.1
  zypper in -t patch SUSE-SUSE-MicroOS-5.1-2024-2801=1
* SUSE Linux Enterprise Micro 5.2
  zypper in -t patch SUSE-SUSE-MicroOS-5.2-2024-2801=1
* SUSE Linux Enterprise Micro for Rancher 5.2
  zypper in -t patch SUSE-SUSE-MicroOS-5.2-2024-2801=1

## Package List:

* openSUSE Leap Micro 5.5 (aarch64 s390x x86_64)
  * docker-debuginfo-25.0.6_ce-150000.203.1
  * docker-25.0.6_ce-150000.203.1
* openSUSE Leap 15.5 (aarch64 ppc64le s390x x86_64)
  * docker-debuginfo-25.0.6_ce-150000.203.1
  * docker-25.0.6_ce-150000.203.1
* openSUSE Leap 15.5 (noarch)
  * docker-bash-completion-25.0.6_ce-150000.203.1
  * docker-rootless-extras-25.0.6_ce-150000.203.1
  * docker-zsh-completion-25.0.6_ce-150000.203.1
  * docker-fish-completion-25.0.6_ce-150000.203.1
* openSUSE Leap 15.6 (aarch64 ppc64le s390x x86_64)
  * docker-debuginfo-25.0.6_ce-150000.203.1
  * docker-25.0.6_ce-150000.203.1
* openSUSE Leap 15.6 (noarch)
  * docker-bash-completion-25.0.6_ce-150000.203.1
  * docker-rootless-extras-25.0.6_ce-150000.203.1
  * docker-zsh-completion-25.0.6_ce-150000.203.1
  * docker-fish-completion-25.0.6_ce-150000.203.1
* SUSE Linux Enterprise Micro for Rancher 5.3 (aarch64 s390x x86_64)
  * docker-debuginfo-25.0.6_ce-150000.203.1
  * docker-25.0.6_ce-150000.203.1
* SUSE Linux Enterprise Micro 5.3 (aarch64 s390x x86_64)
  * docker-debuginfo-25.0.6_ce-150000.203.1
  * docker-25.0.6_ce-150000.203.1
* SUSE Linux Enterprise Micro for Rancher 5.4 (aarch64 s390x x86_64)
  * docker-debuginfo-25.0.6_ce-150000.203.1
  * docker-25.0.6_ce-150000.203.1
* SUSE Linux Enterprise Micro 5.4 (aarch64 s390x x86_64)
  * docker-debuginfo-25.0.6_ce-150000.203.1
  * docker-25.0.6_ce-150000.203.1
* SUSE Linux Enterprise Micro 5.5 (aarch64 ppc64le s390x x86_64)
  * docker-debuginfo-25.0.6_ce-150000.203.1
  * docker-25.0.6_ce-150000.203.1
* Containers Module 15-SP5 (aarch64 ppc64le s390x x86_64)
  * docker-debuginfo-25.0.6_ce-150000.203.1
  * docker-25.0.6_ce-150000.203.1
* Containers Module 15-SP5 (noarch)
  * docker-bash-completion-25.0.6_ce-150000.203.1
  * docker-rootless-extras-25.0.6_ce-150000.203.1
* Containers Module 15-SP6 (aarch64 ppc64le s390x x86_64)
  * docker-debuginfo-25.0.6_ce-150000.203.1
  * docker-25.0.6_ce-150000.203.1
* Containers Module 15-SP6 (noarch)
  * docker-bash-completion-25.0.6_ce-150000.203.1
  * docker-rootless-extras-25.0.6_ce-150000.203.1
* SUSE Linux Enterprise High Performance Computing 15 SP2 LTSS 15-SP2 (aarch64 x86_64)
  * docker-debuginfo-25.0.6_ce-150000.203.1
  * docker-25.0.6_ce-150000.203.1
* SUSE Linux Enterprise High Performance Computing 15 SP2 LTSS 15-SP2 (noarch)
  * docker-bash-completion-25.0.6_ce-150000.203.1
* SUSE Linux Enterprise High Performance Computing LTSS 15 SP3 (aarch64 x86_64)
  * docker-debuginfo-25.0.6_ce-150000.203.1
  * docker-25.0.6_ce-150000.203.1
* SUSE Linux Enterprise High Performance Computing LTSS 15 SP3 (noarch)
  * docker-bash-completion-25.0.6_ce-150000.203.1
  * docker-fish-completion-25.0.6_ce-150000.203.1
* SUSE Linux Enterprise High Performance Computing ESPOS 15 SP4 (aarch64 x86_64)
  * docker-debuginfo-25.0.6_ce-150000.203.1
  * docker-25.0.6_ce-150000.203.1
* SUSE Linux Enterprise High Performance Computing ESPOS 15 SP4 (noarch)
  * docker-bash-completion-25.0.6_ce-150000.203.1
  * docker-rootless-extras-25.0.6_ce-150000.203.1
* SUSE Linux Enterprise High Performance Computing LTSS 15 SP4 (aarch64 x86_64)
  * docker-debuginfo-25.0.6_ce-150000.203.1
  * docker-25.0.6_ce-150000.203.1
* SUSE Linux Enterprise High Performance Computing LTSS 15 SP4 (noarch)
  * docker-bash-completion-25.0.6_ce-150000.203.1
  * docker-rootless-extras-25.0.6_ce-150000.203.1
* SUSE Linux Enterprise Server 15 SP2 LTSS 15-SP2 (aarch64 ppc64le s390x x86_64)
  * docker-debuginfo-25.0.6_ce-150000.203.1
  * docker-25.0.6_ce-150000.203.1
* SUSE Linux Enterprise Server 15 SP2 LTSS 15-SP2 (noarch)
  * docker-bash-completion-25.0.6_ce-150000.203.1
* SUSE Linux Enterprise Server 15 SP3 LTSS 15-SP3 (aarch64 ppc64le s390x x86_64)
  * docker-debuginfo-25.0.6_ce-150000.203.1
  * docker-25.0.6_ce-150000.203.1
* SUSE Linux Enterprise Server 15 SP3 LTSS 15-SP3 (noarch)
  * docker-bash-completion-25.0.6_ce-150000.203.1
  * docker-fish-completion-25.0.6_ce-150000.203.1
* SUSE Linux Enterprise Server 15 SP4 LTSS 15-SP4 (aarch64 ppc64le s390x x86_64)
  * docker-debuginfo-25.0.6_ce-150000.203.1
  * docker-25.0.6_ce-150000.203.1
* SUSE Linux Enterprise Server 15 SP4 LTSS 15-SP4 (noarch)
  * docker-bash-completion-25.0.6_ce-150000.203.1
  * docker-rootless-extras-25.0.6_ce-150000.203.1
* SUSE Linux Enterprise Server for SAP Applications 15 SP2 (ppc64le x86_64)
  * docker-debuginfo-25.0.6_ce-150000.203.1
  * docker-25.0.6_ce-150000.203.1
* SUSE Linux Enterprise Server for SAP Applications 15 SP2 (noarch)
  * docker-bash-completion-25.0.6_ce-150000.203.1
* SUSE Linux Enterprise Server for SAP Applications 15 SP3 (ppc64le x86_64)
  * docker-debuginfo-25.0.6_ce-150000.203.1
  * docker-25.0.6_ce-150000.203.1
* SUSE Linux Enterprise Server for SAP Applications 15 SP3 (noarch)
  * docker-bash-completion-25.0.6_ce-150000.203.1
  * docker-fish-completion-25.0.6_ce-150000.203.1
* SUSE Linux Enterprise Server for SAP Applications 15 SP4 (ppc64le x86_64)
  * docker-debuginfo-25.0.6_ce-150000.203.1
  * docker-25.0.6_ce-150000.203.1
* SUSE Linux Enterprise Server for SAP Applications 15 SP4 (noarch)
  * docker-bash-completion-25.0.6_ce-150000.203.1
  * docker-rootless-extras-25.0.6_ce-150000.203.1
* SUSE Enterprise Storage 7.1 (aarch64 x86_64)
  * docker-debuginfo-25.0.6_ce-150000.203.1
  * docker-25.0.6_ce-150000.203.1
* SUSE Enterprise Storage 7.1 (noarch)
  * docker-bash-completion-25.0.6_ce-150000.203.1
  * docker-fish-completion-25.0.6_ce-150000.203.1
* SUSE Linux Enterprise Micro 5.1 (aarch64 s390x x86_64)
  * docker-debuginfo-25.0.6_ce-150000.203.1
  * docker-25.0.6_ce-150000.203.1
* SUSE Linux Enterprise Micro 5.2 (aarch64 s390x x86_64)
  * docker-debuginfo-25.0.6_ce-150000.203.1
  * docker-25.0.6_ce-150000.203.1
* SUSE Linux Enterprise Micro for Rancher 5.2 (aarch64 s390x x86_64)
  * docker-debuginfo-25.0.6_ce-150000.203.1
  * docker-25.0.6_ce-150000.203.1

## References:

* https://www.suse.com/security/cve/CVE-2024-23651.html
* https://www.suse.com/security/cve/CVE-2024-23652.html
* https://www.suse.com/security/cve/CVE-2024-23653.html
* https://www.suse.com/security/cve/CVE-2024-41110.html
* https://bugzilla.suse.com/show_bug.cgi?id=1214855
* https://bugzilla.suse.com/show_bug.cgi?id=1219267
* https://bugzilla.suse.com/show_bug.cgi?id=1219268
* https://bugzilla.suse.com/show_bug.cgi?id=1219438
* https://bugzilla.suse.com/show_bug.cgi?id=1221916
* https://bugzilla.suse.com/show_bug.cgi?id=1223409
* https://bugzilla.suse.com/show_bug.cgi?id=1228324

Essential security enhancement for Docker resolves various threats and boosts system reliability on SUSE platforms.

Severity: Critical. LinuxSecurity.com Team
# Security update for kubevirt, virt-api-container, virt-controller-container, virt-exportproxy-container, virt-exportserver-container, virt-handler-container, virt-launcher-container, virt-libguestfs-t

Announcement ID: SUSE-SU-2024:2246-1
Rating: important

References:

* bsc#1223965

Cross-References:

* CVE-2024-33394

CVSS scores:

* CVE-2024-33394 ( SUSE ): 6.0 CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N

Affected Products:

* Containers Module 15-SP5
* openSUSE Leap 15.5
* SUSE Linux Enterprise High Performance Computing 15 SP5
* SUSE Linux Enterprise Micro 5.5
* SUSE Linux Enterprise Real Time 15 SP5
* SUSE Linux Enterprise Server 15 SP5
* SUSE Linux Enterprise Server for SAP Applications 15 SP5

An update that solves one vulnerability can now be installed.

## Description:

This update for kubevirt, virt-api-container, virt-controller-container, virt-exportproxy-container, virt-exportserver-container, virt-handler-container, virt-launcher-container, virt-libguestfs-tools-container, virt-operator-container, virt-pr-helper-container fixes the following issues:

* Collect component Role rules under operator Role instead of ClusterRole (bsc#1223965, CVE-2024-33394)
* Ensure procps is installed (provides ps for tests)

This update also rebuilds it against current go releases.

## Patch Instructions:

To install this SUSE update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product:

* openSUSE Leap 15.5
  zypper in -t patch SUSE-2024-2246=1 openSUSE-SLE-15.5-2024-2246=1
* SUSE Linux Enterprise Micro 5.5
  zypper in -t patch SUSE-SLE-Micro-5.5-2024-2246=1
* Containers Module 15-SP5
  zypper in -t patch SUSE-SLE-Module-Containers-15-SP5-2024-2246=1

## Package List:

* openSUSE Leap 15.5 (x86_64)
  * kubevirt-virt-exportserver-1.1.1-150500.8.18.1
  * kubevirt-pr-helper-conf-1.1.1-150500.8.18.1
  * kubevirt-virt-exportserver-debuginfo-1.1.1-150500.8.18.1
  * kubevirt-virt-handler-1.1.1-150500.8.18.1
  * kubevirt-virt-handler-debuginfo-1.1.1-150500.8.18.1
  * kubevirt-virt-launcher-debuginfo-1.1.1-150500.8.18.1
  * kubevirt-manifests-1.1.1-150500.8.18.1
  * kubevirt-virtctl-1.1.1-150500.8.18.1
  * obs-service-kubevirt_containers_meta-1.1.1-150500.8.18.1
  * kubevirt-tests-1.1.1-150500.8.18.1
  * kubevirt-container-disk-1.1.1-150500.8.18.1
  * kubevirt-virt-launcher-1.1.1-150500.8.18.1
  * kubevirt-virt-exportproxy-1.1.1-150500.8.18.1
  * kubevirt-tests-debuginfo-1.1.1-150500.8.18.1
  * kubevirt-virt-exportproxy-debuginfo-1.1.1-150500.8.18.1
  * kubevirt-virt-controller-debuginfo-1.1.1-150500.8.18.1
  * kubevirt-container-disk-debuginfo-1.1.1-150500.8.18.1
  * kubevirt-virt-api-1.1.1-150500.8.18.1
  * kubevirt-virt-operator-1.1.1-150500.8.18.1
  * kubevirt-virt-operator-debuginfo-1.1.1-150500.8.18.1
  * kubevirt-virtctl-debuginfo-1.1.1-150500.8.18.1
  * kubevirt-virt-controller-1.1.1-150500.8.18.1
  * kubevirt-virt-api-debuginfo-1.1.1-150500.8.18.1
* SUSE Linux Enterprise Micro 5.5 (x86_64)
  * kubevirt-virtctl-1.1.1-150500.8.18.1
  * kubevirt-manifests-1.1.1-150500.8.18.1
  * kubevirt-virtctl-debuginfo-1.1.1-150500.8.18.1
* Containers Module 15-SP5 (x86_64)
  * kubevirt-virtctl-1.1.1-150500.8.18.1
  * kubevirt-manifests-1.1.1-150500.8.18.1
  * kubevirt-virtctl-debuginfo-1.1.1-150500.8.18.1

## References:

* https://www.suse.com/security/cve/CVE-2024-33394.html
* https://bugzilla.suse.com/show_bug.cgi?id=1223965

Critical security enhancement for kubevirt and associated containers responding to CVE-2024-33394 flaws.

Severity: Important. LinuxSecurity.com Team
Oracle Linux Security Advisory ELSA-2024-12275
https://linux.oracle.com/errata/ELSA-2024-12275.html

The following updated rpms for Oracle Linux 8 have been uploaded to the Unbreakable Linux Network:

x86_64:
kernel-uek-container-5.4.17-2136.330.7.1.el8.x86_64.rpm
kernel-uek-container-debug-5.4.17-2136.330.7.1.el8.x86_64.rpm

SRPMS:
https://oss.oracle.com:443/ol8/SRPMS-updates//kernel-uek-container-5.4.17-2136.330.7.1.el8.src.rpm

Related CVEs:
CVE-2024-2201
CVE-2024-0607
CVE-2024-0340
CVE-2024-1086

Description of changes:

[5.4.17-2136.330.7.1.el8]
- KVM: x86: Add BHI_NO (Daniel Sneddon) [Orabug: 36384803] {CVE-2024-2201}
- x86/bhi: Mitigate KVM by default (Pawan Gupta) [Orabug: 36384803] {CVE-2024-2201}
- x86/bhi: Add BHI mitigation knob (Pawan Gupta) [Orabug: 36384803] {CVE-2024-2201}
- x86/bhi: Enumerate Branch History Injection (BHI) bug (Pawan Gupta) [Orabug: 36384803] {CVE-2024-2201}
- x86/bhi: Define SPEC_CTRL_BHI_DIS_S (Daniel Sneddon) [Orabug: 36384803] {CVE-2024-2201}
- x86/bhi: Add support for clearing branch history at syscall entry (Pawan Gupta) [Orabug: 36384803] {CVE-2024-2201}
- x86/cpufeature: Add missing leaf enumeration (Daniel Sneddon) [Orabug: 36384803] {CVE-2024-2201}
- KVM: x86: Use a switch statement and macros in __feature_translate() (Jim Mattson) [Orabug: 36384803] {CVE-2024-2201}
- KVM: x86: Advertise CPUID.(EAX=7,ECX=2):EDX[5:0] to userspace (Jim Mattson) [Orabug: 36384803] {CVE-2024-2201}
- KVM: x86: Update KVM-only leaf handling to allow for 100% KVM-only leafs (Sean Christopherson) [Orabug: 36384803] {CVE-2024-2201}
- x86/bugs: Use sysfs_emit() (Borislav Petkov) [Orabug: 36384803] {CVE-2024-2201}
- x86/speculation: Reorder SRSO and GDS functions (Alexandre Chartre) [Orabug: 36384803] {CVE-2024-2201}
- KVM: x86: Mask off unsupported and unknown bits of IA32_ARCH_CAPABILITIES (Jim Mattson) [Orabug: 36384803] {CVE-2024-2201}
- KVM: x86: Move reverse CPUID helpers to separate header file (Ricardo Koller) [Orabug: 36384803] {CVE-2024-2201}
- KVM: x86: Fix implicit enum conversion goof in scattered reverse CPUID code (Sean Christopherson) [Orabug: 36384803] {CVE-2024-2201}
- KVM: x86: Add support for reverse CPUID lookup of scattered features (Sean Christopherson) [Orabug: 36384803] {CVE-2024-2201}
- x86/msr: Define new bits in TSX_FORCE_ABORT MSR (Pawan Gupta) [Orabug: 36384803] {CVE-2024-2201}
- objtool: Add asm version of STACK_FRAME_NON_STANDARD (Josh Poimboeuf) [Orabug: 36384803] {CVE-2024-2201}
- objtool: Only include valid definitions depending on source file type (Julien Thierry) [Orabug: 36384803] {CVE-2024-2201}

[5.4.17-2136.330.7.el8]
- Revert "x86/mm/ident_map: Use gbpages only where full GB page should be mapped." (Sherry Yang) [Orabug: 36409910]
- arm64: dts: qcom: sdm845: fix USB DP/DM HS PHY interrupts (Johan Hovold)
- arm64: dts: qcom: add PDC interrupt controller for SDM845 (Lina Iyer)
- hv_netvsc: Register VF in netvsc_probe if NET_DEVICE_REGISTER missed (Shradha Gupta)
- hv_netvsc: use netif_is_bond_master() instead of open code (Juhee Kang)
- netfilter: nft_ct: fix l3num expectations with inet pseudo family (Florian Westphal)

[5.4.17-2136.330.6.el8]
- KVM: x86: Drop kvm SRCU lock in kvm_vcpu_update_apicv (Alejandro Jimenez) [Orabug: 36329600]
- KVM: x86: Handle APICv updates for APIC "mode" changes via request (Sean Christopherson) [Orabug: 36329600]
- blk-mq: fix system hang while doing cpu offline on domU (Shminderjit Singh) [Orabug: 36366420]

[5.4.17-2136.330.5.el8]
- afs: Fix endless loop in directory parsing (David Howells)
- netfilter: nf_tables: allow NFPROTO_INET in nft_(match/target)_validate() (Ignat Korchagin)
- netfilter: nf_tables: set dormant flag on hook register failure (Florian Westphal)
- scsi: megaraid_sas: Correct value passed to scsi_device_lookup() (Guixin Liu) [Orabug: 36345168]

[5.4.17-2136.330.4.el8]
- Revert "crypto: api - Disallow identical driver names" (Saeed Mirzamohammadi) [Orabug: 36361379]
- Fix null ptr in rds_tcp_recv_path (Allison Henderson) [Orabug: 35587415]
- net/rds: print PPID/COMM of process doing user reset on RDS connection (Juan Garcia) [Orabug: 36248461]

[5.4.17-2136.330.3.el8]
- uek: kabi: Add two new exported kABI symbols for ACFS and EDV (Saeed Mirzamohammadi) [Orabug: 36251861]
- mm: avoid conflict between MADV_DOEXEC and upstream advice values (Anthony Yznaga) [Orabug: 36334309]

[5.4.17-2136.330.2.el8]
- LTS tag: v5.4.269 (Alok Tiwari)
- bpf: Add map and need_defer parameters to .map_fd_put_ptr() (Hou Tao)
- of: gpio unittest kfree() wrong object (Frank Rowand)
- of: unittest: fix EXPECT text for gpio hog errors (Frank Rowand)
- net: bcmgenet: Fix EEE implementation (Florian Fainelli)
- Revert "Revert "mtd: rawnand: gpmi: Fix setting busy timeout setting"" (Max Krummenacher)
- netfilter: nf_tables: fix pointer math issue in nft_byteorder_eval() (Dan Carpenter)
- lsm: new security_file_ioctl_compat() hook (Alfred Piccioni)
- drm/msm/dsi: Enable runtime PM (Konrad Dybcio)
- PM: runtime: Have devm_pm_runtime_enable() handle pm_runtime_dont_use_autosuspend() (Douglas Anderson)
- PM: runtime: add devm_pm_runtime_enable helper (Dmitry Baryshkov)
- nilfs2: fix potential bug in end_buffer_async_write (Ryusuke Konishi)
- sched/membarrier: reduce the ability to hammer on sys_membarrier (Linus Torvalds)
- net: prevent mss overflow in skb_segment() (Eric Dumazet)
- netfilter: ipset: Missing gc cancellations fixed (Jozsef Kadlecsik)
- netfilter: ipset: fix performance regression in swap operation (Jozsef Kadlecsik)
- KVM: arm64: vgic-its: Avoid potential UAF in LPI translation cache (Oliver Upton)
- mips: Fix max_mapnr being uninitialized on early stages (Serge Semin)
- arch, mm: remove stale mentions of DISCONIGMEM (Mike Rapoport)
- bus: moxtet: Add spi device table (Sjoerd Simons)
- tracing: Inform kmemleak of saved_cmdlines allocation (Steven Rostedt (Google))
- pmdomain: core: Move the unused cleanup to a _sync initcall (Konrad Dybcio)
- can: j1939: Fix UAF in j1939_sk_match_filter during setsockopt(SO_J1939_FILTER) (Oleksij Rempel)
- irqchip/irq-brcmstb-l2: Add write memory barrier before exit (Doug Berger)
- nfp: flower: prevent re-adding mac index for bonded port (Daniel de Villiers)
- nfp: use correct macro for LengthSelect in BAR config (Daniel Basilio)
- nilfs2: fix hang in nilfs_lookup_dirty_data_buffers() (Ryusuke Konishi)
- nilfs2: fix data corruption in dsync block recovery for small block sizes (Ryusuke Konishi)
- ALSA: hda/conexant: Add quirk for SWS JS201D (bo liu)
- mmc: slot-gpio: Allow non-sleeping GPIO ro (Alexander Stein)
- x86/mm/ident_map: Use gbpages only where full GB page should be mapped. (Steve Wahl)
- x86/Kconfig: Transmeta Crusoe is CPU family 5, not 6 (Aleksander Mazur)
- serial: max310x: improve crystal stable clock detection (Hugo Villeneuve)
- serial: max310x: set default value when reading clock ready bit (Hugo Villeneuve)
- ring-buffer: Clean ring_buffer_poll_wait() error return (Vincent Donnefort)
- iio: magnetometer: rm3100: add boundary check for the value read from RM3100_REG_TMRC (zhili.liu)
- staging: iio: ad5933: fix type mismatch regression (David Schiller)
- tracing: Fix wasted memory in saved_cmdlines logic (Steven Rostedt (Google))
- ext4: fix double-free of blocks due to wrong extents moved_len (Baokun Li)
- misc: fastrpc: Mark all sessions as invalid in cb_remove (Ekansh Gupta)
- binder: signal epoll threads of self-work (Carlos Llamas)
- ALSA: hda/realtek: Enable headset mic on Vaio VJFE-ADL (Edson Juliano Drosdeck)
- xen-netback: properly sync TX responses (Jan Beulich)
- nfc: nci: free rx_data_reassembly skb on NCI device cleanup (Fedor Pchelkin)
- kbuild: Fix changing ELF file type for output of gen_btf for big endian (Nathan Chancellor)
- firewire: core: correct documentation of fw_csr_string() kernel API (Takashi Sakamoto)
- scsi: Revert "scsi: fcoe: Fix potential deadlock on &fip->ctlr_lock" (Lee Duncan)
- i2c: i801: Fix block process call transactions (Jean Delvare)
- i2c: i801: Remove i801_set_block_buffer_mode (Heiner Kallweit)
- usb: f_mass_storage: forbid async queue when shutdown happen (yuan linyu)
- USB: hub: check for alternate port before enabling A_ALT_HNP_SUPPORT (Oliver Neukum)
- HID: wacom: Do not register input devices until after hid_hw_start (Jason Gerecke)
- HID: wacom: generic: Avoid reporting a serial of '0' to userspace (Tatsunosuke Tobita)
- mm/writeback: fix possible divide-by-zero in wb_dirty_limits(), again (Zach O'Keefe)
- tracing/trigger: Fix to return error if failed to alloc snapshot (Masami Hiramatsu (Google))
- i40e: Fix waiting for queues of all VSIs to be disabled (Ivan Vecera)
- MIPS: Add 'memory' clobber to csum_ipv6_magic() inline assembler (Guenter Roeck)
- ASoC: rt5645: Fix deadlock in rt5645_jack_detect_work() (Alexey Khoroshilov)
- spi: ppc4xx: Drop write-only variable (Uwe Kleine-König)
- of: unittest: Fix compile in the non-dynamic case (Christian A. Ehrhardt)
- of: unittest: add overlay gpio test to catch gpio hog problem (Frank Rowand)
- btrfs: send: return EOPNOTSUPP on unknown flags (David Sterba)
- btrfs: forbid deleting live subvol qgroup (Boris Burkov)
- btrfs: forbid creating subvol qgroups (Boris Burkov)
- netfilter: nft_set_rbtree: skip end interval element from gc (Pablo Neira Ayuso)
- net: stmmac: xgmac: fix a typo of register name in DPP safety handling (Furong Xu)
- net: stmmac: xgmac: use #define for string constants (Simon Horman)
- vhost: use kzalloc() instead of kmalloc() followed by memset() (Prathu Baronia)
- Input: atkbd - skip ATKBD_CMD_SETLEDS when skipping ATKBD_CMD_GETID (Hans de Goede)
- USB: serial: cp210x: add ID for IMST iM871A-USB (Leonard Dallmayr)
- USB: serial: qcserial: add new usb-id for Dell Wireless DW5826e (JackBB Wu)
- net/af_iucv: clean up a try_then_request_module() (Julian Wiedmann)
- netfilter: nft_ct: reject direction for ct id (Pablo Neira Ayuso)
- netfilter: nft_compat: restrict match/target protocol to u16 (Pablo Neira Ayuso)
- netfilter: nft_compat: reject unused compat flag (Pablo Neira Ayuso)
- ppp_async: limit MRU to 64K (Eric Dumazet)
- tipc: Check the bearer type before calling tipc_udp_nl_bearer_add() (Shigeru Yoshida)
- rxrpc: Fix response to PING RESPONSE ACKs to a dead call (David Howells)
- inet: read sk->sk_family once in inet_recv_error() (Eric Dumazet)
- hwmon: (coretemp) Fix bogus core_id to attr name mapping (Zhang Rui)
- hwmon: (coretemp) Fix out-of-bounds memory access (Zhang Rui)
- hwmon: (aspeed-pwm-tacho) mutex for tach reading (Loic Prylli)
- atm: idt77252: fix a memleak in open_card_ubr0 (Zhipeng Lu)
- selftests: net: avoid just another constant wait (Paolo Abeni)
- net: stmmac: xgmac: fix handling of DPP safety error for DMA channels (Furong Xu)
- phy: ti: phy-omap-usb2: Fix NULL pointer dereference for SRP (Tony Lindgren)
- dmaengine: fix is_slave_direction() return false when DMA_DEV_TO_DEV (Frank Li)
- phy: renesas: rcar-gen3-usb2: Fix returning wrong error code (Yoshihiro Shimoda)
- dmaengine: fsl-qdma: Fix a memory leak related to the queue command DMA (Christophe JAILLET)
- dmaengine: fsl-qdma: Fix a memory leak related to the status queue DMA (Christophe JAILLET)
- bonding: remove print in bond_verify_device_path (Zhengchao Shao)
- HID: apple: Add 2021 magic keyboard FN key mapping (Benjamin Berg)
- HID: apple: Swap the Fn and Left Control keys on Apple keyboards (free5lot)
- HID: apple: Add support for the 2021 Magic Keyboard (Alex Henrie)
- net: sysfs: Fix /sys/class/net/ path (Breno Leitao)
- af_unix: fix lockdep positive in sk_diag_dump_icons() (Eric Dumazet)
- net: ipv4: fix a memleak in ip_setup_cork (Zhipeng Lu)
- netfilter: nft_ct: sanitize layer 3 and 4 protocol number in custom expectations (Pablo Neira Ayuso)
- netfilter: nf_log: replace BUG_ON by WARN_ON_ONCE when putting logger (Pablo Neira Ayuso)
- llc: call sock_orphan() at release time (Eric Dumazet)
- ipv6: Ensure natural alignment of const ipv6 loopback and router addresses (Helge Deller)
- ixgbe: Fix an error handling path in ixgbe_read_iosf_sb_reg_x550() (Christophe JAILLET)
- ixgbe: Refactor overtemp event handling (Jedrzej Jagielski)
- ixgbe: Refactor returning internal error codes (Jedrzej Jagielski)
- ixgbe: Remove non-inclusive language (Piotr Skajewski)
- net: remove unneeded break (Tom Rix)
- scsi: isci: Fix an error code problem in isci_io_request_build() (Su Hui)
- wifi: cfg80211: fix RCU dereference in __cfg80211_bss_update (Edward Adam Davis)
- perf: Fix the nr_addr_filters fix (Peter Zijlstra)
- drm/amdgpu: Release 'adev->pm.fw' before return in 'amdgpu_device_need_post()' (Srinivasan Shanmugam)
- ceph: fix deadlock or deadcode of misusing dget() (Xiubo Li)
- blk-mq: fix IO hang from sbitmap wakeup race (Ming Lei)
- virtio_net: Fix "‘%d’ directive writing between 1 and 11 bytes into a region of size 10" warnings (Zhu Yanjun)
- libsubcmd: Fix memory leak in uniq() (Ian Rogers)
- PCI/AER: Decode Requester ID when
no error info found (Bjorn Helgaas) - fs/kernfs/dir: obey S_ISGID (Max Kellermann) - usb: hub: Replace hardcoded quirk value with BIT() macro (Hardik Gajjar) - PCI: switchtec: Fix stdev_release() crash after surprise hot remove (Daniel Stodden) - PCI: Only override AMD USB controller if required (Guilherme G. Piccoli) - mfd: ti_am335x_tscadc: Fix TI SoC dependencies (Peter Robinson) - i3c: master: cdns: Update maximum prescaler value for i2c clock (Harshit Shah) - um: net: Fix return type of uml_net_start_xmit() (Nathan Chancellor) - um: Don't use vfprintf() for os_info() (Benjamin Berg) - um: Fix naming clash between UML and scheduler (Anton Ivanov) - leds: trigger: panic: Don't register panic notifier if creating the trigger failed (Heiner Kallweit) - drm/amdgpu: Drop 'fence' check in 'to_amdgpu_amdkfd_fence()' (Srinivasan Shanmugam) - drm/amdgpu: Let KFD sync with VM fences (Felix Kuehling) - clk: mmp: pxa168: Fix memory leak in pxa168_clk_init() (Kuan-Wei Chiu) - clk: hi3620: Fix memory leak in hi3620_mmc_clk_init() (Kuan-Wei Chiu) - drm/msm/dpu: Ratelimit framedone timeout msgs (Rob Clark) - media: ddbridge: fix an error code problem in ddb_probe (Su Hui) - IB/ipoib: Fix mcast list locking (DanielVacek) - drm/exynos: Call drm_atomic_helper_shutdown() at shutdown/unbind time (Douglas Anderson) - ALSA: hda: Intel: add HDA_ARL PCI ID support (Pierre-Louis Bossart) - PCI: add INTEL_HDA_ARL to pci_ids.h (Pierre-Louis Bossart) - media: rockchip: rga: fix swizzling for RGB formats (Michael Tretter) - media: stk1160: Fixed high volume of stk1160_dbg messages (Ghanshyam Agrawal) - drm/mipi-dsi: Fix detach call without attach (Tomi Valkeinen) - drm/framebuffer: Fix use of uninitialized variable (Tomi Valkeinen) - drm/drm_file: fix use of uninitialized variable (Tomi Valkeinen) - RDMA/IPoIB: Fix error code return in ipoib_mcast_join (Jack Wang) - fast_dput(): handle underflows gracefully (Al Viro) - ASoC: doc: Fix undefined SND_SOC_DAPM_NOPM argument (Cristian Ciocaltea) 
- f2fs: fix to check return value of f2fs_reserve_new_block() (Chao Yu) - wifi: cfg80211: free beacon_ies when overridden from hidden BSS (Benjamin Berg) - wifi: rtlwifi: rtl8723{be,ae}: using calculate_bit_shift() (Su Hui) - wifi: rtl8xxxu: Add additional USB IDs for RTL8192EU devices (Zenm Chen) - arm64: dts: qcom: msm8998: Fix 'out-ports' is a required property (Mao Jinlong) - arm64: dts: qcom: msm8996: Fix 'in-ports' is a required property (Mao Jinlong) - md: Whenassemble the array, consult the superblock of the freshest device (Alex Lyakas) - block: prevent an integer overflow in bvec_try_merge_hw_page (Christoph Hellwig) - ARM: dts: imx23/28: Fix the DMA controller node name (Fabio Estevam) - ARM: dts: imx23-sansa: Use preferred i2c-gpios properties (Fabio Estevam) - ARM: dts: imx27-apf27dev: Fix LED name (Fabio Estevam) - ARM: dts: imx25/27: Pass timing0 (Fabio Estevam) - ARM: dts: imx1: Fix sram node (Fabio Estevam) - ARM: dts: imx27: Fix sram node (Fabio Estevam) - ARM: dts: imx: Use flash@0,0 pattern (Fabio Estevam) - ARM: dts: imx25/27-eukrea: Fix RTC node name (Fabio Estevam) - ARM: dts: rockchip: fix rk3036 hdmi ports node (Johan Jonker) - scsi: libfc: Fix up timeout error in fc_fcp_rec_error() (Hannes Reinecke) - scsi: libfc: Don'tschedule abort twice (Hannes Reinecke) - wifi: ath9k: Fix potential array-index-out-of-bounds read in ath9k_htc_txstatus() (Minsuk Kang) - ARM: dts: imx7s: Fix nand-controller #size-cells (Alexander Stein) - ARM: dts: imx7s: Fix lcdif compatible (Alexander Stein) - ARM: dts: imx7d: Fix coresight funnel ports (Alexander Stein) - bonding: return -ENOMEM instead of BUG in alb_upper_dev_walk (Zhengchao Shao) - PCI: Add no PM reset quirk for NVIDIA Spectrum devices (Ido Schimmel) - scsi: lpfc: Fix possible file string name overflow when updating firmware (Justin Tee) - selftests/bpf: Fix pyperf180 compilation failure with clang18 (Yonghong Song) - selftests/bpf: satisfy compiler by having explicit return in btf test (Andrii 
Nakryiko) - wifi: rt2x00: restart beacon queue when hardware reset (Shiji Yang) - ext4: avoid online resizing failures due to oversized flex bg (Baokun Li) - ext4: remove unnecessary check from alloc_flex_gd() (Baokun Li) - ext4: unify the type of flexbg_size to unsigned int (Baokun Li) - ext4: fix inconsistent between segment fstrim and full fstrim (Ye Bin) - ecryptfs: Reject casefold directory inodes (Gabriel Krisman Bertazi) - SUNRPC: Fix a suspicious RCU usage warning (Anna Schumaker) - KVM: s390: fix setting of fpc register (Heiko Carstens) - s390/ptrace: handle setting of fpc register correctly (Heiko Carstens) - jfs: fix array-index-out-of-bounds in diNewExt (Edward Adam Davis) - rxrpc_find_service_conn_rcu: fix the usage of read_seqbegin_or_lock() (Oleg Nesterov) - afs: fix the usage of read_seqbegin_or_lock() in afs_find_server*() (Oleg Nesterov) - crypto: stm32/crc32 - fix parsing list of devices (Thomas Bourgoin) - pstore/ram: Fix crash when setting number of cpus to an odd number (Weichen Chen) - jfs: fix uaf in jfs_evict_inode (Edward Adam Davis) - jfs: fix array-index-out-of-bounds in dbAdjTree (Manas Ghandat) - jfs: fix slab-out-of-bounds Read in dtSearch (Manas Ghandat) - UBSAN: array-index-out-of-bounds in dtSplitRoot (Osama Muhammad) - FS:JFS:UBSAN:array-index-out-of-bounds indbAdjTree (Osama Muhammad) - ACPI: extlog: fix NULL pointer dereference check (Prarit Bhargava) - PNP: ACPI: fix fortify warning (Dmitry Antipov) - ACPI: video: Add quirk for the Colorful X15 AT 23 Laptop (Yuluo Qiu) - audit: Send netlink ACK before setting connection in auditd_set (Chris Riches) - regulator: core: Only increment use_count when enable_count changes (Rui Zhang) - perf/core: Fix narrow startup race when creating the perf nr_addr_filters sysfs file (Greg KH) - x86/mce: Mark fatal MCE's page as poison to avoid panic in the kdump kernel (Zhiquan Li) - powerpc/lib: Validate size for vector operations (Naveen N Rao) - powerpc: pmd_move_must_withdraw() is only needed 
for CONFIG_TRANSPARENT_HUGEPAGE (Stephen Rothwell) - powerpc/mm: Fix build failures due to arch_reserved_kernel_pages() (Michael Ellerman) - powerpc: Fix build error due to is_valid_bugaddr() (Michael Ellerman) - powerpc/mm: Fix null-pointer dereference in pgtable_cache_add (Kunwu Chan) - x86/entry/ia32: Ensure s32 is sign extended to s64 (Richard Palethorpe) - tick/sched: Preserve number of idle sleeps across CPU hotplug events (Tim Chen) - mips: Call lose_fpu(0) before initializing fcr31 in mips_set_personality_nan (Xi Ruoyao) - spi: bcm-qspi: fix SFDP BFPT read by usig mspi read (Kamal Dasu) - gpio: eic-sprd: Clear interrupt after set the interrupt type (Wenhua Lin) - drm/exynos: gsc: minor fix for loop iteration in gsc_runtime_resume (Fedor Pchelkin) - drm/exynos: fix accidental on-stack copy of exynos_drm_plane (Arnd Bergmann) - drm/bridge: nxp-ptn3460: simplify some error checking (Dan Carpenter) - drm/bridge: nxp-ptn3460: fix i2c_master_send() error checking (Dan Carpenter) - drm: Don't unref the same fb many times by mistake due to deadlock handling (Ville Syrjälä) - gpiolib: acpi: Ignore touchpad wakeup on GPD G1619-04 (Mario Limonciello) - netfilter: nf_tables: reject QUEUE/DROP verdict parameters (Florian Westphal) - rbd: don't move requests to the running list on errors (Ilya Dryomov) - btrfs: defrag: reject unknown flagsof btrfs_ioctl_defrag_range_args (Qu Wenruo) - btrfs: don't warn if discard range is not aligned to sector (David Sterba) - btrfs: tree-checker: fix inline ref size in error messages (Chung-Chiang Cheng) - btrfs: ref-verify: free ref cache before clearing mount opt (Fedor Pchelkin) - net: fec: fix the unhandled context fault from smmu (Shenwei Wang) - fjes: fix memleaks in fjes_hw_setup (Zhipeng Lu) - netfilter: nf_tables: validate NFPROTO_* family (Pablo Neira Ayuso) - netfilter: nf_tables: restrict anonymous set and map names to 16 bytes (Florian Westphal) - net/mlx5e: fix a double-free in arfs_create_groups (Zhipeng Lu) - net/mlx5: 
Use kfree(ft-> g) in arfs_create_groups() (Denis Efremov) - net/mlx5: DR, Use the right GVMI number for drop action (Yevgeny Kliteynik) - netlink: fix potential sleeping issue in mqueue_flush_file (Zhengchao Shao) - tcp: Add memory barrier to tcp_push() (Salvatore Dipietro) - afs: Hide silly-rename files from userspace (David Howells) - tracing: Ensure visibility when inserting an element into tracing_map (Petr Pavlu) - net/rds: Fix UBSAN: array-index-out-of-bounds in rds_cmsg_recv (Sharath Srinivasan) - llc: Drop support for ETH_P_TR_802_2. (Kuniyuki Iwashima) - llc: make llc_ui_sendmsg() more robust against bonding changes (Eric Dumazet) - vlan: skip nested type that is not IFLA_VLAN_QOS_MAPPING (Lin Ma) - net/smc: fix illegal rmb_desc access in SMC-D connection dump (Wen Gu) - x86/CPU/AMD: Fix disabling XSAVES on AMD family 0x17 due to erratum (Maciej S. Szmigiero) - powerpc: Use always instead of always-y in for crtsavres.o (Nathan Chancellor) - fs: move S_ISGID stripping into the vfs_*() helpers (Yang Xu) - fs: add mode_strip_sgid() helper (Yang Xu) - mtd: spinand: macronix: Fix MX35LFxGE4AD page size (JaimeLiao) - block: Remove special-casing of compound pages (Matthew Wilcox (Oracle)) - rename(): fix the locking of subdirectories (Al Viro) - ubifs: ubifs_symlink: Fix memleak of inode-> i_link in error path (Zhihao Cheng) - nouveau/vmm: don't set addr on the fail path toavoid warning (Dave Airlie) - mmc: core: Use mrq.sbc in close-ended ffu (Avri Altman) - arm64: dts: qcom: sdm845: fix USB wakeup interrupt types (Johan Hovold) - parisc/firmware: Fix F-extend for PDC addresses (Helge Deller) - rpmsg: virtio: Free driver_override when rpmsg_remove() (Xiaolei Wang) - hwrng: core - Fix page fault dead lock on mmap-ed hwrng (Herbert Xu) - PM: hibernate: Enforce ordering during image compression/decompression (Hongchen Zhang) - crypto: api - Disallow identical driver names (Herbert Xu) - ext4: allow for the last group to be marked as trimmed (Suraj Jitindar Singh) 
- serial: sc16is7xx: add check for unsupported SPI modes during probe (Hugo Villeneuve) - spi: introduce SPI_MODE_X_MASK macro (Oleksij Rempel) - serial: sc16is7xx: set safe default SPI clock frequency (Hugo Villeneuve) - units: add the HZ macros (Daniel Lezcano) - units: change from 'L' to 'UL' (Daniel Lezcano) - units: Add Watt units (Daniel Lezcano) - PCI: mediatek: Clear interrupt status before dispatching handler (qizhong cheng) [5.4.17-2136.330.1.el8] - mm: hwpoison: handle non-anonymous THP correctly (Yang Shi) [Orabug: 36223690] - mm,hwpoison: unify THP handling for hard and soft offline (Oscar Salvador) [Orabug: 36223690] - mm: hwpoison: remove the unnecessary THP check (Yang Shi) [Orabug: 36223690] _______________________________________________ El-errata mailing list
The container bci/golang was updated. The following patches have been included in this update:

SUSE Container Update Advisory: bci/golang
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2024:253-1
Container Tags        : bci/golang:1.20 , bci/golang:1.20-2.7.4 , bci/golang:oldstable , bci/golang:oldstable-2.7.4
Container Release     : 7.4
Severity              : important
Type                  : security
References            : 1206346 1211188 1211190 1217000 1218126 1218186 1218209 1218475 CVE-2023-1667 CVE-2023-2283 CVE-2023-48795 CVE-2023-6004 CVE-2023-6918 CVE-2024-22365
-----------------------------------------------------------------

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2024:136-1
Released:    Thu Jan 18 09:53:47 2024
Summary:     Security update for pam
Type:        security
Severity:    moderate
References:  1217000,1218475,CVE-2024-22365

This update for pam fixes the following issues:

- CVE-2024-22365: Fixed a local denial of service during PAM login due to a missing check during path manipulation (bsc#1218475).
- Check localtime_r() return value to fix crashing (bsc#1217000)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2024:140-1
Released:    Thu Jan 18 11:34:58 2024
Summary:     Security update for libssh
Type:        security
Severity:    important
References:  1211188,1211190,1218126,1218186,1218209,CVE-2023-1667,CVE-2023-2283,CVE-2023-48795,CVE-2023-6004,CVE-2023-6918

This update for libssh fixes the following issues:

Security fixes:
- CVE-2023-6004: Fixed command injection using proxycommand (bsc#1218209)
- CVE-2023-48795: Fixed potential downgrade attack using strict kex (bsc#1218126)
- CVE-2023-6918: Fixed missing checks for return values of MD functions (bsc#1218186)
- CVE-2023-1667: Fixed NULL dereference during rekeying with algorithm guessing (bsc#1211188)
- CVE-2023-2283: Fixed possible authorization bypass in pki_verify_data_signature under low-memory conditions (bsc#1211190)

Other fixes:
- Update to version 0.9.8
- Allow @ in usernames when parsing from URI composes
- Update to version 0.9.7
- Fix several memory leaks in GSSAPI handling code
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2024:142-1
Released:    Thu Jan 18 11:40:23 2024
Summary:     Recommended update for go1.20
Type:        recommended
Severity:    moderate
References:  1206346

This update for go1.20 fixes the following issues:

- Update to version go1.20.13 (bsc#1206346)

The following package changes have been done:

- libssh-config-0.9.8-150400.3.3.1 updated
- libssh4-0.9.8-150400.3.3.1 updated
- pam-1.3.0-150000.6.66.1 updated
- go1.20-doc-1.20.13-150000.1.38.1 updated
- go1.20-1.20.13-150000.1.38.1 updated
- go1.20-race-1.20.13-150000.1.38.1 updated
- container:sles15-image-15.0.0-36.5.74 updated

Security patches issued for bci/golang: libssh 0.9.8 fixes a command injection via ProxyCommand (CVE-2023-6004), the strict-kex downgrade attack (CVE-2023-48795) and three further flaws, pam fixes a local denial of service during login (CVE-2024-22365), and Go is updated to 1.20.13.
SUSE Container Update, bci/golang security, critical updates.
Severity: Important.
LinuxSecurity.com Team
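The libssh fix for CVE-2023-48795 above relies on the strict key-exchange extension, which a peer signals by listing the pseudo-algorithm name kex-strict-c-v00@openssh.com (client) or kex-strict-s-v00@openssh.com (server) in its KEXINIT. The Python below is an added example, not libssh or SUSE code: it parses an SSH_MSG_KEXINIT payload (RFC 4253, section 7.1) and reports whether the sender signals strict kex and whether it still offers the ChaCha20-Poly1305 or CBC-with-EtM combinations the downgrade attack needs. The two sample KEXINITs are constructed here, not captured from a real server.

```python
import struct

# Added example (not libssh or SUSE code): parse an SSH_MSG_KEXINIT payload
# (RFC 4253, section 7.1) and report whether the sender signals the strict
# key-exchange extension that mitigates CVE-2023-48795, and whether it still
# offers the cipher/MAC combinations the attack targets.

SSH_MSG_KEXINIT = 20

# Pseudo-algorithm names that OpenSSH defined for the strict-kex extension;
# a client advertises the -c- form, a server the -s- form.
STRICT_KEX_FLAG = {
    "client": "kex-strict-c-v00@openssh.com",
    "server": "kex-strict-s-v00@openssh.com",
}

# The ten name-lists of KEXINIT, in wire order.
FIELDS = ("kex", "hostkey", "enc_c2s", "enc_s2c", "mac_c2s", "mac_s2c",
          "comp_c2s", "comp_s2c", "lang_c2s", "lang_s2c")


def _name_list(names):
    """Encode an SSH name-list: uint32 length + comma-separated ASCII names."""
    data = ",".join(names).encode("ascii")
    return struct.pack(">I", len(data)) + data


def build_kexinit(lists, cookie=bytes(16)):
    """Assemble a KEXINIT payload from a dict of name-lists (missing ones are empty)."""
    payload = bytes([SSH_MSG_KEXINIT]) + cookie
    for field in FIELDS:
        payload += _name_list(lists.get(field, ()))
    # first_kex_packet_follows = FALSE, reserved uint32 = 0
    return payload + b"\x00" + struct.pack(">I", 0)


def parse_kexinit(payload):
    """Decode a KEXINIT payload into a dict of name-lists; raises ValueError on truncation."""
    if len(payload) < 17 or payload[0] != SSH_MSG_KEXINIT:
        raise ValueError("not an SSH_MSG_KEXINIT payload")
    offset = 17  # one message byte plus the 16-byte cookie
    lists = {}
    for field in FIELDS:
        if offset + 4 > len(payload):
            raise ValueError(f"truncated length of {field}")
        (length,) = struct.unpack_from(">I", payload, offset)
        offset += 4
        if offset + length > len(payload):
            raise ValueError(f"truncated name-list {field}")
        raw = payload[offset:offset + length].decode("ascii")
        offset += length
        lists[field] = raw.split(",") if raw else []
    if offset + 5 > len(payload):
        raise ValueError("truncated KEXINIT trailer")
    return lists


def assess(payload, role):
    """Report strict-kex support and the attack-relevant algorithm offers.

    role is "client" or "server", i.e. who sent this KEXINIT. A session is
    protected only if BOTH peers advertise their flag, so run this on both
    KEXINITs of a handshake.
    """
    lists = parse_kexinit(payload)
    strict = STRICT_KEX_FLAG[role] in lists["kex"]
    exposed = []
    for direction in ("c2s", "s2c"):
        ciphers = lists[f"enc_{direction}"]
        macs = lists[f"mac_{direction}"]
        if "chacha20-poly1305@openssh.com" in ciphers:
            exposed.append(f"{direction}: chacha20-poly1305@openssh.com")
        cbc = [c for c in ciphers if c.endswith("-cbc")]
        etm = [m for m in macs if m.endswith("-etm@openssh.com")]
        if cbc and etm:
            exposed.append(f"{direction}: CBC cipher {cbc[0]} with EtM MAC {etm[0]}")
    return {"strict_kex": strict, "exposed": exposed,
            "at_risk": bool(exposed) and not strict}


# Constructed sample KEXINITs (not captured from a real server).
_COMMON = {
    "hostkey": ["ssh-ed25519", "rsa-sha2-512"],
    "enc_c2s": ["chacha20-poly1305@openssh.com", "aes256-gcm@openssh.com", "aes256-cbc"],
    "enc_s2c": ["chacha20-poly1305@openssh.com", "aes256-gcm@openssh.com", "aes256-cbc"],
    "mac_c2s": ["hmac-sha2-256-etm@openssh.com", "hmac-sha2-256"],
    "mac_s2c": ["hmac-sha2-256-etm@openssh.com", "hmac-sha2-256"],
    "comp_c2s": ["none"], "comp_s2c": ["none"],
}
OLD_SERVER = build_kexinit({**_COMMON, "kex": ["curve25519-sha256"]})
PATCHED_SERVER = build_kexinit(
    {**_COMMON, "kex": ["curve25519-sha256", "kex-strict-s-v00@openssh.com"]})

if __name__ == "__main__":
    for label, blob in (("old server", OLD_SERVER), ("patched server", PATCHED_SERVER)):
        print(label, assess(blob, "server"))
```

The flag is role-specific: a server's KEXINIT is only "strict" if it carries the -s- name, so assessing it with role="client" reports no support. "at_risk" means this one peer offers a vulnerable combination without signalling strict kex; whether a real session is exposed depends on what both sides negotiate, which is why both KEXINITs of a handshake should be checked.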
The container suse/pcp was updated. The following patches have been included in this update:

SUSE Container Update Advisory: suse/pcp
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2023:3750-1
Container Tags        : suse/pcp:5 , suse/pcp:5-15.58 , suse/pcp:5.2 , suse/pcp:5.2-15.58 , suse/pcp:5.2.5 , suse/pcp:5.2.5-15.58 , suse/pcp:latest
Container Release     : 15.58
Severity              : important
Type                  : security
References            : 1206480 1206684 1210557 1211427 1212101 1213915 1214052 1214460 1215427 1216664 CVE-2023-4039
-----------------------------------------------------------------

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:4458-1
Released:    Thu Nov 16 14:38:48 2023
Summary:     Security update for gcc13
Type:        security
Severity:    important
References:  1206480,1206684,1210557,1211427,1212101,1213915,1214052,1214460,1215427,1216664,CVE-2023-4039

This update for gcc13 fixes the following issues:

This update ships the GCC 13.2 compiler suite and its base libraries. The compiler base libraries are provided for all SUSE Linux Enterprise 15 versions and replace the same-named GCC 12 ones. The new compilers for C, C++, and Fortran are provided for SUSE Linux Enterprise 15 SP4 and SP5 in the 'Development Tools' module. The Go, D, Ada and Modula 2 language compiler parts are available unsupported via the PackageHub repositories.

To use the gcc13 compilers:
- install 'gcc13' or 'gcc13-c++' or one of the other 'gcc13-COMPILER' frontend packages.
- override your Makefile to use CC=gcc-13, CXX=g++-13 and similar overrides for the other languages.

For a full changelog with all new GCC 13 features, see https://gcc.gnu.org/gcc-13/changes.html

Detailed changes:
* CVE-2023-4039: Fixed -fstack-protector issues on aarch64 with variable length stack allocations. (bsc#1214052)
- Work around third party app crash during C++ standard library initialization. [bsc#1216664]
- Fixed that GCC13 fails to compile some packages with error: unrecognizable insn (bsc#1215427)
- Bump included newlib to version 4.3.0.
- Update to GCC trunk head (r13-5254-g05b9868b182bb9)
- Redo floatn fixinclude pick-up to simply keep what is there.
- Turn cross compiler to s390x to a glibc cross. [bsc#1214460]
- Also handle -static-pie in the default-PIE specs
- Fixed missed optimization in Skia resulting in Firefox crashes when building with LTO. [bsc#1212101]
- Make libstdc++6-devel packages own their directories since they can be installed standalone. [bsc#1211427]
- Add new x86-related intrinsics (amxcomplexintrin.h).
- RISC-V: Add support for inlining subword atomic operations
- Use --enable-link-serialization rather than --enable-link-mutex; the benefit of the former is that the linker jobs are not holding tokens of make's jobserver.
- Add cross-bpf packages. See for the general state of BPF with GCC.
- Add bootstrap conditional to allow --without=bootstrap to be specified to speed up local builds for testing.
- Bump included newlib to version 4.3.0.
- Also package libhwasan_preinit.o on aarch64.
- Configure external timezone database provided by the timezone package. Make libstdc++6 recommend timezone to get a fully working std::chrono. Install timezone when running the testsuite.
- Package libhwasan_preinit.o on x86_64.
- Fixed unwinding on aarch64 with pointer signing. [bsc#1206684]
- Enable PRU flavour for gcc13
- update floatn fixinclude pickup to check each header separately (bsc#1206480)
- Redo floatn fixinclude pick-up to simply keep what is there.
- Bump libgo SONAME to libgo22.
- Do not package libhwasan for biarch (32-bit architecture) as the extension depends on 64-bit pointers.
- Adjust floatn fixincludes guard to work with SLE12 and earlier SLE15.
- Depend on at least LLVM 13 for GCN cross compiler.
- Update embedded newlib to version 4.2.0
- Allow cross-pru-gcc12-bootstrap for armv7l architecture. PRU architecture is used for real-time MCUs embedded into TI armv7l and aarch64 SoCs. We need to have cross-pru-gcc12 for armv7l in order to build both host applications and PRU firmware during the same build.

The following package changes have been done:

- libgcc_s1-13.2.1+git7813-150000.1.6.1 updated
- libstdc++6-13.2.1+git7813-150000.1.6.1 updated
- container:bci-bci-init-15.5-15.5-10.33 updated

SUSE has rebuilt the suse/pcp container with the gcc13 base libraries (libgcc_s1, libstdc++6), picking up the fix for CVE-2023-4039, a -fstack-protector weakness on aarch64 with variable-length stack allocations.
suse updates, container security patch, gcc security fixes.
Severity: Important.
LinuxSecurity.com Team
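Both container advisories above (SUSE-CU-2024:253-1 for bci/golang and SUSE-CU-2023:3750-1 for suse/pcp) close with the package versions the rebuilt image carries. To check an existing image against those versions before it is rebuilt, the Python below, an added example rather than SUSE tooling, implements librpm's rpmvercmp ordering (digit and alpha segments, leading zeros, and the '~' and '^' rules) and compares a constructed `rpm -qa` listing with the fixed name-version-release strings copied from the two advisories. It assumes every package has epoch 0; the sample inventory is made up for the example.

```python
import re

# Added example, not SUSE tooling: check an image's installed packages against
# the fixed versions from SUSE-CU-2024:253-1 and SUSE-CU-2023:3750-1 using
# librpm's rpmvercmp ordering ('~' and '^' included). Epoch is assumed 0.

ADVISORY_FIXED = (  # name-version-release strings copied from the advisories
    "libssh-config-0.9.8-150400.3.3.1",
    "libssh4-0.9.8-150400.3.3.1",
    "pam-1.3.0-150000.6.66.1",
    "go1.20-1.20.13-150000.1.38.1",
    "libgcc_s1-13.2.1+git7813-150000.1.6.1",
    "libstdc++6-13.2.1+git7813-150000.1.6.1",
)

# Constructed `rpm -qa --qf '%{NAME}-%{VERSION}-%{RELEASE}\n'` output from an
# image built before these updates; not real inventory data.
SAMPLE_INSTALLED = """\
libssh4-0.9.6-150400.1.5
pam-1.3.0-150000.6.66.1
go1.20-1.20.12-150000.1.35.1
libgcc_s1-13.2.1+git7813-150000.1.6.1
libstdc++6-12.3.0+git1204-150000.1.16.1
bash-4.4-150400.27.3.2
"""


def _skip_separators(s):
    """Drop leading characters that only separate segments; '~' and '^' are significant."""
    i = 0
    while i < len(s) and not s[i].isalnum() and s[i] not in "~^":
        i += 1
    return s[i:]


def rpmvercmp(a, b):
    """Order two RPM version/release strings like librpm: 1 if a is newer, -1 if b is, 0 if equal."""
    if a == b:
        return 0
    while a or b:
        a, b = _skip_separators(a), _skip_separators(b)
        if a.startswith("~") or b.startswith("~"):  # '~' sorts before anything: 1.0~rc1 < 1.0
            if not a.startswith("~"):
                return 1
            if not b.startswith("~"):
                return -1
            a, b = a[1:], b[1:]
            continue
        if a.startswith("^") or b.startswith("^"):  # 1.0 < 1.0^git1 < 1.0.1
            if not a.startswith("^"):
                return 1 if a else -1
            if not b.startswith("^"):
                return -1 if b else 1
            a, b = a[1:], b[1:]
            continue
        if not a or not b:
            break
        numeric = a[0].isdecimal()
        pattern = r"\d+" if numeric else r"[^\W\d_]+"
        seg_a = re.match(pattern, a).group(0)
        a = a[len(seg_a):]
        match_b = re.match(pattern, b)
        if match_b is None:  # differing segment types: a numeric segment is newer
            return 1 if numeric else -1
        seg_b = match_b.group(0)
        b = b[len(seg_b):]
        if numeric:
            seg_a, seg_b = seg_a.lstrip("0"), seg_b.lstrip("0")
            if len(seg_a) != len(seg_b):
                return 1 if len(seg_a) > len(seg_b) else -1
        if seg_a != seg_b:
            return 1 if seg_a > seg_b else -1
    if not a and not b:
        return 0
    return 1 if a else -1  # whichever side still has segments left is newer


def parse_nvr(nvr):
    """Split 'name-version-release' from the right, since package names may contain '-'."""
    name, version, release = nvr.rsplit("-", 2)
    return name, version, release


def compare_vr(installed, fixed):
    """Compare (version, release) pairs: version first, release as tie-breaker."""
    rc = rpmvercmp(installed[0], fixed[0])
    return rc if rc else rpmvercmp(installed[1], fixed[1])


def audit(installed_listing, fixed_nvrs=ADVISORY_FIXED):
    """Return {name: 'ok' | 'needs-update'} for each installed package the advisories cover."""
    fixed = {n: (v, r) for n, v, r in map(parse_nvr, fixed_nvrs)}
    report = {}
    for line in installed_listing.splitlines():
        if not line.strip():
            continue
        name, version, release = parse_nvr(line.strip())
        if name in fixed:
            ok = compare_vr((version, release), fixed[name]) >= 0
            report[name] = "ok" if ok else "needs-update"
    return report


if __name__ == "__main__":
    for name, state in sorted(audit(SAMPLE_INSTALLED).items()):
        print(f"{name:12s} {state}")
```

Feed it real output from `rpm -qa` inside the container to audit an image; if any package carries a non-zero epoch, query it with %{EPOCH} as well, since epoch outranks version and this example ignores it. The supported remediation remains rebuilding from the updated base image or running `zypper patch`; this script only tells you whether that has happened. The Ubuntu package versions in the USN further down follow dpkg's ordering rules, which differ from rpmvercmp and are not implemented here.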
Podman could be made to pull an untrusted image.

=========================================================================
Ubuntu Security Notice USN-6170-1
June 16, 2023

libpod vulnerabilities
=========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 22.04 LTS

Summary:

Podman could be made to pull an untrusted image.

Software Description:
- libpod: engine to run OCI-based containers in Pods

Details:

It was discovered that Podman incorrectly handled certain images. An attacker could possibly use this issue to pull an untrusted image.

Update instructions:

The problem can be corrected by updating your system to the following package versions:

Ubuntu 22.04 LTS:
  podman          3.4.4+ds1-1ubuntu1.22.04.1
  podman-docker   3.4.4+ds1-1ubuntu1.22.04.1

In general, a standard system update will make all the necessary changes.

References:
  https://ubuntu.com/security/notices/USN-6170-1
  https://bugs.launchpad.net/ubuntu/+source/libpod/+bug/2007972

Package Information:
  https://launchpad.net/ubuntu/+source/libpod/3.4.4+ds1-1ubuntu1.22.04.1

A flaw in Podman on Ubuntu 22.04 LTS could let an attacker cause it to pull an untrusted image; update podman and podman-docker to 3.4.4+ds1-1ubuntu1.22.04.1.
Podman Vulnerabilities, Ubuntu Security, Container Vulnerability Alert.
LinuxSecurity.com Team