
Stay Secure with the Latest Linux Advisories




Explore Latest Linux Security advisories


SUSE: 2023:4572-2 Critical: bci/dotnet-runtime Security Update

SUSE Container Update Advisory: bci/dotnet-runtime
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2023:3561-1
Container Tags        : bci/dotnet-runtime:6.0 , bci/dotnet-runtime:6.0-16.1 , bci/dotnet-runtime:6.0.24 , bci/dotnet-runtime:6.0.24-16.1
Container Release     : 16.1
Severity              : important
Type                  : security
References            : 1216123 1216174 1216378 CVE-2023-44487 CVE-2023-45853
-----------------------------------------------------------------

The container bci/dotnet-runtime was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:4200-1
Released:    Wed Oct 25 12:04:29 2023
Summary:     Security update for nghttp2
Type:        security
Severity:    important
References:  1216123,1216174,CVE-2023-44487

This update for nghttp2 fixes the following issues:

- CVE-2023-44487: Fixed HTTP/2 Rapid Reset attack. (bsc#1216174)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:4215-1
Released:    Thu Oct 26 12:19:25 2023
Summary:     Security update for zlib
Type:        security
Severity:    moderate
References:  1216378,CVE-2023-45853

This update for zlib fixes the following issues:

- CVE-2023-45853: Fixed an integer overflow that would lead to a buffer overflow in the minizip subcomponent (bsc#1216378).

The following package changes have been done:

- libz1-1.2.13-150500.4.3.1 updated
- libnghttp2-14-1.40.0-150200.12.1 updated
- container:sles15-image-15.0.0-36.5.50 updated

SUSE Container Update Notification for bci/python-runtime features critical security patches for openssl and curl.
Tags: bci/dotnet-runtime, Container Updates, Security Patches
Severity: Important. LinuxSecurity.com Team

Oct 27, 2023 | Important | SUSE

SUSE: 2023:731-1 Important: Multiple Security Fixes for Containers

SUSE Image Update Advisory: suse-sles-15-sp5-chost-byos-v20231013-x86_64-gen2
-----------------------------------------------------------------
Image Advisory ID : SUSE-IU-2023:731-1
Image Tags        : suse-sles-15-sp5-chost-byos-v20231013-x86_64-gen2:20231013
Image Release     :
Severity          : important
Type              : security
References        : 1023051 1120059 1152472 1157881 1177719 1181477 1188885 1193629 1194869 1196933 1200710 1201066 1202845 1203329 1203330 1204942 1205462 1205533 1206402 1206453 1206453 1206608 1207543 1207598 1208902 1208928 1208949 1209233 1209284 1209799 1209859 1209979 1210015 1210048 1210448 1210950 1211078 1211220 1211598 1211599 1211829 1212091 1212142 1212423 1212475 1212475 1212526 1212594 1212819 1212857 1212873 1212910 1212957 1213026 1213123 1213127 1213428 1213546 1213580 1213601 1213666 1213733 1213757 1213759 1213808 1213822 1213854 1213916 1213921 1213927 1213946 1213949 1213968 1213970 1213971 1214000 1214019 1214052 1214073 1214120 1214149 1214180 1214233 1214238 1214285 1214292 1214297 1214299 1214305 1214350 1214368 1214370 1214371 1214372 1214380 1214386 1214392 1214393 1214395 1214397 1214404 1214428 1214451 1214458 1214535 1214635 1214659 1214661 1214692 1214727 1214729 1214742 1214743 1214756 1214768 1214806 1214928 1214942 1214943 1214944 1214950 1214951 1214954 1214957 1214976 1214986 1214988 1214992 1214993 1215007 1215026 1215064 1215145 1215322 1215472 1215474 1215522 1215523 1215552 1215553 1215578 1215596 1215713 1215744 1215746 1215747 1215748 1215877 1215888 1215889 1215894 1215895 1215896 1215904 1215905 1215906 1215907 1215908 1215911 1215915 1215916
                    CVE-2022-38457 CVE-2022-40133 CVE-2022-45154 CVE-2023-1192 CVE-2023-1206 CVE-2023-1859 CVE-2023-2007 CVE-2023-20588 CVE-2023-20588 CVE-2023-2177 CVE-2023-22652 CVE-2023-30078 CVE-2023-30079 CVE-2023-32181 CVE-2023-3341 CVE-2023-34319 CVE-2023-34322 CVE-2023-34323 CVE-2023-34325 CVE-2023-34326 CVE-2023-34327 CVE-2023-34328 CVE-2023-35945 CVE-2023-3610 CVE-2023-37453 CVE-2023-3772 CVE-2023-38039 CVE-2023-38545 CVE-2023-38546 CVE-2023-3863 CVE-2023-39192 CVE-2023-39193 CVE-2023-39194 CVE-2023-3961 CVE-2023-39615 CVE-2023-40217 CVE-2023-40283 CVE-2023-4039 CVE-2023-4091 CVE-2023-4128 CVE-2023-4133 CVE-2023-4134 CVE-2023-4147 CVE-2023-4154 CVE-2023-4155 CVE-2023-4194 CVE-2023-42669 CVE-2023-42670 CVE-2023-4273 CVE-2023-42753 CVE-2023-42754 CVE-2023-4387 CVE-2023-4389 CVE-2023-4459 CVE-2023-4563 CVE-2023-4569 CVE-2023-4622 CVE-2023-4623 CVE-2023-4641 CVE-2023-4881 CVE-2023-4921 CVE-2023-5345
-----------------------------------------------------------------

The container suse-sles-15-sp5-chost-byos-v20231013-x86_64-gen2 was updated. The following patches have been included in this update:

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:3661-1
Released:    Mon Sep 18 21:44:09 2023
Summary:     Security update for gcc12
Type:        security
Severity:    important
References:  1214052,CVE-2023-4039

This update for gcc12 fixes the following issues:

- CVE-2023-4039: Fixed incorrect stack protector for C99 VLAs on Aarch64 (bsc#1214052).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:3663-1
Released:    Mon Sep 18 21:49:09 2023
Summary:     Recommended update for perl-Bootloader
Type:        recommended
Severity:    important
References:  1215064

This update for perl-Bootloader fixes the following issues:

- bootloader_entry script can have an optional 'force-default' argument (bsc#1215064)
- skip warning about unsupported options when in compat mode

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:3666-1
Released:    Mon Sep 18 21:52:18 2023
Summary:     Security update for libxml2
Type:        security
Severity:    important
References:  1214768,CVE-2023-39615

This update for libxml2 fixes the following issues:

- CVE-2023-39615: Fixed crafted xml can cause global buffer overflow (bsc#1214768).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:3717-1
Released:    Thu Sep 21 06:51:51 2023
Summary:     Recommended update for apparmor
Type:        recommended
Severity:    moderate
References:  1214458

This update for apparmor fixes the following issues:

- Update zgrep profile to allow egrep helper use (bsc#1214458)

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:3780-1
Released:    Tue Sep 26 10:58:21 2023
Summary:     Recommended update for hidapi
Type:        recommended
Severity:    moderate
References:  1214535

This update for hidapi ships the missing libhidapi-raw0 library to SLE and Leap Micro 5.3 and 5.4.

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:3814-1
Released:    Wed Sep 27 18:08:17 2023
Summary:     Recommended update for glibc
Type:        recommended
Severity:    moderate
References:  1211829,1212819,1212910

This update for glibc fixes the following issues:

- nscd: Fix netlink cache invalidation if epoll is used (bsc#1212910, BZ #29415)
- Restore lookup of IPv4 mapped addresses in files database (bsc#1212819, BZ #25457)
- elf: Remove excessive p_align check on PT_LOAD segments (bsc#1211829, BZ #28688)
- elf: Properly align PT_LOAD segments (bsc#1211829, BZ #28676)
- ld.so: Always use MAP_COPY to map the first segment (BZ #30452)
- add GB18030-2022 charmap (jsc#PED-4908, BZ #30243)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:3817-1
Released:    Wed Sep 27 18:31:14 2023
Summary:     Security update for containerd
Type:        security
Severity:    important
References:  1212475

This update of containerd fixes the following issues:

- rebuild the package with the go 1.21 security release (bsc#1212475).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:3821-1
Released:    Wed Sep 27 18:38:33 2023
Summary:     Security update for bind
Type:        security
Severity:    important
References:  1215472,CVE-2023-3341

This update for bind fixes the following issues:

Update to release 9.16.44:
- CVE-2023-3341: Fixed stack exhaustion flaw in control channel code may cause named to terminate unexpectedly (bsc#1215472).

Update to release 9.16.43:
* Processing already-queued queries received over TCP could cause an assertion failure, when the server was reconfigured at the same time or the cache was being flushed. This has been fixed.

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:3822-1
Released:    Wed Sep 27 18:40:14 2023
Summary:     Security update for supportutils
Type:        security
Severity:    moderate
References:  1181477,1196933,1204942,1205533,1206402,1206608,1207543,1207598,1208928,1209979,1210015,1210950,1211598,1211599,1213127,CVE-2022-45154

This update for supportutils fixes the following issues:

Security fixes:
- CVE-2022-45154: Removed iSCSI passwords (bsc#1207598).

Other Fixes:
- Changes in version 3.1.26
  + powerpc plugin to collect the slots and active memory (bsc#1210950)
  + A Cleartext Storage of Sensitive Information vulnerability CVE-2022-45154
  + supportconfig: collect BPF information (pr#154)
  + Added additional iscsi information (pr#155)
- Added run time detection (bsc#1213127)
- Changes for supportutils version 3.1.25
  + Removed iSCSI passwords CVE-2022-45154 (bsc#1207598)
  + powerpc: Collect lsslot, amsstat, and opal elogs (pr#149)
  + powerpc: collect invscout logs (pr#150)
  + powerpc: collect RMC status logs (pr#151)
  + Added missing nvme nbft commands (bsc#1211599)
  + Fixed invalid nvme commands (bsc#1211598)
  + Added missing podman information (PED-1703, bsc#1181477)
  + Removed dependency on sysfstools
  + Check for systool use (bsc#1210015)
  + Added selinux checking (bsc#1209979)
  + Updated SLES_VER matrix
- Fixed missing status detail for apparmor (bsc#1196933)
- Corrected invalid argument list in docker.txt (bsc#1206608)
- Applies limit equally to sar data and text files (bsc#1207543)
- Collects hwinfo hardware logs (bsc#1208928)
- Collects lparnumascore logs (issue#148)
- Add dependency to `numactl` on ppc64le and `s390x`; this enforces that `numactl --hardware` data is provided in supportconfigs
- Changes to supportconfig.rc version 3.1.11-35
  + Corrected _sanitize_file to include iscsi.conf and others (bsc#1206402)
- Changes to supportconfig version 3.1.11-46.4
  + Added plymouth_info
- Changes to getappcore version 1.53.02
  + The location of chkbin was updated earlier. This documents that change (bsc#1205533, bsc#1204942)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:3823-1
Released:    Wed Sep 27 18:42:38 2023
Summary:     Security update for curl
Type:        security
Severity:    important
References:  1215026,CVE-2023-38039

This update for curl fixes the following issues:

- CVE-2023-38039: Fixed possible DoS when receiving too large HTTP header. (bsc#1215026)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:3828-1
Released:    Wed Sep 27 19:07:38 2023
Summary:     Security update for python3
Type:        security
Severity:    important
References:  1214692,CVE-2023-40217

This update for python3 fixes the following issues:

- CVE-2023-40217: Fixed TLS handshake bypass on closed sockets (bsc#1214692).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:3831-1
Released:    Wed Sep 27 19:15:23 2023
Summary:     Security update for xen
Type:        security
Severity:    important
References:  1215145,1215474,CVE-2023-20588,CVE-2023-34322

This update for xen fixes the following issues:

- CVE-2023-20588: Fixed AMD CPU transitional execution leak via division by zero (XSA-439) (bsc#1215474).
- CVE-2023-34322: Fixed top-level shadow reference dropped too early for 64-bit PV guests (XSA-438) (bsc#1215145).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:3843-1
Released:    Wed Sep 27 20:18:06 2023
Summary:     Recommended update for suse-build-key
Type:        recommended
Severity:    important
References:

This update for suse-build-key fixes the following issues:

This update adds and runs an import-suse-build-key script. It is run after installation with libzypp based installers. (jsc#PED-2777)

It imports the future SUSE Linux Enterprise 15 4096 bit RSA key primary and reserve keys.

To manually import them you can also run:

# rpm --import /usr/lib/rpm/gnupg/keys/gpg-pubkey-3fa1d6ce-63c9481c.asc
# rpm --import /usr/lib/rpm/gnupg/keys/gpg-pubkey-d588dc46-63c939db.asc

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:3951-1
Released:    Tue Oct 3 19:37:46 2023
Summary:     Recommended update for python3-jmespath, python3-ply
Type:        recommended
Severity:    moderate
References:  1209233

This update for python3-jmespath and python3-ply fixes the following issue:

- the packages are required as dependencies for python3-salt, and were missing on aarch64 based SLE Micro flavors so far. There are no functional changes.

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:3952-1
Released:    Tue Oct 3 20:06:23 2023
Summary:     Security update for runc
Type:        security
Severity:    important
References:  1212475

This update of runc fixes the following issues:

- Update to runc v1.1.8. Upstream changelog is available from .
- rebuild the package with the go 1.21 security release (bsc#1212475).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:3954-1
Released:    Tue Oct 3 20:09:47 2023
Summary:     Security update for libeconf
Type:        security
Severity:    important
References:  1211078,CVE-2023-22652,CVE-2023-30078,CVE-2023-30079,CVE-2023-32181

This update for libeconf fixes the following issues:

Update to version 0.5.2.
- CVE-2023-30078, CVE-2023-32181: Fixed a stack-buffer-overflow vulnerability in 'econf_writeFile' function (bsc#1211078).
- CVE-2023-30079, CVE-2023-22652: Fixed a stack-buffer-overflow vulnerability in 'read_file' function (bsc#1211078).

-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:3970-1
Released:    Wed Oct 4 14:17:12 2023
Summary:     Recommended update for dracut
Type:        recommended
Severity:    moderate
References:  1215578

This update for dracut fixes the following issues:

- Honor nvme-cli's /etc/nvme/config.json in NVMe/TCP (bsc#1215578)

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:3971-1
Released:    Wed Oct 4 14:36:01 2023
Summary:     Security update for the Linux Kernel
Type:        security
Severity:    important
References:  1023051,1120059,1177719,1188885,1193629,1194869,1203329,1203330,1205462,1206453,1208902,1208949,1209284,1209799,1210048,1210448,1211220,1212091,1212142,1212423,1212526,1212857,1212873,1213026,1213123,1213546,1213580,1213601,1213666,1213733,1213757,1213759,1213916,1213921,1213927,1213946,1213949,1213968,1213970,1213971,1214000,1214019,1214073,1214120,1214149,1214180,1214233,1214238,1214285,1214297,1214299,1214305,1214350,1214368,1214370,1214371,1214372,1214380,1214386,1214392,1214393,1214397,1214404,1214428,1214451,1214635,1214659,1214661,1214727,1214729,1214742,1214743,1214756,1214976,1215522,1215523,1215552,1215553,CVE-2022-38457,CVE-2022-40133,CVE-2023-2007,CVE-2023-20588,CVE-2023-34319,CVE-2023-3610,CVE-2023-37453,CVE-2023-3772,CVE-2023-3863,CVE-2023-40283,CVE-2023-4128,CVE-2023-4133,CVE-2023-4134,CVE-2023-4147,CVE-2023-4194,CVE-2023-4273,CVE-2023-4387,CVE-2023-4459,CVE-2023-4563,CVE-2023-4569

The SUSE Linux Enterprise 15 SP5 kernel was updated to receive various security and bugfixes.

The following security bugs were fixed:

- CVE-2022-38457: Fixed a use-after-free vulnerability in vmwgfx driver that allowed a local attacker to cause a denial of service (bsc#1203330).
- CVE-2022-40133: Fixed a use-after-free vulnerability in vmwgfx driver that allowed a local attacker to cause a denial of service (bsc#1203329).
- CVE-2023-2007: Fixed a flaw in the DPT I2O Controller driver that could allow an attacker to escalate privileges and execute arbitrary code in the context of the kernel (bsc#1210448).
- CVE-2023-20588: Fixed a division-by-zero error on some AMD processors that can potentially return speculative data resulting in loss of confidentiality (bsc#1213927).
- CVE-2023-34319: Fixed buffer overrun triggered by unusual packet in xen/netback (XSA-432) (bsc#1213546).
- CVE-2023-3610: Fixed use-after-free vulnerability in nf_tables can be exploited to achieve local privilege escalation (bsc#1213580).
- CVE-2023-37453: Fixed oversight in SuperSpeed initialization (bsc#1213123).
- CVE-2023-3772: Fixed a flaw in XFRM subsystem that may have allowed a malicious user with CAP_NET_ADMIN privileges to directly dereference a NULL pointer leading to a possible kernel crash and denial of service (bsc#1213666).
- CVE-2023-3863: Fixed a use-after-free flaw was found in nfc_llcp_find_local that allowed a local user with special privileges to impact a kernel information leak issue (bsc#1213601).
- CVE-2023-40283: Fixed use-after-free in l2cap_sock_ready_cb (bsc#1214233).
- CVE-2023-4128: Fixed a use-after-free flaw in net/sched/cls_fw.c that allowed a local attacker to perform a local privilege escalation due to incorrect handling of the existing filter, leading to a kernel information leak issue (bsc#1214149).
- CVE-2023-4133: Fixed use after free bugs caused by circular dependency problem in cxgb4 (bsc#1213970).
- CVE-2023-4134: Fixed use-after-free in cyttsp4_watchdog_work() (bsc#1213971).
- CVE-2023-4147: Fixed use-after-free in nf_tables_newrule (bsc#1213968).
- CVE-2023-4194: Fixed a type confusion in net tun_chr_open() (bsc#1214019).
- CVE-2023-4273: Fixed a flaw in the exFAT driver of the Linux kernel that allowed a local privileged attacker to overflow the kernel stack (bsc#1214120).
- CVE-2023-4387: Fixed use-after-free flaw in vmxnet3_rq_alloc_rx_buf that could allow a local attacker to crash the system due to a double-free (bsc#1214350).
- CVE-2023-4459: Fixed a NULL pointer dereference flaw in vmxnet3_rq_cleanup that may have allowed a local attacker with normal user privilege to cause a denial of service (bsc#1214451).
- CVE-2023-4563: Fixed use-after-free in nft_verdict_dump due to a race between set GC and transaction (bsc#1214727).
- CVE-2023-4569: Fixed information leak in nft_set_catchall_flush in net/netfilter/nf_tables_api.c (bsc#1214729).

The following non-security bugs were fixed:

- ACPI/IORT: Update SMMUv3 DeviceID support (bsc#1214305).
- ACPI: processor: perflib: Avoid updating frequency QoS unnecessarily (git-fixes).
- ACPI: processor: perflib: Use the 'no limit' frequency QoS (git-fixes).
- ACPI: x86: s2idle: Fix a logic error parsing AMD constraints table (git-fixes).
- ALSA: ac97: Fix possible error value of *rac97 (git-fixes).
- ALSA: hda/cs8409: Support new Dell Dolphin Variants (git-fixes).
- ALSA: hda/realtek - Remodified 3k pull low procedure (git-fixes).
- ALSA: hda/realtek: Add quirk for HP Victus 16-d1xxx to enable mute LED (git-fixes).
- ALSA: hda/realtek: Add quirk for mute LEDs on HP ENVY x360 15-eu0xxx (git-fixes).
- ALSA: hda/realtek: Add quirks for HP G11 Laptops (git-fixes).
- ALSA: hda/realtek: Switch Dell Oasis models to use SPI (git-fixes).
- ALSA: pcm: Fix missing fixup call in compat hw_refine ioctl (git-fixes).
- ALSA: usb-audio: Add support for Mythware XA001AU capture and playback interfaces (git-fixes).
- ALSA: usb-audio: Fix init call orders for UAC1 (git-fixes).
- ALSA: ymfpci: Fix the missing snd_card_free() call at probe error (git-fixes).
- ARM: dts: imx6dl: prtrvt, prtvt7, prti6q, prtwd2: fix USB related warnings (git-fixes).
- ARM: dts: imx6sll: fixup of operating points (git-fixes).
- ARM: spear: Do not use timer namespace for timer_shutdown() function (bsc#1213970).
- ASoC: SOF: Intel: fix SoundWire/HDaudio mutual exclusion (git-fixes).
- ASoC: amd: yc: Fix a non-functional mic on Lenovo 82SJ (git-fixes).
- ASoC: lower 'no backend DAIs enabled for ... Port' log severity (git-fixes).
- ASoC: meson: axg-tdm-formatter: fix channel slot allocation (git-fixes).
- ASoC: rt5665: add missed regulator_bulk_disable (git-fixes).
- ASoC: stac9766: fix build errors with REGMAP_AC97 (git-fixes).
- ASoC: tegra: Fix SFC conversion for few rates (git-fixes).
- Bluetooth: Fix potential use-after-free when clear keys (git-fixes).
- Bluetooth: L2CAP: Fix use-after-free (git-fixes).
- Bluetooth: L2CAP: Fix use-after-free in l2cap_sock_ready_cb (git-fixes).
- Bluetooth: Remove unused declaration amp_read_loc_info() (git-fixes).
- Bluetooth: btusb: Add MT7922 bluetooth ID for the Asus Ally (git-fixes).
- Bluetooth: btusb: Do not call kfree_skb() under spin_lock_irqsave() (git-fixes).
- Bluetooth: nokia: fix value check in nokia_bluetooth_serdev_probe() (git-fixes).
- CONFIG_NVME_VERBOSE_ERRORS=y gone with a82baa8083b
- CONFIG_PRINTK_SAFE_LOG_BUF_SHIFT=13 gone with 7e152d55123
- Created new preempt kernel flavor. Configs are cloned from the respective $arch/default configs. All changed configs apart from CONFIG_PREEMPT->y are a result of dependencies, namely many lock/unlock primitives are no longer inlined in the preempt kernel. TREE_RCU has also been changed to PREEMPT_RCU, which is the default implementation for PREEMPT kernel.
- Documentation: devices.txt: Fix minors for ttyCPM* (git-fixes).
- Documentation: devices.txt: Remove ttyIOC* (git-fixes).
- Documentation: devices.txt: Remove ttySIOC* (git-fixes).
- Drivers: hv: Do not remap addresses that are above shared_gpa_boundary (bsc#1206453).
- Drivers: hv: Enable vmbus driver for nested root partition (bsc#1206453).
- Drivers: hv: Explicitly request decrypted in vmap_pfn() calls (bsc#1206453).
- Drivers: hv: Setup synic registers in case of nested root partition (bsc#1206453).
- Drivers: hv: vmbus: Call hv_synic_free() if hv_synic_alloc() fails (bsc#1206453).
- Drivers: hv: vmbus: Remove second mapping of VMBus monitor pages (bsc#1206453).
- Drivers: hv: vmbus: Remove second way of mapping ring buffers (bsc#1206453).
- Drivers: hv: vmbus: Remove the per-CPU post_msg_page (bsc#1206453).
- Drop amdgpu patch causing spamming (bsc#1215523)
- Drop cfg80211 lock fix patches that caused a regression (bsc#1213757)
- Drop rtsx patch that caused a regression (bsc#1214397,bsc#1214428)
- Enable Analog Devices Industrial Ethernet PHY driver (jsc#PED-4759)
- HID: add quirk for 03f0:464a HP Elite Presenter Mouse (git-fixes).
- HID: logitech-dj: Fix error handling in logi_dj_recv_switch_to_dj_mode() (git-fixes).
- HID: logitech-hidpp: Add USB and Bluetooth IDs for the Logitech G915 TKL Keyboard (git-fixes).
- HID: multitouch: Correct devm device reference for hidinput input_dev name (git-fixes).
- HID: wacom: remove the battery when the EKR is off (git-fixes).
- HWPOISON: offline support: fix spelling in Documentation/ABI/ (git-fixes).
- IB/hfi1: Fix possible panic during hotplug remove (git-fixes)
- IB/uverbs: Fix an potential error pointer dereference (git-fixes)
- Input: exc3000 - properly stop timer on shutdown (git-fixes).
- KVM: s390: fix sthyi error handling (git-fixes bsc#1214370).
- Kbuild: add -Wno-shift-negative-value where -Wextra is used (bsc#1214756).
- Kbuild: move to -std=gnu11 (bsc#1214756).
- PCI/ASPM: Avoid link retraining race (git-fixes).
- PCI/ASPM: Factor out pcie_wait_for_retrain() (git-fixes).
- PCI/ASPM: Return 0 or -ETIMEDOUT from pcie_retrain_link() (git-fixes).
- PCI: Mark NVIDIA T4 GPUs to avoid bus reset (git-fixes).
- PCI: acpiphp: Reassign resources on bridge if necessary (git-fixes).
- PCI: acpiphp: Use pci_assign_unassigned_bridge_resources() only for non-root bus (git-fixes).
- PCI: hv: Enable PCI pass-thru devices in Confidential VMs (bsc#1206453).
- PCI: hv: Replace retarget_msi_interrupt_params with (bsc#1206453).
- PCI: meson: Remove cast between incompatible function type (git-fixes).
- PCI: microchip: Correct the DED and SEC interrupt bit offsets (git-fixes).
- PCI: microchip: Remove cast between incompatible function type (git-fixes).
- PCI: pciehp: Use RMW accessors for changing LNKCTL (git-fixes).
- PCI: rockchip: Remove writes to unused registers (git-fixes).
- PCI: s390: Fix use-after-free of PCI resources with per-function hotplug (git-fixes).
- PCI: tegra194: Fix possible array out of bounds access (git-fixes).
- PM / devfreq: Fix leak in devfreq_dev_release() (git-fixes).
- RDMA/bnxt_re: Fix error handling in probe failure path (git-fixes)
- RDMA/bnxt_re: Fix max_qp count for virtual functions (git-fixes)
- RDMA/efa: Fix wrong resources deallocation order (git-fixes)
- RDMA/hns: Fix CQ and QP cache affinity (git-fixes)
- RDMA/hns: Fix incorrect post-send with direct wqe of wr-list (git-fixes)
- RDMA/hns: Fix port active speed (git-fixes)
- RDMA/irdma: Prevent zero-length STAG registration (git-fixes)
- RDMA/irdma: Replace one-element array with flexible-array member (git-fixes)
- RDMA/mlx5: Return the firmware result upon destroying QP/RQ (git-fixes)
- RDMA/qedr: Remove a duplicate assignment in irdma_query_ah() (git-fixes)
- RDMA/siw: Balance the reference of cep->kref in the error path (git-fixes)
- RDMA/siw: Correct wrong debug message (git-fixes)
- RDMA/umem: Set iova in ODP flow (git-fixes)
- README.BRANCH: Add Miroslav Franc as a SLE15-SP4 co-maintainer.
- Revert 'IB/isert: Fix incorrect release of isert connection' (git-fixes)
- Revert 'tracing: Add '(fault)' name injection to kernel probes' (git-fixes).
- SMB3: Do not send lease break acknowledgment if all file handles have been closed (git-fixes).
- Update patches.suse/cpufreq-intel_pstate-Fix-cpu-pstate.turbo_freq-initi.patch (git-fixes bsc#1212526 bsc#1214368 jsc#PED-4927 jsc#PED-4929).
- amba: bus: fix refcount leak (git-fixes).
- arm64: dts: imx8mn-var-som: add missing pull-up for onboard PHY reset pinmux (git-fixes).
- arm64: dts: qcom: qrb5165-rb5: fix thermal zone conflict (git-fixes).
- arm64: dts: rockchip: Disable HS400 for eMMC on ROCK Pi 4 (git-fixes).
- audit: fix possible soft lockup in __audit_inode_child() (git-fixes).
- backlight/bd6107: Compare against struct fb_info.device (git-fixes).
- backlight/gpio_backlight: Compare against struct fb_info.device (git-fixes).
- backlight/lv5207lp: Compare against struct fb_info.device (git-fixes).
- batman-adv: Do not get eth header before batadv_check_management_packet (git-fixes).
- batman-adv: Do not increase MTU when set by user (git-fixes).
- batman-adv: Fix TT global entry leak when client roamed back (git-fixes).
- batman-adv: Fix batadv_v_ogm_aggr_send memory leak (git-fixes).
- batman-adv: Hold rtnl lock during MTU update via netlink (git-fixes).
- batman-adv: Trigger events for auto adjusted MTU (git-fixes).
- bnx2x: fix page fault following EEH recovery (bsc#1214299).
- bpf: Disable preemption in bpf_event_output (git-fixes).
- bpftool: Print newline before '}' for struct with padding only fields (bsc#1211220 jsc#PED-3924).
- bus: mhi: host: Skip MHI reset if device is in RDDM (git-fixes).
- bus: ti-sysc: Fix build warning for 64-bit build (git-fixes).
- bus: ti-sysc: Fix cast to enum warning (git-fixes).
- bus: ti-sysc: Flush posted write on enable before reset (git-fixes).
- can: gs_usb: gs_usb_receive_bulk_callback(): count RX overflow errors also in case of OOM (git-fixes).
- ceph: defer stopping mdsc delayed_work (bsc#1214392).
- ceph: do not check for quotas on MDS stray dirs (bsc#1214238).
- ceph: never send metrics if disable_send_metrics is set (bsc#1214180).
- check-for-config-changes: ignore BUILTIN_RETURN_ADDRESS_STRIPS_PAC (bsc#1214380). gcc7 on SLE 15 does not support this while later gcc does.
- cifs: add missing return value check for cifs_sb_tlink (bsc#1193629).
- cifs: allow dumping keys for directories too (bsc#1193629).
- cifs: fix mid leak during reconnection after timeout threshold (git-fixes).
- cifs: if deferred close is disabled then close files immediately (git-fixes).
- cifs: is_network_name_deleted should return a bool (bsc#1193629).
- cifs: update internal module version number for cifs.ko (bsc#1193629).
- clk: Fix slab-out-of-bounds error in devm_clk_release() (git-fixes).
- clk: Fix undefined reference to `clk_rate_exclusive_{get,put}' (git-fixes).
- clk: imx8mp: fix sai4 clock (git-fixes).
- clk: imx: composite-8m: fix clock pauses when set_rate would be a no-op (git-fixes).
- clk: imx: pll14xx: dynamically configure PLL for 393216000/361267200Hz (git-fixes).
- clk: qcom: camcc-sc7180: fix async resume during probe (git-fixes).
- clk: qcom: gcc-mdm9615: use proper parent for pll0_vote clock (git-fixes).
- clk: qcom: gcc-sc7180: Fix up gcc_sdcc2_apps_clk_src (git-fixes).
- clk: qcom: gcc-sm8250: Fix gcc_sdcc2_apps_clk_src (git-fixes).
- clk: sunxi-ng: Modify mismatched function name (git-fixes).
- clocksource/drivers/arm_arch_timer: Do not use timer namespace for timer_shutdown() function (bsc#1213970).
- clocksource/drivers/hyper-v: Rework clocksource and sched clock setup (bsc#1206453).
- clocksource/drivers/sp804: Do not use timer namespace for timer_shutdown() function (bsc#1213970).
- clocksource: hyper-v: Add TSC page support for root partition (bsc#1206453).
- clocksource: hyper-v: Introduce TSC PFN getter (bsc#1206453).
- clocksource: hyper-v: Introduce a pointer to TSC page (bsc#1206453).
- clocksource: hyper-v: Use TSC PFN getter to map vvar page (bsc#1206453).
- clocksource: hyper-v: make sure Invariant-TSC is used if it is (bsc#1206453).
- cpu/SMT: Allow enabling partial SMT states via sysfs (bsc#1214285 bsc#1205462 ltc#200161 ltc#200588).
- cpu/SMT: Create topology_smt_thread_allowed() (bsc#1214285 bsc#1205462 ltc#200161 ltc#200588).
- cpu/SMT: Move SMT prototypes into cpu_smt.h (bsc#1214285 bsc#1205462 ltc#200161 ltc#200588).
- cpu/SMT: Move smt/control simple exit cases earlier (bsc#1214285 bsc#1205462 ltc#200161 ltc#200588).
- cpu/SMT: Remove topology_smt_supported() (bsc#1214285 bsc#1205462 ltc#200161 ltc#200588).
- cpu/SMT: Store the current/max number of threads (bsc#1214285 bsc#1205462 ltc#200161 ltc#200588).
- cpufreq: Fix the race condition while updating the transition_task of policy (git-fixes).
- cpufreq: intel_pstate: Adjust balance_performance EPP for Sapphire Rapids (bsc#1214659).
- cpufreq: intel_pstate: Enable HWP IO boost for all servers (bsc#1208949 jsc#PED-6003 jsc#PED-6004).
- cpufreq: intel_pstate: Fix scaling for hybrid-capable systems with disabled E-cores (bsc#1212526 bsc#1214368 jsc#PED-4927 jsc#PED-4929).
- cpufreq: intel_pstate: Read all MSRs on the target CPU (bsc#1212526 bsc#1214368 jsc#PED-4927 jsc#PED-4929).
- cpufreq: intel_pstate: hybrid: Rework HWP calibration (bsc#1212526 bsc#1214368 jsc#PED-4927 jsc#PED-4929).
- cpufreq: intel_pstate: hybrid: Use known scaling factor for P-cores (bsc#1212526 bsc#1214368 jsc#PED-4927 jsc#PED-4929).
- crypto: caam - fix unchecked return value error (git-fixes).
- crypto: stm32 - Properly handle pm_runtime_get failing (git-fixes).
- define more Hyper-V related constants (bsc#1206453).
- dma-buf/sw_sync: Avoid recursive lock during fence signal (git-fixes).
- dma-buf/sync_file: Fix docs syntax (git-fixes).
- dmaengine: idxd: Modify the dependence of attribute pasid_enabled (git-fixes).
- dmaengine: mcf-edma: Fix a potential un-allocated memory access (git-fixes).
- dmaengine: pl330: Return DMA_PAUSED when transaction is paused (git-fixes).
- dmaengine: ste_dma40: Add missing IRQ check in d40_probe (git-fixes).
- docs/process/howto: Replace C89 with C11 (bsc#1214756).
- docs: kernel-parameters: Refer to the correct bitmap function (git-fixes).
- docs: networking: replace skb_hwtstamp_tx with skb_tstamp_tx (git-fixes).
- docs: printk-formats: Fix hex printing of signed values (git-fixes).
- driver core: test_async: fix an error code (git-fixes).
- drivers: clk: keystone: Fix parameter judgment in _of_pll_clk_init() (git-fixes).
- drivers: usb: smsusb: fix error handling code in smsusb_init_device (git-fixes).
- drm/amd/display: Apply 60us prefetch for DCFCLK 64 VPs for a fully enlightened TDX/SNP VM (bsc#1206453).
- Drivers: hv: vmbus: Support fully enlightened TDX guests (bsc#1206453).
- drm: gm12u320: Fix the timeout usage for usb_bulk_msg() (git-fixes).
- drm/amd/display: Add smu write msg id fail retry process (git-fixes).
- drm/amd/display: enable cursor degamma for DCN3+ DRM legacy gamma (git-fixes).
- drm/amd/display: fix the white screen issue when >= 64GB DRAM (git-fixes).
- drm/amd/display: prevent potential division by zero errors (git-fixes).
- drm/amd/display: register edp_backlight_control() for DCN301 (git-fixes).
- drm/amd/display: Remove wait while locked (git-fixes).
- drm/ast: Add BMC virtual connector (bsc#1152472). Backporting changes: * rename ast_device to ast_private
- drm/ast: report connection status on Display Port (bsc#1152472). Backporting changes: * rename ast_device to ast_private * context changes
- drm/display: Do not assume dual mode adaptors support i2c sub-addressing (bsc#1213808).
- drm/i915: mark requests for GuC virtual engines to avoid use-after-free (git-fixes).
- drm/i915/gvt: Drop unused helper intel_vgpu_reset_gtt() (git-fixes).
- drm/i915/gvt: Put the page reference obtained by KVM's gfn_to_pfn() (git-fixes).
- drm/i915/gvt: Verify pfn is 'valid' before dereferencing 'struct page' (git-fixes).
- drm/meson: fix memory leak on ->hpd_notify callback (git-fixes).
- drm/virtio: Correct drm_gem_shmem_get_sg_table() error handling (git-fixes).
- drm/virtio: Use appropriate atomic state in virtio_gpu_plane_cleanup_fb() (git-fixes).
- ext4: avoid potential data overflow in next_linear_group (bsc#1214951).
- ext4: correct inline offset when handling xattrs in inode body (bsc#1214950).
- ext4: fix memory leaks in ext4_fname_{setup_filename,prepare_lookup} (bsc#1214954).
- ext4: fix wrong unit use in ext4_mb_clear_bb (bsc#1214943).
- ext4: fix wrong unit use in ext4_mb_new_blocks (bsc#1214944).
- ext4: get block from bh in ext4_free_blocks for fast commit replay (bsc#1214942).
- ext4: reflect error codes from ext4_multi_mount_protect() to its callers (bsc#1214941).
- ext4: Remove ext4 locking of moved directory (bsc#1214957).
- ext4: set goal start correctly in ext4_mb_normalize_request (bsc#1214940).
- fs: do not update freeing inode i_io_list (bsc#1214813).
- fs: Establish locking order for unrelated directories (bsc#1214958).
- fs: Lock moved directories (bsc#1214959).
- fs: lockd: avoid possible wrong NULL parameter (git-fixes).
- fs: no need to check source (bsc#1215752).
- fs: record I_DIRTY_TIME even if inode already has I_DIRTY_INODE (bsc#1214813).
- fuse: nlookup missing decrement in fuse_direntplus_link (bsc#1215581).
- gve: Add AF_XDP zero-copy support for GQI-QPL format (bsc#1214479).
- gve: Add XDP DROP and TX support for GQI-QPL format (bsc#1214479).
- gve: Add XDP REDIRECT support for GQI-QPL format (bsc#1214479).
- gve: Changes to add new TX queues (bsc#1214479).
- gve: Control path for DQO-QPL (bsc#1214479).
- gve: fix frag_list chaining (bsc#1214479).
- gve: Fix gve interrupt names (bsc#1214479).
- gve: RX path for DQO-QPL (bsc#1214479).
- gve: trivial spell fix Recive to Receive (bsc#1214479).
- gve: Tx path for DQO-QPL (bsc#1214479).
- gve: Unify duplicate GQ min pkt desc size constants (bsc#1214479).
- gve: use vmalloc_array and vcalloc (bsc#1214479).
- gve: XDP support GQI-QPL: helper function changes (bsc#1214479).
- hwrng: virtio - add an internal buffer (git-fixes).
- hwrng: virtio - always add a pending request (git-fixes).
- hwrng: virtio - do not wait on cleanup (git-fixes).
- hwrng: virtio - do not waste entropy (git-fixes).
- hwrng: virtio - Fix race on data_avail and actual data (git-fixes). - i2c: aspeed: Reset the i2c controller when timeout occurs (git-fixes). - i3c: master: svc: fix probe failure when no i3c device exist (git-fixes). - i915/pmu: Move execlist stats initialization to execlist specific setup (git-fixes). - idr: fix param name in idr_alloc_cyclic() doc (git-fixes). - Input: tca6416-keypad - fix interrupt enable disbalance (git-fixes). - iommu/virtio: Detach domain on endpoint release (git-fixes). - iommu/virtio: Return size mapped for a detached domain (git-fixes). - jbd2: check 'jh-> b_transaction' before removing it from checkpoint (bsc#1214953). - jbd2: correct the end of the journal recovery scan range (bsc#1214955). - jbd2: fix a race when checking checkpoint buffer busy (bsc#1214949). - jbd2: fix checkpoint cleanup performance regression (bsc#1214952). - jbd2: Fix wrongly judgement for buffer head removing while doing checkpoint (bsc#1214948). - jbd2: recheck chechpointing non-dirty buffer (bsc#1214945). - jbd2: remove journal_clean_one_cp_list() (bsc#1214947). - jbd2: remove t_checkpoint_io_list (bsc#1214946). - jbd2: restore t_checkpoint_io_list to maintain kABI (bsc#1214946). - kabi: hide changes in enum ipl_type and struct sclp_info (jsc#PED-2023 jsc#PED-2025). - kabi/severities: ignore mlx4 internal symbols - kconfig: fix possible buffer overflow (git-fixes). - kernel-binary: Move build-time definitions together Move source list and build architecture to buildrequires to aid in futurereorganization of the spec template. - kernel-binary: python3 is needed for build At least scripts/bpf_helpers_doc.py requires python3 since Linux 4.18 Other simimlar scripts may exist. - kselftest/runner.sh: Propagate SIGTERM to runner child (git-fixes). - KVM: s390: fix KVM_S390_GET_CMMA_BITS for GFNs in memslot holes (git-fixes bsc#1215915). - KVM: s390: interrupt: use READ_ONCE() before cmpxchg() (git-fixes bsc#1215896). 
- KVM: s390: pv: fix external interruption loop not always detected (git-fixes bsc#1215916). - KVM: s390: vsie: Fix the initialization of the epoch extension (epdx) field (git-fixes bsc#1215894). - KVM: s390: vsie: fix the length of APCB bitmap (git-fixes bsc#1215895). - KVM: s390/diag: fix racy access of physical cpu number in diag 9c handler (git-fixes bsc#1215911). - KVM: SVM: Remove a duplicate definition of VMCB_AVIC_APIC_BAR_MASK (git-fixes). - KVM: VMX: Fix header file dependency of asm/vmx.h (git-fixes). - KVM: x86: Fix KVM_CAP_SYNC_REGS's sync_regs() TOCTOU issues (git-fixes). - KVM: x86/mmu: Include mmu.h in spte.h (git-fixes). - loop: Fix use-after-free issues (bsc#1214991). - loop: loop_set_status_from_info() check before assignment (bsc#1214990). - mlx4: Avoid resetting MLX4_INTFF_BONDING per driver (bsc#1187236). - mlx4: Connect the ethernet part to the auxiliary bus (bsc#1187236). - mlx4: Connect the infiniband part to the auxiliary bus (bsc#1187236). - mlx4: Delete custom device management logic (bsc#1187236). - mlx4: Get rid of the mlx4_interface.activate callback (bsc#1187236). - mlx4: Get rid of the mlx4_interface.get_dev callback (bsc#1187236). - mlx4: Move the bond work to the core driver (bsc#1187236). - mlx4: Register mlx4 devices to an auxiliary virtual bus (bsc#1187236). - mlx4: Rename member mlx4_en_dev.nb to netdev_nb (bsc#1187236). - mlx4: Replace the mlx4_interface.event callback with a notifier (bsc#1187236). - mlx4: Use 'void *' as the event param of mlx4_dispatch_event() (bsc#1187236). - module: Expose module_init_layout_section() (git-fixes) - net: do notallow gso_size to be set to GSO_BY_FRAGS (git-fixes). - net: mana: Add page pool for RX buffers (bsc#1214040). - net: mana: Configure hwc timeout from hardware (bsc#1214037). - net: phy: micrel: Correct bit assignments for phy_device flags (git-fixes). - net: usb: qmi_wwan: add Quectel EM05GV2 (git-fixes). - net/mlx4: Remove many unnecessary NULL values (bsc#1187236). 
- NFS: Guard against READDIR loop when entry names exceed MAXNAMELEN (git-fixes). - NFS/blocklayout: Use the passed in gfp flags (git-fixes). - NFS/pNFS: Report EINVAL errors from connect() to the server (git-fixes). - NFSD: da_addr_body field missing in some GETDEVICEINFO replies (git-fixes). - NFSD: fix change_info in NFSv4 RENAME replies (git-fixes). - NFSD: Fix race to FREE_STATEID and cl_revoked (git-fixes). - NFSv4: Fix dropped lock for racing OPEN and delegation return (git-fixes). - NFSv4: fix out path in __nfs4_get_acl_uncached (git-fixes). - NFSv4.2: fix error handling in nfs42_proc_getxattr (git-fixes). - NFSv4.2: fix handling of COPY ERR_OFFLOAD_NO_REQ (git-fixes). - NFSv4/pnfs: minor fix for cleanup path in nfs4_get_device_info (git-fixes). - ntb: Clean up tx tail index on link down (git-fixes). - ntb: Drop packets when qp link is down (git-fixes). - ntb: Fix calculation ntb_transport_tx_free_entry() (git-fixes). - nvme-auth: use chap-> s2 to indicate bidirectional authentication (bsc#1214543). - nvme-tcp: add recovery_delay to sysfs (bsc#1201284). - nvme-tcp: delay error recovery until the next KATO interval (bsc#1201284). - nvme-tcp: Do not terminate commands when in RESETTING (bsc#1201284). - nvme-tcp: make 'err_work' a delayed work (bsc#1201284). - PCI: Free released resource after coalescing (git-fixes). - platform/mellanox: mlxbf-pmc: Fix potential buffer overflows (git-fixes). - platform/mellanox: mlxbf-pmc: Fix reading of unprogrammed events (git-fixes). - platform/mellanox: mlxbf-tmfifo: Drop jumbo frames (git-fixes). - platform/mellanox: mlxbf-tmfifo: Drop the Rx packet if no more descriptors (git-fixes). - platform/x86:intel_scu_ipc: Check status after timeout in busy_loop() (git-fixes). - platform/x86: intel_scu_ipc: Check status upon timeout in ipc_wait_for_interrupt() (git-fixes). - platform/x86: intel_scu_ipc: Do not override scu in intel_scu_ipc_dev_simple_command() (git-fixes). 
- platform/x86: intel_scu_ipc: Fail IPC send if still busy (git-fixes). - pNFS: Fix assignment of xprtdata.cred (git-fixes). - powerpc/fadump: make is_kdump_kernel() return false when fadump is active (bsc#1212639 ltc#202582). - powerpc/iommu: Fix notifiers being shared by PCI and VIO buses (bsc#1065729). - powerpc/xics: Remove unnecessary endian conversion (bsc#1065729). - printk: ringbuffer: Fix truncating buffer size min_t cast (bsc#1215875). - pwm: lpc32xx: Remove handling of PWM channels (git-fixes). - quota: add new helper dquot_active() (bsc#1214998). - quota: factor out dquot_write_dquot() (bsc#1214995). - quota: fix dqput() to follow the guarantees dquot_srcu should provide (bsc#1214963). - quota: fix warning in dqgrab() (bsc#1214962). - quota: Properly disable quotas when add_dquot_ref() fails (bsc#1214961). - quota: rename dquot_active() to inode_quota_active() (bsc#1214997). - RDMA/siw: Fabricate a GID on tun and loopback devices (git-fixes) - s390/dasd: fix command reject error on ESE devices (LTC#203630 bsc#1215123 git-fixes). - s390/dasd: fix hanging device after request requeue (git-fixes LTC#203629 bsc#1215124). - s390/ipl: add DEFINE_GENERIC_LOADPARM() (jsc#PED-2023). - s390/ipl: add eckd dump support (jsc#PED-2025). - s390/ipl: add eckd support (jsc#PED-2023). - s390/ipl: add loadparm parameter to eckd ipl/reipl data (jsc#PED-2023). - s390/ipl: use octal values instead of S_* macros (jsc#PED-2023). - s390/qeth: Do not call dev_close/dev_open (DOWN/UP) (bsc#1214873 git-fixes). - s390/zcrypt: do not leak memory if dev_set_name() fails (git-fixes bsc#1215148). - scsi: 3w-xxxx: Add error handling for initialization failure in tw_probe() (git-fixes). - scsi: 53c700: Check that command slot is not NULL (git-fixes). - scsi: core: Fixlegacy /proc parsing buffer overflow (git-fixes). - scsi: core: Fix possible memory leak if device_add() fails (git-fixes). - scsi: fnic: Replace return codes in fnic_clean_pending_aborts() (git-fixes). 
- scsi: lpfc: Do not abuse UUID APIs and LPFC_COMPRESS_VMID_SIZE (git-fixes). - scsi: lpfc: Early return after marking final NLP_DROPPED flag in dev_loss_tmo (git-fixes). - scsi: lpfc: Fix the NULL vs IS_ERR() bug for debugfs_create_file() (git-fixes). - scsi: lpfc: Modify when a node should be put in device recovery mode during RSCN (git-fixes). - scsi: lpfc: Prevent use-after-free during rmmod with mapped NVMe rports (git-fixes). - scsi: lpfc: Remove reftag check in DIF paths (git-fixes). - scsi: qedf: Add synchronization between I/O completions and abort (bsc#1210658). - scsi: qedf: Fix firmware halt over suspend and resume (git-fixes). - scsi: qedf: Fix NULL dereference in error handling (git-fixes). - scsi: qedi: Fix firmware halt over suspend and resume (git-fixes). - scsi: qla2xxx: Add logs for SFP temperature monitoring (bsc#1214928). - scsi: qla2xxx: Allow 32-byte CDBs (bsc#1214928). - scsi: qla2xxx: Error code did not return to upper layer (bsc#1214928). - scsi: qla2xxx: Fix firmware resource tracking (bsc#1214928). - scsi: qla2xxx: Fix NULL vs IS_ERR() bug for debugfs_create_dir() (git-fixes). - scsi: qla2xxx: Fix smatch warn for qla_init_iocb_limit() (bsc#1214928). - scsi: qla2xxx: Flush mailbox commands on chip reset (bsc#1214928). - scsi: qla2xxx: Move resource to allow code reuse (bsc#1214928). - scsi: qla2xxx: Remove unsupported ql2xenabledif option (bsc#1214928). - scsi: qla2xxx: Remove unused declarations (bsc#1214928). - scsi: qla2xxx: Remove unused variables in qla24xx_build_scsi_type_6_iocbs() (bsc#1214928). - scsi: qla2xxx: Update version to 10.02.09.100-k (bsc#1214928). - scsi: qla2xxx: Use raw_smp_processor_id() instead of smp_processor_id() (git-fixes). - scsi: scsi_debug: Remove dead code (git-fixes). - scsi: snic: Fix double free in snic_tgt_create() (git-fixes). - scsi: snic: Fixpossible memory leak if device_add() fails (git-fixes). - scsi: storvsc: Handle additional SRB status values (git-fixes). 
- scsi: zfcp: Fix a double put in zfcp_port_enqueue() (git-fixes bsc#1215941). - selftests: mlxsw: Fix test failure on Spectrum-4 (jsc#PED-1549). - selftests: tracing: Fix to unmount tracefs for recovering environment (git-fixes). - spi: Add TPM HW flow flag (bsc#1213534) - spi: tegra210-quad: Enable TPM wait polling (bsc#1213534) - spi: tegra210-quad: set half duplex flag (bsc#1213534) - SUNRPC: Mark the cred for revalidation if the server rejects it (git-fixes). - tcpm: Avoid soft reset when partner does not support get_status (git-fixes). - tpm_tis_spi: Add hardware wait polling (bsc#1213534) - tracing: Fix race issue between cpu buffer write and swap (git-fixes). - tracing: Remove extra space at the end of hwlat_detector/mode (git-fixes). - tracing: Remove unnecessary copying of tr-> current_trace (git-fixes). - uapi: stddef.h: Fix __DECLARE_FLEX_ARRAY for C++ (git-fixes). - udf: Fix extension of the last extent in the file (bsc#1214964). - udf: Fix file corruption when appending just after end of preallocated extent (bsc#1214965). - udf: Fix off-by-one error when discarding preallocation (bsc#1214966). - udf: Fix uninitialized array access for some pathnames (bsc#1214967). - Update metadata - uprobes/x86: Allow to probe a NOP instruction with 0x66 prefix (git-fixes). - usb: ehci: add workaround for chipidea PORTSC.PEC bug (git-fixes). - usb: ehci: move new member has_ci_pec_bug into hole (git-fixes). - usb: serial: option: add FOXCONN T99W368/T99W373 product (git-fixes). - usb: serial: option: add Quectel EM05G variant (0x030e) (git-fixes). - usb: typec: tcpci: clear the fault status bit (git-fixes). - usb: typec: tcpci: move tcpci.h to include/linux/usb/ (git-fixes). - vhost_vdpa: fix the crash in unmap a large memory (git-fixes). - vhost-scsi: unbreak any layout for response (git-fixes). - vhost: allow batching hint without size (git-fixes). - vhost: allow batching hint without size(git-fixes). 
- vhost: fix hung thread due to erroneous iotlb entries (git-fixes). - vhost: handle error while adding split ranges to iotlb (git-fixes). - virtio_net: add checking sq is full inside xdp xmit (git-fixes). - virtio_net: Fix probe failed when modprobe virtio_net (git-fixes). - virtio_net: reorder some funcs (git-fixes). - virtio_net: separate the logic of checking whether sq is full (git-fixes). - virtio_ring: fix avail_wrap_counter in virtqueue_add_packed (git-fixes). - virtio-blk: set req-> state to MQ_RQ_COMPLETE after polling I/O is finished (git-fixes). - virtio-mmio: do not break lifecycle of vm_dev (git-fixes). - virtio-net: fix race between set queues and probe (git-fixes). - virtio-net: set queues after driver_ok (git-fixes). - virtio-rng: make device ready before making request (git-fixes). - virtio: acknowledge all features before access (git-fixes). - vmcore: remove dependency with is_kdump_kernel() for exporting vmcore (bsc#1212639 ltc#202582). - watchdog: intel-mid_wdt: add MODULE_ALIAS() to allow auto-load (git-fixes). - word-at-a-time: use the same return type for has_zero regardless of endianness (bsc#1065729). - x86/alternative: Fix race in try_get_desc() (git-fixes). - x86/boot/e820: Fix typo in e820.c comment (git-fixes). - x86/bugs: Reset speculation control settings on init (git-fixes). - x86/coco: Allow CPU online/offline for a TDX VM with the paravisor on Hyper-V (bsc#1206453). - x86/coco: Export cc_vendor (bsc#1206453). - x86/cpu: Add Lunar Lake M (git-fixes). - x86/cpu: Add model number for Intel Arrow Lake processor (git-fixes). - x86/fpu: Take task_struct* in copy_sigframe_from_user_to_xstate() (git-fixes). - x86/head/64: Switch to KERNEL_CS as soon as new GDT is installed (git-fixes). - x86/hyperv: Add hv_isolation_type_tdx() to detect TDX guests (bsc#1206453). - x86/hyperv: Add hv_write_efer() for a TDX VM with the paravisor (bsc#1206453). - x86/hyperv: Add hyperv-specific handling for VMMCALL under SEV-ES (bsc#1206453). 
- x86/hyperv: Add missing 'inline' tohv_snp_boot_ap() stub (bsc#1206453). - x86/hyperv: Add sev-snp enlightened guest static key (bsc#1206453) - x86/hyperv: Add smp support for SEV-SNP guest (bsc#1206453). - x86/hyperv: Add VTL specific structs and hypercalls (bsc#1206453). - x86/hyperv: Fix hyperv_pcpu_input_arg handling when CPUs go online/offline (bsc#1206453). - x86/hyperv: Fix serial console interrupts for fully enlightened TDX guests (bsc#1206453). - x86/hyperv: Fix undefined reference to isolation_type_en_snp without CONFIG_HYPERV (bsc#1206453). - x86/hyperv: Introduce a global variable hyperv_paravisor_present (bsc#1206453). - x86/hyperv: Mark hv_ghcb_terminate() as noreturn (bsc#1206453). - x86/hyperv: Mark Hyper-V vp assist page unencrypted in SEV-SNP enlightened guest (bsc#1206453). - x86/hyperv: Move the code in ivm.c around to avoid unnecessary ifdef's (bsc#1206453). - x86/hyperv: Remove hv_isolation_type_en_snp (bsc#1206453). - x86/hyperv: Set Virtual Trust Level in VMBus init message (bsc#1206453). - x86/hyperv: Support hypercalls for fully enlightened TDX guests (bsc#1206453). - x86/hyperv: Use TDX GHCI to access some MSRs in a TDX VM with the paravisor (bsc#1206453). - x86/hyperv: Use vmmcall to implement Hyper-V hypercall in sev-snp enlightened guest (bsc#1206453). - x86/i8259: Mark legacy PIC interrupts with IRQ_LEVEL (git-fixes). - x86/ioapic: Do not return 0 from arch_dynirq_lower_bound() (git-fixes). - x86/ioremap: Fix page aligned size calculation in __ioremap_caller() (git-fixes). - x86/mce: Retrieve poison range from hardware (git-fixes). - x86/mem_encrypt: Unbreak the AMD_MEM_ENCRYPT=n build (git-fixes). - x86/mm: Avoid incomplete Global INVLPG flushes (git-fixes). - x86/mm: Do not shuffle CPU entry areas without KASLR (git-fixes). - x86/purgatory: remove PGO flags (git-fixes). - x86/PVH: avoid 32-bit build warning when obtaining VGA console info (git-fixes). 
- x86/reboot: Disable virtualization in an emergency if SVM is supported (git-fixes). - x86/resctl: fix scheduler confusion with 'current' (git-fixes). - x86/resctrl:Fix task CLOSID/RMID update race (git-fixes). - x86/resctrl: Fix to restore to original value when re-enabling hardware prefetch register (git-fixes). - x86/rtc: Remove __init for runtime functions (git-fixes). - x86/sev: Make enc_dec_hypercall() accept a size instead of npages (bsc#1214635). - x86/sgx: Reduce delay and interference of enclave release (git-fixes). - x86/srso: Do not probe microcode in a guest (git-fixes). - x86/srso: Fix SBPB enablement for spec_rstack_overflow=off (git-fixes). - x86/srso: Fix srso_show_state() side effect (git-fixes). - x86/srso: Set CPUID feature bits independently of bug or mitigation status (git-fixes). - x86/virt: Force GIF=1 prior to disabling SVM (for reboot flows) (git-fixes). - xen: remove a confusing comment on auto-translated guest I/O (git-fixes). - xprtrdma: Remap Receive buffers after a reconnect (git-fixes). 
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:4073-1
Released: Fri Oct 13 11:40:26 2023
Summary: Recommended update for rpm
Type: recommended
Severity: low
References:

This update for rpm fixes the following issue:

- Enables build for all python modules (jsc#PED-68, jsc#PED-1988)

The following package changes have been done:

- apparmor-abstractions-3.0.4-150500.11.9.1 updated
- apparmor-parser-3.0.4-150500.11.9.1 updated
- bind-utils-9.16.44-150500.8.12.2 updated
- containerd-ctr-1.6.21-150000.95.1 updated
- containerd-1.6.21-150000.95.1 updated
- curl-8.0.1-150400.5.32.1 updated
- dracut-055+suse.371.g5237e44a-150500.3.12.1 updated
- glibc-locale-base-2.31-150300.58.1 updated
- glibc-locale-2.31-150300.58.1 updated
- glibc-2.31-150300.58.1 updated
- kernel-default-5.14.21-150500.55.31.1 updated
- libapparmor1-3.0.4-150500.11.9.1 updated
- libcurl4-8.0.1-150400.5.32.1 updated
- libeconf0-0.5.2-150400.3.6.1 updated
- libgcc_s1-12.3.0+git1204-150000.1.16.1 updated
- libhidapi-hidraw0-0.10.1-150300.3.2.1 updated
- libnghttp2-14-1.40.0-150200.9.1 updated
- libpython3_6m1_0-3.6.15-150300.10.51.1 updated
- libstdc++6-12.3.0+git1204-150000.1.16.1 updated
- libxml2-2-2.10.3-150500.5.8.1 updated
- login_defs-4.8.1-150400.10.12.1 updated
- nfs-client-2.1.1-150500.22.3.1 updated
- perl-Bootloader-0.945-150400.3.9.1 updated
- python3-base-3.6.15-150300.10.51.1 updated
- python3-bind-9.16.44-150500.8.12.2 updated
- python3-ply-3.10-150000.3.5.1 updated
- python3-3.6.15-150300.10.51.1 updated
- rpm-ndb-4.14.3-150400.59.3.1 updated
- runc-1.1.8-150000.49.1 updated
- samba-client-libs-4.17.9+git.421.abde31ca5c2-150500.3.11.1 updated
- shadow-4.8.1-150400.10.12.1 updated
- supportutils-3.1.26-150300.7.35.21.1 updated
- suse-build-key-12.0-150000.8.34.1 updated
- suse-module-tools-15.5.2-150500.3.3.1 updated
- xen-libs-4.17.2_06-150500.3.12.1 updated
- zypper-1.14.64-150400.3.32.1 updated
- sysfsutils-2.1.0-3.3.1 removed
The SUSE Container Update Advisory outlines essential updates and security enhancements for the container suse-sles-15-sp5-chost-byos-v20231020. SUSE Security Advisory, Container Patches, Kernel Updates, Software Assessments, Patch Management. Severity: Important. LinuxSecurity.com Team

Oct 16, 2023 Important SuSE
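The check a practitioner wants after reading a container advisory like the one above is whether an image built from the updated container actually carries the listed package versions, and no longer carries the removed ones. The script below is an added example, not part of the SUSE advisory or of any SUSE tooling. It parses the "package changes" list in the flattened form it appears in above, compares it with the output of `rpm -qa --qf '%{NAME}-%{VERSION}-%{RELEASE}\n'` taken inside the image, and orders versions with a Python port of rpm's rpmvercmp() so that a release such as 150500.55.28.1 is correctly recognised as older than 150500.55.31.1 (a plain string compare would get cases like 1.2.10 vs 1.2.9 wrong). The advisory excerpt is copied from the list above; the inventory is constructed. Epochs are assumed to be 0 because the advisory prints none, so a package with a non-zero epoch would need %{EPOCH} added to both the inventory and the comparison.

```python
import re
import string

_ALNUM = string.ascii_letters + string.digits


def rpmvercmp(a: str, b: str) -> int:
    """Port of rpm's rpmvercmp(): -1 if a < b, 0 if equal, 1 if a > b."""
    i, j, la, lb = 0, 0, len(a), len(b)
    while i < la or j < lb:
        # Skip separators: anything that is not alphanumeric, '~' or '^'.
        while i < la and a[i] not in _ALNUM and a[i] not in "~^":
            i += 1
        while j < lb and b[j] not in _ALNUM and b[j] not in "~^":
            j += 1
        ta, tb = i < la and a[i] == "~", j < lb and b[j] == "~"
        if ta or tb:  # '~' sorts before anything, even end of string: 1.0~rc1 < 1.0
            if ta != tb:
                return 1 if tb else -1
            i, j = i + 1, j + 1
            continue
        ca, cb = i < la and a[i] == "^", j < lb and b[j] == "^"
        if ca or cb:  # '^' sorts after end of string but before any segment: 1.0 < 1.0^p < 1.0.1
            if i >= la or j >= lb:
                return -1 if i >= la else 1
            if ca != cb:
                return 1 if cb else -1
            i, j = i + 1, j + 1
            continue
        if i >= la or j >= lb:
            break
        # Compare a run of digits against digits, or a run of letters against letters.
        isnum = a[i] in string.digits
        allowed = string.digits if isnum else string.ascii_letters
        si, sj = i, j
        while i < la and a[i] in allowed:
            i += 1
        while j < lb and b[j] in allowed:
            j += 1
        seg_a, seg_b = a[si:i], b[sj:j]
        if not seg_b:  # mismatched segment types: numeric is newer than alphabetic
            return 1 if isnum else -1
        if isnum:
            seg_a, seg_b = seg_a.lstrip("0"), seg_b.lstrip("0")
            if len(seg_a) != len(seg_b):
                return 1 if len(seg_a) > len(seg_b) else -1
        if seg_a != seg_b:
            return 1 if seg_a > seg_b else -1
    if i >= la and j >= lb:
        return 0
    return -1 if i >= la else 1


def split_nvr(nvr: str):
    """Split NAME-VERSION-RELEASE from the right; package names may contain dashes."""
    name, version, release = nvr.rsplit("-", 2)
    return name, version, release


def parse_package_changes(advisory_text: str) -> dict:
    """Return {name: (version, release, action)}; works on one-per-line or flattened lists."""
    changes = {}
    for nvr, action in re.findall(r"-\s+(\S+)\s+(updated|removed)\b", advisory_text):
        if nvr.count("-") >= 2:
            name, version, release = split_nvr(nvr)
            changes[name] = (version, release, action)
    return changes


def parse_inventory(rpm_qa_output: str) -> dict:
    # Input is what  rpm -qa --qf '%{NAME}-%{VERSION}-%{RELEASE}\n'  prints.
    return {n: (v, r) for n, v, r in map(split_nvr, rpm_qa_output.split())}


def audit(advisory_text: str, rpm_qa_output: str) -> dict:
    """Map each package the advisory names to ok / outdated / not_installed / should_be_removed.

    Epoch is assumed to be 0 for every package, since the advisory list prints none."""
    installed = parse_inventory(rpm_qa_output)
    result = {}
    for name, (version, release, action) in parse_package_changes(advisory_text).items():
        have = installed.get(name)
        if action == "removed":
            result[name] = "should_be_removed" if have else "ok"
        elif have is None:
            result[name] = "not_installed"
        else:
            older = (rpmvercmp(have[0], version) or rpmvercmp(have[1], release)) < 0
            result[name] = "outdated" if older else "ok"
    return result


# Excerpt of the SUSE-RU-2023:4073-1 package list above, in its flattened form.
SAMPLE_ADVISORY = (
    "The following package changes have been done: "
    "- curl-8.0.1-150400.5.32.1 updated - glibc-2.31-150300.58.1 updated "
    "- kernel-default-5.14.21-150500.55.31.1 updated "
    "- libnghttp2-14-1.40.0-150200.9.1 updated - sysfsutils-2.1.0-3.3.1 removed ."
)
# Constructed inventory: one package lags, one is missing, one should have been removed.
SAMPLE_INVENTORY = ("curl-8.0.1-150400.5.32.1\nglibc-2.31-150300.58.1\n"
                    "kernel-default-5.14.21-150500.55.28.1\nsysfsutils-2.1.0-3.3.1\n")

if __name__ == "__main__":
    for name, status in sorted(audit(SAMPLE_ADVISORY, SAMPLE_INVENTORY).items()):
        print(f"{name:<20} {status}")
```

Run it inside the container (or point it at a saved `rpm -qa` listing) and treat anything other than `ok` as a finding: `outdated` means the image was rebuilt from a stale base, `not_installed` is usually fine for an image that never shipped the package, and `should_be_removed` means a package the vendor dropped is still present and will not receive further fixes.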

SUSE: 2023:3067-1 Critical: Rancher Elemental Onyx 5.7 Security Update

The container rancher/elemental-teal/5.4 was updated. The following patches have been included in this update:. SUSE Container Update Advisory: rancher/elemental-teal/5.4 ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2023:2962-1 Container Tags : rancher/elemental-teal/5.4:1.2.2 , rancher/elemental-teal/5.4:1.2.2-2.6 , rancher/elemental-teal/5.4:latest Container Release : 2.6 Severity : important Type : security References : 1168481 1187364 1187364 1187365 1187366 1187366 1187367 1187367 1197093 1198773 1198773 1200441 1200441 1200441 1200441 1201519 1201551 1201551 1204844 1206346 1206346 1207004 1208074 1208364 1208510 1208737 1208962 1209307 1209495 1209884 1209888 1210004 1210298 1211079 1211124 1211418 1211419 1211578 CVE-2021-3592 CVE-2021-3592 CVE-2021-3593 CVE-2021-3594 CVE-2021-3594 CVE-2021-3595 CVE-2021-3595 CVE-2023-0778 CVE-2023-25809 CVE-2023-2602 CVE-2023-2603 CVE-2023-27561 CVE-2023-28642 ----------------------------------------------------------------- The container rancher/elemental-teal/5.4 was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2022:1465-1 Released: Fri Apr 29 11:36:02 2022 Summary: Security update for libslirp Type: security Severity: important References: 1187364,1187366,1187367,1198773,CVE-2021-3592,CVE-2021-3594,CVE-2021-3595 This update for libslirp fixes the following issues: - CVE-2021-3592: Fixed invalid pointer initialization may lead to information disclosure (bootp) (bsc#1187364). - CVE-2021-3594: Fixed invalid pointer initialization may lead to information disclosure (udp) (bsc#1187367). - CVE-2021-3595: Fixed invalid pointer initialization may lead to information disclosure(tftp) (bsc#1187366). 
- Fix a dhcp regression [bsc#1198773] ----------------------------------------------------------------- Advisory ID: SUSE-SU-2022:1730-1 Released: Wed May 18 16:56:21 2022 Summary: Security update for libslirp Type: security Severity: important References: 1187364,1187366,1187367,1198773,CVE-2021-3592,CVE-2021-3594,CVE-2021-3595 This update for libslirp fixes the following issues: - CVE-2021-3592: Fixed invalid pointer initialization may lead to information disclosure (bootp) (bsc#1187364). - CVE-2021-3594: Fixed invalid pointer initialization may lead to information disclosure (udp) (bsc#1187367). - CVE-2021-3595: Fixed invalid pointer initialization may lead to information disclosure (tftp) (bsc#1187366). - Fix a dhcp regression [bsc#1198773] ----------------------------------------------------------------- Advisory ID: SUSE-SU-2022:2941-1 Released: Tue Aug 30 10:51:09 2022 Summary: Security update for libslirp Type: security Severity: moderate References: 1187365,1201551,CVE-2021-3593 This update for libslirp fixes the following issues: - CVE-2021-3593: Fixed invalid pointer initialization may lead to information disclosure (udp6) (bsc#1187365). 
Non-security fixes: - Fix the version header (bsc#1201551) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2023:1814-1 Released: Tue Apr 11 14:40:34 2023 Summary: Security update for podman Type: security Severity: important References: 1197093,1208364,1208510,1209495,CVE-2023-0778 This update for podman fixes the following issues: Update to version 4.4.4: * libpod: always use direct mapping * macos pkginstaller: do not fail when podman-mac-helper fails * podman-mac-helper: install: do not error if already installed - podman.spec: Bump required version for libcontainers-common (bsc#1209495) Update to version 4.4.3: * compat: /auth: parse server address correctly * vendor github.com/containers/common@v0.51.1 * pkginstaller: bumpQemu to version 7.2.0 * podman machine: Adjust Chrony makestep config * [v4.4] fix --health-on-failure=restart in transient unit * podman logs passthrough driver support --cgroups=split * journald logs: simplify entry parsing * podman logs: read journald with passthrough * journald: remove initializeJournal() * netavark: only use aardvark ip as nameserver * compat API: network create return 409 for duplicate * fix 'podman logs --since --follow' flake * system service --log-level=trace: support hijack * podman-mac-helper: exit 1 on error * bump golang.org/x/net to v0.8.0 * Fix package restore * Quadlet - use the default runtime Update to version 4.4.2: * Revert 'CI: Temporarily disable all AWS EC2-based tasks' * kube play: only enforce passthrough in Quadlet * Emergency fix for man pages: check for broken includes * CI: Temporarily disable all AWS EC2-based tasks * quadlet system tests: add useful defaults, logging * volume,container: chroot to source before exporting content * install sigproxy before start/attach * Update to c/image 5.24.1 * events + container inspect test: RHEL fixes - podman.spec: add `crun` requirement for quadlet - podman.spec: set PREFIX at build stage (bsc#1208510) - CVE-2023-0778: 
Fixed symlink exchange attack in podman export volume (bsc#1208364) Update to version 4.4.1: * kube play: do not teardown unconditionally on error * Resolve symlink path for qemu directory if possible * events: document journald identifiers * Quadlet: exit 0 when there are no files to process * Cleanup podman-systemd.unit file * Install podman-systemd.unit man page, make quadlet discoverable * Add missing return after errors * oci: bind mount /sys with --userns=(auto|pod:) * docs: specify order preference for FROM * Cirrus: Fix & remove GraphQL API tests * test: adapt test to work on cgroupv1 * make hack/markdown-preprocess parallel-safe * Fix default handling of pids-limit * system tests: fix volume exec/noexec test Update toversion 4.4.0: * Emergency fix for RHEL8 gating tests * Do not mount /dev/tty into rootless containers * Fixes port collision issue on use of --publish-all * Fix usage of absolute windows paths with --image-path * fix #17244: use /etc/timezone where `timedatectl` is missing on Linux * podman-events: document verbose create events * Making gvproxy.exe optional for building Windows installer * Add gvproxy to Windows packages * Match VT device paths to be blocked from mounting exactly * Clean up more language for inclusiveness * Set runAsNonRoot=true in gen kube * quadlet: Add device support for .volume files * fix: running check error when podman is default in wsl * fix: don't output 'ago' when container is currently up and running * journald: podman logs only show logs for current user * journald: podman events only show events for current user * Add (podman {image,manifest} push --sign-by-sigstore=param-file.yaml) * DB: make loading container states optional * ps: do not sync container * Allow --device-cgroup-rule to be passed in by docker API * Create release notes for v4.4.0 * Cirrus: Update operating branch * fix APIv2 python attach test flake * ps: query health check in batch mode * make example volume import, not import volume * Correct 
output when inspecting containers created with --ipc * Vendor containers/(storage, image, common, buildah) * Get correct username in pod when using --userns=keep-id * ps: get network data in batch mode * build(deps): bump github.com/onsi/gomega from 1.25.0 to 1.26.0 * add hack/perf for comparing two container engines * systems: retrofit dns options test to honor other search domains * ps: do not create copy of container config * libpod: set search domain independently of nameservers * libpod,netavark: correctly populate /etc/resolv.conf with custom dns server * podman: relay custom DNS servers to network stack * (fix) mount_program is in storage.options.overlay * Change example target to default indoc * network create: do not allow `default` as name * kube-play: add support for HostPID in podSpec * build(deps): bump github.com/docker/docker * Let's see if #14653 is fixed or not * Add support for podman build --group-add * vendor in latests containers/(storage, common, build, image) * unskip network update test * do not install swagger by default * pasta: skip 'Local forwarder, IPv4' test * add testbindings Makefile target * update CI images to include pasta * [CI:DOCS] Add CNI deprecation notices to documentation * Cirrus: preserve podman-server logs * waitPidStop: reduce sleep time to 10ms * StopContainer: return if cleanup process changed state * StopSignal: add a comment * StopContainer: small refactor * waitPidStop: simplify code * e2e tests: reenable long-skipped build test * Add openssh-clients to podmanimage * Reworks Windows smoke test to tunnel through interactive session. 
* fix bud-multiple-platform-with-base-as-default-arg flake * Remove ReservedAnnotations from kube generate specification * e2e: update test/README.md * e2e: use isRootless() instead of rootless.IsRootless() * Cleanup documentation on --userns=auto * Vendor in latest c/common * sig-proxy system test: bump timeout * build(deps): bump github.com/containernetworking/plugins * rootless: rename auth-scripts to preexec-hooks * Docs: version-check updates * commit: use libimage code to parse changes * [CI:DOCS] Remove experimental mac tutorial * man: Document the interaction between --systemd and --privileged * Make rootless privileged containers share the same tty devices as rootfull ones * container kill: handle stopped/exited container * Vendor in latest containers/(image,ocicrypt) * add a comment to container removal * Vendor in latest containers/storage * Cirrus: Run machine tests on PR merge * fix flake in kube system test * kube play: complete container spec * E2E Tests: Use inspect instead of actual data to avoid UDP flake * Usecontainers/storage/pkg/regexp in place of regexp * Vendor in latest containers/storage * Cirrus: Support using updated/latest NV/AV in PRs * Limit replica count to 1 when deploying from kubernetes YAML * Set StoppedByUser earlier in the process of stopping * podman-play system test: refactor * network: add support for podman network update and --network-dns-server * service container: less verbose error logs * Quadlet Kube - add support for PublishPort key * e2e: fix systemd_activate_test * Compile regex on demand not in init * [docker compat] Don't overwrite the NetworkMode if containers.conf overrides netns. 
* E2E Test: Play Kube set deadline to connection to avoid hangs
* Only prevent VTs to be mounted inside privileged systemd containers
* e2e: fix play_kube_test
* Updated error message for supported VolumeSource types
* Introduce pkg retry logic in win installer task
* logformatter: include base SHA, with history link
* Network tests: ping redhat.com, not podman.io
* cobra: move engine shutdown to Execute
* Updated options for QEMU on Windows hosts
* Update Mac installer to use gvproxy v0.5.0
* podman: podman rm -f doesn't leave processes
* oci: check for valid PID before kill(pid, 0)
* linux: add /sys/fs/cgroup if /sys is a bind mount
* Quadlet: Add support for ConfigMap key in Kube section
* remove service container _after_ pods
* Kube Play - allow setting and overriding published host ports
* oci: terminate all container processes on cleanup
* Update win-sshproxy to 0.5.0 gvisor tag
* Vendor in latest containers/common
* Fix a potential defer logic error around locking
* logformatter: nicer formatting for bats failures
* logformatter: refactor verbose line-print
* e2e tests: stop using UBI images
* k8s-file: podman logs --until --follow exit after time
* journald: podman logs --until --follow exit after time
* journald: seek to time when --since is used
* podman logs: journald fix --since and --follow
* Preprocess files in UTF-8 mode
* Vendor in latest containers/(common, image, storage)
* Switch to C based msi hooks for win installer
* hack/bats: improve usage message
* hack/bats: add --remote option
* hack/bats: fix root/rootless logic
* Describe copy volume options
* Support sig-proxy for podman-remote attach and start
* libpod: fix race condition rm'ing stopping containers
* e2e: fix run_volume_test
* Add support for Windows ARM64
* Add shared --compress to man pages
* Add container error message to ContainerState
* Man page checker: require canonical name in SEE ALSO
* system df: improve json output code
* kube play: fix the error logic with --quiet
* System tests: quadlet network test
* Fix: List container with volume filter
* adding -dryrun flag
* Quadlet Container: Add support for EnvironmentFile and EnvironmentHost
* Kube Play: use passthrough as the default log-driver if service-container is set
* System tests: add missing cleanup
* System tests: fix unquoted question marks
* Build and use a newer systemd image
* Quadlet Network - Fix the name of the required network service
* System Test Quadlet - Volume dependency test did not test the dependency
* fix `podman system connection - tcp` flake
* vendor: bump c/storage to a747b27
* Fix instructions about setting storage driver on command-line
* Test README - point users to hack/bats
* System test: quadlet kube basic test
* Fixed `podman update --pids-limit`
* podman-remote,bindings: trim context path correctly when its emptydir
* Quadlet Doc: Add section for .kube files
* e2e: fix containers_conf_test
* Allow '/' to prefix container names to match Docker
* Remove references to qcow2
* Fix typos in man page regarding transient storage mode.
* make: Use PYTHON var for .install.pre-commit
* Add containers.conf read-only flag support
* Explain that relabeling/chowning of volumes can take a long time
* events: support 'die' filter
* infra/abi: refactor ContainerRm
* When in transient store mode, use rundir for bundlepath
* quadlet: Support Type=oneshot container files
* hacks/bats: keep QUADLET env var in test env
* New system tests for conflicting options
* Vendor in latest containers/(buildah, image, common)
* Output Size and Reclaimable in human form for json output
* podman service: close duplicated /dev/null fd
* ginkgo tests: apply ginkgolinter fixes
* Add support for hostPath and configMap subpath usage
* export: use io.Writer instead of file
* rootless: always create userns with euid != 0
* rootless: inhibit copy mapping for euid != 0
* pkg/domain/infra/abi: introduce `type containerWrapper`
* vendor: bump to buildah ca578b290144 and use new cache API
* quadlet: Handle booleans that have defaults better
* quadlet: Rename parser.LookupBoolean to LookupBooleanWithDefault
* Add podman-clean-transient.service service
* Stop recording annotations set to false
* Unify --noheading and -n to be consistent on all commands
* pkg/domain/infra/abi: add `getContainers`
* Update vendor of containers/(common, image)
* specfile: Drop user-add dependency from quadlet subpackage.
* quadlet: Default BINDIR to /usr/bin if tag not specified
* Quadlet: add network support
* Add comment for jsonMarshal command
* Always allow pushing from containers-storage
* libpod: move NetNS into state db instead of extra bucket
* Add initial system tests for quadlets
* quadlet: Add --user option
* libpod: remove CNI word where no longer applicable
* libpod: fix header length in http attach with logs
* podman-kube@ template: use `podman kube`
* build(deps): bump github.com/docker/docker
* wait: add --ignore option
* quadlet: Respect $PODMAN env var for podman binary
* e2e: Add assert-key-is-regex check to quadlet e2e testsuite
* e2e: Add some assert to quadlet test to make sure testcases are sane
* remove unmapped ports from inspect port bindings
* update podman-network-create for clarity
* Vendor in latest containers/common with default capabilities
* pkg/rootless: Change error text ...
* rootless: add cli validator
* rootless: define LIBEXECPODMAN
* doc: fix documentation for idmapped mounts
* bump golangci-lint to v1.50.1
* build(deps): bump github.com/onsi/gomega from 1.24.1 to 1.24.2
* [CI:DOCS] podman-mount: s/umount/unmount/
* create/pull --help: list pull policies
* Network Create: Add --ignore flag to support idempotent script
* Make qemu security model none
* libpod: use OCI idmappings for mounts
* stop reporting errors removing containers that don't exist
* test: added test from wait endpoint with too long label
* quadlet: Default VolatileTmp to off
* build(deps): bump github.com/ulikunitz/xz from 0.5.10 to 0.5.11
* docs/options/ipc: fix list syntax
* Docs: Add dedicated DOWNLOAD doc w/ links to bins
* Make a consistently-named windows installer
* checkpoint restore: fix --ignore-static-ip/mac
* add support for subpath in play kube for named volumes
* build(deps): bump golang.org/x/net from 0.2.0 to 0.4.0
* golangci-lint: remove three deprecated linters
* parse-localbenchmarks: separate standard deviation
* build(deps): bump golang.org/x/term from 0.2.0 to 0.3.0
* podman play kube support container startup probe
* Add podman buildx version support
* Cirrus: Collect benchmarks on machine instances
* Cirrus: Remove escape codes from log files
* [CI:DOCS] Clarify secret target behavior
* Fix typo on network docs
* podman-remote build add --volume support
* remote: allow --http-proxy for remote clients
* Cleanup kube play workloads if error happens
* health check: ignore dependencies of transient systemd units/timers
* fix: event read from syslog
* Fixes secret (un)marshaling for kube play.
* Remove 'you' from man pages
* build(deps): bump golang.org/x/tools from 0.3.0 to 0.4.0 in /test/tools
* [CI:DOCS] test/README.md: run tests with podman-remote
* e2e: keeps the http_proxy value
* Makefile: Add podman-mac-helper to darwin client zip
* test/e2e: enable 'podman run with ipam none driver' for nv
* [skip-ci] GHA/Cirrus-cron: Fix execution order
* kube sdnotify: run proxies for the lifespan of the service
* Update containers common package
* podman manpage: Use man-page links instead of file names
* e2e: fix e2e tests in proxy environment
* Fix test
* disable healthchecks automatically on non systemd systems
* Quadlet Kube: Add support for userns flag
* [CI:DOCS] Add warning about --opts,o with mount's -o
* Add podman system prune --external
* Add some tests for transient store
* runtime: In transient_store mode, move bolt_state.db to rundir
* runtime: Handle the transient store options
* libpod: Move the creation of TmpDir to an earlier time
* network create: support '-o parent=XXX' for ipvlan
* compat API: allow MacAddress on container config
* Quadlet Kube: Add support for relative path for YAML file
* notify k8s system test: move sending message into exec
* runtime: do not chown idmapped volumes
* quadlet: Drop ExecStartPre=rm %t/%N.cid
* Quadlet Kube: Set SyslogIdentifier if was not set
* Add a FreeBSD cross build to the cirrus alt build task
* Add completion for --init-ctr
* Fix handling of readonly containers when defined in kube.yaml
* Build cross-compilation fixes
* libpod: Track healthcheck API changes in healthcheck_unsupported.go
* quadlet: Use same default capability set as podman run
* quadlet: Drop --pull=never
* quadlet: Change default of ReadOnly to no
* quadlet: Change RunInit default to no
* quadlet: Change NoNewPrivileges default to false
* test: podman run with checkpoint image
* Enable 'podman run' for checkpoint images
* test: Add tests for checkpoint images
* CI setup: simplify environment passthrough code
* Init containers should not be restarted
* Update c/storage after https://github.com/containers/storage/pull/1436
* Set the latest release explicitly
* add friendly comment
* fix an overriding logic and load config problem
* Update the issue templates
* Update vendor of containers/(image, buildah)
* [CI:DOCS] Skip windows-smoke when not useful
* [CI:DOCS] Remove broken gate-container docs
* OWNERS: add Jason T. Greene
* hack/podmansnoop: print arguments
* Improve atomicity of VM state persistence on Windows
* [CI:BUILD] copr: enable podman-restart.service on rpm installation
* macos: pkg: Use -arm64 suffix instead of -aarch64
* linux: Add -linux suffix to podman-remote-static binaries
* linux: Build amd64 and arm64 podman-remote-static binaries
* container create: add inspect data to event
* Allow manual override of install location
* Run codespell on code
* Add missing parameters for checkpoint/restore endpoint
* Add support for startup healthchecks
* Add information on metrics to the `network create` docs
* Introduce podman machine os commands
* Document that ignoreRootFS depends on export/import
* Document ignoreVolumes in checkpoint/restore endpoint
* Remove leaveRunning from swagger restore endpoint
* libpod: Add checks to avoid nil pointer dereference if network setup fails
* Address golangci-lint issues
* Documenting Hyper-V QEMU acceleration settings
* Kube Play: fix the handling of the optional field of SecretVolumeSource
* Update Vendor of containers/(common, image, buildah)
* Fix swapped NetInput/-Output stats
* libpod: Use O_CLOEXEC for descriptors returned by (*Container).openDirectory
* chore: Fix MD for Troubleshooting Guide link in GitHub Issue Template
* test/tools: rebuild when files are changed
* ginkgo tests: apply ginkgolinter fixes
* ginkgo: restructure install work flow
* Fix manpage emphasis
* specgen: support CDI devices from containers.conf
* vendor: update containers/common
* pkg/trust: Take the default policy path from c/common/pkg/config
* Add validate-in-container target
* Adding encryption decryption feature
* container restart: clean up healthcheck state
* Add support for podman-remote manifest annotate
* Quadlet: Add support for .kube files
* Update vendor of containers/(buildah, common, storage, image)
* specgen: honor user namespace value
* [CI:DOCS] Migrate OSX Cross to M1
* quadlet: Rework uid/gid remapping
* GHA: Fix cirrus re-run workflow for other repos.
* ssh system test: skip until it becomes a test
* shell completion: fix hard coded network drivers
* libpod: Report network setup errors properly on FreeBSD
* E2E Tests: change the registry for the search test to avoid authentication
* pkginstaller: install podman-mac-helper by default
* Fix language. Mostly spelling a -> an
* podman machine: Propagate SSL_CERT_FILE and SSL_CERT_DIR to systemd environment.
* [CI:DOCS] Fix spelling and typos
* Modify man page of '--pids-limit' option to correct a default value.
* Update docs/source/markdown/podman-remote.1.md
* Update pkg/bindings/connection.go
* Add more documentation on UID/GID Mappings with --userns=keep-id
* support podman-remote to connect tcpURL with proxy
* Removing the RawInput from the API output
* fix port issues for CONTAINER_HOST
* CI: Package versions: run in the 'main' step
* build(deps): bump github.com/rootless-containers/rootlesskit
* pkg/domain: Make checkExecPreserveFDs platform-specific
* e2e tests: fix restart race
* Fix podman --noout to suppress all output
* remove pod if creation has failed
* pkg/rootless: Implement rootless.IsFdInherited on FreeBSD
* Fix more podman-logs flakes
* healthcheck system tests: try to fix flake
* libpod: treat ESRCH from /proc/PID/cgroup as ENOENT
* GHA: Configure workflows for reuse
* compat,build: handle docker's preconfigured cacheTo,cacheFrom
* docs: deprecate pasta network name
* utils: Enable cgroup utils for FreeBSD
* pkg/specgen: Disable kube play tests on FreeBSD
* libpod/lock: Fix build and tests for SHM locks on FreeBSD
* podman cp: fix copying with '.' suffix
* pkginstaller: bump Qemu to version 7.1.0
* specgen,wasm: switch to crun-wasm wherever applicable
* vendor: bump c/common to v0.50.2-0.20221111184705-791b83e1cdf1
* libpod: Make unit test for statToPercent Linux only
* Update vendor of containers/storage
* fix connection usage with containers.conf
* Add --quiet and --no-info flags to podman machine start
* Add hidden podman manifest inspect -v option
* Add podman volume create -d short option for driver
* Vendor in latest containers/(common,image,storage)
* Add podman system events alias to podman events
* Fix search_test to return correct version of alpine
* GHA: Fix undefined secret env. var.
* Release notes for 4.3.1
* GHA: Fix make_email-body script reference
* Add release keys to README
* GHA: Fix typo setting output parameter
* GHA: Fix typo.
* New tool, docs/version-check
* Formalize our compare-against-docker mechanism
* Add restart-sec for container service files
* test/tools: bump module to go 1.17
* contrib/cirrus/check_go_changes.sh: ignore test/tools/vendor
* build(deps): bump golang.org/x/tools from 0.1.12 to 0.2.0 in /test/tools
* libpod: Add FreeBSD support in packageVersion
* Allow podman manifest push --purge|-p as alias for --rm
* [CI:DOCS] Add performance tutorial
* [CI:DOCS] Fix build targets in build_osx.md.
* fix --format {{json .}} output to match docker
* remote: fix manifest add --annotation
* Skip test if `--events-backend` is necessary with podman-remote
* kube play: update the handling of PersistentVolumeClaim
* system tests: fix a system test in proxy environment
* Use single unqualified search registry on Windows
* test/system: Add, use tcp_port_probe() to check for listeners rather than binds
* test/system: Add tests for pasta(1) connectivity
* test/system: Move network-related helpers to helpers.network.bash
* test/system: Use procfs to find bound ports, with optional address and protocol
* test/system: Use port_is_free() from wait_for_port()
* libpod: Add pasta networking mode
* More log-flake work
* Fix test flakes caused by improper podman-logs
* fix incorrect systemdbooted check
* Cirrus: Add tests for GHA scripts
* GHA: Update scripts to pass shellcheck
* Cirrus: Shellcheck github-action scripts
* Cirrus: shellcheck support for github-action scripts
* GHA: Fix cirrus-cron scripts
* Makefile: don't install to tmpfiles.d on FreeBSD
* Make sure we can build and read each line of docker py's api client
* Docker compat build api - make sure only one line appears per flush
* Run codespell on code
* Update vendor of containers/(image, storage, common)
* Allow namespace path network option for pods.
* Cirrus: Never skip running Windows Cross task
* GHA: Auto. re-run failed cirrus-cron builds once
* GHA: Migrate inline script to file
* GHA: Simplify script reference
* test/e2e: do not use apk in builds
* remove container/pod id file along with container/pod
* Cirrus: Synchronize windows image
* Add --insecure,--tls-verify,--verbose flags to podman manifest inspect
* runtime: add check for valid pod systemd cgroup
* CI: set and verify DESIRED_NETWORK (netavark, cni)
* [CI:DOCS] troubleshooting: document keep-id options
* Man pages: refactor common options: --security-opt
* Cirrus: Guarantee CNI testing w/o nv/av present
* Cirrus: temp. disable all Ubuntu testing
* Cirrus: Update to F37beta
* buildah bud tests: better handling of remote
* quadlet: Warn in generator if using short names
* Add Windows Smoke Testing
* Add podman kube apply command
* docs: offer advice on installing test dependencies
* Fix documentation on read-only-tmpfs
* version bump to 4.4.0-dev
* deps: bump go-criu to v6
* Makefile: Add cross build targets for freebsd
* pkg/machine: Make this build on FreeBSD/arm64
* pkg/rctl: Remove unused cgo dependency
* man pages: assorted underscore fixes
* Upgrade GitHub actions packages from v2 to v3
* vendor github.com/godbus/dbus/v5@4b691ce
* [CI:DOCS] fix --tmpdir typos
* Do not report that /usr/share/containers/storage.conf has been edited.
* Eval symlinks on XDG_RUNTIME_DIR
* hack/podmansnoop
* rootless: support keep-id with one mapping
* rootless: add argument to GetConfiguredMappings
* Update vendor containers/(common,storage,buildah,image)
* Fix deadlock between 'podman ps' and 'container inspect' commands
* Add information about where the libpod/boltdb database lives
* Consolidate the dependencies for the IsTerminal() API
* Ensure that StartAndAttach locks while sending signals
* ginkgo testing: fix podman usernamespace join
* Test runners: nuke podman from $PATH before tests
* volumes: Fix idmap not working for volumes
* FIXME: Temporary workaround for ubi8 CI breakage
* System tests: teardown: clean up volumes
* update api versions on docs.podman.io
* system tests: runlabel: use podman-under-test
* system tests: podman network create: use random port
* sig-proxy test: bump timeout
* play kube: Allow the user to import the contents of a tar file into a volume
* Clarify the docs on DropCapability
* quadlet tests: Disable kmsg logging while testing
* quadlet: Support multiple Network=
* quadlet: Add support for Network=...
* Fix manpage for podman run --network option
* quadlet: Add support for AddDevice=
* quadlet: Add support for setting seccomp profile
* quadlet: Allow multiple elements on each Add/DropCaps line
* quadlet: Embed the correct binary name in the generated comment
* quadlet: Drop the SocketActivated key
* quadlet: Switch log-driver to passthrough
* quadlet: Change ReadOnly to default to enabled
* quadlet tests: Run the tests even for (expected) failed tests
* quadlet tests: Fix handling of stderr checks
* Remove unused script file
* notifyproxy: fix container watcher
* container/pod id file: truncate instead of throwing an error
* quadlet: Use the new podman create volume --ignore
* Add podman volume create --ignore
* logcollector: include aardvark-dns
* build(deps): bump github.com/stretchr/testify from 1.8.0 to 1.8.1
* build(deps): bump github.com/BurntSushi/toml from 1.2.0 to 1.2.1
* docs: generate systemd: point to kube template
* docs: kube play: mention restart policy
* Fixes: 15858 (podman system reset --force destroy machine)
* fix search flake
* use cached containers.conf
* adding regex support to the ancestor ps filter function
* Fix `system df` issues with `-f` and `-v`
* markdown-preprocess: cross-reference where opts are used
* Default qemu flags for Windows amd64
* build(deps): bump golang.org/x/text from 0.3.8 to 0.4.0
* Update main to reflect v4.3.0 release
* build(deps): bump github.com/docker/docker
* move quadlet packages into pkg/systemd
* system df: fix image-size calculations
* Add man page for quadlet
* Fix small typo
* testimage: add iproute2 & socat, for pasta networking
* Set up minikube for k8s testing
* Makefile: don't install systemd generator binaries on FreeBSD
* [CI:BUILD] copr: podman rpm should depend on containers-common-extra
* Podman image: Set default_sysctls to empty for rootless containers
* Don't use github.com/docker/distribution
* libpod: Add support for 'podman top' on FreeBSD
* libpod: Factor out jail name construction from stats_freebsd.go
* pkg/util: Add pid information descriptors for FreeBSD
* Initial quadlet version integrated in golang
* bump golangci-lint to v1.49.0
* Update vendor containers/(common,image,storage)
* Allow volume mount dups, iff source and dest dirs
* rootless: fix return value handling
* Change to correct break statements
* vendor containers/psgo@v1.8.0
* Clarify that MacOSX docs are client specific
* libpod: Factor out the call to PidFdOpen from (*Container).WaitForExit
* Add swagger install + allow version updates in CI
* Cirrus: Fix windows clone race
* build(deps): bump github.com/docker/docker
* kill: wait for the container
* generate systemd: set --stop-timeout for stopping containers
* hack/tree_status.sh: print diff at the end
* Fix markdown header typo
* markdown-preprocess: add generic include mechanism
* markdown-preprocess: almost complete OO rewrite
* Update tests for changed error messages
* Update c/image after https://github.com/containers/image/pull/1299
* Man pages: refactor common options (misc)
* Man pages: Refactor common options: --detach-keys
* vendor containers/storage@main
* Man pages: refactor common options: --attach
* build(deps): bump github.com/fsnotify/fsnotify from 1.5.4 to 1.6.0
* KillContainer: improve error message
* docs: add missing options
* Man pages: refactor common options: --annotation (manifest)
* build(deps): bump github.com/spf13/cobra from 1.5.0 to 1.6.0
* system tests: health-on-failure: fix broken logic
* build(deps): bump golang.org/x/text from 0.3.7 to 0.3.8
* build(deps): bump github.com/onsi/gomega from 1.20.2 to 1.22.1
* ContainerEngine.SetupRootless(): Avoid calling container.Config()
* Container filters: Avoid use of ctr.Config()
* Avoid unnecessary calls to Container.Spec()
* Add and use Container.LinuxResource() helper
* play kube: notifyproxy: listen before starting the pod
* play kube: add support for configmap binaryData
* Add and use libpod/Container.Terminal() helper
* Revert 'Add checkpoint image tests'
* Revert 'cmd/podman: add support for checkpoint images'
* healthcheck: fix --on-failure=stop
* Man pages: Add mention of behavior due to XDG_CONFIG_HOME
* build(deps): bump github.com/containers/ocicrypt from 1.1.5 to 1.1.6
* Avoid unnecessary timeout of 250msec when waiting on container shutdown
* health checks: make on-failure action retry aware
* libpod: Remove 100msec delay during shutdown
* libpod: Add support for 'podman pod' on FreeBSD
* libpod: Factor out cgroup validation from (*Runtime).NewPod
* libpod: Move runtime_pod_linux.go to runtime_pod_common.go
* specgen/generate: Avoid a nil dereference in MakePod
* libpod: Factor out cgroups handling from (*Pod).refresh
* Adds a link to OSX docs in CONTRIBUTING.md
* Man pages: refactor common options: --os-version
* Create full path to a directory when DirectoryOrCreate is used with play kube
* Return error in podman system service if URI scheme is not unix/tcp
* Man pages: refactor common options: --time
* man pages: document some --format options: images
* Clean up when stopping pods
* Update vendor of containers/buildah v1.28.0
* Proof of concept: nightly dependency treadmill
- Make the priority for picking the storage driver configurable (bsc#1197093)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:1913-1
Released: Wed Apr 19 14:23:14 2023
Summary: Recommended update for libslirp, slirp4netns
Type: recommended
Severity: moderate
References: 1201551
This update for libslirp and slirp4netns fixes the following issues:
libslirp was updated to version 4.7.0+44 (current git master):
* Fix vmstate regression
* Align outgoing packets
* Bump incoming packet alignment to 8 bytes
* vmstate: only enable when building under GNU C
* ncsitest: Fix build with msvc
* Separate out SLIRP_PACKED to SLIRP_PACKED_BEGIN/END
* ncsi: Add Mellanox Get Mac Address handler
* slirp: Add out-of-band ethernet address
* ncsi: Add OEM command handler
* ncsi: Add basic test for Get Version ID response
* ncsi: Use response header for payload length
* ncsi: Pass command header to response handlers
* ncsi: Add Get Version ID command
* ncsi: Pass Slirp structure to response handlers
* slirp: Add manufacturer's ID
Release v4.7.0
* slirp: invoke client callback before creating timers
* pingtest: port to timer_new_opaque
* introduce timer_new_opaque callback
* introduce slirp_timer_new wrapper
* icmp6: make ndp_send_ra static
* socket: Handle ECONNABORTED from recv
* bootp: fix g_str_has_prefix warning/critical
* slirp: Don't duplicate packet in tcp_reass
* Rename insque/remque -> slirp_[ins|rem]que
* mbuf: Use SLIRP_DEBUG to enable mbuf debugging instead of DEBUG
* Replace inet_ntoa() with safer inet_ntop()
* Add VMS_END marker
* bootp: add support for UEFI HTTP boot
* IPv6 DNS proxying support
* Add missing scope_id in caching
* socket: Move closesocket(so->s_aux) to sofree
* socket: Check so_type instead of so_tcpcb for Unix-to-inet translation
* socket: Add s_aux field to struct socket for storing auxiliary socket
* socket: Initialize so_type in socreate
* socket: Allocate Unix-to-TCP hostfwd port from OS by binding to port 0
* Allow to disable internal DHCP server
* slirp_pollfds_fill: Explain why dividing so_snd.sb_datalen by two
* CI: run integration tests with slirp4netns
* socket: Check address family for Unix-to-inet accept translation
* socket: Add debug args for tcpx_listen (inet and Unix sockets)
* socket: Restore original definition of fhost
* socket: Move include to socket.h
* Support Unix sockets in hostfwd
* resolv: fix IPv6 resolution on Darwin
* Use the exact sockaddr size in getnameinfo call
* Initialize sin6_scope_id to zero
* slirp_socketpair_with_oob: Connect pair through 127.0.0.1
* resolv: fix memory leak when using libresolv
* pingtest: Add a trivial ping test
* icmp: Support falling back on trying a SOCK_RAW socket
Update to version 4.6.1+7:
* Haiku: proper path to resolv.conf for DNS server
* Fix for Haiku
* dhcp: Always send DHCP_OPT_LEN bytes in options
Update to version 4.6.1:
* Fix 'DHCP broken in libslirp v4.6.0'
Update to version 4.6.0:
* udp: check upd_input buffer size
* tftp: introduce a header structure
* tftp: check tftp_input buffer size
* upd6: check udp6_input buffer size
* bootp: check bootp_input buffer size
* bootp: limit vendor-specific area to input packet memory buffer
Update to version 4.4.0:
* socket: consume empty packets
* slirp: check pkt_len before reading protocol header
* Add DNS resolving for iOS
* sosendoob: better document what urgc is used for
* TCPIPHDR_DELTA: Fix potential negative value
* udp, udp6, icmp, icmp6: Enable forwarding errors on Linux
* icmp, icmp6: Add icmp_forward_error and icmp6_forward_error
* udp, udp6, icmp: handle TTL value
* ip_stripoptions use memmove
slirp4netns was updated to 1.2.0:
* Add slirp4netns --target-type=bess/path/to/bess.sock for supporting UML (#281)
* Explicitly support DHCP (#270)
* Update parson to v1.1.3 (#273) kgabis/…
Update to version 1.1.11:
* Add --macaddress option to specify the MAC address of the tap interface.
* Updated the man page.
Update to version 1.1.8:
Update to 1.0.0:
* --enable-sandbox is now out of experimental
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:2003-1
Released: Tue Apr 25 18:05:42 2023
Summary: Security update for runc
Type: security
Severity: important
References: 1168481,1208962,1209884,1209888,CVE-2023-25809,CVE-2023-27561,CVE-2023-28642
This update for runc fixes the following issues:
Update to runc v1.1.5:
Security fixes:
- CVE-2023-25809: Fixed rootless `/sys/fs/cgroup` is writable when cgroupns isn't unshared (bnc#1209884).
- CVE-2023-27561: Fixed regression that reintroduced CVE-2019-19921 vulnerability (bnc#1208962).
- CVE-2023-28642: Fixed AppArmor/SELinux bypass with symlinked /proc (bnc#1209888).
Other fixes:
- Fix the inability to use `/dev/null` when inside a container.
- Fix changing the ownership of host's `/dev/null` caused by fd redirection (bsc#1168481).
- Fix rare runc exec/enter unshare error on older kernels.
- nsexec: Check for errors in `write_log()`.
- Drop version-specific Go requirement.
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:2157-1
Released: Wed May 10 13:21:20 2023
Summary: Security update for conmon
Type: security
Severity: important
References: 1200441
This update of conmon fixes the following issues:
- rebuild the package with the go 19.9 secure release (bsc#1200441).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:2256-1
Released: Fri May 19 15:26:43 2023
Summary: Security update for runc
Type: security
Severity: important
References: 1200441
This update of runc fixes the following issues:
- rebuild the package with the go 19.9 secure release (bsc#1200441).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:2324-1
Released: Tue May 30 15:52:17 2023
Summary: Security update for cni-plugins
Type: security
Severity: important
References: 1200441
This update of cni-plugins fixes the following issues:
- rebuild the package with the go 1.19 security release (bsc#1200441).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:2325-1
Released: Tue May 30 15:57:30 2023
Summary: Security update for cni
Type: security
Severity: important
References: 1200441
This update of cni fixes the following issues:
- rebuild the package with the go 1.19 security release (bsc#1200441).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:2527-1
Released: Fri Jun 16 19:04:57 2023
Summary: Recommended update for NetworkManager
Type: recommended
Severity: moderate
References:
This update for NetworkManager fixes the following issues:
- Create /etc/NetworkManager/conf.d by default, allowing easy override for NetworkManager.conf file with drop-in
- Move default config file to /usr/lib/NetworkManager/NetworkManager.conf, as part of main package
- Ensure /usr/lib/NetworkManager/conf.d is part of the package
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:2657-1
Released: Tue Jun 27 14:43:57 2023
Summary: Recommended update for libcontainers-common
Type: recommended
Severity: moderate
References: 1211124
This update for libcontainers-common fixes the following issues:
- New subpackage libcontainers-sles-mounts which adds SLE-specific mounts on SLE systems (bsc#1211124)
- Own /etc/containers/systemd and /usr/share/containers/systemd for podman quadlet
- Remove container-storage-driver.sh to default to the overlay driver instead of btrfs
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:2658-1
Released: Tue Jun 27 14:46:15 2023
Summary: Recommended update for containerd, docker, runc
Type: recommended
Severity: moderate
References: 1207004,1208074,1210298,1211578
This update for containerd, docker, runc fixes the following issues:
- Update to containerd v1.6.21 (bsc#1211578)
- Update to Docker 23.0.6-ce (bsc#1211578)
- Update to runc v1.1.7
- Require a minimum Go version explicitly (bsc#1210298)
- Re-unify packaging for SLE-12 and SLE-15
- Fix build on SLE-12 by switching back to libbtrfs-devel headers
- Allow man pages to be built without internet access in OBS
- Add apparmor-parser as a Recommends to make sure that most users will end up with it installed even if they are primarily running SELinux
- Fix syntax of boolean dependency
- Allow to install container-selinux instead of apparmor-parser
- Change to using systemd-sysusers
- Update runc.keyring to upstream version
- Fix the inability to use `/dev/null` when inside a container (bsc#1207004)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:2765-1
Released: Mon Jul 3 20:28:14 2023
Summary: Security update for libcap
Type: security
Severity: moderate
References: 1211418,1211419,CVE-2023-2602,CVE-2023-2603
This update for libcap fixes the following issues:
- CVE-2023-2602: Fixed improper memory release in libcap/psx/psx.c:__wrap_pthread_create() (bsc#1211418).
- CVE-2023-2603: Fixed an integer overflow or wraparound in libcap/cap_alloc.c:_libcap_strdup() (bsc#1211419).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:2847-1
Released: Mon Jul 17 08:40:42 2023
Summary: Recommended update for audit
Type: recommended
Severity: moderate
References: 1210004
This update for audit fixes the following issues:
- Check for AF_UNIX unnamed sockets (bsc#1210004)
- Enable livepatching on main library on x86_64
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:2868-1
Released: Tue Jul 18 11:35:52 2023
Summary: Security update for cni
Type: security
Severity: important
References: 1206346
This update of cni fixes the following issues:
- rebuild the package with the go 1.20 security release (bsc#1206346).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:2869-1
Released: Tue Jul 18 11:39:26 2023
Summary: Security update for cni-plugins
Type: security
Severity: important
References: 1206346
This update of cni-plugins fixes the following issues:
- rebuild the package with the go 1.20 security release (bsc#1206346).
----------------------------------------------------------------- Advisory ID: SUSE-SU-2023:2989-1 Released: Wed Jul 26 16:33:56 2023 Summary: Security update for conmon Type: security Severity: important References: 1208737,1209307 This update for conmon fixes the following issues: conmon was updated to version 2.1.7: - Bumped go version to 1.19 (bsc#1209307). Bugfixes: - Fixed leaking symbolic links in the opt_socket_path directory. - Fixed cgroup oom issues (bsc#1208737). - Fixed OOM watcher for cgroupv2 `oom_kill` events. ----------------------------------------------------------------- Advisory ID: SUSE-RU-2023:3217-1 Released: Mon Aug 7 16:51:10 2023 Summary: Recommended update for cryptsetup Type: recommended Severity: moderate References: 1211079 This update for cryptsetup fixes the following issues: - Handle system with low memory and no swap space (bsc#1211079) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2023:3410-1 Released: Thu Aug 24 06:56:32 2023 Summary: Recommended update for audit Type: recommended Severity: moderate References: 1201519,1204844 This update for audit fixes the following issues: - Create symbolic link from /sbin/audisp-syslog to /usr/sbin/audisp-syslog (bsc#1201519) - Fix rules not loaded when restartingauditd.service (bsc#1204844) The following package changes have been done: - libsemanage-conf-3.4-150400.1.8 added - libsepol2-3.4-150400.1.11 added - libsemanage2-3.4-150400.1.8 added - conmon-2.1.7-150400.3.11.1 updated - kernel-firmware-ath10k-20220509-150400.4.19.1 updated - libqrtr-glib0-1.2.2-150400.1.3 updated - kernel-firmware-amdgpu-20220509-150400.4.19.1 updated - kernel-firmware-ath11k-20220509-150400.4.19.1 updated - kernel-firmware-atheros-20220509-150400.4.19.1 updated - kernel-firmware-bluetooth-20220509-150400.4.19.1 updated - kernel-firmware-brcm-20220509-150400.4.19.1 updated - kernel-firmware-dpaa2-20220509-150400.4.19.1 updated - 
kernel-firmware-media-20220509-150400.4.19.1 updated - kernel-firmware-mwifiex-20220509-150400.4.19.1 updated - kernel-firmware-nfp-20220509-150400.4.19.1 updated - kernel-firmware-nvidia-20220509-150400.4.19.1 updated - kernel-firmware-prestera-20220509-150400.4.19.1 updated - kernel-firmware-qcom-20220509-150400.4.19.1 updated - kernel-firmware-radeon-20220509-150400.4.19.1 updated - kernel-firmware-serial-20220509-150400.4.19.1 updated - kernel-firmware-sound-20220509-150400.4.19.1 updated - kernel-firmware-ti-20220509-150400.4.19.1 updated - kernel-firmware-ueagle-20220509-150400.4.19.1 updated - libcontainers-common-20230214-150400.3.8.1 updated - libmbim-glib4-1.26.4-150400.1.2 updated - libmm-glib0-1.18.10-150400.1.2 updated - libslirp0-4.7.0+44-150300.15.2 added - runc-1.1.7-150000.46.1 updated - cni-0.7.1-150100.3.12.1 updated - cni-plugins-0.8.6-150100.3.15.1 updated - kernel-firmware-all-20220509-150400.4.19.1 updated - cryptsetup-2.4.3-150400.3.3.1 updated - libqmi-glib5-1.30.8-150400.1.2 updated - slirp4netns-1.2.0-150300.8.5.2 updated - podman-4.4.4-150400.4.16.1 updated - ModemManager-1.18.10-150400.1.2 updated - NetworkManager-wwan-1.38.2-150400.3.3.1 updated . SUSE Container Update Notice highlights a security update for rancher/elemental-teal/5.4, which resolves critical vulnerabilities and provides necessary fixes.. SUSE Container Updates,Security Fixes, Rancher Elemental Teal, Container Management. . Severity: Important. LinuxSecurity.com Team

Sep 14, 2023 | Important | SuSE

RedHat: RHSA-2023-3353-01 Critical: Kubernetes Multicluster Engine Fixes

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

====================================================================
Red Hat Security Advisory

Synopsis: Critical: Multicluster Engine for Kubernetes 2.0.9 security fixes and container updates
Advisory ID: RHSA-2023:3353-01
Product: multicluster engine for Kubernetes
Advisory URL: https://access.redhat.com/errata/RHSA-2023:3353
Issue date: 2023-05-30
CVE Names: CVE-2022-2795 CVE-2022-2928 CVE-2022-2929 CVE-2022-36227 CVE-2022-41973 CVE-2023-27535 CVE-2023-32313 CVE-2023-32314
====================================================================

1. Summary:

Multicluster Engine for Kubernetes 2.0.9 General Availability release images, which fix security issues and update container images. Red Hat Product Security has rated this update as having a security impact of Critical. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE links in the References section.

2. Description:

Multicluster Engine for Kubernetes 2.0.9 images

Multicluster engine for Kubernetes provides the foundational components that are necessary for the centralized management of multiple Kubernetes-based clusters across data centers, public clouds, and private clouds. You can use the engine to create new Red Hat OpenShift Container Platform clusters or to bring existing Kubernetes-based clusters under management by importing them. After the clusters are managed, you can use the APIs that are provided by the engine to distribute configuration based on placement policy.

Security fix(es):
* CVE-2023-32314 vm2: Sandbox Escape
* CVE-2023-32313 vm2: Inspect Manipulation

3. Solution:

For multicluster engine for Kubernetes, see the following documentation for details on how to install the images:

4. Bugs fixed (https://bugzilla.redhat.com/):

2208376 - CVE-2023-32314 vm2: Sandbox Escape
2208377 - CVE-2023-32313 vm2: Inspect Manipulation

5. References:

https://access.redhat.com/security/cve/CVE-2022-2795
https://access.redhat.com/security/cve/CVE-2022-2928
https://access.redhat.com/security/cve/CVE-2022-2929
https://access.redhat.com/security/cve/CVE-2022-36227
https://access.redhat.com/security/cve/CVE-2022-41973
https://access.redhat.com/security/cve/CVE-2023-27535
https://access.redhat.com/security/cve/CVE-2023-32313
https://access.redhat.com/security/cve/CVE-2023-32314
https://access.redhat.com/security/updates/classification/#critical

6. Contact:

The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/

Copyright 2023 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIVAwUBZHsDKtzjgjWX9erEAQiCaxAAg13g7gG+8ypdz3ovJCkfLUF4Qtmtt0H+
86n0MM3MWzy2difiDiCswyNSPL0hULASDVFKIkAwWEbmm1WYbPTadAe3x/TTmUhC
U0EyWLnWGnxDmnnC5SgrIjHFLJrjKG4Qa/ZbtZxUMNLkA0d2KlOYgwBu5m4gRuyH
73QFUE+iyqV4emMUIhgqyjsWEeiE/GdAz8KM0Rav/+zG9n8JMP3Lmc3W9T6rgqX9
gwyeDqvF81ZRmAWoPrTrsoTNXe69es+5hv8hHEoU2noEfuFMStuOGqA2Mvddrztp
rGtuLVMcoMTX+f9yxXReqHdTJEpBcmDZhl1TAg8aYb44isoxoRFSx+G73Akv00Uq
mWjTOJ6D/9T+h8tBFUKxYHxjgl/3xt3t4SFqH+un4S+vlypAJO6+mPZjjKRoJE88
8w0za9kbUo/r+ST1J12JOs6JrqAR7qDWad1Mkrk0qmSZLSQ9H7plF1j3XA8ZlBs7
CAtgi3Cg85DByF4e26/WUw69z9Foh5qgr05c3G/AHELLcJY/DdJUOCeoNBo9HYi7
K/l2J78/t7kuQgVSxC+//gMGxGj1z5itHHvxJ12ZTUO3ts/jwHGa49Ow2hh7WdCE
Wpa76bv+X+X0M3riX5X8x+Kw4iu3Hs8t8U6SaMkFGIQs5CTrDPcaEbjCa2CxJUe4
JvKwaYiKHlY=
=wc9k
-----END PGP SIGNATURE-----

--
RHSA-announce mailing list

Jun 03, 2023 | Critical | Red Hat

Red Hat Advanced Cluster Management: RHSA-2023:3326-01 Critical Issues

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

====================================================================
Red Hat Security Advisory

Synopsis: Critical: Red Hat Advanced Cluster Management 2.6.6 security fixes and container updates
Advisory ID: RHSA-2023:3326-01
Product: Red Hat ACM
Advisory URL: https://access.redhat.com/errata/RHSA-2023:3326
Issue date: 2023-05-25
CVE Names: CVE-2021-26341 CVE-2021-33655 CVE-2021-33656 CVE-2022-1462 CVE-2022-1679 CVE-2022-1789 CVE-2022-2196 CVE-2022-2663 CVE-2022-3028 CVE-2022-3239 CVE-2022-3522 CVE-2022-3524 CVE-2022-3564 CVE-2022-3566 CVE-2022-3567 CVE-2022-3619 CVE-2022-3623 CVE-2022-3625 CVE-2022-3627 CVE-2022-3628 CVE-2022-3707 CVE-2022-3970 CVE-2022-4129 CVE-2022-20141 CVE-2022-25265 CVE-2022-30594 CVE-2022-35252 CVE-2022-36227 CVE-2022-39188 CVE-2022-39189 CVE-2022-41218 CVE-2022-41674 CVE-2022-42703 CVE-2022-42720 CVE-2022-42721 CVE-2022-42722 CVE-2022-43552 CVE-2022-43750 CVE-2022-47929 CVE-2023-0361 CVE-2023-0394 CVE-2023-0461 CVE-2023-1195 CVE-2023-1582 CVE-2023-1999 CVE-2023-22490 CVE-2023-23454 CVE-2023-23946 CVE-2023-25652 CVE-2023-25815 CVE-2023-27535 CVE-2023-28856 CVE-2023-29007 CVE-2023-32313 CVE-2023-32314
====================================================================

1. Summary:

Red Hat Advanced Cluster Management for Kubernetes 2.6.6 General Availability release images, which fix security issues and update container images. Red Hat Product Security has rated this update as having a security impact of Critical. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE links in the References section.

2. Description:

Red Hat Advanced Cluster Management for Kubernetes 2.6.6 images

Red Hat Advanced Cluster Management for Kubernetes provides the capabilities to address common challenges that administrators and site reliability engineers face as they work across a range of public and private cloud environments. Clusters and applications are all visible and managed from a single console—with security policy built in.

This advisory contains the container images for Red Hat Advanced Cluster Management for Kubernetes, which fix several bugs. See the following Release Notes documentation, which will be updated shortly for this release, for additional details about this release:

https://docs.redhat.com/en/documentation/red_hat_advanced_cluster_management_for_kubernetes/2.6/html/release_notes/index

Security Fix(es):
* CVE-2023-28856 redis: Insufficient validation of HINCRBYFLOAT command
* CVE-2023-32314 vm2: Sandbox Escape
* CVE-2023-32313 vm2: Inspect Manipulation

3. Solution:

For Red Hat Advanced Cluster Management for Kubernetes, see the following documentation for details on how to install the images:

https://docs.redhat.com/en/documentation/red_hat_advanced_cluster_management_for_kubernetes/2.6/html/install/installing#installing-while-connected-online

4. Bugs fixed (https://bugzilla.redhat.com/):

2187525 - CVE-2023-28856 redis: Insufficient validation of HINCRBYFLOAT command
2208376 - CVE-2023-32314 vm2: Sandbox Escape
2208377 - CVE-2023-32313 vm2: Inspect Manipulation

5. References:

https://access.redhat.com/security/cve/CVE-2021-26341
https://access.redhat.com/security/cve/CVE-2021-33655
https://access.redhat.com/security/cve/CVE-2021-33656
https://access.redhat.com/security/cve/CVE-2022-1462
https://access.redhat.com/security/cve/CVE-2022-1679
https://access.redhat.com/security/cve/CVE-2022-1789
https://access.redhat.com/security/cve/CVE-2022-2196
https://access.redhat.com/security/cve/CVE-2022-2663
https://access.redhat.com/security/cve/CVE-2022-3028
https://access.redhat.com/security/cve/CVE-2022-3239
https://access.redhat.com/security/cve/CVE-2022-3522
https://access.redhat.com/security/cve/CVE-2022-3524
https://access.redhat.com/security/cve/CVE-2022-3564
https://access.redhat.com/security/cve/CVE-2022-3566
https://access.redhat.com/security/cve/CVE-2022-3567
https://access.redhat.com/security/cve/CVE-2022-3619
https://access.redhat.com/security/cve/CVE-2022-3623
https://access.redhat.com/security/cve/CVE-2022-3625
https://access.redhat.com/security/cve/CVE-2022-3627
https://access.redhat.com/security/cve/CVE-2022-3628
https://access.redhat.com/security/cve/CVE-2022-3707
https://access.redhat.com/security/cve/CVE-2022-3970
https://access.redhat.com/security/cve/CVE-2022-4129
https://access.redhat.com/security/cve/CVE-2022-20141
https://access.redhat.com/security/cve/CVE-2022-25265
https://access.redhat.com/security/cve/CVE-2022-30594
https://access.redhat.com/security/cve/CVE-2022-35252
https://access.redhat.com/security/cve/CVE-2022-36227
https://access.redhat.com/security/cve/CVE-2022-39188
https://access.redhat.com/security/cve/CVE-2022-39189
https://access.redhat.com/security/cve/CVE-2022-41218
https://access.redhat.com/security/cve/CVE-2022-41674
https://access.redhat.com/security/cve/CVE-2022-42703
https://access.redhat.com/security/cve/CVE-2022-42720
https://access.redhat.com/security/cve/CVE-2022-42721
https://access.redhat.com/security/cve/CVE-2022-42722
https://access.redhat.com/security/cve/CVE-2022-43552
https://access.redhat.com/security/cve/CVE-2022-43750
https://access.redhat.com/security/cve/CVE-2022-47929
https://access.redhat.com/security/cve/CVE-2023-0361
https://access.redhat.com/security/cve/CVE-2023-0394
https://access.redhat.com/security/cve/CVE-2023-0461
https://access.redhat.com/security/cve/CVE-2023-1195
https://access.redhat.com/security/cve/CVE-2023-1582
https://access.redhat.com/security/cve/CVE-2023-1999
https://access.redhat.com/security/cve/CVE-2023-22490
https://access.redhat.com/security/cve/CVE-2023-23454
https://access.redhat.com/security/cve/CVE-2023-23946
https://access.redhat.com/security/cve/CVE-2023-25652
https://access.redhat.com/security/cve/CVE-2023-25815
https://access.redhat.com/security/cve/CVE-2023-27535
https://access.redhat.com/security/cve/CVE-2023-28856
https://access.redhat.com/security/cve/CVE-2023-29007
https://access.redhat.com/security/cve/CVE-2023-32313
https://access.redhat.com/security/cve/CVE-2023-32314
https://access.redhat.com/security/updates/classification#critical

6. Contact:

The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact

Copyright 2023 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIVAwUBZHBqdtzjgjWX9erEAQgPBBAAnba1fjcWKh24XoIxjEsRwYwq2JN7qmIU
MANW+FQiQX2SxrlS729OKswdcDQbMeGr2S9bnmZutqTTihgS/0DnCEUV4leX2fec
iX3+umTRrS4S2n1bs6jhMTygTHNFMEm0hRlaif0T35YnLtFDUO82QQVMAuifh0kn
5Z8n3oHiu5KX8oHQueP2zk9jC1DP2LWcxPZq3X90kYPTYn1bv12N8EcmaiIsQI2L
I5vXMPLf/SSl22Fzgs/qvFrdpRzwuWl4OATWjdICIZZg4hVrxG/k4pekuPX1QsTE
7sFOBsDp6i9RW/ZgUG30BI7RI5TZv1x087SI9j5M4PL06ePnYzBeWOPmkD5XeclV
ScJvCcVQpI4gef0QrsRcfaMaVdYgJa4S6rn0RJddaXY1FsyhDU/61LjEpI/Mu5LC
GKchpJC+lUGhGWy7r5Nn563VuUwdjKqjvtBdU4UwB/K6GoLF4QYMWOcBlZUBxNfD
JLVIVj5FgQYNMcV/0KFsL51rlbeTCntp4xH5QbPxt+932E0FlSej5Y1dqTBNX78a
w0hkqQoBDqjfYK80yvyeRI5X3ZQ4SHJe61ozHVSLa+VhGz5WDrPaHNsFkPM01EsV
pUhn2d27SA+SRwPE93GG6smk1dHgx6grZCISvRbtqzItoXcDdEb5L94GZx0pIFiF
nh/78SLF0ZU=
=P0X2
-----END PGP SIGNATURE-----

--
RHSA-announce mailing list

May 26, 2023 | Critical | Red Hat

Red Hat ACM 2.7.4 Critical: RHSA-2023-3297-01 Sandbox Escape Update

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

====================================================================
Red Hat Security Advisory

Synopsis: Critical: Red Hat Advanced Cluster Management 2.7.4 security fixes and container updates
Advisory ID: RHSA-2023:3297-01
Product: Red Hat ACM
Advisory URL: https://access.redhat.com/errata/RHSA-2023:3297
Issue date: 2023-05-24
CVE Names: CVE-2022-36227 CVE-2023-0361 CVE-2023-22490 CVE-2023-23946 CVE-2023-25652 CVE-2023-25815 CVE-2023-27535 CVE-2023-29007 CVE-2023-32313 CVE-2023-32314
====================================================================

1. Summary:

Red Hat Advanced Cluster Management for Kubernetes 2.7.4 General Availability release images, which fix security issues and update container images. Red Hat Product Security has rated this update as having a security impact of Critical. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE links in the References section.

2. Description:

Red Hat Advanced Cluster Management for Kubernetes 2.7.4 images

Red Hat Advanced Cluster Management for Kubernetes provides the capabilities to address common challenges that administrators and site reliability engineers face as they work across a range of public and private cloud environments. Clusters and applications are all visible and managed from a single console—with security policy built in.

This advisory contains the container images for Red Hat Advanced Cluster Management for Kubernetes, which fix several bugs. See the following Release Notes documentation, which will be updated shortly for this release, for additional details about this release:

https://docs.redhat.com/en/documentation/red_hat_advanced_cluster_management_for_kubernetes/2.7/html/release_notes/index

Security fix(es):
* CVE-2023-32314 vm2: Sandbox Escape
* CVE-2023-32313 vm2: Inspect Manipulation

3. Solution:

For Red Hat Advanced Cluster Management for Kubernetes, see the following documentation, which will be updated shortly for this release, for important instructions on installing this release:

https://docs.redhat.com/en/documentation/red_hat_advanced_cluster_management_for_kubernetes/2.7/html-single/install/index#installing

4. Bugs fixed (https://bugzilla.redhat.com/):

2208376 - CVE-2023-32314 vm2: Sandbox Escape
2208377 - CVE-2023-32313 vm2: Inspect Manipulation

5. References:

https://access.redhat.com/security/cve/CVE-2022-36227
https://access.redhat.com/security/cve/CVE-2023-0361
https://access.redhat.com/security/cve/CVE-2023-22490
https://access.redhat.com/security/cve/CVE-2023-23946
https://access.redhat.com/security/cve/CVE-2023-25652
https://access.redhat.com/security/cve/CVE-2023-25815
https://access.redhat.com/security/cve/CVE-2023-27535
https://access.redhat.com/security/cve/CVE-2023-29007
https://access.redhat.com/security/cve/CVE-2023-32313
https://access.redhat.com/security/cve/CVE-2023-32314
https://access.redhat.com/security/updates/classification#critical

6. Contact:

The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact

Copyright 2023 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIVAwUBZG5wNtzjgjWX9erEAQhtig//Z/qbgBp0IoWqglFZ5bkFe1AAvUQYHDrT
6iuglIY5Lmi71ezBt4DEqEs0pZjJ4u3dm/ikQxyg3AuBNGtcRkxI3hNJMia3uKYW
jsCP8oBPGnsyQ/f9IiupbYScEula3pl50yu3CvXQNtG5hcNbIDU1HctlVeOH9VOi
ZTYB+7Lfw39ENh4EArkz7wUP8Vg2oE9Pc+pfau+OJQ+NmUX1Uc6kio6UMR8s/qPw
X1e8pl+qDiDIQj6iODF44scLZGbCS5OzrZs8rLn9KpA1Upo6sjStz+H1DnAGkCu5
Nq4xcaif63cS2+mar/6yXMd46vHHUQZc4Nyrgl+IzLeiTy5TfUWKzkNgcd+d09ff
t0nxDN2/wnQTo5h1FhJzdYOwP9CG9t7XjAZvj/CwlrZtw4LBiEpZqhNwuTFqzfRP
EA4GDUNqXEKrDiNXecL/MId+QGcu2lJx/19yENF6csIIMJZzPljtCM5NdRXK2LO8
JJppnE13Pa0HCA9fwVCHgpWbKRi3l95uJrS1XOdJeBhZ8az/ky/TSBqtn9tzd8ih
yDhSZCTYcRmnUfpxzq7c4tZHeeYFVuUSxOCHYTY35YFS2tD5TGOliGCszfl60zYB
Q9hS9VdbiI7wi7+6AaTlYZb4ZkfZ5/DK7ADZeSgFY6CJLWBQidnBKSpG5x6CAqaT
B6U0UG3yYqc=
=WYPq
-----END PGP SIGNATURE-----

--
RHSA-announce mailing list

May 24, 2023 | Critical | Red Hat

Red Hat: RHSA-2023:2110-01 moderate: Security Patches for OpenShift

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

====================================================================
Red Hat Security Advisory

Synopsis: Moderate: OpenShift Container Platform 4.12.16 security update
Advisory ID: RHSA-2023:2110-01
Product: Red Hat OpenShift Enterprise
Advisory URL: https://access.redhat.com/errata/RHSA-2023:2110
Issue date: 2023-05-10
CVE Names: CVE-2022-46146 CVE-2023-0286 CVE-2023-1999 CVE-2023-28617
====================================================================

1. Summary:

Red Hat OpenShift Container Platform release 4.12.16 is now available with updates to packages and images that fix several bugs and add enhancements.

This release includes a security update for Red Hat OpenShift Container Platform 4.12.

Red Hat Product Security has rated this update as having a security impact of [impact]. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

2. Description:

Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments.

This advisory contains the container images for Red Hat OpenShift Container Platform 4.12.16. See the following advisory for the RPM packages for this release:

Space precludes documenting all of the container images in this advisory. See the following Release Notes documentation, which will be updated shortly for this release, for details about these changes:

https://docs.redhat.com/en/documentation/openshift_container_platform/4.12/html/release_notes/ocp-4-12-release-notes

Security Fix(es):
* exporter-toolkit: authentication bypass via cache poisoning (CVE-2022-46146)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

All OpenShift Container Platform 4.12 users are advised to upgrade to these updated packages and images when they are available in the appropriate release channel. To check for available updates, use the OpenShift CLI (oc) or web console. Instructions for upgrading a cluster are available at https://docs.redhat.com/en/documentation/openshift_container_platform/4.12/html/updating_clusters/updating-cluster-cli

3. Solution:

For OpenShift Container Platform 4.12 see the following documentation, which will be updated shortly for this release, for important instructions on how to upgrade your cluster and fully apply this asynchronous errata update:

https://docs.redhat.com/en/documentation/openshift_container_platform/4.12/html/release_notes/ocp-4-12-release-notes

You can download the oc tool and use it to inspect release image metadata for x86_64, s390x, ppc64le, and aarch64 architectures. The image digests can be found at https://quay.io/repository/openshift-release-dev/ocp-release?tab=tags.

The sha values for the release are:

(For x86_64 architecture)
The image digest is sha256:5339b3c4686010dc42990e0addce5aa4fddd071d6d9504dffe08a4b5059f6f38

(For s390x architecture)
The image digest is sha256:171c389cac763eb6f77cb088755782bec565357baf655e611f50885f814f1aaf

(For ppc64le architecture)
The image digest is sha256:de25720325b20112a6361207a6c42a2f5859e6d023fe176410a9e1aaf0ed3c74

(For aarch64 architecture)
The image digest is sha256:8794d8a92afa21c8869daba76761deff737126ef9e3377e30173bd826506cc67

All OpenShift Container Platform 4.12 users are advised to upgrade to these updated packages and images when they are available in the appropriate release channel. To check for available updates, use the OpenShift CLI (oc) or web console. Instructions for upgrading a cluster are available at https://docs.redhat.com/en/documentation/openshift_container_platform/4.12/html/updating_clusters/updating-cluster-cli

4. Bugs fixed (https://bugzilla.redhat.com/):

2149436 - CVE-2022-46146 exporter-toolkit: authentication bypass via cache poisoning

5. JIRA issues fixed (https://issues.redhat.com/):

OCPBUGS-11559 - multus-admission-controller should not run as root under Hypershift-managed CNO
OCPBUGS-11844 - Pipeline is not removed when Deployment/DC/Knative Service or Application is deleted
OCPBUGS-11972 - update the default pipelineRun template name
OCPBUGS-11993 - TypeError on VIF revert
OCPBUGS-12199 - create hosted cluster failed with aws s3 access issue
OCPBUGS-12265 - [4.12] Network scale metrics
OCPBUGS-12361 - PTP metrics - Unexpected metrics for old phc2sys appears in metrics after modify ptpconfigs
OCPBUGS-12440 - Instance shouldn't be moved back from f to a
OCPBUGS-12473 - [4.13] Fix Flake TestAttemptToScaleDown/scale_down_only_by_one_machine_at_a_time
OCPBUGS-12476 - Pipelines repository list and creation form doesn't show Tech Preview status
OCPBUGS-12477 - Users don't know what type of resource is being created by Import from Git or Deploy Image flows
OCPBUGS-12688 - 4.12 upgrade jobs broken by runc upgrade
OCPBUGS-1753 - Using OLM descriptor components deletes operand e2e test failing
OCPBUGS-6888 - Show Git icon and URL in repository link in PLR details page should be based on the git provider

6. References:

https://access.redhat.com/security/cve/CVE-2022-46146
https://access.redhat.com/security/cve/CVE-2023-0286
https://access.redhat.com/security/cve/CVE-2023-1999
https://access.redhat.com/security/cve/CVE-2023-28617
https://access.redhat.com/security/updates/classification/#moderate
https://docs.redhat.com/en/documentation/openshift_container_platform/4.12/html/release_notes/ocp-4-12-release-notes

7. Contact:

The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/

Copyright 2023 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIVAwUBZFva69zjgjWX9erEAQihxBAAjfgP91+Y8NAL9LsgpC9pMvYIjh92ZI1L
uMzPo33etxENoDLUGik24Bfd+ZT9RWWywA00Ksq0LpUK4p5UBsHtXdBpCV6XhwlZ
t5elfvcdTiIUMnV9u8HfQKsEqwnID0r8eBExCkINDbeBWHfp5qReSSHdL8xw34tA
D/Mh6S7zlOJakNPaedRMFwxM8GYixy3fgRSVlsSk2n+Qsd4kTb9eUpl1e6tilSn/
CVtMyF7hccKUz6U/eV7L0igzDqsaQ9PN83msDCcI2JP5sp1d4H/dcvEExMxAeJj0
HegtSF2ZlgqICROfufKP08ySfxCYnDWbqwpgMu+6d4sLs8E7OPVD+DQ3RpyXJYfs
ZWlZXBYZnFfxzXbN2keulncrTTrCtWr678DLPKpoKMGF/8SU727Qi7U3X7/6LMdr
vaPnz5uPPTj8SH1ezEZE/eCoIqozVYYp4TI8bY+NYnw5dbFUJP6N4JSK0p2ul6pK
/LIMgaslNLKm9/qZzHE8xo9d3f7zPUimc5MV9HuKe3I6sorqlJEE5TZf971tvWkL
QhXzT4e06C2bHBaH9CSRZ0dad0BydJWgw+PXbln6Bxqm0drt+ASjbmHdHGgKV43H
8KI9qvpFlAcaBzk78zd+MiNtDaLTpUDH3zKkh2X+8Nwzl4R4x6JHvV7utmEopR0V
t/7Wrna0fIg=
=Jc1o
-----END PGP SIGNATURE-----

--
RHSA-announce mailing list

May 10, 2023 | Red Hat

SUSE: 2022:1133-1 Critical: Container Security Updates for Memory Leaks

The container suse-sles-15-sp3-chost-byos-v20221119-x86_64-gen2 was updated. The following patches have been included in this update:. SUSE Image Update Advisory: suse-sles-15-sp3-chost-byos-v20221119-x86_64-gen2 ----------------------------------------------------------------- Image Advisory ID : SUSE-IU-2022:1133-1 Image Tags : suse-sles-15-sp3-chost-byos-v20221119-x86_64-gen2:20221119 Image Release : Severity : critical Type : security References : 1027519 1032323 1065729 1087072 1101820 1149792 1152489 1167864 1176785 1177083 1177460 1177471 1180995 1181961 1185032 1190818 1192439 1193923 1194023 1194530 1196444 1196840 1197659 1198702 1199492 1199564 1199856 1199918 1199926 1199927 1199944 1200022 1200102 1200313 1200465 1200622 1200788 1201247 1201309 1201310 1201489 1201645 1201725 1201865 1201959 1201978 1201990 1202021 1202095 1202324 1202341 1202385 1202627 1202638 1202677 1202686 1202700 1202803 1202812 1202821 1202960 1202976 1202984 1203046 1203066 1203098 1203159 1203164 1203181 1203201 1203290 1203313 1203387 1203389 1203391 1203410 1203424 1203496 1203514 1203552 1203614 1203619 1203620 1203622 1203652 1203681 1203737 1203769 1203770 1203802 1203806 1203807 1203906 1203909 1203911 1203935 1203939 1203987 1203988 1203989 1203992 1204051 1204053 1204059 1204060 1204111 1204112 1204113 1204125 1204137 1204145 1204166 1204168 1204179 1204211 1204256 1204289 1204290 1204291 1204292 1204354 1204355 1204357 1204366 1204367 1204382 1204383 1204402 1204415 1204417 1204431 1204439 1204470 1204479 1204482 1204485 1204487 1204488 1204489 1204490 1204494 12044961204574 1204575 1204619 1204635 1204637 1204646 1204647 1204649 1204653 1204690 1204708 1204728 1204753 1204754 1204968 1204986 1205156 CVE-2016-3709 CVE-2018-10903 CVE-2020-10696 CVE-2020-16119 CVE-2021-20206 CVE-2021-22569 CVE-2021-4037 CVE-2021-46848 CVE-2022-1615 CVE-2022-1664 CVE-2022-1941 CVE-2022-20008 CVE-2022-2153 CVE-2022-2503 CVE-2022-2586 CVE-2022-2795 CVE-2022-2928 CVE-2022-2929 CVE-2022-2964 
CVE-2022-2978 CVE-2022-2990 CVE-2022-3169 CVE-2022-3171 CVE-2022-3176 CVE-2022-32221 CVE-2022-3239 CVE-2022-32743 CVE-2022-3303 CVE-2022-33746 CVE-2022-33747 CVE-2022-33748 CVE-2022-3424 CVE-2022-3515 CVE-2022-3521 CVE-2022-3524 CVE-2022-3535 CVE-2022-3542 CVE-2022-3545 CVE-2022-3565 CVE-2022-3577 CVE-2022-3586 CVE-2022-3594 CVE-2022-3621 CVE-2022-3625 CVE-2022-3629 CVE-2022-3640 CVE-2022-3646 CVE-2022-3649 CVE-2022-38177 CVE-2022-38178 CVE-2022-3821 CVE-2022-39189 CVE-2022-40303 CVE-2022-40304 CVE-2022-40768 CVE-2022-41218 CVE-2022-41222 CVE-2022-41674 CVE-2022-41848 CVE-2022-41849 CVE-2022-42010 CVE-2022-42011 CVE-2022-42012 CVE-2022-42309 CVE-2022-42310 CVE-2022-42311 CVE-2022-42312 CVE-2022-42313 CVE-2022-42314 CVE-2022-42315 CVE-2022-42316 CVE-2022-42317 CVE-2022-42318 CVE-2022-42319 CVE-2022-42320 CVE-2022-42321 CVE-2022-42322 CVE-2022-42323 CVE-2022-42325 CVE-2022-42326 CVE-2022-42703 CVE-2022-42719 CVE-2022-42720 CVE-2022-42721 CVE-2022-42722 CVE-2022-43680 CVE-2022-43750 CVE-2022-43995 ----------------------------------------------------------------- The container suse-sles-15-sp3-chost-byos-v20221119-x86_64-gen2 was updated. Thefollowing patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2022:3682-1 Released: Fri Oct 21 11:42:40 2022 Summary: Security update for bind Type: security Severity: important References: 1201247,1203614,1203619,1203620,CVE-2022-2795,CVE-2022-38177,CVE-2022-38178 This update for bind fixes the following issues: - CVE-2022-2795: Fixed potential performance degredation due to missing database lookup limits when processing large delegations (bsc#1203614). - CVE-2022-38177: Fixed a memory leak that could be externally triggered in the DNSSEC verification code for the ECDSA algorithm (bsc#1203619). - CVE-2022-38178: Fixed memory leaks that could be externally triggered in the DNSSEC verification code for the EdDSA algorithm (bsc#1203620). 
Bugfixes:
- Changed ownership of /var/lib/named/master from named:named to root:root (bsc#1201247)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2022:3683-1
Released: Fri Oct 21 11:48:39 2022
Summary: Security update for libksba
Type: security
Severity: critical
References: 1204357,CVE-2022-3515
This update for libksba fixes the following issues:
- CVE-2022-3515: Fixed a possible overflow in the TLV parser (bsc#1204357).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2022:3766-1
Released: Wed Oct 26 11:38:01 2022
Summary: Security update for buildah
Type: security
Severity: important
References: 1167864,1181961,1202812,CVE-2020-10696,CVE-2021-20206,CVE-2022-2990
This update for buildah fixes the following issues:
- CVE-2021-20206: Fixed an issue in libcni that could allow an attacker to execute arbitrary binaries on the host (bsc#1181961).
- CVE-2020-10696: Fixed an issue that could lead to files being overwritten during the image building process (bsc#1167864).
- CVE-2022-2990: Fixed possible information disclosure and modification / bsc#1202812
Buildah was updated to version 1.27.1:
* run: add container gid to additional groups
- Add fix for CVE-2022-2990 / bsc#1202812
Update to version 1.27.0:
* Don't try to call runLabelStdioPipes if spec.Linux is not set
* build: support filtering cache by duration using --cache-ttl
* build: support building from commit when using git repo as build context
* build: clean up git repos correctly when using subdirs
* integration tests: quote '?' in shell scripts
* test: manifest inspect should have OCIv1 annotation
* vendor: bump to c/common@87fab4b7019a
* Failure to determine a file or directory should print an error
* refactor: remove unused CommitOptions from generateBuildOutput
* stage_executor: generate output for cases with no commit
* stage_executor, commit: output only if last stage in build
* Use errors.Is() instead of os.Is{Not,}Exist
* Minor test tweak for podman-remote compatibility
* Cirrus: Use the latest imgts container
* imagebuildah: complain about the right Dockerfile
* tests: don't try to wrap `nil` errors
* cmd/buildah.commitCmd: don't shadow 'err'
* cmd/buildah.pullCmd: complain about DecryptConfig/EncryptConfig
* Fix a copy/paste error message
* Fix a typo in an error message
* build,cache: support pulling/pushing cache layers to/from remote sources
* Update vendor of containers/(common, storage, image)
* Rename chroot/run.go to chroot/run_linux.go
* Don't bother telling codespell to skip files that don't exist
* Set user namespace defaults correctly for the library
* imagebuildah: optimize cache hits for COPY and ADD instructions
* Cirrus: Update VM images w/ updated bats
* docs, run: show SELinux label flag for cache and bind mounts
* imagebuildah, build: remove undefined concurrent writes
* bump github.com/opencontainers/runtime-tools
* Add FreeBSD support for 'buildah info'
* Vendor in latest containers/(storage, common, image)
* Add freebsd cross build targets
* Make the jail package build on 32bit platforms
* Cirrus: Ensure the build-push VM image is labeled
* GHA: Fix dynamic script filename
* Vendor in containers/(common, storage, image)
* Run codespell
* Remove import of github.com/pkg/errors
* Avoid using cgo in pkg/jail
* Rename footypes to fooTypes for naming consistency
* Move cleanupTempVolumes and cleanupRunMounts to run_common.go
* Make the various run mounts work for FreeBSD
* Move get{Bind,Tmpfs,Secret,SSH}Mount to run_common.go
* Move runSetupRunMounts to run_common.go
* Move cleanableDestinationListFromMounts to run_common.go
* Make setupMounts and runSetupBuiltinVolumes work on FreeBSD
* Move setupMounts and runSetupBuiltinVolumes to run_common.go
* Tidy up - runMakeStdioPipe can't be shared with linux
* Move runAcceptTerminal to run_common.go
* Move stdio copying utilities to run_common.go
* Move runUsingRuntime and runCollectOutput to run_common.go
* Move fileCloser, waitForSync and contains to run_common.go
* Move checkAndOverrideIsolationOptions to run_common.go
* Move DefaultNamespaceOptions to run_common.go
* Move getNetworkInterface to run_common.go
* Move configureEnvironment to run_common.go
* Don't crash in configureUIDGID if Process.Capabilities is nil
* Move configureUIDGID to run_common.go
* Move runLookupPath to run_common.go
* Move setupTerminal to run_common.go
* Move etc file generation utilities to run_common.go
* Add run support for FreeBSD
* Add a simple FreeBSD jail library
* Add FreeBSD support to pkg/chrootuser
* Sync call signature for RunUsingChroot with chroot/run.go
* test: verify feature to resolve basename with args
* vendor: bump openshift/imagebuilder to master@4151e43
* GHA: Remove required reserved-name use
* buildah: set XDG_RUNTIME_DIR before setting default runroot
* imagebuildah: honor build output even if build container is not committed
* chroot: honor DefaultErrnoRet
* [CI:DOCS] improve pull-policy documentation
* tests: retrofit test since --file does not support dir
* Switch to golang native error wrapping
* BuildDockerfiles: error out if path to containerfile is a directory
* define.downloadToDirectory: fail early if bad HTTP response
* GHA: Allow re-use of Cirrus-Cron fail-mail workflow
* add: fail on bad http response instead of writing to container
* [CI:DOCS] Update buildahimage comment
* lint: inspectable is never nil
* vendor: c/common to common@7e1563b
* build: support OCI hooks for ephemeral build containers
* [CI:BUILD] Install latest buildah instead of compiling
* Add subid support with BuildRequires and BUILDTAG [NO NEW TESTS NEEDED]
* Make sure cpp is installed in buildah images
* demo: use unshare for rootless invocations
* buildah.spec.rpkg: initial addition
* build: fix test for subid 4
* build, userns: add support for --userns=auto
* Fix building upstream buildah image
* Remove redundant buildahimages-are-sane validation
* Docs: Update multi-arch buildah images readme
* Cirrus: Migrate multiarch build off github actions
* retrofit-tests: we skip unused stages so use stages
* stage_executor: don't rely on stage while looking for additional-context
* buildkit, multistage: skip computing unwanted stages
* More test cleanup
* copier: work around freebsd bug for 'mkdir /'
* Replace $BUILDAH_BINARY with buildah() function
* Fix up buildah images
* Make util and copier build on FreeBSD
* Vendor in latest github.com/sirupsen/logrus
* Makefile: allow building without .git
* run_unix: don't return an error from getNetworkInterface
* run_unix: return a valid DefaultNamespaceOptions
* Update vendor of containers/storage
* chroot: use ActKillThread instead of ActKill
* use resolvconf package from c/common/libnetwork
* update c/common to latest main
* copier: add `NoOverwriteNonDirDir` option
* Sort buildoptions and move cli/build functions to internal
* Fix TODO: de-spaghettify run mounts
* Move options parsing out of build.go and into pkg/cli
* [CI:DOCS] Tutorial 04 - Include Debian/Ubuntu deps
* build, multiarch: support splitting build logs for --platform
* [CI:BUILD] WIP Cleanup Image Dockerfiles
* cli remove stutter
* docker-parity: ignore sanity check if baseImage history is null
* build, commit: allow disabling image history with --omit-history
* Fix use generic/ambiguous DEBUG name
* Cirrus: use Ubuntu 22.04 LTS
* Fix codespell errors
* Remove util.StringInSlice because it is defined in containers/common
* buildah: add support for renaming a device in rootless setups
* squash: never use build cache when computing last step of last stage
* Update vendor of containers/(common, storage, image)
* buildkit: supports additionalBuildContext in builds via --build-context
* buildah source pull/push: show progress bar
* run: allow reusing secret twice in different RUN steps
* test helpers: default to being rootless-aware
* Add --cpp-flag flag to buildah build
* build: accept branch and subdirectory when context is git repo
* Vendor in latest containers/common
* vendor: update c/storage and c/image
* Fix gentoo install docs
* copier: move NSS load to new process
* Add test for prevention of reusing encrypted layers
* Make `buildah build --label foo` create an empty 'foo' label again
Update to version 1.26.4:
* build, multiarch: support splitting build logs for --platform
* copier: add `NoOverwriteNonDirDir` option
* docker-parity: ignore sanity check if baseImage history is null
* build, commit: allow disabling image history with --omit-history
* buildkit: supports additionalBuildContext in builds via --build-context
* Add --cpp-flag flag to buildah build
Update to version 1.26.3:
* define.downloadToDirectory: fail early if bad HTTP response
* add: fail on bad http response instead of writing to container
* squash: never use build cache when computing last step of last stage
* run: allow reusing secret twice in different RUN steps
* integration tests: update expected error messages
* integration tests: quote '?' in shell scripts
* Use errors.Is() to check for storage errors
* lint: inspectable is never nil
* chroot: use ActKillThread instead of ActKill
* chroot: honor DefaultErrnoRet
* Set user namespace defaults correctly for the library
* contrib/rpm/buildah.spec: fix `rpm` parser warnings
Drop requires on apparmor pattern; it should be moved elsewhere for systems which want AppArmor instead of SELinux.
- Update BuildRequires to libassuan-devel >= 2.5.2; the pkgconfig file is required to build.
Update to version 1.26.2:
* buildah: add support for renaming a device in rootless setups
Update to version 1.26.1:
* Make `buildah build --label foo` create an empty 'foo' label again
* imagebuildah,build: move deepcopy of args before we spawn goroutine
* Vendor in containers/storage v1.40.2
* buildah.BuilderOptions.DefaultEnv is ignored, so mark it as deprecated
* help output: get more consistent about option usage text
* Handle OS version and features flags
* buildah build: --annotation and --label should remove values
* buildah build: add a --env
* buildah: deep copy options.Args before performing concurrent build/stage
* test: inline platform and builtinargs behaviour
* vendor: bump imagebuilder to master/009dbc6
* build: automatically set correct TARGETPLATFORM where expected
* Vendor in containers/(common, storage, image)
* imagebuildah, executor: process arg variables while populating baseMap
* buildkit: add support for custom build output with --output
* Cirrus: Update CI VMs to F36
* fix staticcheck linter warning for deprecated function
* Fix docs build on FreeBSD
* copier.unwrapError(): update for Go 1.16
* copier.PutOptions: add StripSetuidBit/StripSetgidBit/StripStickyBit
* copier.Put(): write to read-only directories
* Ed's periodic test cleanup
* using consistent lowercase 'invalid' word in returned err msg
* use etchosts package from c/common
* run: set actual hostname in /etc/hostname to match docker parity
* Update vendor of containers/(common,storage,image)
* manifest-create: allow creating manifest list from local image
* Update vendor of storage,common,image
* Initialize network backend before first pull
* oci spec: change special mount points for namespaces
* tests/helpers.bash: assert handle corner cases correctly
* buildah: actually use containers.conf settings
* integration tests: learn to start a dummy registry
* Fix error check to work on Podman
* buildah build should accept at most one arg
* tests: reduce concurrency for flaky bud-multiple-platform-no-run
* vendor in latest containers/common,image,storage
* manifest-add: allow override arch,variant while adding image
* Remove a stray `\` from .containerenv
* Vendor in latest opencontainers/selinux v1.10.1
* build, commit: allow removing default identity labels
* Create shorter names for containers based on image IDs
* test: skip rootless on cgroupv2 in root env
* fix hang when oci runtime fails
* Set permissions for GitHub actions
* copier test: use correct UID/GID in test archives
* run: set parent-death signals and forward SIGHUP/SIGINT/SIGTERM
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2022:3773-1
Released: Wed Oct 26 12:19:29 2022
Summary: Security update for curl
Type: security
Severity: important
References: 1204383,CVE-2022-32221
This update for curl fixes the following issues:
- CVE-2022-32221: Fixed POST following PUT confusion (bsc#1204383).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2022:3775-1
Released: Wed Oct 26 13:06:35 2022
Summary: Security update for the Linux Kernel
Type: security
Severity: important
References: 1177471,1185032,1194023,1196444,1197659,1199564,1200313,1200622,1201309,1201310,1201489,1201645,1201865,1201990,1202095,1202341,1202385,1202677,1202960,1202984,1203159,1203290,1203313,1203389,1203410,1203424,1203514,1203552,1203622,1203737,1203769,1203770,1203906,1203909,1203935,1203939,1203987,1203992,1204051,1204059,1204060,1204125,1204289,1204290,1204291,1204292,CVE-2020-16119,CVE-2022-20008,CVE-2022-2503,CVE-2022-2586,CVE-2022-3169,CVE-2022-3239,CVE-2022-3303,CVE-2022-40768,CVE-2022-41218,CVE-2022-41222,CVE-2022-41674,CVE-2022-41848,CVE-2022-41849,CVE-2022-42719,CVE-2022-42720,CVE-2022-42721,CVE-2022-42722
The SUSE Linux Enterprise 15 SP3 kernel was updated.
The following security bugs were fixed:
- CVE-2022-40768: Fixed an information leak in the scsi driver which allowed local users to obtain sensitive information from kernel memory. (bnc#1203514)
- CVE-2022-3169: Fixed a denial of service flaw which occurs when consecutive requests to NVME_IOCTL_RESET and NVME_IOCTL_SUBSYS_RESET are sent. (bnc#1203290)
- CVE-2022-42722: Fixed crash in beacon protection for P2P-device. (bsc#1204125)
- CVE-2022-42719: Fixed MBSSID parsing use-after-free. (bsc#1204051)
- CVE-2022-42721: Avoid nontransmitted BSS list corruption. (bsc#1204060)
- CVE-2022-42720: Fixed BSS refcounting bugs. (bsc#1204059)
- CVE-2022-3303: Fixed a race condition in the sound subsystem due to improper locking (bnc#1203769).
- CVE-2022-41218: Fixed a use-after-free caused by refcount races in drivers/media/dvb-core/dmxdev.c (bnc#1202960).
- CVE-2022-3239: Fixed a use-after-free in the video4linux driver that could allow a local user to crash the system or escalate their privileges (bnc#1203552).
- CVE-2022-41848: Fixed a race condition and resultant use-after-free if a physically proximate attacker removes a PCMCIA device while calling ioctl (bnc#1203987).
- CVE-2022-41849: Fixed a race condition and resultant use-after-free if a physically proximate attacker removes a USB device while calling open (bnc#1203992).
- CVE-2022-41674: Fixed a DoS issue where the kernel can crash on the reception of specific WiFi frames (bsc#1203770).
- CVE-2022-2586: Fixed a use-after-free which can be triggered when a nft table is deleted (bnc#1202095).
- CVE-2022-41222: Fixed a use-after-free via a stale TLB because an rmap lock is not held during a PUD move (bnc#1203622).
- CVE-2022-2503: Fixed a bug in dm-verity: device-mapper table reloads allowed users with root privileges to switch out the target with an equivalent dm-linear target and bypass verification until reboot. This allowed root to bypass LoadPin and could be used to load untrusted and unverified kernel modules and firmware, which implies arbitrary kernel execution and persistence for peripherals that do not verify firmware updates (bnc#1202677).
- CVE-2022-20008: Fixed a bug which allowed reading kernel heap memory due to uninitialized data. This could lead to local information disclosure if reading from an SD card that triggers errors, with no additional execution privileges needed. (bnc#1199564)
- CVE-2020-16119: Fixed a use-after-free vulnerability exploitable by a local attacker due to reuse of a DCCP socket. (bnc#1177471)
The following non-security bugs were fixed:
- ALSA: aloop: Fix random zeros in capture data when using jiffies timer (git-fixes).
- ALSA: emu10k1: Fix out of bounds access in snd_emu10k1_pcm_channel_alloc() (git-fixes).
- ALSA: hda/realtek: Re-arrange quirk table entries (git-fixes).
- ALSA: seq: Fix data-race at module auto-loading (git-fixes).
- ALSA: seq: oss: Fix data-race for max_midi_devs access (git-fixes).
- ALSA: usb-audio: Fix an out-of-bounds bug in __snd_usb_parse_audio_interface() (git-fixes).
- ALSA: usb-audio: fix spelling mistakes (git-fixes).
- ALSA: usb-audio: Inform the delayed registration more properly (git-fixes).
- ALSA: usb-audio: Register card again for iface over delayed_register option (git-fixes).
- ALSA: usb-audio: Split endpoint setups for hw_params and prepare (git-fixes).
- arm64: cpufeature: Allow different PMU versions in ID_DFR0_EL1 (git-fixes)
- arm64: dts: allwinner: A64 Sopine: phy-mode rgmii-id (git-fixes)
- arm64: dts: allwinner: a64-sopine-baseboard: change RGMII mode to (bsc#1202341)
- arm64: dts: allwinner: H5: NanoPi Neo Plus2: phy-mode rgmii-id (git-fixes)
- arm64: dts: rockchip: Pull up wlan wake# on Gru-Bob (git-fixes)
- arm64: dts: rockchip: Remove 'enable-active-low' from rk3399-puma (git-fixes)
- arm64: dts: rockchip: Set RK3399-Gru PCLK_EDP to 24 MHz (git-fixes)
- arm64: dts: uniphier: Fix USB interrupts for PXs3 SoC (git-fixes)
- arm64: kexec_file: use more system keyrings to verify kernel image signature (bsc#1196444).
- arm64: mm: Always update TCR_EL1 from __cpu_set_tcr_t0sz() (git-fixes)
- arm64: mm: fix p?d_leaf() (git-fixes)
- arm64: mm: use a 48-bit ID map when possible on 52-bit VA builds (git-fixes)
- arm64: tegra: Fix SDMMC1 CD on P2888 (git-fixes)
- arm64: tegra: Remove non existent Tegra194 reset (git-fixes)
- arm64: tlb: fix the TTL value of tlb_get_level (git-fixes)
- arm64/mm: Validate hotplug range before creating linear mapping (git-fixes)
- bpf: Compile out btf_parse_module() if module BTF is not enabled (git-fixes).
- cgroup: cgroup_get_from_id() must check the looked-up kn is a directory (bsc#1203906).
- crypto: arm64/gcm - Select AEAD for GHASH_ARM64_CE (git-fixes)
- crypto: arm64/poly1305 - fix a read out-of-bound (git-fixes)
- drm/amdgpu: Check num_gfx_rings for gfx v9_0 rb setup (git-fixes).
- drm/amdgpu: mmVM_L2_CNTL3 register not initialized correctly (git-fixes).
- drm/gem: Fix GEM handle release errors (git-fixes).
- drm/i915/glk: ECS Liva Q2 needs GLK HDMI port timing quirk (git-fixes).
- drm/meson: Correct OSD1 global alpha value (git-fixes).
- drm/meson: Fix OSD1 RGB to YCbCr coefficient (git-fixes).
- drm/msm/rd: Fix FIFO-full deadlock (git-fixes).
- drm/radeon: add a force flush to delay work when radeon (git-fixes).
- dtb: Do not include sources in src.rpm - refer to kernel-source. As with other kernel binary packages, there is no need to carry duplicate sources in dtb packages.
- efi: capsule-loader: Fix use-after-free in efi_capsule_write (git-fixes).
- fbdev: chipsfb: Add missing pci_disable_device() in chipsfb_pci_init() (git-fixes).
- fbdev: fb_pm2fb: Avoid potential divide by zero error (git-fixes).
- ftrace: Fix NULL pointer dereference in is_ftrace_trampoline when ftrace is dead (git-fixes).
- gpio: mpc8xxx: Fix support for IRQ_TYPE_LEVEL_LOW flow_type in mpc85xx (git-fixes).
- HID: intel-ish-hid: ishtp: Fix ishtp client sending disordered message (git-fixes).
- HID: ishtp-hid-clientHID: ishtp-hid-client: Fix comment typo (git-fixes).
- ieee802154: cc2520: add rc code in cc2520_tx() (git-fixes).
- ima: force signature verification when CONFIG_KEXEC_SIG is configured (bsc#1203737).
- Input: iforce - add support for Boeder Force Feedback Wheel (git-fixes).
- Input: melfas_mip4 - fix return value check in mip4_probe() (git-fixes).
- Input: snvs_pwrkey - fix SNVS_HPVIDR1 register address (git-fixes).
- JFS: fix GPF in diFree (bsc#1203389).
- JFS: fix memleak in jfs_mount (git-fixes).
- JFS: more checks for invalid superblock (git-fixes).
- JFS: prevent NULL deref in diFree (bsc#1203389).
- kABI: x86: kexec: hide new include from genksyms (bsc#1196444).
- kexec: clean up arch_kexec_kernel_verify_sig (bsc#1196444).
- kexec: do not verify the signature without the lockdown or mandatory signature (bsc#1203737).
- kexec: drop weak attribute from arch_kexec_apply_relocations[_add] (bsc#1196444).
- kexec: drop weak attribute from functions (bsc#1196444).
- kexec: drop weak attribute from functions (bsc#1196444).
- kexec: KEYS: make the code in bzImage64_verify_sig generic (bsc#1196444).
- kexec: KEYS: s390: Make use of built-in and secondary keyring for signature verification (bsc#1196444).
- KVM: nVMX: Let userspace set nVMX MSR to any _host_ supported value (git-fixes).
- KVM: x86: Mark TSS busy during LTR emulation _after_ all fault checks (git-fixes).
- KVM: x86: Set error code to segment selector on LLDT/LTR non-canonical #GP (git-fixes).
- md-raid10: fix KASAN warning (git-fixes).
- md: call __md_stop_writes in md_stop (git-fixes).
- md: unlock mddev before reap sync_thread in action_store (bsc#1197659).
- mm: pagewalk: Fix race between unmap and page walker (git-fixes, bsc#1203159).
- mm: proc: smaps_rollup: do not stall write attempts on mmap_lock (bsc#1201990).
- mm: smaps*: extend smap_gather_stats to support specified beginning (bsc#1201990).
- net: mana: Add rmb after checking owner bits (git-fixes).
- net: mana: Add support of XDP_REDIRECT action (bug#1201310, jsc#PED-529).
- net: mana: Add the Linux MANA PF driver (bug#1201309, jsc#PED-529).
- NFS: Do not decrease the value of seq_nr_highest_sent (git-fixes).
- NFS: Fix races in the legacy idmapper upcall (git-fixes).
- NFS: Handle NFS4ERR_DELAY replies to OP_SEQUENCE correctly (git-fixes).
- NFS: RECLAIM_COMPLETE must handle EACCES (git-fixes).
- NFSD: Fix offset type in I/O trace points (git-fixes).
- nvme-fabrics: parse nvme connect Linux error codes (bsc#1201865).
- nvme-rdma: Handle number of queue changes (bsc#1201865).
- nvme-tcp: fix UAF when detecting digest errors (bsc#1200313 bsc#1201489).
- nvme-tcp: Handle number of queue changes (bsc#1201865).
- nvmet: Expose max queues to configfs (bsc#1201865).
- of: device: Fix up of_dma_configure_id() stub (git-fixes).
- of: fdt: fix off-by-one error in unflatten_dt_nodes() (git-fixes).
- pinctrl: rockchip: Enhance support for IRQ_TYPE_EDGE_BOTH (git-fixes).
- platform/x86: acer-wmi: Acer Aspire One AOD270/Packard Bell Dot keymap fixes (git-fixes).
- powerpc/drmem: Make lmb_size 64 bit (bsc#1203424 ltc#199544).
- powerpc/memhotplug: Make lmb size 64bit (bsc#1203424 ltc#199544).
- ppc64/kdump: Limit kdump base to 512MB (bsc#1203410 ltc#199904).
- psi: Fix uaf issue when psi trigger is destroyed while being polled (bsc#1203909).
- regulator: core: Clean up on enable failure (git-fixes).
- s390/qeth: cache link_info for ethtool (bsc#1202984 LTC#199607).
- s390/qeth: clean up default cases for ethtool link mode (bsc#1202984 LTC#199607).
- s390/qeth: improve QUERY CARD INFO processing (bsc#1202984 LTC#199607).
- s390/qeth: improve selection of ethtool link modes (bsc#1202984 LTC#199607).
- s390/qeth: set static link info during initialization (bsc#1202984 LTC#199607).
- s390/qeth: tolerate error when querying card info (bsc#1202984 LTC#199607).
- s390/qeth: use QUERY OAT for initial link info (bsc#1202984 LTC#199607).
- scsi: core: Fix bad pointer dereference when ehandler kthread is invalid (git-fixes).
- scsi: lpfc: Add missing destroy_workqueue() in error path (bsc#1203939).
- scsi: lpfc: Add missing free iocb and nlp kref put for early return VMID cases (bsc#1203939).
- scsi: lpfc: Add reporting capability for Link Degrade Signaling (bsc#1203939).
- scsi: lpfc: Fix FLOGI ACC with wrong SID in PT2PT topology (bsc#1203939).
- scsi: lpfc: Fix mbuf pool resource detected as busy at driver unload (bsc#1203939).
- scsi: lpfc: Fix multiple NVMe remoteport registration calls for the same NPort ID (bsc#1203939).
- scsi: lpfc: Fix prli_fc4_req checks in PRLI handling (bsc#1203939).
- scsi: lpfc: Fix various issues reported by tools (bsc#1203939).
- scsi: lpfc: Move scsi_host_template outside dynamically allocated/freed phba (bsc#1185032 bsc#1203939).
- scsi: lpfc: Remove the unneeded result variable (bsc#1203939).
- scsi: lpfc: Remove unneeded result variable (bsc#1203939).
- scsi: lpfc: Rename mp/bmp dma buffers to rq/rsp in lpfc_fdmi_cmd (bsc#1203939).
- scsi: lpfc: Return DID_TRANSPORT_DISRUPTED instead of DID_REQUEUE (bsc#1203939).
- scsi: lpfc: Rework FDMI attribute registration for unintentional padding (bsc#1203939).
- scsi: lpfc: Rework lpfc_fdmi_cmd() routine for cleanup and consistency (bsc#1203939).
- scsi: lpfc: Update congestion mode logging for Emulex SAN Manager application (bsc#1203939).
- scsi: lpfc: Update lpfc version to 14.2.0.7 (bsc#1203939).
- scsi: mpt3sas: Fix use-after-free warning (git-fixes).
- scsi: qla2xxx: Add debugfs create/delete helpers (bsc#1203935).
- scsi: qla2xxx: Add NVMe parameters support in Auxiliary Image Status (bsc#1203935).
- scsi: qla2xxx: Always wait for qlt_sess_work_fn() from qlt_stop_phase1() (bsc#1203935).
- scsi: qla2xxx: Avoid flush_scheduled_work() usage (bsc#1203935).
- scsi: qla2xxx: Disable ATIO interrupt coalesce for quad port ISP27XX (bsc#1203935).
- scsi: qla2xxx: Drop DID_TARGET_FAILURE use (bsc#1203935).
- scsi: qla2xxx: Fix memory leak in __qlt_24xx_handle_abts() (bsc#1203935).
- scsi: qla2xxx: Fix response queue handler reading stale packets (bsc#1203935).
- scsi: qla2xxx: Log message 'skipping scsi_scan_host()' as informational (bsc#1203935).
- scsi: qla2xxx: Remove unused declarations for qla2xxx (bsc#1203935).
- scsi: qla2xxx: Remove unused del_sess_list field (bsc#1203935).
- scsi: qla2xxx: Remove unused qlt_tmr_work() (bsc#1203935).
- scsi: qla2xxx: Revert 'scsi: qla2xxx: Fix response queue handler reading stale packets' (bsc#1203935).
- scsi: qla2xxx: Update version to 10.02.07.900-k (bsc#1203935).
- scsi: sg: Allow waiting for commands to complete on removed device (git-fixes).
- scsi: smartpqi: Fix DMA direction for RAID requests (git-fixes).
- scsi: smartpqi: Shorten drive visibility after removal (bsc#1200622).
- scsi: smartpqi: Update LUN reset handler (bsc#1200622).
- soc: brcmstb: pm-arm: Fix refcount leak and __iomem leak bugs (git-fixes).
- squashfs: fix divide error in calculate_skip() (git-fixes).
- struct ehci_hcd: hide new member (git-fixes).
- struct otg_fsm: hide new boolean member in gap (git-fixes).
- SUNRPC: Do not call connect() more than once on a TCP socket (git-fixes).
- SUNRPC: Do not leak sockets in xs_local_connect() (git-fixes).
- SUNRPC: fix expiry of auth creds (git-fixes).
- SUNRPC: Fix misplaced barrier in call_decode (git-fixes).
- SUNRPC: Partial revert of commit 6f9f17287e78 (git-fixes).
- SUNRPC: Reinitialise the backchannel request buffers before reuse (git-fixes).
- SUNRPC: RPC level errors should set task->tk_rpc_status (git-fixes).
- svcrdma: Hold private mutex while invoking rdma_accept() (git-fixes).
- tracing: hold caller_addr to hardirq_{enable,disable}_ip (git-fixes).
- USB: Add ignore-residue quirk for NXP PN7462AU (git-fixes).
- USB: cdc-acm: Add Icom PMR F3400 support (0c26:0020) (git-fixes).
- USB: core: Fix RST error in hub.c (git-fixes).
- USB: core: Prevent nested device-reset calls (git-fixes).
- USB: dwc3: disable USB core PHY management (git-fixes).
- USB: ehci: handshake CMD_RUN instead of STS_HALT (git-fixes).
- USB: otg-fsm: Fix hrtimer list corruption (git-fixes).
- USB: serial: ch341: fix disabled rx timer on older devices (git-fixes).
- USB: serial: ch341: fix lost character on LCR updates (git-fixes).
- USB: serial: ch341: name prescaler, divisor registers (git-fixes).
- USB: serial: cp210x: add Decagon UCA device id (git-fixes).
- USB: serial: ftdi_sio: add Omron CS1W-CIF31 device id (git-fixes).
- USB: serial: option: add Quectel EM060K modem (git-fixes).
- USB: serial: option: add support for Cinterion MV32-WA/WB RmNet mode (git-fixes).
- USB: serial: option: add support for OPPO R11 diag port (git-fixes).
- USB: storage: Add ASUS to IGNORE_UAS (git-fixes).
- USB: struct usb_device: hide new member (git-fixes).
- usbnet: Fix memory leak in usbnet_disconnect() (git-fixes).
- vt: Clear selection before changing the font (git-fixes).
- vt: selection, introduce vc_is_sel (git-fixes).
- watchdog: wdat_wdt: Set the min and max timeout values properly (bsc#1194023).
- wifi: iwlegacy: 4965: corrected fix for potential off-by-one overflow in il4965_rs_fill_link_cmd() (git-fixes).
- x86/bugs: Reenable retbleed=off. While for older kernels the return thunks are statically built in and cannot be dynamically patched out, retbleed=off should still work so that it can be disabled.
- x86/kexec: fix memory leak of elf header buffer (bsc#1196444).
- x86/xen: Remove undefined behavior in setup_features() (git-fixes).
- xen/xenbus: fix return type in xenbus_file_read() (git-fixes).
- xprtrdma: Fix cwnd update ordering (git-fixes).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2022:3776-1
Released: Wed Oct 26 14:06:43 2022
Summary: Recommended update for permissions
Type: recommended
Severity: important
References: 1203911,1204137
This update for permissions fixes the following issues:
- Revert changes that replaced ping capabilities with ICMP_PROTO sockets. Older SUSE Linux Enterprise versions don't properly support the ICMP_PROTO sockets feature yet (bsc#1204137)
- Fix regression introduced by backport of security fix (bsc#1203911)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2022:3784-1
Released: Wed Oct 26 18:03:28 2022
Summary: Security update for libtasn1
Type: security
Severity: critical
References: 1204690,CVE-2021-46848
This update for libtasn1 fixes the following issues:
- CVE-2021-46848: Fixed an off-by-one array size check that affects asn1_encode_simple_der (bsc#1204690)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2022:3805-1
Released: Thu Oct 27 17:19:46 2022
Summary: Security update for dbus-1
Type: security
Severity: important
References: 1087072,1204111,1204112,1204113,CVE-2022-42010,CVE-2022-42011,CVE-2022-42012
This update for dbus-1 fixes the following issues:
- CVE-2022-42010: Fixed a potential crash that could be triggered by an invalid signature (bsc#1204111).
- CVE-2022-42011: Fixed an out of bounds read caused by a fixed length array (bsc#1204112).
- CVE-2022-42012: Fixed a use-after-free that could be triggered by a message in non-native endianness with an out-of-band Unix file descriptor (bsc#1204113).
Bugfixes:
- Disable asserts (bsc#1087072).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2022:3871-1
Released: Fri Nov 4 13:26:29 2022
Summary: Security update for libxml2
Type: security
Severity: important
References: 1201978,1204366,1204367,CVE-2016-3709,CVE-2022-40303,CVE-2022-40304
This update for libxml2 fixes the following issues:
- CVE-2016-3709: Fixed possible XSS vulnerability (bsc#1201978).
- CVE-2022-40303: Fixed integer overflows with XML_PARSE_HUGE (bsc#1204366).
- CVE-2022-40304: Fixed dict corruption caused by entity reference cycles (bsc#1204367).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2022:3900-1
Released: Tue Nov 8 10:47:55 2022
Summary: Recommended update for docker
Type: recommended
Severity: moderate
References: 1200022
This update for docker fixes the following issues:
- Fix a crash-on-start issue with dockerd (bsc#1200022)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2022:3901-1
Released: Tue Nov 8 10:50:06 2022
Summary: Recommended update for openssl-1_1
Type: recommended
Severity: moderate
References: 1180995,1203046
This update for openssl-1_1 fixes the following issues:
- Default to RFC7919 groups when generating ECDH parameters using 'genpkey' or 'dhparam' in FIPS mode (bsc#1180995)
- Fix memory leaks (bsc#1203046)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2022:3904-1
Released: Tue Nov 8 10:52:13 2022
Summary: Recommended update for openssh
Type: recommended
Severity: moderate
References: 1192439
This update for openssh fixes the following issue:
- Prevent empty messages from being sent. (bsc#1192439)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2022:3905-1
Released: Tue Nov 8 12:23:17 2022
Summary: Recommended update for aaa_base
Type: recommended
Severity: important
References: 1196840,1199492,1199918,1199926,1199927
This update for aaa_base and iputils fixes the following issues:
aaa_base:
- Failures in ping for SUSE Linux Enterprise 15 and 15 SP1 due to sysctl setting for ping_group_range (bsc#1199926, bsc#1199927)
- The wrapper rootsh is not a restricted shell (bsc#1199492)
iputils:
- Fix device binding on ping6 for ICMP datagram socket. (bsc#1196840, bsc#1199918, bsc#1199926, bsc#1199927)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2022:3910-1
Released: Tue Nov 8 13:05:04 2022
Summary: Recommended update for pam
Type: recommended
Severity: moderate
References:
This update for pam fixes the following issue:
- Update pam_motd to the most current version. (PED-1712)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2022:3912-1
Released: Tue Nov 8 13:38:11 2022
Summary: Security update for expat
Type: security
Severity: important
References: 1204708,CVE-2022-43680
This update for expat fixes the following issues:
- CVE-2022-43680: Fixed a use-after-free caused by overeager destruction of a shared DTD in XML_ExternalEntityParserCreate (bsc#1204708).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2022:3917-1
Released: Tue Nov 8 16:41:28 2022
Summary: Recommended update for python-azure-agent
Type: recommended
Severity: moderate
References: 1203164,1203181
This update for python-azure-agent fixes the following issues:
- Properly set OS.EnableRDMA flag (bsc#1203181)
- Update to version 2.8.0.11 (bsc#1203164)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2022:3922-1
Released: Wed Nov 9 09:03:33 2022
Summary: Security update for protobuf
Type: security
Severity: important
References: 1194530,1203681,1204256,CVE-2021-22569,CVE-2022-1941,CVE-2022-3171
This update for protobuf fixes the following issues:
- CVE-2021-22569: Fixed Denial of Service in protobuf-java in the parsing procedure for binary data (bsc#1194530).
- CVE-2022-1941: Fix a potential DoS issue in protobuf-cpp and protobuf-python (bsc#1203681)
- CVE-2022-3171: Fix a potential DoS issue when parsing with binary data in protobuf-java (bsc#1204256)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2022:3927-1
Released: Wed Nov 9 14:55:47 2022
Summary: Recommended update for runc
Type: recommended
Severity: moderate
References: 1202021,1202821
This update for runc fixes the following issues:
- Update to runc v1.1.4 (bsc#1202021)
- Fix failed exec after systemctl daemon-reload (bsc#1202821)
- Fix mounting via wrong proc
- Fix 'permission denied' error from runc run on noexec filesystem
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2022:3947-1
Released: Fri Nov 11 09:04:30 2022
Summary: Security update for xen
Type: security
Severity: important
References: 1027519,1193923,1203806,1203807,1204482,1204485,1204487,1204488,1204489,1204490,1204494,1204496,CVE-2022-33746,CVE-2022-33747,CVE-2022-33748,CVE-2022-42309,CVE-2022-42310,CVE-2022-42311,CVE-2022-42312,CVE-2022-42313,CVE-2022-42314,CVE-2022-42315,CVE-2022-42316,CVE-2022-42317,CVE-2022-42318,CVE-2022-42319,CVE-2022-42320,CVE-2022-42321,CVE-2022-42322,CVE-2022-42323,CVE-2022-42325,CVE-2022-42326
This update for xen fixes the following issues:
- CVE-2022-33746: Fixed DoS due to excessively long P2M pool freeing (bsc#1203806)
- CVE-2022-33748: Fixed DoS due to race in locking (bsc#1203807)
- CVE-2022-42311, CVE-2022-42312, CVE-2022-42313, CVE-2022-42314, CVE-2022-42315, CVE-2022-42316, CVE-2022-42317, CVE-2022-42318: xen: Xenstore: Guests can let xenstored run out of memory (bsc#1204482)
- CVE-2022-42309: xen: Xenstore: Guests can crash xenstored (bsc#1204485)
- CVE-2022-42310: xen: Xenstore: Guests can create orphaned Xenstore nodes (bsc#1204487)
- CVE-2022-42319: xen: Xenstore: Guests can cause Xenstore to not free temporary memory (bsc#1204488)
- CVE-2022-42320: xen: Xenstore: Guests can get access to Xenstore nodes of deleted domains (bsc#1204489)
- CVE-2022-42321: xen: Xenstore: Guests can crash xenstored via exhausting the stack (bsc#1204490)
- CVE-2022-42322,CVE-2022-42323: xen: Xenstore: cooperating guests can create arbitrary numbers of nodes (bsc#1204494)
- CVE-2022-42325,CVE-2022-42326: xen: Xenstore: Guests can create arbitrary number of nodes via transactions (bsc#1204496)
- xen: Frontends vulnerable to backends (bsc#1193923)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2022:3955-1
Released: Fri Nov 11 12:24:27 2022
Summary: Security update for samba
Type: security
Severity: important
References: 1200102,1202803,1202976,CVE-2022-1615,CVE-2022-32743
This update for samba fixes the following issues:
- CVE-2022-1615: Fixed error handling in random number generation (bso#15103) (bsc#1202976).
- CVE-2022-32743: Implement validated dnsHostName write rights (bso#14833) (bsc#1202803).

Bugfixes:
- Fixed use after free when iterating smbd_server_connection->connections after tree disconnect failure (bso#15128) (bsc#1200102).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2022:3961-1
Released: Mon Nov 14 07:33:50 2022
Summary: Recommended update for zlib
Type: recommended
Severity: important
References: 1203652

This update for zlib fixes the following issues:
- Fix updating strm.adler with inflate() if DFLTCC is used (bsc#1203652)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2022:3973-1
Released: Mon Nov 14 15:38:25 2022
Summary: Recommended update for util-linux
Type: recommended
Severity: moderate
References: 1201959,1204211

This update for util-linux fixes the following issues:
- Fix file conflict during upgrade (bsc#1204211)
- libuuid improvements (bsc#1201959, PED-1150):
  libuuid: Fix range when parsing UUIDs.
  Improve cache handling for short-running applications: increment the cache size over runtime.
  Implement continuous clock handling for time based UUIDs.
  Check clock value from clock file to provide seamless libuuid.
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2022:3985-1
Released: Tue Nov 15 12:54:11 2022
Summary: Recommended update for python-apipkg
Type: recommended
Severity: moderate
References: 1204145

This update fixes for python3-apipkg the following issues:
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2022:3991-1
Released: Tue Nov 15 13:54:13 2022
Summary: Security update for dhcp
Type: security
Severity: moderate
References: 1203988,1203989,CVE-2022-2928,CVE-2022-2929

This update for dhcp fixes the following issues:
- CVE-2022-2928: Fixed an option refcount overflow (bsc#1203988).
- CVE-2022-2929: Fixed a DHCP memory leak (bsc#1203989).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2022:4020-1
Released: Wed Nov 16 15:45:13 2022
Summary: Recommended update for nfs-utils
Type: recommended
Severity: moderate
References: 1199856,1202627

This update for nfs-utils fixes the following issues:
- Fix nfsdcltrack bug that affected non-x86 archs (bsc#1202627)
- Ensure sysctl setting work (bsc#1199856)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2022:4044-1
Released: Thu Nov 17 09:07:24 2022
Summary: Security update for python-cryptography, python-cryptography-vectors
Type: security
Severity: important
References: 1101820,1149792,1176785,1177083,CVE-2018-10903

This update for python-cryptography, python-cryptography-vectors fixes the following issues:
- Update in SLE-15 (bsc#1177083, jsc#PM-2730, jsc#SLE-18312)
- Refresh patches for new version
- Update in SLE-15 (bsc#1176785, jsc#ECO-3105, jsc#PM-2352)
- update to 2.9.2
  * 2.9.2 - 2020-04-22
    - Updated the macOS wheel to fix an issue where it would not run on macOS versions older than 10.15.
  * 2.9.1 - 2020-04-21
    - Updated Windows, macOS, and manylinux wheels to be compiled with OpenSSL 1.1.1g.
  * 2.9 - 2020-04-02
    - BACKWARDS INCOMPATIBLE: Support for Python 3.4 has been removed due to low usage and maintenance burden.
    - BACKWARDS INCOMPATIBLE: Support for OpenSSL 1.0.1 has been removed. Users on older versions of OpenSSL will need to upgrade.
    - BACKWARDS INCOMPATIBLE: Support for LibreSSL 2.6.x has been removed.
    - Removed support for calling public_bytes() with no arguments, as per our deprecation policy. You must now pass encoding and format.
    - BACKWARDS INCOMPATIBLE: Reversed the order in which rfc4514_string() returns the RDNs as required by RFC 4514.
    - Updated Windows, macOS, and manylinux wheels to be compiled with OpenSSL 1.1.1f.
    - Added support for parsing single_extensions in an OCSP response.
    - NameAttribute values can now be empty strings.
- Add openSSL_111d.patch to make this version of the package compatible with OpenSSL 1.1.1d, thus fixing bsc#1149792.
- bsc#1101820 CVE-2018-10903 GCM tag forgery via truncated tag in finalize_with_tag API
- Update in SLE-15 (bsc#1177083, jsc#PM-2730, jsc#SLE-18312)
- Include in SLE-15 (bsc#1176785, jsc#ECO-3105, jsc#PM-2352)
- update to 2.9.2:
  * updated vectors for the cryptography 2.9.2 testing
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2022:4053-1
Released: Thu Nov 17 15:35:55 2022
Summary: Security update for the Linux Kernel
Type: security
Severity: important
References: 1032323,1065729,1152489,1198702,1200465,1200788,1201725,1202638,1202686,1202700,1203066,1203098,1203387,1203391,1203496,1203802,1204053,1204166,1204168,1204354,1204355,1204382,1204402,1204415,1204417,1204431,1204439,1204470,1204479,1204574,1204575,1204619,1204635,1204637,1204646,1204647,1204653,1204728,1204753,1204754,CVE-2021-4037,CVE-2022-2153,CVE-2022-2964,CVE-2022-2978,CVE-2022-3176,CVE-2022-3424,CVE-2022-3521,CVE-2022-3524,CVE-2022-3535,CVE-2022-3542,CVE-2022-3545,CVE-2022-3565,CVE-2022-3577,CVE-2022-3586,CVE-2022-3594,CVE-2022-3621,CVE-2022-3625,CVE-2022-3629,CVE-2022-3640,CVE-2022-3646,CVE-2022-3649,CVE-2022-39189,CVE-2022-42703,CVE-2022-43750

The SUSE Linux Enterprise 15 SP3 kernel was updated to receive various security and bugfixes.

The following security bugs were fixed:
- CVE-2021-4037: Fixed function logic vulnerability that allowed local users to create files for the XFS file-system with an unintended group ownership and with group execution and SGID permission bits set (bnc#1198702).
- CVE-2022-2153: Fixed vulnerability in KVM that could allow an unprivileged local attacker on the host to cause DoS (bnc#1200788).
- CVE-2022-2964: Fixed memory corruption issues in ax88179_178a devices (bnc#1202686).
- CVE-2022-2978: Fixed use-after-free in the NILFS file system that could lead to local privilege escalation or DoS (bnc#1202700).
- CVE-2022-3176: Fixed use-after-free in io_uring when using POLLFREE (bnc#1203391).
- CVE-2022-3424: Fixed use-after-free in gru_set_context_option(), gru_fault() and gru_handle_user_call_os() that could lead to kernel panic (bsc#1204166).
- CVE-2022-3521: Fixed race condition in kcm_tx_work() in net/kcm/kcmsock.c (bnc#1204355).
- CVE-2022-3524: Fixed memory leak in ipv6_renew_options() in the IPv6 handler (bnc#1204354).
- CVE-2022-3535: Fixed memory leak in mvpp2_dbgfs_port_init() in drivers/net/ethernet/marvell/mvpp2/mvpp2_debugfs.c (bnc#1204417).
- CVE-2022-3542: Fixed memory leak in bnx2x_tpa_stop() in drivers/net/ethernet/broadcom/bnx2x/bnx2x_cmn.c (bnc#1204402).
- CVE-2022-3545: Fixed use-after-free in area_cache_get() in drivers/net/ethernet/netronome/nfp/nfpcore/nfp_cppcore.c (bnc#1204415).
- CVE-2022-3565: Fixed use-after-free in del_timer() in drivers/isdn/mISDN/l1oip_core.c (bnc#1204431).
- CVE-2022-3577: Fixed out-of-bounds memory write flaw in bigben device driver that could lead to local privilege escalation or DoS (bnc#1204470).
- CVE-2022-3586: Fixed use-after-free in socket buffer (SKB) that could allow a local unprivileged user to cause a denial of service (bnc#1204439).
- CVE-2022-3594: Fixed excessive data logging in intr_callback() in drivers/net/usb/r8152.c (bnc#1204479).
- CVE-2022-3621: Fixed null pointer dereference in nilfs_bmap_lookup_at_level() in fs/nilfs2/inode.c (bnc#1204574).
- CVE-2022-3625: Fixed use-after-free in devlink_param_set()/devlink_param_get() in net/core/devlink.c (bnc#1204637).
- CVE-2022-3629: Fixed memory leak in vsock_connect() in net/vmw_vsock/af_vsock.c (bnc#1204635).
- CVE-2022-3640: Fixed use-after-free in l2cap_conn_del() in net/bluetooth/l2cap_core.c (bnc#1204619).
- CVE-2022-3646: Fixed memory leak in nilfs_attach_log_writer() in fs/nilfs2/segment.c (bnc#1204646).
- CVE-2022-3649: Fixed use-after-free in nilfs_new_inode() in fs/nilfs2/inode.c (bnc#1204647).
- CVE-2022-39189: Fixed a flaw in the x86 KVM subsystem that could allow unprivileged guest users to compromise the guest kernel via TLB flush operations on preempted vCPU (bnc#1203066).
- CVE-2022-42703: Fixed use-after-free in mm/rmap.c related to leaf anon_vma double reuse (bnc#1204168).
- CVE-2022-43750: Fixed vulnerability in usbmon that allowed a user-space client to corrupt the monitor's internal memory (bnc#1204653).

The following non-security bugs were fixed:
- ACPI: APEI: do not add task_work to kernel thread to avoid memory leak (git-fixes).
- ACPI: HMAT: Release platform device in case of platform_device_add_data() fails (git-fixes).
- ACPI: extlog: Handle multiple records (git-fixes).
- ACPI: processor idle: Practically limit 'Dummy wait' workaround to old Intel systems (bnc#1203802).
- ACPI: video: Add Toshiba Satellite/Portege Z830 quirk (git-fixes).
- ALSA: Use del_timer_sync() before freeing timer (git-fixes).
- ALSA: ac97: fix possible memory leak in snd_ac97_dev_register() (git-fixes).
- ALSA: aoa: Fix I2S device accounting (git-fixes).
- ALSA: aoa: i2sbus: fix possible memory leak in i2sbus_add_dev() (git-fixes).
- ALSA: asihpi - Remove useless code in hpi_meter_get_peak() (git-fixes).
- ALSA: au88x0: use explicitly signed char (git-fixes).
- ALSA: dmaengine: increment buffer pointer atomically (git-fixes).
- ALSA: hda/hdmi: Do not skip notification handling during PM operation (git-fixes).
- ALSA: hda/realtek: Add Intel Reference SSID to support headset keys (git-fixes).
- ALSA: hda/realtek: Add pincfg for ASUS G513 HP jack (git-fixes).
- ALSA: hda/realtek: Add pincfg for ASUS G533Z HP jack (git-fixes).
- ALSA: hda/realtek: Add quirk for ASUS GA503R laptop (git-fixes).
- ALSA: hda/realtek: Add quirk for ASUS GV601R laptop (git-fixes).
- ALSA: hda/realtek: Add quirk for Huawei WRT-WX9 (git-fixes).
- ALSA: hda/realtek: Correct pin configs for ASUS G533Z (git-fixes).
- ALSA: hda/realtek: Enable 4-speaker output Dell Precision 5530 laptop (git-fixes).
- ALSA: hda/realtek: remove ALC289_FIXUP_DUAL_SPK for Dell 5530 (git-fixes).
- ALSA: hda/sigmatel: Fix unused variable warning for beep power change (git-fixes).
- ALSA: hda/sigmatel: Keep power up while beep is enabled (git-fixes).
- ALSA: hda/tegra: Align BDL entry to 4KB boundary (git-fixes).
- ALSA: hda: Fix position reporting on Poulsbo (git-fixes).
- ALSA: hda: add Intel 5 Series / 3400 PCI DID (git-fixes).
- ALSA: oss: Fix potential deadlock at unregistration (git-fixes).
- ALSA: rawmidi: Drop register_mutex in snd_rawmidi_free() (git-fixes).
- ALSA: rme9652: use explicitly signed char (git-fixes).
- ALSA: usb-audio: Fix NULL dereference at error path (git-fixes).
- ALSA: usb-audio: Fix potential memory leaks (git-fixes).
- ASoC: eureka-tlv320: Hold reference returned from of_find_xxx API (git-fixes).
- ASoC: fsl_sai: Remove unnecessary FIFO reset in ISR (git-fixes).
- ASoC: mt6660: Fix PM disable depth imbalance in mt6660_i2c_probe (git-fixes).
- ASoC: nau8824: Fix semaphore unbalance at error paths (git-fixes).
- ASoC: rsnd: Add check for rsnd_mod_power_on (git-fixes).
- ASoC: tas2770: Reinit regcache on reset (git-fixes).
- ASoC: wcd9335: fix order of Slimbus unprepare/disable (git-fixes).
- ASoC: wcd934x: fix order of Slimbus unprepare/disable (git-fixes).
- ASoC: wm5102: Fix PM disable depth imbalance in wm5102_probe (git-fixes).
- ASoC: wm5110: Fix PM disable depth imbalance in wm5110_probe (git-fixes).
- ASoC: wm8997: Fix PM disable depth imbalance in wm8997_probe (git-fixes).
- Bluetooth: L2CAP: Fix use-after-free (git-fixes).
- Bluetooth: L2CAP: initialize delayed works at l2cap_chan_create() (git-fixes).
- Bluetooth: hci_core: Fix not handling link timeouts properly (git-fixes).
- Bluetooth: hci_sysfs: Fix attempting to call device_add multiple times (git-fixes).
- HID: hidraw: fix memory leak in hidraw_release() (git-fixes).
- HID: magicmouse: Do not set BTN_MOUSE on double report (git-fixes).
- HID: multitouch: Add memory barriers (git-fixes).
- HID: roccat: Fix use-after-free in roccat_read() (git-fixes).
- HSI: omap_ssi: Fix refcount leak in ssi_probe (git-fixes).
- HSI: omap_ssi_port: Fix dma_map_sg error check (git-fixes).
- IB/cm: Cancel mad on the DREQ event when the state is MRA_REP_RCVD (git-fixes)
- IB/cma: Allow XRC INI QPs to set their local ACK timeout (git-fixes)
- IB/core: Only update PKEY and GID caches on respective events (git-fixes)
- IB/hfi1: Adjust pkey entry in index 0 (git-fixes)
- IB/hfi1: Fix abba locking issue with sc_disable() (git-fixes)
- IB/hfi1: Fix possible null-pointer dereference in _extend_sdma_tx_descs() (git-fixes)
- IB/mlx4: Add support for REJ due to timeout (git-fixes)
- IB/mlx4: Use port iterator and validation APIs (git-fixes)
- IB/qib: Protect from buffer overflow in struct qib_user_sdma_pkt fields (git-fixes)
- IB/rdmavt: Add __init/__exit annotations to module init/exit funcs (git-fixes)
- IB/srpt: Remove redundant assignment to ret (git-fixes)
- Input: i8042 - fix refcount leak on sparc (git-fixes).
- Input: xpad - add supported devices as contributed on github (git-fixes).
- Input: xpad - fix wireless 360 controller breaking after suspend (git-fixes).
- KVM: nVMX: Unconditionally purge queued/injected events on nested 'exit' (git-fixes).
- KVM: s390: Clarify SIGP orders versus STOP/RESTART (git-fixes).
- KVM: s390: VSIE: fix MVPG handling for prefixing and MSO (git-fixes).
- KVM: s390: clear kicked_mask before sleeping again (git-fixes).
- KVM: s390: preserve deliverable_mask in __airqs_kick_single_vcpu (git-fixes).
- KVM: s390: pv: do not present the ecall interrupt twice (git-fixes).
- KVM: s390: split kvm_s390_real_to_abs (git-fixes).
- KVM: s390x: fix SCK locking (git-fixes).
- KVM: x86/emulator: Fix handling of POP SS to correctly set interruptibility (git-fixes).
- PCI: Dynamically map ECAM regions (bsc#1204382).
- PCI: Fix used_buses calculation in pci_scan_child_bus_extend() (git-fixes).
- PCI: Sanitise firmware BAR assignments behind a PCI-PCI bridge (git-fixes).
- PM: domains: Fix handling of unavailable/disabled idle states (git-fixes).
- PM: hibernate: Allow hybrid sleep to work with s2idle (git-fixes).
- RDMA/bnxt_re: Add missing spin lock initialization (git-fixes)
- RDMA/bnxt_re: Fix query SRQ failure (git-fixes)
- RDMA/cm: Fix memory leak in ib_cm_insert_listen (git-fixes)
- RDMA/cma: Ensure rdma_addr_cancel() happens before issuing more requests (git-fixes)
- RDMA/cma: Fix arguments order in net device validation (git-fixes)
- RDMA/core: Sanitize WQ state received from the userspace (git-fixes)
- RDMA/cxgb4: Remove MW support (git-fixes)
- RDMA/efa: Free IRQ vectors on error flow (git-fixes)
- RDMA/efa: Remove double QP type assignment (git-fixes)
- RDMA/efa: Use ib_umem_num_dma_pages() (git-fixes)
- RDMA/hfi1: Fix potential integer multiplication overflow errors (git-fixes)
- RDMA/hns: Remove unnecessary check for the sgid_attr when modifying QP (git-fixes)
- RDMA/i40iw: Use ib_umem_num_dma_pages() (git-fixes)
- RDMA/iwcm: Release resources if iw_cm module initialization fails (git-fixes)
- RDMA/mlx4: Return missed an error if device does not support steering (git-fixes)
- RDMA/mlx5: Add missing check for return value in get namespace flow (git-fixes)
- RDMA/mlx5: Block FDB rules when not in switchdev mode (git-fixes)
- RDMA/mlx5: Fix memory leak in error flow for subscribe event routine (git-fixes)
- RDMA/mlx5: Make mkeys always owned by the kernel's PD when not enabled (git-fixes)
- RDMA/mlx5: Set user priority for DCT (git-fixes)
- RDMA/mlx5: Use set_mkc_access_pd_addr_fields() in reg_create() (git-fixes)
- RDMA/qedr: Fix NULL deref for query_qp on the GSI QP (git-fixes)
- RDMA/qedr: Fix potential memory leak in __qedr_alloc_mr() (git-fixes)
- RDMA/qedr: Fix reporting QP timeout attribute (git-fixes)
- RDMA/qib: Remove superfluous fallthrough statements (git-fixes)
- RDMA/rtrs-srv: Pass the correct number of entries for dma mapped SGL (git-fixes)
- RDMA/rxe: Do not overwrite errno from ib_umem_get() (git-fixes)
- RDMA/rxe: Fix 'kernel NULL pointer dereference' error (git-fixes)
- RDMA/rxe: Fix error unwind in rxe_create_qp() (git-fixes)
- RDMA/rxe: Fix extra copies in build_rdma_network_hdr (git-fixes)
- RDMA/rxe: Fix extra copy in prepare_ack_packet (git-fixes)
- RDMA/rxe: Fix failure during driver load (git-fixes)
- RDMA/rxe: Fix over copying in get_srq_wqe (git-fixes)
- RDMA/rxe: Fix redundant call to ip_send_check (git-fixes)
- RDMA/rxe: Fix redundant skb_put_zero (git-fixes)
- RDMA/rxe: Fix rnr retry behavior (git-fixes)
- RDMA/rxe: Fix the error caused by qp->sk (git-fixes)
- RDMA/rxe: Fix wrong port_cap_flags (git-fixes)
- RDMA/rxe: Generate a completion for unsupported/invalid opcode (git-fixes)
- RDMA/rxe: Remove unused pkt->offset (git-fixes)
- RDMA/rxe: Return CQE error if invalid lkey was supplied (git-fixes)
- RDMA/sa_query: Use strscpy_pad instead of memcpy to copy a string (git-fixes)
- RDMA/siw: Always consume all skbuf data in sk_data_ready() upcall. (git-fixes)
- RDMA/siw: Fix a condition race issue in MPA request processing (git-fixes)
- RDMA/siw: Fix duplicated reported IW_CM_EVENT_CONNECT_REPLY event (git-fixes)
- RDMA/siw: Pass a pointer to virt_to_page() (git-fixes)
- RDMA/usnic: fix set-but-not-unused variable 'flags' warning (git-fixes)
- RDMA: Verify port when creating flow rule (git-fixes)
- RDMA: remove useless condition in siw_create_cq() (git-fixes)
- RDMA/mthca: Work around -Wenum-conversion warning (git-fixes)
- Revert 'drivers/video/backlight/platform_lcd.c: add support for (bsc#1152489)
- Revert 'drm: bridge: analogix/dp: add panel prepare/unprepare in suspend/resume time' (git-fixes).
- Revert 'usb: add quirks for Lenovo OneLink+ Dock' (git-fixes).
- Revert 'usb: storage: Add quirk for Samsung Fit flash' (git-fixes).
- Revert 'usb: storage: Add quirk for Samsung Fit flash' (git-fixes).
- USB: serial: console: move mutex_unlock() before usb_serial_put() (git-fixes).
- USB: serial: ftdi_sio: fix 300 bps rate for SIO (git-fixes).
- USB: serial: option: add Quectel BG95 0x0203 composition (git-fixes).
- USB: serial: option: add Quectel BG95 0x0203 composition (git-fixes).
- USB: serial: option: add Quectel RM520N (git-fixes).
- USB: serial: option: add Quectel RM520N (git-fixes).
- USB: serial: qcserial: add new usb-id for Dell branded EM7455 (git-fixes).
- USB: serial: qcserial: add new usb-id for Dell branded EM7455 (git-fixes).
- arm64: assembler: add cond_yield macro (git-fixes)
- ata: fix ata_id_has_devslp() (git-fixes).
- ata: fix ata_id_has_dipm() (git-fixes).
- ata: fix ata_id_has_ncq_autosense() (git-fixes).
- ata: fix ata_id_sense_reporting_enabled() and ata_id_has_sense_reporting() (git-fixes).
- ata: libahci_platform: Sanity check the DT child nodes number (git-fixes).
- can: bcm: check the result of can_send() in bcm_can_tx() (git-fixes).
- can: gs_usb: gs_can_open(): fix race dev->can.state condition (git-fixes).
- can: kvaser_usb: Fix possible completions during init_completion (git-fixes).
- can: kvaser_usb: Fix use of uninitialized completion (git-fixes).
- can: kvaser_usb_leaf: Fix CAN state after restart (git-fixes).
- can: kvaser_usb_leaf: Fix TX queue out of sync after restart (git-fixes).
- can: mscan: mpc5xxx: mpc5xxx_can_probe(): add missing put_clock() in error path (git-fixes).
- cgroup/cpuset: Enable update_tasks_cpumask() on top_cpuset (bsc#1204753).
- clk: bcm2835: Make peripheral PLLC critical (git-fixes).
- clk: bcm2835: fix bcm2835_clock_rate_from_divisor declaration (git-fixes).
- clk: berlin: Add of_node_put() for of_get_parent() (git-fixes).
- clk: imx: imx6sx: remove the SET_RATE_PARENT flag for QSPI clocks (git-fixes).
- clk: iproc: Do not rely on node name for correct PLL setup (git-fixes).
- clk: mediatek: mt8183: mfgcfg: Propagate rate changes to parent (git-fixes).
- clk: oxnas: Hold reference returned by of_get_parent() (git-fixes).
- clk: qcom: gcc-msm8916: use ARRAY_SIZE instead of specifying num_parents (git-fixes).
- clk: qoriq: Hold reference returned by of_get_parent() (git-fixes).
- clk: tegra20: Fix refcount leak in tegra20_clock_init (git-fixes).
- clk: tegra: Fix refcount leak in tegra114_clock_init (git-fixes).
- clk: tegra: Fix refcount leak in tegra210_clock_init (git-fixes).
- clk: ti: dra7-atl: Fix reference leak in of_dra7_atl_clk_probe (git-fixes).
- clk: zynqmp: Fix stack-out-of-bounds in strncpy (git-fixes).
- clk: zynqmp: pll: rectify rate rounding in zynqmp_pll_round_rate (git-fixes).
- crypto: akcipher - default implementation for setting a private key (git-fixes).
- crypto: arm64/sha - fix function types (git-fixes)
- crypto: arm64/sha1-ce - simplify NEON yield (git-fixes)
- crypto: arm64/sha2-ce - simplify NEON yield (git-fixes)
- crypto: arm64/sha3-ce - simplify NEON yield (git-fixes)
- crypto: arm64/sha512-ce - simplify NEON yield (git-fixes)
- crypto: cavium - prevent integer overflow loading firmware (git-fixes).
- crypto: ccp - Release dma channels before dmaengine unregister (git-fixes).
- crypto: hisilicon/zip - fix mismatch in get/set sgl_sge_nr (git-fixes).
- device property: Fix documentation for *_match_string() APIs (git-fixes).
- dmaengine: ioat: stop mod_timer from resurrecting deleted timer in __cleanup() (git-fixes).
- dmaengine: xilinx_dma: Report error in case of dma_set_mask_and_coherent API failure (git-fixes).
- dmaengine: xilinx_dma: cleanup for fetching xlnx,num-fstores property (git-fixes).
- docs: update mediator information in CoC docs (git-fixes).
- drivers: serial: jsm: fix some leaks in probe (git-fixes).
- drm/amd/display: Limit user regamma to a valid value (git-fixes).
- drm/amdgpu: do not register a dirty callback for non-atomic (git-fixes).
- drm/amdgpu: fix initial connector audio value (git-fixes).
- drm/amdgpu: use dirty framebuffer helper (git-fixes).
- drm/bridge: Avoid uninitialized variable warning (git-fixes).
- drm/bridge: megachips: Fix a null pointer dereference bug (git-fixes).
- drm/bridge: parade-ps8640: Fix regulator supply order (git-fixes).
- drm/i915/gvt: fix a memory leak in intel_gvt_init_vgpu_types (git-fixes).
- drm/mipi-dsi: Detach devices when removing the host (git-fixes).
- drm/msm/dpu: Fix comment typo (git-fixes).
- drm/msm/dpu: index dpu_kms->hw_vbif using vbif_idx (git-fixes).
- drm/msm/dsi: fix memory corruption with too many bridges (git-fixes).
- drm/msm/hdmi: fix memory corruption with too many bridges (git-fixes).
- drm/msm: Fix return type of mdp4_lvds_connector_mode_valid (git-fixes).
- drm/msm: Make .remove and .shutdown HW shutdown consistent (git-fixes).
- drm/nouveau/nouveau_bo: fix potential memory leak in nouveau_bo_alloc() (git-fixes).
- drm/nouveau: fix a use-after-free in nouveau_gem_prime_import_sg_table() (git-fixes).
- drm/omap: dss: Fix refcount leak bugs (git-fixes).
- drm/rockchip: Fix return type of cdn_dp_connector_mode_valid (git-fixes).
- drm/scheduler: quieten kernel-doc warnings (git-fixes).
- drm/udl: Restore display mode on resume (git-fixes).
- drm: Prevent drm_copy_field() to attempt copying a NULL pointer (git-fixes).
- drm: Use size_t type for len variable in drm_copy_field() (git-fixes).
- drm: bridge: adv7511: fix CEC power down control register offset (git-fixes).
- drm: fix drm_mipi_dbi build errors (git-fixes).
- drm: panel-orientation-quirks: Add quirk for Anbernic Win600 (git-fixes).
- drm: pl111: Add of_node_put() when breaking out of for_each_available_child_of_node() (git-fixes).
- dyndbg: fix module.dyndbg handling (git-fixes).
- dyndbg: let query-modname override actual module name (git-fixes).
- efi: Correct Macmini DMI match in uefi cert quirk (git-fixes).
- efi: libstub: drop pointless get_memory_map() call (git-fixes).
- exfat: Return ENAMETOOLONG consistently for oversized paths (bsc#1204053 bsc#1201725).
- fbdev: cyber2000fb: fix missing pci_disable_device() (git-fixes).
- fbdev: da8xx-fb: Fix error handling in .remove() (git-fixes).
- firmware: arm_scmi: Add SCMI PM driver remove routine (git-fixes).
- firmware: google: Test spinlock on panic path to avoid lockups (git-fixes).
- fpga: prevent integer overflow in dfl_feature_ioctl_set_irq() (git-fixes).
- gpio: rockchip: request GPIO mux to pinctrl when setting direction (git-fixes).
- hid: hid-logitech-hidpp: avoid unnecessary assignments in hidpp_connect_event (git-fixes).
- hwmon/coretemp: Handle large core ID value (git-fixes).
- iio: ABI: Fix wrong format of differential capacitance channel ABI (git-fixes).
- iio: adc: ad7923: fix channel readings for some variants (git-fixes).
- iio: adc: at91-sama5d2_adc: check return status for pressure and touch (git-fixes).
- iio: adc: at91-sama5d2_adc: fix AT91_SAMA5D2_MR_TRACKTIM_MAX (git-fixes).
- iio: adc: at91-sama5d2_adc: lock around oversampling and sample freq (git-fixes).
- iio: adc: mcp3911: use correct id bits (git-fixes).
- iio: dac: ad5593r: Fix i2c read protocol requirements (git-fixes).
- iio: inkern: only release the device node when done with it (git-fixes).
- iio: light: tsl2583: Fix module unloading (git-fixes).
- iio: pressure: dps310: Refactor startup procedure (git-fixes).
- iio: pressure: dps310: Reset chip after timeout (git-fixes).
- irqchip/ls-extirq: Fix invalid wait context by avoiding to use regmap (git-fixes).
- kABI: arm64/crypto/sha512 Preserve function signature (git-fixes).
- kbuild: Add skip_encoding_btf_enum64 option to pahole (git-fixes).
- kbuild: remove the target in signal traps when interrupted (git-fixes).
- kbuild: sink stdout from cmd for silent build (git-fixes).
- kbuild: skip per-CPU BTF generation for pahole v1.18-v1.21 (jsc#SLE-24559).
- kthread: Extract KTHREAD_IS_PER_CPU (bsc#1204753).
- lib/sg_pool: change module_init(sg_pool_init) to subsys_initcall (git-fixes).
- libata: add ATA_HORKAGE_NOLPM for Pioneer BDR-207M and BDR-205 (git-fixes).
- locking/csd_lock: Change csdlock_debug from early_param to __setup (git-fixes).
- mISDN: fix use-after-free bugs in l1oip timer handlers (git-fixes).
- mISDN: hfcpci: Fix use-after-free bug in hfcpci_softirq (git-fixes).
- mac802154: Fix LQI recording (git-fixes).
- mailbox: bcm-ferxrm-mailbox: Fix error check for dma_map_sg (git-fixes).
- media: aspeed-video: ignore interrupts that are not enabled (git-fixes).
- media: cedrus: Set the platform driver data earlier (git-fixes).
- media: coda: Add more H264 levels for CODA960 (git-fixes).
- media: coda: Fix reported H264 profile (git-fixes).
- media: cx88: Fix a null-ptr-deref bug in buffer_prepare() (git-fixes).
- media: dvb_vb2: fix possible out of bound access (git-fixes).
- media: v4l2-dv-timings: add sanity checks for blanking values (git-fixes).
- media: videodev2.h: V4L2_DV_BT_BLANKING_HEIGHT should check 'interlaced' (git-fixes).
- media: xilinx: vipp: Fix refcount leak in xvip_graph_dma_init (git-fixes).
- memory: of: Fix refcount leak bug in of_get_ddr_timings() (git-fixes).
- memory: pl353-smc: Fix refcount leak bug in pl353_smc_probe() (git-fixes).
- mfd: fsl-imx25: Fix an error handling path in mx25_tsadc_setup_irq() (git-fixes).
- mfd: intel_soc_pmic: Fix an error handling path in intel_soc_pmic_i2c_probe() (git-fixes).
- mfd: lp8788: Fix an error handling path in lp8788_irq_init() and lp8788_irq_init() (git-fixes).
- mfd: lp8788: Fix an error handling path in lp8788_probe() (git-fixes).
- mfd: sm501: Add check for platform_driver_register() (git-fixes).
- misc: ocxl: fix possible refcount leak in afu_ioctl() (git-fixes).
- mm, memcg: avoid stale protection values when cgroup is above protection (bsc#1204754).
- mm/hugetlb: fix races when looking up a CONT-PTE/PMD size hugetlb page (bsc#1204575).
- mm: memcontrol: fix occasional OOMs due to proportional memory.low reclaim (bsc#1204754).
- mmc: au1xmmc: Fix an error handling path in au1xmmc_probe() (git-fixes).
- mmc: core: Fix kernel panic when remove non-standard SDIO card (git-fixes).
- mmc: core: Replace with already defined values for readability (git-fixes).
- mmc: core: Terminate infinite loop in SD-UHS voltage switch (git-fixes).
- mmc: moxart: fix 4-bit bus width and remove 8-bit bus width (git-fixes).
- mmc: sdhci-msm: add compatible string check for sdm670 (git-fixes).
- mmc: sdhci-sprd: Fix minimum clock limit (git-fixes).
- mmc: wmt-sdmmc: Fix an error handling path in wmt_mci_probe() (git-fixes).
- mtd: devices: docg3: check the return value of devm_ioremap() in the probe (git-fixes).
- mtd: rawnand: atmel: Unmap streaming DMA mappings (git-fixes).
- mtd: rawnand: marvell: Use correct logic for nand-keep-config (git-fixes).
- mtd: rawnand: meson: fix bit map use in meson_nfc_ecc_correct() (git-fixes).
- net/ieee802154: fix uninit value bug in dgram_sendmsg (git-fixes).
- net: ieee802154: return -EINVAL for unknown addr type (git-fixes).
- net: usb: qmi_wwan: Add new usb-id for Dell branded EM7455 (git-fixes).
- net: usb: qmi_wwan: Add new usb-id for Dell branded EM7455 (git-fixes).
- net: usb: qmi_wwan: add Quectel RM520N (git-fixes).
- openvswitch: Fix double reporting of drops in dropwatch (git-fixes).
- openvswitch: Fix overreporting of drops in dropwatch (git-fixes).
- openvswitch: switch from WARN to pr_warn (git-fixes).
- padata: introduce internal padata_get/put_pd() helpers (bsc#1202638).
- padata: make padata_free_shell() to respect pd's ->refcnt (bsc#1202638).
- parisc/sticon: fix reverse colors (bsc#1152489)
  Backporting notes:
  * context changes
- parisc: parisc-agp requires SBA IOMMU driver (bsc#1152489)
- phy: qualcomm: call clk_disable_unprepare in the error handling (git-fixes).
- pinctrl: armada-37xx: Add missing GPIO-only pins (git-fixes).
- pinctrl: armada-37xx: Checks for errors in gpio_request_enable callback (git-fixes).
- pinctrl: armada-37xx: Fix definitions for MPP pins 20-22 (git-fixes).
- pinctrl: rockchip: add pinmux_ops.gpio_set_direction callback (git-fixes).
- platform/x86: msi-laptop: Change DMI match / alias strings to fix module autoloading (git-fixes).
- platform/x86: msi-laptop: Fix old-ec check for backlight registering (git-fixes).
- platform/x86: msi-laptop: Fix resource cleanup (git-fixes).
- power: supply: adp5061: fix out-of-bounds read in adp5061_get_chg_type() (git-fixes).
- powerpc/64: Remove unused SYS_CALL_TABLE symbol (jsc#SLE-9246 git-fixes).
- powerpc/fadump: align destination address to pagesize (bsc#1204728 ltc#200074).
- powerpc/kprobes: Fix null pointer reference in arch_prepare_kprobe() (jsc#SLE-13847 git-fixes).
- powerpc/mm/64s: Drop pgd_huge() (bsc#1065729).
- powerpc/mm: remove pmd_huge/pud_huge stubs and include hugetlb.h (bsc#1065729).
- powerpc/pci_dn: Add missing of_node_put() (bsc#1065729).
- powerpc/powernv: add missing of_node_put() in opal_export_attrs() (bsc#1065729).
- powerpc/pseries: Interface to represent PAPR firmware attributes (bsc#1200465 ltc#197256 jsc#PED-1931).
- quota: widen timestamps for the fs_disk_quota structure (bsc#1203387).
- regulator: pfuze100: Fix the global-out-of-bounds access in pfuze100_regulator_probe() (git-fixes).
- regulator: qcom_rpm: Fix circular deferral regression (git-fixes).
- reset: imx7: Fix the iMX8MP PCIe PHY PERST support (git-fixes).
- rpmsg: qcom: glink: replace strncpy() with strscpy_pad() (git-fixes).
- rtc: stmp3xxx: Add failure handling for stmp3xxx_wdt_register() (git-fixes).
- s390/hypfs: avoid error message under KVM (bsc#1032323).
- sbitmap: Avoid leaving waitqueue in invalid state in __sbq_wake_up() (git-fixes).
- sbitmap: fix possible io hung due to lost wakeup (git-fixes).
- scsi: libsas: Fix use-after-free bug in smp_execute_task_sg() (git-fixes).
- scsi: mpt3sas: Fix return value check of dma_get_required_mask() (git-fixes).
- scsi: qla2xxx: Fix disk failure to rediscover (git-fixes).
- selftest/powerpc: Add PAPR sysfs attributes sniff test (bsc#1200465 ltc#197256 jsc#PED-1931).
- selftests/powerpc: Skip energy_scale_info test on older firmware (git-fixes).
- serial: Create uart_xmit_advance() (git-fixes).
- serial: tegra-tcu: Use uart_xmit_advance(), fixes icount.tx accounting (git-fixes).
- serial: tegra: Use uart_xmit_advance(), fixes icount.tx accounting (git-fixes).
- soc: qcom: smem_state: Add refcounting for the 'state-> of_node' (git-fixes).
- soc: qcom: smsm: Fix refcount leak bugs in qcom_smsm_probe() (git-fixes).
- soc: sunxi: sram: Actually claim SRAM regions (git-fixes).
- soc: sunxi: sram: Fix debugfs info for A64 SRAM C (git-fixes).
- soc: sunxi: sram: Prevent the driver from being unbound (git-fixes).
- soc: sunxi_sram: Make use of the helper function devm_platform_ioremap_resource() (git-fixes).
- spi/omap100k:Fix PM disable depth imbalance in omap1_spi100k_probe (git-fixes).
- spi: mt7621: Fix an error message in mt7621_spi_probe() (git-fixes).
- spi: qup: add missing clk_disable_unprepare on error in spi_qup_pm_resume_runtime() (git-fixes).
- spi: qup: add missing clk_disable_unprepare on error in spi_qup_resume() (git-fixes).
- spi: s3c64xx: Fix large transfers with DMA (git-fixes).
- staging: rtl8723bs: fix a potential memory leak in rtw_init_cmd_priv() (git-fixes).
- staging: vt6655: fix potential memory leak (git-fixes).
- staging: vt6655: fix some erroneous memory clean-up loops (git-fixes).
- struct pci_config_window kABI workaround (bsc#1204382).
- thermal: intel_powerclamp: Use first online CPU as control_cpu (git-fixes).
- thermal: intel_powerclamp: Use get_cpu() instead of smp_processor_id() to avoid crash (git-fixes).
- tty/serial: atmel: RS485 & ISO7816: wait for TXRDY before sending data (git-fixes).
- tty: serial: fsl_lpuart: disable dma rx/tx use flags in lpuart_dma_shutdown (git-fixes).
- tty: xilinx_uartps: Fix the ignore_status (git-fixes).
- uas: add no-uas quirk for Hiksemi usb_disk (git-fixes).
- uas: ignore UAS for Thinkplus chips (git-fixes).
- usb-storage: Add Hiksemi USB3-FW to IGNORE_UAS (git-fixes).
- usb: add quirks for Lenovo OneLink+ Dock (git-fixes).
- usb: add quirks for Lenovo OneLink+ Dock (git-fixes).
- usb: bdc: change state when port disconnected (git-fixes).
- usb: dwc3: gadget: Avoid starting DWC3 gadget during UDC unbind (git-fixes).
- usb: dwc3: gadget: Do not set IMI for no_interrupt (git-fixes).
- usb: dwc3: gadget: Prevent repeat pullup() (git-fixes).
- usb: dwc3: gadget: Stop processing more requests on IMI (git-fixes).
- usb: gadget: function: fix dangling pnp_string in f_printer.c (git-fixes).
- usb: host: xhci: Fix potential memory leak in xhci_alloc_stream_info() (git-fixes).
- usb: idmouse: fix an uninit-value in idmouse_open (git-fixes).
- usb: mon: make mmapped memory read only (git-fixes).
- usb: musb: Fix musb_gadget.c rxstate overflow bug (git-fixes).
- usb: typec: ucsi: Remove incorrect warning (git-fixes).
- usb: xhci-mtk: add a function to (un)load bandwidth info (git-fixes).
- usb: xhci-mtk: add only one extra CS for FS/LS INTR (git-fixes).
- usb: xhci-mtk: add some schedule error number (git-fixes).
- usb: xhci-mtk: fix issue of out-of-bounds array access (git-fixes).
- usb: xhci-mtk: get the microframe boundary for ESIT (git-fixes).
- usb: xhci-mtk: use @sch_tt to check whether need do TT schedule (git-fixes).
- vhost/vsock: Use kvmalloc/kvfree for larger packets (git-fixes).
- video: fbdev: pxa3xx-gcu: Fix integer overflow in pxa3xx_gcu_write (git-fixes).
- watchdog: armada_37xx_wdt: Fix .set_timeout callback (git-fixes).
- watchdog: ftwdt010_wdt: fix test for platform_get_irq() failure (git-fixes).
- wifi: ath10k: add peer map clean up for peer delete in ath10k_sta_state() (git-fixes).
- wifi: ath9k: avoid uninit memory read in ath9k_htc_rx_msg() (git-fixes).
- wifi: brcmfmac: fix invalid address access when enabling SCAN log level (git-fixes).
- wifi: brcmfmac: fix use-after-free bug in brcmf_netdev_start_xmit() (git-fixes).
- wifi: cfg80211: update hidden BSSes to avoid WARN_ON (git-fixes).
- wifi: iwlwifi: mvm: fix double list_add at iwl_mvm_mac_wake_tx_queue (other cases) (git-fixes).
- wifi: mac80211: Fix UAF in ieee80211_scan_rx() (git-fixes).
- wifi: mac80211: allow bw change during channel switch in mesh (git-fixes).
- wifi: mac80211: do not drop packets smaller than the LLC-SNAP header on fast-rx (git-fixes).
- wifi: mac80211_hwsim: avoid mac80211 warning on bad rate (git-fixes).
- wifi: rt2x00: correctly set BBP register 86 for MT7620 (git-fixes).
- wifi: rt2x00: do not run Rt5592 IQ calibration on MT7620 (git-fixes).
- wifi: rt2x00: set SoC wmac clock register (git-fixes).
- wifi: rt2x00: set VGC gain for both chains of MT7620 (git-fixes).
- wifi: rt2x00: set correct TX_SW_CFG1 MAC register for MT7620 (git-fixes).
- wifi: rtl8xxxu: Fix AIFS written to REG_EDCA_*_PARAM (git-fixes).
- wifi: rtl8xxxu: Fix skb misuse in TX queue selection (git-fixes).
- wifi: rtl8xxxu: Improve rtl8xxxu_queue_select (git-fixes).
- wifi: rtl8xxxu: Remove copy-paste leftover in gen2_update_rate_mask (git-fixes).
- wifi: rtl8xxxu: gen2: Fix mistake in path B IQ calibration (git-fixes).
- wifi: rtl8xxxu: tighten bounds checking in rtl8xxxu_read_efuse() (git-fixes).
- xfs: add missing assert in xfs_fsmap_owner_from_rmap (git-fixes).
- xfs: enable big timestamps (bsc#1203387).
- xfs: enable new inode btree counters feature (bsc#1203387).
- xfs: explicitly define inode timestamp range (bsc#1203387).
- xfs: fix memory corruption during remote attr value buffer invalidation (git-fixes).
- xfs: fix s_maxbytes computation on 32-bit kernels (git-fixes).
- xfs: hoist out xfs_resizefs_init_new_ags() (git-fixes).
- xfs: move incore structures out of xfs_da_format.h (git-fixes).
- xfs: quota: move to time64_t interfaces (bsc#1203387).
- xfs: redefine xfs_ictimestamp_t (bsc#1203387).
- xfs: redefine xfs_timestamp_t (bsc#1203387).
- xfs: refactor remote attr value buffer invalidation (git-fixes).
- xfs: remove obsolete AGF counter debugging (git-fixes).
- xfs: rename `new' to `delta' in xfs_growfs_data_private() (git-fixes).
- xfs: reserve data and rt quota at the same time (bsc#1203496).
- xfs: slightly tweak an assert in xfs_fs_map_blocks (git-fixes).
- xfs: store inode btree block counts in AGI header (bsc#1203387).
- xfs: streamline xfs_attr3_leaf_inactive (git-fixes).
- xfs: use a struct timespec64 for the in-core crtime (bsc#1203387).
- xfs: use the finobt block counts to speed up mount times (bsc#1203387).
- xfs: widen ondisk inode timestamps to deal with y2038+ (bsc#1203387).
- xfs: widen ondisk quota expiration timestamps to handle y2038+ (bsc#1203387).
- xhci: Do not show warning for reinit on known broken suspend (git-fixes).

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2022:4056-1
Released: Thu Nov 17 15:38:08 2022
Summary: Security update for systemd
Type: security
Severity: moderate
References: 1204179,1204968,CVE-2022-3821

This update for systemd fixes the following issues:

- CVE-2022-3821: Fixed buffer overrun in format_timespan() function (bsc#1204968).
- Import commit 56bee38fd0da18dad5fc5c5d12c02238a22b50e2
  * 8a70235d8a core: Add trigger limit for path units
  * 93e544f3a0 core/mount: also add default before dependency for automount mount units
  * 5916a7748c logind: fix crash in logind on user-specified message string
- Document udev naming scheme (bsc#1204179).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2022:4066-1
Released: Fri Nov 18 10:43:00 2022
Summary: Recommended update for timezone
Type: recommended
Severity: important
References: 1177460,1202324,1204649,1205156

This update for timezone fixes the following issues:

Update timezone version from 2022a to 2022f (bsc#1177460, bsc#1204649, bsc#1205156):

- Mexico will no longer observe DST except near the US border
- Chihuahua moves to year-round -06 on 2022-10-30
- Fiji no longer observes DST
- In vanguard form, GMT is now a Zone and Etc/GMT a link
- zic now supports links to links, and vanguard form uses this
- Simplify four Ontario zones
- Fix a Y2438 bug when reading TZif data
- Enable 64-bit time_t on 32-bit glibc platforms
- Omit large-file support when no longer needed
- Jordan and Syria switch from +02/+03 with DST to year-round +03
- Palestine transitions are now Saturdays at 02:00
- Simplify three Ukraine zones into one
- Improve tzselect on intercontinental Zones
- Chile's DST is delayed by a week in September 2022 (bsc#1202324)
- Iran no longer observes DST after 2022
- Rename Europe/Kiev to Europe/Kyiv
- New `zic -R` command option
- Vanguard form now uses %z

-----------------------------------------------------------------
Advisory ID: SUSE-SU-2022:4077-1
Released: Fri Nov 18 15:05:28 2022
Summary: Security update for sudo
Type: security
Severity: important
References: 1190818,1203201,1204986,CVE-2022-43995

This update for sudo fixes the following issues:

- CVE-2022-43995: Fixed a potential heap-based buffer over-read when entering a password of seven characters or fewer and using the crypt() password backend (bsc#1204986).
- Fix wrong information output in the error message (bsc#1190818).
- Make sure SIGCHLD is not ignored when sudo is executed; fixes race condition (bsc#1203201).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2022:4081-1
Released: Fri Nov 18 15:40:46 2022
Summary: Security update for dpkg
Type: security
Severity: low
References: 1199944,CVE-2022-1664

This update for dpkg fixes the following issues:

- CVE-2022-1664: Fixed a directory traversal vulnerability in Dpkg::Source::Archive (bsc#1199944).

The following package changes have been done:

- bind-utils-9.16.6-150300.22.21.2 updated
- curl-7.66.0-150200.4.42.1 updated
- dbus-1-1.12.2-150100.8.14.1 updated
- dhcp-client-4.3.6.P1-150000.6.17.1 updated
- dhcp-4.3.6.P1-150000.6.17.1 updated
- docker-20.10.17_ce-150000.169.1 updated
- iputils-s20161105-150000.8.6.1 updated
- kernel-default-5.3.18-150300.59.101.1 updated
- libbind9-1600-9.16.6-150300.22.21.2 updated
- libblkid1-2.36.2-150300.4.28.1 updated
- libcurl4-7.66.0-150200.4.42.1 updated
- libdbus-1-3-1.12.2-150100.8.14.1 updated
- libdns1605-9.16.6-150300.22.21.2 updated
- libexpat1-2.2.5-150000.3.25.1 updated
- libfdisk1-2.36.2-150300.4.28.1 updated
- libgpg-error0-1.42-150300.9.3.1 updated
- libirs1601-9.16.6-150300.22.21.2 updated
- libisc1606-9.16.6-150300.22.21.2 updated
- libisccc1600-9.16.6-150300.22.21.2 updated
- libisccfg1600-9.16.6-150300.22.21.2 updated
- libksba8-1.3.5-150000.4.3.1 updated
- libmount1-2.36.2-150300.4.28.1 updated
- libns1604-9.16.6-150300.22.21.2 updated
- libopenssl1_1-1.1.1d-150200.11.54.1 updated
- libprotobuf-lite20-3.9.2-150200.4.19.2 updated
- libsmartcols1-2.36.2-150300.4.28.1 updated
- libsystemd0-246.16-150300.7.54.1 updated
- libtasn1-6-4.13-150000.4.8.1 updated
- libtasn1-4.13-150000.4.8.1 updated
- libudev1-246.16-150300.7.54.1 updated
- libuuid1-2.36.2-150300.4.28.1 updated
- libxml2-2-2.9.7-150000.3.51.1 updated
- libz1-1.2.11-150000.3.36.1 updated
- nfs-client-2.1.1-150100.10.27.1 updated
- openssh-clients-8.4p1-150300.3.12.2 updated
- openssh-common-8.4p1-150300.3.12.2 updated
- openssh-server-8.4p1-150300.3.12.2 updated
- openssh-8.4p1-150300.3.12.2 updated
- openssl-1_1-1.1.1d-150200.11.54.1 updated
- pam-1.3.0-150000.6.61.1 updated
- permissions-20181225-150200.23.20.1 updated
- python-azure-agent-2.8.0.11-150100.3.26.1 updated
- python3-apipkg-1.4-150000.3.4.1 updated
- python3-bind-9.16.6-150300.22.21.2 updated
- python3-cryptography-2.9.2-150200.13.1 updated
- python3-iniconfig-1.1.1-150000.1.9.1 updated
- runc-1.1.4-150000.36.1 updated
- samba-client-libs-4.15.8+git.527.8d0c05d313e-150300.3.40.2 updated
- sudo-1.9.5p2-150300.3.13.1 updated
- systemd-sysvinit-246.16-150300.7.54.1 updated
- systemd-246.16-150300.7.54.1 updated
- timezone-2022f-150000.75.15.1 updated
- udev-246.16-150300.7.54.1 updated
- update-alternatives-1.19.0.4-150000.4.4.1 updated
- util-linux-systemd-2.36.2-150300.4.28.1 updated
- util-linux-2.36.2-150300.4.28.1 updated
- xen-libs-4.14.5_08-150300.3.40.1 updated

Essential security patches for the SUSE container focusing on memory overflow issues and vulnerabilities leading to Denial of Service attacks.

SUSE Security Advisory, Container Updates, System Security, Critical Updates.

Severity: Critical. LinuxSecurity.com Team

Nov 22, 2022 | Critical | SuSE
