Explore top 10 tips to secure your open-source projects now. Read More

×
Alerts This Week
Warning Icon 1 555
Alerts This Week
Warning Icon 1 555

Stay Secure with the Latest Linux Advisories

Filter%20icon Refine advisories
X Clear Filters
X Clear Filters
View More

Get the latest News and Insights

Get the latest Linux and open source security news straight to your inbox.

Community Poll

Is application sandboxing truly safe?

No answer selected. Please try again.
Please select either existing option or enter your own, however not both.
Please select minimum {0} answer(s).
Please select maximum {0} answer(s).
/main-polls/155-is-application-sandboxing-truly-safe?task=poll.vote&format=json
155
radio
0
[{"id":500,"title":"Malware still escapes container walls.","votes":0,"type":"x","order":1,"pct":0,"resources":[]},{"id":501,"title":"Supply chains corrupt trusted packages.","votes":0,"type":"x","order":2,"pct":0,"resources":[]},{"id":502,"title":"Convenience consistently compromises strict security.","votes":1,"type":"x","order":3,"pct":100,"resources":[]}] ["#ff5b00","#4ac0f2","#b80028","#eef66c","#60bb22","#b96a9a","#62c2cc"] ["rgba(255,91,0,0.7)","rgba(74,192,242,0.7)","rgba(184,0,40,0.7)","rgba(238,246,108,0.7)","rgba(96,187,34,0.7)","rgba(185,106,154,0.7)","rgba(98,194,204,0.7)"] 350
bottom 200
Loading...

Explore Latest Linux Security advisories

We found 13 articles for you...
100

SUSE: 2023:578-1 Important Security Update for Kernel and Services

The container suse-sles-15-sp5-chost-byos-v20230816-hvm-ssd-x86_64 was updated. The following patches have been included in this update:. SUSE Image Update Advisory: suse-sles-15-sp5-chost-byos-v20230816-hvm-ssd-x86_64 ----------------------------------------------------------------- Image Advisory ID : SUSE-IU-2023:578-1 Image Tags : suse-sles-15-sp5-chost-byos-v20230816-hvm-ssd-x86_64:20230816 Image Release : Severity : important Type : security References : 1089497 1150305 1184758 1186673 1193629 1194557 1194869 1201399 1203300 1204563 1206418 1206627 1207129 1207805 1207894 1207948 1208003 1208788 1209536 1210273 1210323 1210627 1210780 1210799 1210825 1211026 1211079 1211131 1211243 1211738 1211811 1211867 1212256 1212301 1212375 1212445 1212496 1212502 1212525 1212604 1212613 1212756 1212766 1212806 1212846 1212879 1212901 1212905 1212928 1213004 1213008 1213049 1213059 1213061 1213167 1213170 1213171 1213172 1213173 1213174 1213189 1213205 1213206 1213226 1213233 1213237 1213245 1213247 1213252 1213258 1213259 1213263 1213264 1213272 1213286 1213287 1213304 1213384 1213386 1213417 1213443 1213472 1213487 1213493 1213504 1213514 1213517 1213523 1213524 1213533 1213543 1213578 1213585 1213586 1213588 1213601 1213620 1213632 1213653 1213705 1213713 1213715 1213747 1213756 1213759 1213777 1213810 1213812 1213853 1213856 1213857 1213863 1213867 1213870 1213871 1213872 1214054 CVE-2020-25720 CVE-2021-3429 CVE-2022-2127 CVE-2022-40982 CVE-2022-41409 CVE-2022-48468 CVE-2023-0459 CVE-2023-1786 CVE-2023-20569 CVE-2023-20593 CVE-2023-21400 CVE-2023-2156 CVE-2023-2166CVE-2023-2985 CVE-2023-31083 CVE-2023-3117 CVE-2023-31248 CVE-2023-32001 CVE-2023-3268 CVE-2023-33460 CVE-2023-3347 CVE-2023-3390 CVE-2023-3446 CVE-2023-34966 CVE-2023-34967 CVE-2023-34968 CVE-2023-35001 CVE-2023-3567 CVE-2023-36054 CVE-2023-3609 CVE-2023-3611 CVE-2023-3776 CVE-2023-3812 CVE-2023-3817 CVE-2023-38408 CVE-2023-38409 CVE-2023-3863 CVE-2023-4004 ----------------------------------------------------------------- The container suse-sles-15-sp5-chost-byos-v20230816-hvm-ssd-x86_64 was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2023:2143-1 Released: Tue May 9 14:49:45 2023 Summary: Security update for protobuf-c Type: security Severity: important References: 1210323,CVE-2022-48468 This update for protobuf-c fixes the following issues: - CVE-2022-48468: Fixed an unsigned integer overflow. (bsc#1210323) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2023:2891-1 Released: Wed Jul 19 21:14:33 2023 Summary: Security update for curl Type: security Severity: moderate References: 1213237,CVE-2023-32001 This update for curl fixes the following issues: - CVE-2023-32001: Fixed TOCTOU race condition (bsc#1213237). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2023:2901-1 Released: Thu Jul 20 09:49:16 2023 Summary: Recommended update for lvm2 Type: recommended Severity: important References: 1212613 This update for lvm2 fixes the following issues: - multipath_component_detection = 0 in lvm.conf does not have any effect (bsc#1212613) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2023:2905-1 Released: Thu Jul 20 10:17:54 2023 Summary: Recommended update for fstrm Type: recommended Severity: moderate References: This update for fstrm fixes the following issues: - Update to 0.6.1: - fstrm_capture: ignore SIGPIPE, which will cause the interrupted connections to generate an EPIPE instead. - Fix truncation in snprintf calls in argument processing. - fstrm_capture: Fix output printf format. - Update to 0.6.0 It adds a new feature for fstrm_capture. It can perform output file rotation when a SIGUSR1 signal is received by fstrm_capture. (See the --gmtime or --localtime options.) This allows fstrm_capture's output file to be rotated by logrotate or a similar external utility. (Output rotation is suppressed if fstrm_capture is writing to stdout.) Update to 0.5.0 - Change license to modern MIT license for compatibility with GPLv2 software. Contact software@farsightsecurity.com for alternate licensing. - src/fstrm_replay.c: For OpenBSD and Posix portability include netinet/in.h and sys/socket.h to get struct sockaddr_in and the AF_* defines respectively. - Fix various compiler warnings. Update to 0.4.0 The C implementation of the Frame Streams data transport protocol, fstrm version 0.4.0, was released. It adds TCP support, a new tool, new documentation, and several improvements. - Added manual pages for fstrm_capture and fstrm_dump. - Added new tool, fstrm_replay, for replaying saved Frame Streams data to a socket connection. - Adds TCP support. Add tcp_writer to the core library which implements a bi-directional Frame Streams writer as a TCP socket client. Introduces new developer API: fstrm_tcp_writer_init, fstrm_tcp_writer_options_init, fstrm_tcp_writer_options_destroy, fstrm_tcp_writer_options_set_socket_address, and fstrm_tcp_writer_options_set_socket_port. - fstrm_capture: new options for reading from TCP socket. - fstrm_capture: add '-c' / '--connections' option to limit the number of concurrent connections it will accept. - fstrm_capture: add '-b / --buffer-size' option to set the read buffer size (effectively the maximum frame size) to avalue other than the default 256 KiB. - fstrm_capture: skip oversize messages to fix stalled connections caused by messages larger than the read highwater mark of the input buffer. Discarded messages are logged for the purposes of tuning the input buffer size. - fstrm_capture: complete sending of FINISH frame before closing connection. - Various test additions and improvements. ----------------------------------------------------------------- Advisory ID: SUSE-RU-2023:2910-1 Released: Thu Jul 20 10:59:53 2023 Summary: Recommended update for grub2 Type: recommended Severity: important References: 1204563 This update for grub2 fixes the following issues: - grub2-once: Fix 'sh: terminal_output: command not found' error (bsc#1204563) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2023:2918-1 Released: Thu Jul 20 12:00:17 2023 Summary: Recommended update for gpgme Type: recommended Severity: moderate References: 1089497 This update for gpgme fixes the following issues: gpgme: - Address failure handling issues when using gpg 2.2.6 via gpgme, as used by libzypp (bsc#1089497) libassuan: - Version upgrade to 2.5.5 in LTSS to address gpgme new requirements ----------------------------------------------------------------- Advisory ID: SUSE-RU-2023:2922-1 Released: Thu Jul 20 18:34:03 2023 Summary: Recommended update for libfido2 Type: recommended Severity: moderate References: This update for libfido2 fixes the following issues: - Use openssl 1.1 still on SUSE Linux Enterprise 15 to avoid pulling unneeded openssl-3 dependency. (jsc#PED-4521) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2023:2927-1 Released: Fri Jul 21 07:05:30 2023 Summary: Recommended update for wicked Type: recommended Severity: moderate References: 1194557,1203300,1211026,1212806 This update for wicked fixes the following issues: - Fix arp notify loop and burst sending(bsc#1212806) - Update to version 0.6.73 - Allow verify/notify counter and interval configuration - Handle ENOBUFS sending errors (bsc#1203300) - Improve environment variable handling - Refactor firmware extension definition - Enable, disable and revert cli commands - Ignore WIRELESS_EAP_AUTH within TLS (bsc#1211026) - Cleanup /var/run leftovers in extension scripts (bsc#1194557) - Output formatting improvements and Unicode support ----------------------------------------------------------------- Advisory ID: SUSE-SU-2023:2929-1 Released: Fri Jul 21 10:09:07 2023 Summary: Security update for samba Type: security Severity: important References: 1212375,1213170,1213171,1213172,1213173,1213174,1213384,1213386,CVE-2020-25720,CVE-2022-2127,CVE-2023-3347,CVE-2023-34966,CVE-2023-34967,CVE-2023-34968 This update for samba fixes the following issues: samba was updated to version 4.17.9: - CVE-2022-2127: Fixed issue where lm_resp_len was not checked properly in winbindd_pam_auth_crap_send (bsc#1213174). - CVE-2023-34966: Fixed samba spotlight mdssvc RPC Request Infinite Loop Denial-of-Service Vulnerability (bsc#1213173). - CVE-2023-34967: Fixed samba spotlight mdssvc RPC Request Type Confusion Denial-of-Service Vulnerability (bsc#1213172). - CVE-2023-34968: Fixed spotlight server-side Share Path Disclosure (bsc#1213171). - CVE-2023-3347: Fixed issue where SMB2 packet signing not enforced (bsc#1213170). - CVE-2020-25720: Fixed issue where creating child permission allowed full write to all attributes (bsc#1213386). Bugfixes: - Fixed trust relationship failure (bsc#1213384). - Backported --pidl-developer fixes. - Fixed smbd_scavenger crash when service smbd is stopped. - Fixed issue where vfs_fruit might cause a failing open for delete. - Fixed named crashes on DLZ zone update. - Fixed issue where winbind recurses into itself via rpcd_lsad. - Fixed cli_list looping 100% CPU against pre-lanman2 servers. - Fixed smbclient leaks fds with showacls. - Fixed aes256 smb3encryption algorithms not allowed in smb3_sid_parse(). - Fixed winbindd getting stuck on NT_STATUS_RPC_SEC_PKG_ERROR. - Fixed smbget memory leak if failed to download files recursively. - Fixed log flood: smbd_calculate_access_mask_fsp: Access denied: message level should be lower. - Fixed floating point exception (FPE) via cli_pull_send at source3/libsmb/clireadwrite.c. - Fixed test_tstream_more_tcp_user_timeout_spin fails intermittently on Rackspace GitLab runners. - Reduce flapping of ridalloc test. - Fixed unreliable large_ldap test. - Fixed filename parser not checking veto files smb.conf parameter. - Fixed mdssvc may crash when initializing. - Fixed broken large directory optimization for non-lcomp path elements - Fixed streams_depot failing to create streams. - Fixed shadow_copy2 and streams_depot issues. - Fixed wbinfo -u fails on ad dc with > 1000 users. - Fixed winbindd idmap child contacting the domain controller without a need. - Fixed idmap_autorid may fail to map sids of trusted domains for the first time. - Fixed idmap_hash doesn't use ID_TYPE_BOTH for reverse mappings. - Fixed net ads search -P doesn't work against servers in other domains. - Fixed DS ACEs might be inherited to unrelated object classes. - Fixed temporary smbXsrv_tcon_global.tdb can't be parsed. - Fixed setting veto files = /.*/ breaking listing directories (bsc#1212375). - Fixed dsgetdcname assuming local system uses IPv4. ----------------------------------------------------------------- Advisory ID: SUSE-SU-2023:2945-1 Released: Mon Jul 24 09:37:30 2023 Summary: Security update for openssh Type: security Severity: important References: 1186673,1209536,1213004,1213008,1213504,CVE-2023-38408 This update for openssh fixes the following issues: - CVE-2023-38408: Fixed a condition where specific libaries loaded via ssh-agent(1)'s PKCS#11 support could be abused to achieve remote code execution via a forwarded agent socket if those libraries were present on the victim's system and if the agent was forwarded to an attacker-controlled system. [bsc#1213504, CVE-2023-38408] - Close the right filedescriptor and also close fdh in read_hmac to avoid file descriptor leaks. [bsc#1209536] - Attempts to mitigate instances of secrets lingering in memory after a session exits. [bsc#1186673, bsc#1213004, bsc#1213008] ----------------------------------------------------------------- Advisory ID: SUSE-SU-2023:2965-1 Released: Tue Jul 25 12:30:22 2023 Summary: Security update for openssl-1_1 Type: security Severity: moderate References: 1213487,CVE-2023-3446 This update for openssl-1_1 fixes the following issues: - CVE-2023-3446: Fixed DH_check() excessive time with over sized modulus (bsc#1213487). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2023:2966-1 Released: Tue Jul 25 14:26:14 2023 Summary: Recommended update for libxml2 Type: recommended Severity: moderate References: This update for libxml2 fixes the following issues: - Build also for modern python version (jsc#PED-68) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2023:3088-1 Released: Tue Aug 1 09:52:03 2023 Summary: Recommended update for systemd-presets-common-SUSE Type: recommended Severity: moderate References: 1212496 This update for systemd-presets-common-SUSE fixes the following issues: - Fix systemctl being called with an empty argument (bsc#1212496) - Don't call systemctl list-unit-files with an empty argument (bsc#1212496) - Add wtmpdb-update-boot.service and wtmpdb-rotate.timer ----------------------------------------------------------------- Advisory ID: SUSE-RU-2023:3102-1 Released: Tue Aug 1 14:11:53 2023 Summary: Recommended update for openssl-1_1 Type: recommended Severity: moderate References: 1213517 This update for openssl-1_1 fixes the following issues: - Dont pass zero length input to EVP_Cipher(bsc#1213517) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2023:3117-1 Released: Wed Aug 2 05:57:30 2023 Summary: Recommended update for hwinfo Type: recommended Severity: moderate References: 1212756 This update for hwinfo fixes the following issues: - Avoid linking problems with libsamba (bsc#1212756) - Update to version 21.85 ----------------------------------------------------------------- Advisory ID: SUSE-RU-2023:3170-1 Released: Thu Aug 3 08:02:27 2023 Summary: Recommended update for perl-Bootloader Type: recommended Severity: moderate References: 1201399,1208003,1210799 This update for perl-Bootloader fixes the following issues: - Use signed grub EFI binary when updating grub in default EFI location (bsc#1210799) - UEFI: update also default location, if it is controlled by SUSE (bsc#1210799, bsc#1201399) - Use `fw_platform_size` to distinguish between 32 bit and 64 bit UEFI platforms (bsc#1208003) - Add basic support for systemd-boot ----------------------------------------------------------------- Advisory ID: SUSE-SU-2023:3172-1 Released: Thu Aug 3 08:36:43 2023 Summary: Security update for the Linux Kernel Type: security Severity: important References: 1150305,1193629,1194869,1207894,1208788,1211243,1211867,1212256,1212301,1212525,1212846,1212905,1213059,1213061,1213205,1213206,1213226,1213233,1213245,1213247,1213252,1213258,1213259,1213263,1213264,1213286,1213493,1213523,1213524,1213533,1213543,1213705,CVE-2023-20593,CVE-2023-2985,CVE-2023-3117,CVE-2023-31248,CVE-2023-3390,CVE-2023-35001,CVE-2023-3812 The SUSE Linux Enterprise 15 SP5 kernel was updated to receive various security and bugfixes. The following security bugs were fixed: - CVE-2023-2985: Fixed an use-after-free vulnerability in hfsplus_put_super in fs/hfsplus/super.c that could allow a local user to cause a denial of service (bsc#1211867). - CVE-2023-3117: Fixed an use-after-free vulnerability in the netfilter subsystem when processing named and anonymous sets in batch requests that could allow a local user with CAP_NET_ADMIN capability to crash or potentially escalate their privileges on the system (bsc#1213245). - CVE-2023-3390: Fixed an use-after-free vulnerability in the netfilter subsystem in net/netfilter/nf_tables_api.c that could allow a local attacker with user access to cause a privilege escalation issue (bsc#1212846). - CVE-2023-3812: Fixed an out-of-bounds memory access flaw in the TUN/TAP device driver functionality that could allow a local user to crash or potentially escalate their privileges on the system (bsc#1213543). - CVE-2023-20593: Fixed a ZenBleed issue in 'Zen 2' CPUs that could allow an attacker to potentially access sensitive information (bsc#1213286). - CVE-2023-31248: Fixed an use-after-free vulnerability in nft_chain_lookup_byid that could allow a local attacker to escalate their privilege (bsc#1213061). - CVE-2023-35001: Fixed an out-of-bounds memory access flaw in nft_byteorder that could allow a local attacker to escalate their privilege (bsc#1213059). The following non-security bugs were fixed: - Dropped patch that caused issues with k3s (bsc#1213705). - ASoC: Intel: sof_sdw: remove SOF_SDW_TGL_HDMI for MeteorLake devices (git-fixes). - ASoC: SOF: topology:Fix logic for copying tuples (git-fixes). - Bluetooth: ISO: Fix CIG auto-allocation to select configurable CIG (git-fixes). - Bluetooth: ISO: consider right CIS when removing CIG at cleanup (git-fixes). - Bluetooth: ISO: fix iso_conn related locking and validity issues (git-fixes). - Bluetooth: ISO: use hci_sync for setting CIG parameters (git-fixes). - Bluetooth: fix invalid-bdaddr quirk for non-persistent setup (git-fixes). - Bluetooth: fix use-bdaddr-property quirk (git-fixes). - Bluetooth: hci_bcm: do not mark valid bd_addr as invalid (git-fixes). - Bluetooth: hci_event: call disconnect callback before deleting conn (git-fixes). - Bluetooth: hci_sync: Avoid use-after-free in dbg for hci_remove_adv_monitor() (git-fixes). - Bluetooth: use RCU for hci_conn_params and iterate safely in hci_sync (git-fixes). - Enable NXP SNVS RTC driver for i.MX 8MQ/8MP (jsc#PED-4758) - PCI: s390: Fix use-after-free of PCI resources with per-function hotplug (bsc#1212525). - PCI: vmd: Fix uninitialized variable usage in vmd_enable_domain() (git-fixes). - Revert 'arm64: dts: zynqmp: Add address-cells property to interrupt (git-fixes) - Revert 'drm/i915: Disable DSB usage for now' (git-fixes). - USB: dwc2: Fix some error handling paths (git-fixes). - USB: gadget: udc: core: Offload usb_udc_vbus_handler processing (git-fixes). - USB: gadget: udc: core: Prevent soft_connect_store() race (git-fixes). - USB: typec: Fix fast_role_swap_current show function (git-fixes). - Update config and supported.conf files due to renaming. - acpi: Fix suspend with Xen PV (git-fixes). - adreno: Shutdown the GPU properly (git-fixes). - arm64/mm: mark private VM_FAULT_X defines as vm_fault_t (git-fixes) - arm64: dts: microchip: sparx5: do not use PSCI on reference boards (git-fixes) - arm64: vdso: Pass (void *) to virt_to_page() (git-fixes) - arm64: xor-neon: mark xor_arm64_neon_*() static (git-fixes) - can: bcm: Fix UAF in bcm_proc_show() (git-fixes). - ceph: add a dedicated private data for netfs rreq (bsc#1213205). - ceph: fix blindly expanding thereadahead windows (bsc#1213206). - cifs: add a warning when the in-flight count goes negative (bsc#1193629). - cifs: address unused variable warning (bsc#1193629). - cifs: do all necessary checks for credits within or before locking (bsc#1193629). - cifs: fix lease break oops in xfstest generic/098 (bsc#1193629). - cifs: fix max_credits implementation (bsc#1193629). - cifs: fix session state check in reconnect to avoid use-after-free issue (bsc#1193629). - cifs: fix session state check in smb2_find_smb_ses (bsc#1193629). - cifs: fix session state transition to avoid use-after-free issue (bsc#1193629). - cifs: fix sockaddr comparison in iface_cmp (bsc#1193629). - cifs: fix status checks in cifs_tree_connect (bsc#1193629). - cifs: log session id when a matching ses is not found (bsc#1193629). - cifs: new dynamic tracepoint to track ses not found errors (bsc#1193629). - cifs: prevent use-after-free by freeing the cfile later (bsc#1193629). - cifs: print all credit counters in DebugData (bsc#1193629). - cifs: print client_guid in DebugData (bsc#1193629). - cifs: print more detail when invalidate_inode_mapping fails (bsc#1193629). - cifs: print nosharesock value while dumping mount options (bsc#1193629). - codel: fix kernel-doc notation warnings (git-fixes). - cpufreq: tegra194: Fix module loading (git-fixes). - devlink: fix kernel-doc notation warnings (git-fixes). - dma-buf/dma-resv: Stop leaking on krealloc() failure (git-fixes). - drm/amd/amdgpu: introduce gc_*_mes_2.bin v2 (git-fixes). - drm/amd/amdgpu: limit one queue per gang (git-fixes). - drm/amd/amdgpu: update mes11 api def (git-fixes). - drm/amd/display (gcc13): fix enum mismatch (git-fixes). - drm/amd/display: Add Z8 allow states to z-state support list (git-fixes). - drm/amd/display: Add debug option to skip PSR CRTC disable (git-fixes). - drm/amd/display: Add minimum Z8 residency debug option (git-fixes). - drm/amd/display: Add missing WA and MCLK validation (git-fixes). - drm/amd/display: Change default Z8 watermark values (git-fixes). -drm/amd/display: Correct DML calculation to align HW formula (git-fixes). - drm/amd/display: Correct DML calculation to follow HW SPEC (git-fixes). - drm/amd/display: Do not update DRR while BW optimizations pending (git-fixes). - drm/amd/display: Enable HostVM based on rIOMMU active (git-fixes). - drm/amd/display: Enforce 60us prefetch for 200Mhz DCFCLK modes (git-fixes). - drm/amd/display: Ensure vmin and vmax adjust for DCE (git-fixes). - drm/amd/display: Fix 4to1 MPC black screen with DPP RCO (git-fixes). - drm/amd/display: Fix Z8 support configurations (git-fixes). - drm/amd/display: Fix a test CalculatePrefetchSchedule() (git-fixes). - drm/amd/display: Fix a test dml32_rq_dlg_get_rq_reg() (git-fixes). - drm/amd/display: Have Payload Properly Created After Resume (git-fixes). - drm/amd/display: Lowering min Z8 residency time (git-fixes). - drm/amd/display: Reduce sdp bw after urgent to 90% (git-fixes). - drm/amd/display: Refactor eDP PSR codes (git-fixes). - drm/amd/display: Remove FPU guards from the DML folder (git-fixes). - drm/amd/display: Remove optimization for VRR updates (git-fixes). - drm/amd/display: Remove stutter only configurations (git-fixes). - drm/amd/display: Update Z8 SR exit/enter latencies (git-fixes). - drm/amd/display: Update Z8 watermarks for DCN314 (git-fixes). - drm/amd/display: Update minimum stutter residency for DCN314 Z8 (git-fixes). - drm/amd/display: filter out invalid bits in pipe_fuses (git-fixes). - drm/amd/display: fix PSR-SU/DSC interoperability support (git-fixes). - drm/amd/display: fix a divided-by-zero error (git-fixes). - drm/amd/display: fixed dcn30+ underflow issue (git-fixes). - drm/amd/display: limit timing for single dimm memory (git-fixes). - drm/amd/display: populate subvp cmd info only for the top pipe (git-fixes). - drm/amd/display: set dcn315 lb bpp to 48 (git-fixes). - drm/amd/pm: add missing NotifyPowerSource message mapping for SMU13.0.7 (git-fixes). - drm/amd/pm: avoid potential UBSAN issue on legacy asics (git-fixes). - drm/amd/pm: conditionallydisable pcie lane switching for some sienna_cichlid SKUs (git-fixes). - drm/amd/pm: fix possible power mode mismatch between driver and PMFW (git-fixes). - drm/amd/pm: resolve reboot exception for si oland (git-fixes). - drm/amd/pm: reverse mclk and fclk clocks levels for SMU v13.0.4 (git-fixes). - drm/amd/pm: reverse mclk clocks levels for SMU v13.0.5 (git-fixes). - drm/amd/pm: workaround for compute workload type on some skus (git-fixes). - drm/amd: Add a new helper for loading/validating microcode (git-fixes). - drm/amd: Do not allow s0ix on APUs older than Raven (git-fixes). - drm/amd: Load MES microcode during early_init (git-fixes). - drm/amd: Use `amdgpu_ucode_*` helpers for MES (git-fixes). - drm/amdgpu/gfx11: Adjust gfxoff before powergating on gfx11 as well (git-fixes). - drm/amdgpu/gfx11: update gpu_clock_counter logic (git-fixes). - drm/amdgpu/gfx: set cg flags to enter/exit safe mode (git-fixes). - drm/amdgpu/gmc11: implement get_vbios_fb_size() (git-fixes). - drm/amdgpu/jpeg: Remove harvest checking for JPEG3 (git-fixes). - drm/amdgpu/mes11: enable reg active poll (git-fixes). - drm/amdgpu/vcn: Disable indirect SRAM on Vangogh broken BIOSes (git-fixes). - drm/amdgpu/vkms: relax timer deactivation by hrtimer_try_to_cancel (git-fixes). - drm/amdgpu: Do not set struct drm_driver.output_poll_changed (git-fixes). - drm/amdgpu: Fix desktop freezed after gpu-reset (git-fixes). - drm/amdgpu: Fix memcpy() in sienna_cichlid_append_powerplay_table function (git-fixes). - drm/amdgpu: Fix sdma v4 sw fini error (git-fixes). - drm/amdgpu: Fix usage of UMC fill record in RAS (git-fixes). - drm/amdgpu: Force signal hw_fences that are embedded in non-sched jobs (git-fixes). - drm/amdgpu: add mes resume when do gfx post soft reset (git-fixes). - drm/amdgpu: change reserved vram info print (git-fixes). - drm/amdgpu: declare firmware for new MES 11.0.4 (git-fixes). - drm/amdgpu: enable tmz by default for GC 11.0.1 (git-fixes). - drm/amdgpu: fix amdgpu_irq_put call trace in gmc_v10_0_hw_fini (git-fixes). - drm/amdgpu:fix amdgpu_irq_put call trace in gmc_v11_0_hw_fini (git-fixes). - drm/amdgpu: fix an amdgpu_irq_put() issue in gmc_v9_0_hw_fini() (git-fixes). - drm/amdgpu: refine get gpu clock counter method (git-fixes). - drm/amdgpu: remove deprecated MES version vars (git-fixes). - drm/amdgpu: reserve the old gc_11_0_*_mes.bin (git-fixes). - drm/amdgpu: set gfx9 onwards APU atomics support to be true (git-fixes). - drm/amdgpu: vcn_4_0 set instance 0 init sched score to 1 (git-fixes). - drm/bridge: anx7625: Convert to i2c's .probe_new() (git-fixes). - drm/bridge: anx7625: Fix refcount bug in anx7625_parse_dt() (git-fixes). - drm/bridge: anx7625: Prevent endless probe loop (git-fixes). - drm/bridge: it6505: Move a variable assignment behind a null pointer check in receive_timing_debugfs_show() (git-fixes). - drm/bridge: tc358767: Switch to devm MIPI-DSI helpers (git-fixes). - drm/bridge: tc358768: Add atomic_get_input_bus_fmts() implementation (git-fixes). - drm/bridge: tc358768: fix TCLK_TRAILCNT computation (git-fixes). - drm/bridge: tc358768: fix THS_TRAILCNT computation (git-fixes). - drm/bridge: tc358768: fix THS_ZEROCNT computation (git-fixes). - drm/bridge: ti-sn65dsi83: Fix enable error path (git-fixes). - drm/client: Fix memory leak in drm_client_target_cloned (git-fixes). - drm/display/dp_mst: Fix payload addition on a disconnected sink (git-fixes). - drm/display: Do not block HDR_OUTPUT_METADATA on unknown EOTF (git-fixes). - drm/drm_vma_manager: Add drm_vma_node_allow_once() (git-fixes). - drm/dsc: fix DP_DSC_MAX_BPP_DELTA_* macro values (git-fixes). - drm/dsc: fix drm_edp_dsc_sink_output_bpp() DPCD high byte usage (git-fixes). - drm/etnaviv: move idle mapping reaping into separate function (git-fixes). - drm/etnaviv: reap idle mapping if it does not match the softpin address (git-fixes). - drm/i915/dp_mst: Add the MST topology state for modesetted CRTCs (bsc#1213493). - drm/i915/fbdev: lock the fbdev obj before vma pin (git-fixes). - drm/i915/gt: Cleanup partial engine discovery failures (git-fixes). -drm/i915/guc: Add error-capture init warnings when needed (git-fixes). - drm/i915/guc: Fix missing ecodes (git-fixes). - drm/i915/guc: Limit scheduling properties to avoid overflow (git-fixes). - drm/i915/guc: Rename GuC register state capture node to be more obvious (git-fixes). - drm/i915/mtl: update scaler source and destination limits for MTL (git-fixes). - drm/i915/sdvo: Grab mode_config.mutex during LVDS init to avoid WARNs (git-fixes). - drm/i915/sseu: fix max_subslices array-index-out-of-bounds access (git-fixes). - drm/i915/tc: Fix TC port link ref init for DP MST during HW readout (git-fixes). - drm/i915: Allow panel fixed modes to have differing sync polarities (git-fixes). - drm/i915: Check pipe source size when using skl+ scalers (git-fixes). - drm/i915: Do panel VBT init early if the VBT declares an explicit panel type (git-fixes). - drm/i915: Fix TypeC mode initialization during system resume (git-fixes). - drm/i915: Fix a memory leak with reused mmap_offset (git-fixes). - drm/i915: Fix negative value passed as remaining time (git-fixes). - drm/i915: Fix one wrong caching mode enum usage (git-fixes). - drm/i915: Introduce intel_panel_init_alloc() (git-fixes). - drm/i915: Never return 0 if not all requests retired (git-fixes). - drm/i915: Populate encoder-> devdata for DSI on icl+ (git-fixes). - drm/i915: Print return value on error (git-fixes). - drm/i915: Use _MMIO_PIPE() for SKL_BOTTOM_COLOR (git-fixes). - drm/meson: Fix return type of meson_encoder_cvbs_mode_valid() (git-fixes). - drm/msm/a5xx: really check for A510 in a5xx_gpu_init (git-fixes). - drm/msm/adreno: Simplify read64/write64 helpers (git-fixes). - drm/msm/adreno: fix runtime PM imbalance at unbind (git-fixes). - drm/msm/disp/dpu: get timing engine status from intf status register (git-fixes). - drm/msm/dpu: Add DSC hardware blocks to register snapshot (git-fixes). - drm/msm/dpu: Assign missing writeback log_mask (git-fixes). - drm/msm/dpu: Set DPU_DATA_HCTL_EN for in INTF_SC7180_MASK (git-fixes). - drm/msm/dpu: clean updpu_kms_get_clk_rate() returns (git-fixes). - drm/msm/dpu: set DSC flush bit correctly at MDP CTL flush register (git-fixes). - drm/msm/hdmi: use devres helper for runtime PM management (git-fixes). - drm/panel: boe-tv101wum-nl6: Ensure DSI writes succeed during disable (git-fixes). - drm/panel: simple: Add Powertip PH800480T013 drm_display_mode flags (git-fixes). - drm/panel: simple: Add connector_type for innolux_at043tn24 (git-fixes). - drm/rockchip: dw_hdmi: cleanup drm encoder during unbind (git-fixes). - drm/ttm: Do not leak a resource on swapout move error (git-fixes). - drm/virtio: Fix memory leak in virtio_gpu_object_create() (git-fixes). - drm/virtio: Simplify error handling of virtio_gpu_object_create() (git-fixes). - drm/vmwgfx: Refactor resource manager's hashtable to use linux/hashtable implementation (git-fixes). - drm/vmwgfx: Refactor resource validation hashtable to use linux/hashtable implementation (git-fixes). - drm/vmwgfx: Refactor ttm reference object hashtable to use linux/hashtable (git-fixes). - drm/vmwgfx: Remove ttm object hashtable (git-fixes). - drm/vmwgfx: Remove vmwgfx_hashtab (git-fixes). - drm/vmwgfx: Write the driver id registers (git-fixes). - drm: Add fixed-point helper to get rounded integer values (git-fixes). - drm: Add missing DP DSC extended capability definitions (git-fixes). - drm: Optimize drm buddy top-down allocation method (git-fixes). - drm: buddy_allocator: Fix buddy allocator init on 32-bit systems (git-fixes). - drm: panel-orientation-quirks: Add quirk for DynaBook K50 (git-fixes). - drm: rcar-du: Add quirk for H3 ES1.x pclk workaround (git-fixes). - drm: rcar-du: Fix setting a reserved bit in DPLLCR (git-fixes). - drm: use mgr-> dev in drm_dbg_kms in drm_dp_add_payload_part2 (git-fixes). - fuse: ioctl: translate ENOSYS in outarg (bsc#1213524). - fuse: revalidate: do not invalidate if interrupted (bsc#1213523). - i2c: tegra: Set ACPI node as primary fwnode (bsc#1213226). - irqchip/gic-v3: Claim iomem resources (bsc#1213533) - irqchip/gicv3: Handle resourcerequest failure consistently (bsc#1213533) - irqchip/gicv3: Workaround for NVIDIA erratum T241-FABRIC-4 (bsc#1213533) - kABI: do not check external trampolines for signature (kabi bsc#1207894 bsc#1211243). - kabi/severities: Add VAS symbols changed due to recent fix VAS accelerators are directly tied to the architecture, there is no reason to have out-of-tree production drivers - kabi/severities: ignore kABI of i915 module It's exported only for its sub-module, not really used by externals - kabi/severities: ignore kABI of vmwgfx The driver exports a function unnecessarily without used by anyone else. Ignore the kABI changes. - memcg: drop kmem.limit_in_bytes (bsc#1208788, bsc#1212905). - net: mana: Add support for vlan tagging (bsc#1212301). - net: phy: prevent stale pointer dereference in phy_init() (git-fixes). - net: qrtr: Fix an uninit variable access bug in qrtr_tx_resume() (git-fixes). - net: qrtr: start MHI channel after endpoit creation (git-fixes). - nilfs2: reject devices with insufficient block count (git-fixes). - ocfs2: Switch to security_inode_init_security() (git-fixes). - ocfs2: check new file size on fallocate call (git-fixes). - ocfs2: fix use-after-free when unmounting read-only filesystem (git-fixes). - perf/x86/amd/core: Always clear status for idx (bsc#1213233). - pie: fix kernel-doc notation warning (git-fixes). - powerpc/64: Only WARN if __pa()/__va() called with bad addresses (bsc#1194869). - powerpc/64s: Fix VAS mm use after free (bsc#1194869). - powerpc/book3s64/mm: Fix DirectMap stats in /proc/meminfo (bsc#1194869). - powerpc/bpf: Fix use of user_pt_regs in uapi (bsc#1194869). - powerpc/ftrace: Remove ftrace init tramp once kernel init is complete (bsc#1194869). - powerpc/interrupt: Do not read MSR from interrupt_exit_kernel_prepare() (bsc#1194869). - powerpc/mm/dax: Fix the condition when checking if altmap vmemap can cross-boundary (bsc#1150305 ltc#176097 git-fixes). - powerpc/mm: Switch obsolete dssall to .long (bsc#1194869). - powerpc/powernv/sriov: perform null check on iovbefore dereferencing iov (bsc#1194869). - powerpc/powernv/vas: Assign real address to rx_fifo in vas_rx_win_attr (bsc#1194869). - powerpc/prom_init: Fix kernel config grep (bsc#1194869). - powerpc/pseries/vas: Hold mmap_mutex after mmap lock during window close (jsc#PED-542 git-fixes). - powerpc/secvar: fix refcount leak in format_show() (bsc#1194869). - powerpc/xics: fix refcount leak in icp_opal_init() (bsc#1194869). - powerpc: clean vdso32 and vdso64 directories (bsc#1194869). - powerpc: define get_cycles macro for arch-override (bsc#1194869). - powerpc: update ppc_save_regs to save current r1 in pt_regs (bsc#1194869). - rpm/check-for-config-changes: ignore also RISCV_ISA_* and DYNAMIC_SIGFRAME They depend on CONFIG_TOOLCHAIN_HAS_*. - rsi: remove kernel-doc comment marker (git-fixes). - s390/ap: fix status returned by ap_aqic() (git-fixes bsc#1213259). - s390/ap: fix status returned by ap_qact() (git-fixes bsc#1213258). - s390/debug: add _ASM_S390_ prefix to header guard (git-fixes bsc#1213263). - s390/pci: clean up left over special treatment for function zero (bsc#1212525). - s390/pci: only add specific device in zpci_bus_scan_device() (bsc#1212525). - s390/pci: remove redundant pci_bus_add_devices() on new bus (bsc#1212525). - s390/percpu: add READ_ONCE() to arch_this_cpu_to_op_simple() (git-fixes bsc#1213252). - s390: define RUNTIME_DISCARD_EXIT to fix link error with GNU ld < 2.36 (git-fixes bsc#1213264). - s390: discard .interp section (git-fixes bsc#1213247). - security: keys: Modify mismatched function name (git-fixes). - selftests/ir: fix build with ancient kernel headers (git-fixes). - selftests: cgroup: fix unsigned comparison with less than zero (git-fixes). - selftests: forwarding: Fix packet matching in mirroring selftests (git-fixes). - selftests: tc: add 'ct' action kconfig dep (git-fixes). - selftests: tc: add ConnTrack procfs kconfig (git-fixes). - selftests: tc: set timeout to 15 minutes (git-fixes). - signal/powerpc: On swapcontext failure force SIGSEGV (bsc#1194869). - signal: Replaceforce_sigsegv(SIGSEGV) with force_fatal_sig(SIGSEGV) (bsc#1194869). - smb3: do not reserve too many oplock credits (bsc#1193629). - smb3: missing null check in SMB2_change_notify (bsc#1193629). - smb: client: fix broken file attrs with nodfs mounts (bsc#1193629). - smb: client: fix missed ses refcounting (git-fixes). - smb: client: fix parsing of source mount option (bsc#1193629). - smb: client: fix shared DFS root mounts with different prefixes (bsc#1193629). - smb: client: fix warning in CIFSFindFirst() (bsc#1193629). - smb: client: fix warning in CIFSFindNext() (bsc#1193629). - smb: client: fix warning in cifs_match_super() (bsc#1193629). - smb: client: fix warning in cifs_smb3_do_mount() (bsc#1193629). - smb: client: fix warning in generic_ip_connect() (bsc#1193629). - smb: client: improve DFS mount check (bsc#1193629). - smb: client: remove redundant pointer 'server' (bsc#1193629). - smb: delete an unnecessary statement (bsc#1193629). - smb: move client and server files to common directory fs/smb (bsc#1193629). - smb: remove obsolete comment (bsc#1193629). - soundwire: bus_type: Avoid lockdep assert in sdw_drv_probe() (git-fixes). - soundwire: cadence: Drain the RX FIFO after an IO timeout (git-fixes). - soundwire: stream: Add missing clear of alloc_slave_rt (git-fixes). - spi: bcm63xx: fix max prepend length (git-fixes). - swsmu/amdgpu_smu: Fix the wrong if-condition (git-fixes). - tpm: tpm_vtpm_proxy: fix a race condition in /dev/vtpmx creation (git-fixes). - wifi: airo: avoid uninitialized warning in airo_get_rate() (git-fixes). - wifi: ath10k: Trigger STA disconnect after reconfig complete on hardware restart (git-fixes). - wifi: ath11k: Add missing check for ioremap (git-fixes). - wifi: rtw89: debug: fix error code in rtw89_debug_priv_send_h2c_set() (git-fixes). - x86/amd_nb: Add PCI ID for family 19h model 78h (git-fixes). - x86/platform/uv: Add platform resolving #defines for misc GAM_MMIOH_REDIRECT* (bsc#1212256 jsc#PED-4718). - x86/platform/uv: Fix printed information in calc_mmioh_map (bsc#1212256jsc#PED-4718). - x86/platform/uv: Helper functions for allocating and freeing conversion tables (bsc#1212256 jsc#PED-4718). - x86/platform/uv: Introduce helper function uv_pnode_to_socket (bsc#1212256 jsc#PED-4718). - x86/platform/uv: Remove remaining BUG_ON() and BUG() calls (bsc#1212256 jsc#PED-4718). - x86/platform/uv: UV support for sub-NUMA clustering (bsc#1212256 jsc#PED-4718). - x86/platform/uv: Update UV platform code for SNC (bsc#1212256 jsc#PED-4718). - x86/platform/uv: When searching for minimums, start at INT_MAX not 99999 (bsc#1212256 jsc#PED-4718). - x86: Fix .brk attribute in linker script (git-fixes). - xfs: clean up the rtbitmap fsmap backend (git-fixes). - xfs: do not deplete the reserve pool when trying to shrink the fs (git-fixes). - xfs: do not reverse order of items in bulk AIL insertion (git-fixes). - xfs: fix getfsmap reporting past the last rt extent (git-fixes). - xfs: fix integer overflows in the fsmap rtbitmap and logdev backends (git-fixes). - xfs: fix interval filtering in multi-step fsmap queries (git-fixes). - xfs: fix logdev fsmap query result filtering (git-fixes). - xfs: fix off-by-one error when the last rt extent is in use (git-fixes). - xfs: fix uninitialized variable access (git-fixes). - xfs: make fsmap backend function key parameters const (git-fixes). - xfs: make the record pointer passed to query_range functions const (git-fixes). - xfs: pass explicit mount pointer to rtalloc query functions (git-fixes). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2023:3196-1 Released: Fri Aug 4 10:02:04 2023 Summary: Recommended update for protobuf-c Type: recommended Severity: moderate References: 1213443 This update for protobuf-c fixes the following issues: - Include executables required to generate Protocol Buffers glue code in the devel subpackage (bsc#1213443) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2023:3217-1 Released: Mon Aug 7 16:51:10 2023 Summary: Recommended update for cryptsetup Type: recommended Severity: moderate References: 1211079 This update for cryptsetup fixes the following issues: - Handle system with low memory and no swap space (bsc#1211079) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2023:3242-1 Released: Tue Aug 8 18:19:40 2023 Summary: Security update for openssl-1_1 Type: security Severity: moderate References: 1213853,CVE-2023-3817 This update for openssl-1_1 fixes the following issues: - CVE-2023-3817: Fixed a potential DoS due to excessive time spent checking DH q parameter value. (bsc#1213853) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2023:3253-1 Released: Wed Aug 9 10:52:10 2023 Summary: Recommended update for bind Type: recommended Severity: moderate References: 1213049 This update for bind fixes the following issues: - Add dnstap support (jsc#PED-4852) - Log named-checkconf output (bsc#1213049) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2023:3276-1 Released: Fri Aug 11 10:20:40 2023 Summary: Recommended update for apparmor Type: recommended Severity: moderate References: 1213472 This update for apparmor fixes the following issues: - Add pam_apparmor README (bsc#1213472) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2023:3282-1 Released: Fri Aug 11 10:26:23 2023 Summary: Recommended update for blog Type: recommended Severity: moderate References: This update for blog fixes the following issues: - Fix big endian cast problems to be able to read commands and ansers as well as passphrases ----------------------------------------------------------------- Advisory ID: SUSE-feature-2023:3283-1 Released: Fri Aug 11 10:28:34 2023 Summary: Feature update for cloud-init Type: feature Severity: moderate References: 1184758,1210273,1212879,CVE-2021-3429,CVE-2023-1786 This update for cloud-init fixes the following issues: - Default route is not configured (bsc#1212879) - cloud-final service failing in powerVS (bsc#1210273) - Randomly generated passwords logged in clear-text to world-readable file (bsc#1184758, CVE-2021-3429) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2023:3285-1 Released: Fri Aug 11 10:30:38 2023 Summary: Recommended update for shadow Type: recommended Severity: moderate References: 1206627,1213189 This update for shadow fixes the following issues: - Prevent lock files from remaining after power interruptions (bsc#1213189) - Add --prefix support to passwd, chpasswd and chage (bsc#1206627) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2023:3301-1 Released: Mon Aug 14 07:24:59 2023 Summary: Security update for libyajl Type: security Severity: moderate References: 1212928,CVE-2023-33460 This update for libyajl fixes the following issues: - CVE-2023-33460: Fixed memory leak which could cause out-of-memory in server (bsc#1212928). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2023:3311-1 Released: Mon Aug 14 16:23:36 2023 Summary: Security update for the Linux Kernel Type: security Severity: important References: 1206418,1207129,1207948,1210627,1210780,1210825,1211131,1211738,1211811,1212445,1212502,1212604,1212766,1212901,1213167,1213272,1213287,1213304,1213417,1213578,1213585,1213586,1213588,1213601,1213620,1213632,1213653,1213713,1213715,1213747,1213756,1213759,1213777,1213810,1213812,1213856,1213857,1213863,1213867,1213870,1213871,1213872,CVE-2022-40982,CVE-2023-0459,CVE-2023-20569,CVE-2023-21400,CVE-2023-2156,CVE-2023-2166,CVE-2023-31083,CVE-2023-3268,CVE-2023-3567,CVE-2023-3609,CVE-2023-3611,CVE-2023-3776,CVE-2023-38409,CVE-2023-3863,CVE-2023-4004 The SUSE Linux Enterprise 15 SP5 kernel was updated to receive varioussecurity and bugfixes. The following security bugs were fixed: - CVE-2022-40982: Fixed transient execution attack called 'Gather Data Sampling' (bsc#1206418). - CVE-2023-0459: Fixed information leak in __uaccess_begin_nospec (bsc#1211738). - CVE-2023-20569: Fixed side channel attack ‘Inception’ or ‘RAS Poisoning’ (bsc#1213287). - CVE-2023-21400: Fixed several memory corruptions due to improper locking in io_uring (bsc#1213272). - CVE-2023-2156: Fixed a flaw in the networking subsystem within the handling of the RPL protocol (bsc#1211131). - CVE-2023-2166: Fixed NULL pointer dereference in can_rcv_filter (bsc#1210627). - CVE-2023-31083: Fixed race condition in hci_uart_tty_ioctl (bsc#1210780). - CVE-2023-3268: Fixed an out of bounds memory access flaw in relay_file_read_start_pos in the relayfs (bsc#1212502). - CVE-2023-3567: Fixed a use-after-free in vcs_read in drivers/tty/vt/vc_screen.c (bsc#1213167). - CVE-2023-3609: Fixed reference counter leak leading to overflow in net/sched (bsc#1213586). - CVE-2023-3611: Fixed an out-of-bounds write in net/sched sch_qfq(bsc#1213585). - CVE-2023-3776: Fixed improper refcount update in cls_fw leads to use-after-free (bsc#1213588). - CVE-2023-38409: Fixed an issue in set_con2fb_map in drivers/video/fbdev/core/fbcon.c. Because an assignment occurs only for the first vc, the fbcon_registered_fb and fbcon_display arrays can be desynchronized in fbcon_mode_deleted (the con2fb_map points at the old fb_info) (bsc#1213417). - CVE-2023-3863: Fixed a use-after-free flaw in nfc_llcp_find_local in net/nfc/llcp_core.c in NFC. This flaw allowed a local user with special privileges to impact a kernel information leak issue (bsc#1213601). - CVE-2023-4004: Fixed improper element removal netfilter nft_set_pipapo (bsc#1213812). The following non-security bugs were fixed: - ACPI: CPPC: Add ACPI disabled check to acpi_cpc_valid() (bsc#1212445). - ACPI: CPPC: Add definition for undefined FADT preferred PM profile value (bsc#1212445). - ACPI/IORT: Remove erroneousid_count check in iort_node_get_rmr_info() (git-fixes). - ACPI: utils: Fix acpi_evaluate_dsm_typed() redefinition error (git-fixes). - afs: Adjust ACK interpretation to try and cope with NAT (git-fixes). - afs: Fix access after dec in put functions (git-fixes). - afs: Fix afs_getattr() to refetch file status if callback break occurred (git-fixes). - afs: Fix dynamic root getattr (git-fixes). - afs: Fix fileserver probe RTT handling (git-fixes). - afs: Fix infinite loop found by xfstest generic/676 (git-fixes). - afs: Fix lost servers_outstanding count (git-fixes). - afs: Fix server-> active leak in afs_put_server (git-fixes). - afs: Fix setting of mtime when creating a file/dir/symlink (git-fixes). - afs: Fix updating of i_size with dv jump from server (git-fixes). - afs: Fix vlserver probe RTT handling (git-fixes). - afs: Return -EAGAIN, not -EREMOTEIO, when a file already locked (git-fixes). - afs: Use refcount_t rather than atomic_t (git-fixes). - afs: Use the operation issue time instead of the reply time for callbacks (git-fixes). - ALSA: emu10k1: roll up loops in DSP setup code for Audigy (git-fixes). - ALSA: hda/realtek: Add quirk for Clevo NS70AU (git-fixes). - ALSA: hda/realtek: Add support for DELL Oasis 13/14/16 laptops (git-fixes). - ALSA: hda/realtek: Enable Mute LED on HP Laptop 15s-eq2xxx (git-fixes). - ALSA: hda/realtek: Fix generic fixup definition for cs35l41 amp (git-fixes). - ALSA: hda/realtek - remove 3k pull low procedure (git-fixes). - ALSA: hda/realtek: Support ASUS G713PV laptop (git-fixes). - ALSA: hda/relatek: Enable Mute LED on HP 250 G8 (git-fixes). - ALSA: usb-audio: Add FIXED_RATE quirk for JBL Quantum610 Wireless (git-fixes). - ALSA: usb-audio: Add new quirk FIXED_RATE for JBL Quantum810 Wireless (git-fixes). - ALSA: usb-audio: Add quirk for Microsoft Modern Wireless Headset (bsc#1207129). - ALSA: usb-audio: Always initialize fixed_rate in snd_usb_find_implicit_fb_sync_format() (git-fixes). - ALSA: usb-audio: Apply mutex around snd_usb_endpoint_set_params() (git-fixes). - ALSA:usb-audio: Avoid superfluous endpoint setup (git-fixes). - ALSA: usb-audio: Avoid unnecessary interface change at EP close (git-fixes). - ALSA: usb-audio: Clear fixed clock rate at closing EP (git-fixes). - ALSA: usb-audio: Correct the return code from snd_usb_endpoint_set_params() (git-fixes). - ALSA: usb-audio: Drop superfluous interface setup at parsing (git-fixes). - ALSA: usb-audio: Fix possible NULL pointer dereference in snd_usb_pcm_has_fixed_rate() (git-fixes). - ALSA: usb-audio: Fix wrong kfree issue in snd_usb_endpoint_free_all (git-fixes). - ALSA: usb-audio: More refactoring of hw constraint rules (git-fixes). - ALSA: usb-audio: Properly refcounting clock rate (git-fixes). - ALSA: usb-audio: Rate limit usb_set_interface error reporting (git-fixes). - ALSA: usb-audio: Refcount multiple accesses on the single clock (git-fixes). - ALSA: usb-audio: Split endpoint setups for hw_params and prepare (take#2) (git-fixes). - ALSA: usb-audio: Update for native DSD support quirks (git-fixes). - ALSA: usb-audio: Use atomic_try_cmpxchg in ep_state_update (git-fixes). - ALSA: usb-audio: Workaround for XRUN at prepare (git-fixes). - amd-pstate: Fix amd_pstate mode switch (git-fixes). - ASoC: amd: acp: fix for invalid dai id handling in acp_get_byte_count() (git-fixes). - ASoC: atmel: Fix the 8K sample parameter in I2SC master (git-fixes). - ASoc: codecs: ES8316: Fix DMIC config (git-fixes). - ASoC: codecs: wcd934x: fix resource leaks on component remove (git-fixes). - ASoC: codecs: wcd938x: fix codec initialisation race (git-fixes). - ASoC: codecs: wcd938x: fix dB range for HPHL and HPHR (git-fixes). - ASoC: codecs: wcd938x: fix missing clsh ctrl error handling (git-fixes). - ASoC: codecs: wcd938x: fix soundwire initialisation race (git-fixes). - ASoC: codecs: wcd-mbhc-v2: fix resource leaks on component remove (git-fixes). - ASoC: da7219: Check for failure reading AAD IRQ events (git-fixes). - ASoC: da7219: Flush pending AAD IRQ when suspending (git-fixes). - ASoC: fsl_sai: Disable bit clock with transmitter(git-fixes). - ASoC: fsl_spdif: Silence output on stop (git-fixes). - ASoC: rt5640: Fix sleep in atomic context (git-fixes). - ASoC: rt5682-sdw: fix for JD event handling in ClockStop Mode0 (git-fixes). - ASoC: rt711: fix for JD event handling in ClockStop Mode0 (git-fixes). - ASoC: rt711-sdca: fix for JD event handling in ClockStop Mode0 (git-fixes). - ASoC: SOF: ipc3-dtrace: uninitialized data in dfsentry_trace_filter_write() (git-fixes). - ASoC: tegra: Fix ADX byte map (git-fixes). - ASoC: tegra: Fix AMX byte map (git-fixes). - ASoC: wm8904: Fill the cache for WM8904_ADC_TEST_0 register (git-fixes). - ata: pata_ns87415: mark ns87560_tf_read static (git-fixes). - block, bfq: Fix division by zero error on zero wsum (bsc#1213653). - block: Fix a source code comment in include/uapi/linux/blkzoned.h (git-fixes). - bus: mhi: add new interfaces to handle MHI channels directly (bsc#1207948). - bus: mhi: host: add destroy_device argument to mhi_power_down() (bsc#1207948). - can: gs_usb: gs_can_close(): add missing set of CAN state to CAN_STATE_STOPPED (git-fixes). - ceph: do not let check_caps skip sending responses for revoke msgs (bsc#1213856). - coda: Avoid partial allocation of sig_inputArgs (git-fixes). - cpufreq: amd-pstate: add amd-pstate driver parameter for mode selection (bsc#1212445). - cpufreq: amd-pstate: Add AMD P-State frequencies attributes (bsc#1212445). - cpufreq: amd-pstate: Add AMD P-State performance attributes (bsc#1212445). - cpufreq: amd-pstate: Add boost mode support for AMD P-State (bsc#1212445). - cpufreq: amd-pstate: add driver working mode switch support (bsc#1212445). - cpufreq: amd-pstate: Add -> fast_switch() callback (bsc#1212445). - cpufreq: amd-pstate: Add fast switch function for AMD P-State (bsc#1212445). - cpufreq: amd-pstate: Add guided autonomous mode (bsc#1212445). - cpufreq: amd-pstate: Add guided mode control support via sysfs (bsc#1212445). - cpufreq: amd-pstate: Add more tracepoint for AMD P-State module (bsc#1212445). - cpufreq: amd-pstate: Add resume and suspend callbacks(bsc#1212445). - cpufreq: amd-pstate: Add trace for AMD P-State module (bsc#1212445). - cpufreq: amd-pstate: avoid uninitialized variable use (bsc#1212445). - cpufreq: amd-pstate: change amd-pstate driver to be built-in type (bsc#1212445). - cpufreq: amd-pstate: convert sprintf with sysfs_emit() (bsc#1212445). - cpufreq: amd-pstate: cpufreq: amd-pstate: reset MSR_AMD_PERF_CTL register at init (bsc#1212445). - cpufreq: amd-pstate: Expose struct amd_cpudata (bsc#1212445). - cpufreq: amd-pstate: Fix initial highest_perf value (bsc#1212445). - cpufreq: amd-pstate: Fix invalid write to MSR_AMD_CPPC_REQ (bsc#1212445). - cpufreq: amd-pstate: Fix Kconfig dependencies for AMD P-State (bsc#1212445). - cpufreq: amd-pstate: fix kernel hang issue while amd-pstate unregistering (bsc#1212445). - cpufreq: amd-pstate: Fix struct amd_cpudata kernel-doc comment (bsc#1212445). - cpufreq: amd-pstate: fix white-space (bsc#1212445). - cpufreq: amd_pstate: fix wrong lowest perf fetch (bsc#1212445). - cpufreq: amd-pstate: implement amd pstate cpu online and offline callback (bsc#1212445). - cpufreq: amd-pstate: implement Pstate EPP support for the AMD processors (bsc#1212445). - cpufreq: amd-pstate: implement suspend and resume callbacks (bsc#1212445). - cpufreq: amd-pstate: Introduce a new AMD P-State driver to support future processors (bsc#1212445). - cpufreq: amd-pstate: Introduce the support for the processors with shared memory solution (bsc#1212445). - cpufreq: amd-pstate: Let user know amd-pstate is disabled (bsc#1212445). - cpufreq: amd-pstate: Make amd-pstate EPP driver name hyphenated (bsc#1212445). - cpufreq: amd-pstate: Make varaiable mode_state_machine static (bsc#1212445). - cpufreq: amd_pstate: map desired perf into pstate scope for powersave governor (bsc#1212445). - cpufreq: amd-pstate: optimize driver working mode selection in amd_pstate_param() (bsc#1212445). - cpufreq: amd-pstate: Remove fast_switch_possible flag from active driver (bsc#1212445). - cpufreq: amd-pstate: remove MODULE_LICENSE in non-modules(bsc#1212445). - cpufreq: amd-pstate: Set a fallback policy based on preferred_profile (bsc#1212445). - cpufreq: amd-pstate: simplify cpudata pointer assignment (bsc#1212445). - cpufreq: amd-pstate: Update policy-> cur in amd_pstate_adjust_perf() (bsc#1212445). - cpufreq: amd-pstate: update pstate frequency transition delay time (bsc#1212445). - cpufreq: amd-pstate: Write CPPC enable bit per-socket (bsc#1212445). - crypto: kpp - Add helper to set reqsize (git-fixes). - crypto: qat - Use helper to set reqsize (git-fixes). - dlm: fix missing lkb refcount handling (git-fixes). - dlm: fix plock invalid read (git-fixes). - Documentation: cpufreq: amd-pstate: Move amd_pstate param to alphabetical order (bsc#1212445). - Documentation: devices.txt: reconcile serial/ucc_uart minor numers (git-fixes). - drm/amd/display: Add monitor specific edid quirk (git-fixes). - drm/amd/display: Add polling method to handle MST reply packet (bsc#1213578). - drm/amd/display: check TG is non-null before checking if enabled (git-fixes). - drm/amd/display: Correct `DMUB_FW_VERSION` macro (git-fixes). - drm/amd/display: Disable MPC split by default on special asic (git-fixes). - drm/amd/display: fix access hdcp_workqueue assert (git-fixes). - drm/amd/display: fix seamless odm transitions (git-fixes). - drm/amd/display: Keep PHY active for DP displays on DCN31 (git-fixes). - drm/amd/display: only accept async flips for fast updates (git-fixes). - drm/amd/display: Only update link settings after successful MST link train (git-fixes). - drm/amd/display: phase3 mst hdcp for multiple displays (git-fixes). - drm/amd/display: Remove Phantom Pipe Check When Calculating K1 and K2 (git-fixes). - drm/amd/display: save restore hdcp state when display is unplugged from mst hub (git-fixes). - drm/amd/display: Unlock on error path in dm_handle_mst_sideband_msg_ready_event() (git-fixes). - drm/amd: Fix an error handling mistake in psp_sw_init() (git-fixes). - drm/amdgpu: add the fan abnormal detection feature (git-fixes). - drm/amdgpu: avoid restoreprocess run into dead loop (git-fixes). - drm/amdgpu: fix clearing mappings for BOs that are always valid in VM (git-fixes). - drm/amdgpu: Fix minmax warning (git-fixes). - drm/amd/pm: add abnormal fan detection for smu 13.0.0 (git-fixes). - drm/amd/pm: conditionally disable pcie lane/speed switching for SMU13 (git-fixes). - drm/amd/pm: re-enable the gfx imu when smu resume (git-fixes). - drm/amd/pm: share the code around SMU13 pcie parameters update (git-fixes). - drm/atomic: Allow vblank-enabled + self-refresh 'disable' (git-fixes). - drm/atomic: Fix potential use-after-free in nonblocking commits (git-fixes). - drm/bridge: tc358768: Add atomic_get_input_bus_fmts() implementation (git-fixes). - drm/bridge: tc358768: fix TCLK_TRAILCNT computation (git-fixes). - drm/bridge: tc358768: fix THS_TRAILCNT computation (git-fixes). - drm/bridge: tc358768: fix THS_ZEROCNT computation (git-fixes). - drm/bridge: ti-sn65dsi86: Fix auxiliary bus lifetime (git-fixes). - drm/client: Fix memory leak in drm_client_modeset_probe (git-fixes). - drm/dp_mst: Clear MSG_RDY flag before sending new message (bsc#1213578). - drm: Fix null pointer dereference in drm_dp_atomic_find_time_slots() (bsc#1213578). - drm/i915: Do not preserve dpll_hw_state for slave crtc in Bigjoiner (git-fixes). - drm/i915/dpt: Use shmem for dpt objects (git-fixes). - drm/i915: Fix an error handling path in igt_write_huge() (git-fixes). - drm/i915/tc: Fix system resume MST mode restore for DP-alt sinks (git-fixes). - drm/msm/adreno: Fix snapshot BINDLESS_DATA size (git-fixes). - drm/msm/disp/dpu: get timing engine status from intf status register (git-fixes). - drm/msm/dpu: drop enum dpu_core_perf_data_bus_id (git-fixes). - drm/msm/dpu: Set DPU_DATA_HCTL_EN for in INTF_SC7180_MASK (git-fixes). - drm/msm: Fix IS_ERR_OR_NULL() vs NULL check in a5xx_submit_in_rb() (git-fixes). - drm/radeon: Fix integer overflow in radeon_cs_parser_init (git-fixes). - drm/ttm: fix bulk_move corruption when adding a entry (git-fixes). - drm/ttm: fix warning that we shouldn't mix &&and || (git-fixes). - drm/vmwgfx: Fix Legacy Display Unit atomic drm support (bsc#1213632). - drm/vmwgfx: Remove explicit and broken vblank handling (bsc#1213632). - drm/vmwgfx: Remove rcu locks from user resources (bsc#1213632). - fbdev: au1200fb: Fix missing IRQ check in au1200fb_drv_probe (git-fixes). - fbdev: imxfb: Removed unneeded release_mem_region (git-fixes). - fbdev: imxfb: warn about invalid left/right margin (git-fixes). - file: always lock position for FMODE_ATOMIC_POS (bsc#1213759). - fs: dlm: add midcomms init/start functions (git-fixes). - fs: dlm: do not set stop rx flag after node reset (git-fixes). - fs: dlm: filter user dlm messages for kernel locks (git-fixes). - fs: dlm: fix log of lowcomms vs midcomms (git-fixes). - fs: dlm: fix race between test_bit() and queue_work() (git-fixes). - fs: dlm: fix race in lowcomms (git-fixes). - fs: dlm: handle -EBUSY first in lock arg validation (git-fixes). - fs: dlm: move sending fin message into state change handling (git-fixes). - fs: dlm: retry accept() until -EAGAIN or error returns (git-fixes). - fs: dlm: return positive pid value for F_GETLK (git-fixes). - fs: dlm: start midcomms before scand (git-fixes). - fs: hfsplus: remove WARN_ON() from hfsplus_cat_{read,write}_inode() (git-fixes). - FS: JFS: Check for read-only mounted filesystem in txBegin (git-fixes). - FS: JFS: Fix null-ptr-deref Read in txBegin (git-fixes). - fs: jfs: Fix UBSAN: array-index-out-of-bounds in dbAllocDmapLev (git-fixes). - gve: Set default duplex configuration to full (git-fixes). - gve: unify driver name usage (git-fixes). - hwmon: (adm1275) Allow setting sample averaging (git-fixes). - hwmon: (k10temp) Enable AMD3255 Proc to show negative temperature (git-fixes). - hwmon: (nct7802) Fix for temp6 (PECI1) processed even if PECI1 disabled (git-fixes). - hwmon: (pmbus/adm1275) Fix problems with temperature monitoring on ADM1272 (git-fixes). - i2c: xiic: Defer xiic_wakeup() and __xiic_start_xfer() in xiic_process() (git-fixes). - i2c: xiic: Do not try to handle more interruptevents after error (git-fixes). - iavf: check for removal state before IAVF_FLAG_PF_COMMS_FAILED (git-fixes). - iavf: fix a deadlock caused by rtnl and driver's lock circular dependencies (git-fixes). - iavf: Fix out-of-bounds when setting channels on remove (git-fixes). - iavf: fix potential deadlock on allocation failure (git-fixes). - iavf: fix reset task race with iavf_remove() (git-fixes). - iavf: Fix use-after-free in free_netdev (git-fixes). - iavf: Move netdev_update_features() into watchdog task (git-fixes). - iavf: use internal state to free traffic IRQs (git-fixes). - iavf: Wait for reset in callbacks which trigger it (git-fixes). - IB/hfi1: Use bitmap_zalloc() when applicable (git-fixes) - ice: Fix max_rate check while configuring TX rate limits (git-fixes). - ice: Fix memory management in ice_ethtool_fdir.c (git-fixes). - ice: handle extts in the miscellaneous interrupt thread (git-fixes). - igc: Check if hardware TX timestamping is enabled earlier (git-fixes). - igc: Enable and fix RX hash usage by netstack (git-fixes). - igc: Fix inserting of empty frame for launchtime (git-fixes). - igc: Fix Kernel Panic during ndo_tx_timeout callback (git-fixes). - igc: Fix launchtime before start of cycle (git-fixes). - igc: Fix race condition in PTP tx code (git-fixes). - igc: Handle PPS start time programming for past time values (git-fixes). - igc: Prevent garbled TX queue with XDP ZEROCOPY (git-fixes). - igc: Remove delay during TX ring configuration (git-fixes). - igc: set TP bit in 'supported' and 'advertising' fields of ethtool_link_ksettings (git-fixes). - igc: Work around HW bug causing missing timestamps (git-fixes). - Input: i8042 - add Clevo PCX0DX to i8042 quirk table (git-fixes). - Input: iqs269a - do not poll during ATI (git-fixes). - Input: iqs269a - do not poll during suspend or resume (git-fixes). - jffs2: fix memory leak in jffs2_do_fill_super (git-fixes). - jffs2: fix memory leak in jffs2_do_mount_fs (git-fixes). - jffs2: fix memory leak in jffs2_scan_medium (git-fixes). - jffs2: fixuse-after-free in jffs2_clear_xattr_subsystem (git-fixes). - jffs2: GC deadlock reading a page that is used in jffs2_write_begin() (git-fixes). - jffs2: reduce stack usage in jffs2_build_xattr_subsystem() (git-fixes). - jfs: jfs_dmap: Validate db_l2nbperpage while mounting (git-fixes). - kABI fix after Restore kABI for NVidia vGPU driver (bsc#1210825). - kabi/severities: relax kABI for ath11k local symbols (bsc#1207948) - kselftest: vDSO: Fix accumulation of uninitialized ret when CLOCK_REALTIME is undefined (git-fixes). - KVM: arm64: Do not read a HW interrupt pending state in user context (git-fixes) - KVM: arm64: Warn if accessing timer pending state outside of vcpu (bsc#1213620) - KVM: Do not null dereference ops-> destroy (git-fixes) - KVM: downgrade two BUG_ONs to WARN_ON_ONCE (git-fixes) - KVM: Initialize debugfs_dentry when a VM is created to avoid NULL (git-fixes) - KVM: s390: pv: fix index value of replaced ASCE (git-fixes bsc#1213867). - KVM: VMX: Inject #GP, not #UD, if SGX2 ENCLS leafs are unsupported (git-fixes). - KVM: VMX: Inject #GP on ENCLS if vCPU has paging disabled (CR0.PG==0) (git-fixes). - KVM: VMX: restore vmx_vmexit alignment (git-fixes). - KVM: x86: Account fastpath-only VM-Exits in vCPU stats (git-fixes). - leds: trigger: netdev: Recheck NETDEV_LED_MODE_LINKUP on dev rename (git-fixes). - libceph: harden msgr2.1 frame segment length checks (bsc#1213857). - MAINTAINERS: Add AMD P-State driver maintainer entry (bsc#1212445). - m ALSA: usb-audio: Add quirk for Tascam Model 12 (git-fixes). - md: add error_handlers for raid0 and linear (bsc#1212766). - media: staging: atomisp: select V4L2_FWNODE (git-fixes). - mhi_power_down() kABI workaround (bsc#1207948). - mmc: core: disable TRIM on Kingston EMMC04G-M627 (git-fixes). - mmc: sdhci: fix DMA configure compatibility issue when 64bit DMA mode is used (git-fixes). - net: ena: fix shift-out-of-bounds in exponential backoff (git-fixes). - net: mana: Batch ringing RX queue doorbell on receiving packets (bsc#1212901). - net: mana: Use the correctWQE count for ringing RQ doorbell (bsc#1212901). - net/mlx5: DR, Support SW created encap actions for FW table (git-fixes). - net/mlx5e: Check for NOT_READY flag state after locking (git-fixes). - net/mlx5e: fix double free in mlx5e_destroy_flow_table (git-fixes). - net/mlx5e: fix memory leak in mlx5e_fs_tt_redirect_any_create (git-fixes). - net/mlx5e: fix memory leak in mlx5e_ptp_open (git-fixes). - net/mlx5e: XDP, Allow growing tail for XDP multi buffer (git-fixes). - net/mlx5e: xsk: Set napi_id to support busy polling on XSK RQ (git-fixes). - net: phy: marvell10g: fix 88x3310 power up (git-fixes). - net/sched: sch_qfq: refactor parsing of netlink parameters (bsc#1213585). - net/sched: sch_qfq: reintroduce lmax bound check for MTU (bsc#1213585). - nfsd: add encoding of op_recall flag for write delegation (git-fixes). - nfsd: fix double fget() bug in __write_ports_addfd() (git-fixes). - nfsd: Fix sparse warning (git-fixes). - nfsd: Remove open coding of string copy (git-fixes). - nfsv4.1: Always send a RECLAIM_COMPLETE after establishing lease (git-fixes). - nfsv4.1: freeze the session table upon receiving NFS4ERR_BADSESSION (git-fixes). - nvme: do not reject probe due to duplicate IDs for single-ported PCIe devices (git-fixes). - nvme: fix the NVME_ID_NS_NVM_STS_MASK definition (git-fixes). - nvme-pci: fix DMA direction of unmapping integrity data (git-fixes). - nvme-pci: remove nvme_queue from nvme_iod (git-fixes). - octeontx2-af: Move validation of ptp pointer before its usage (git-fixes). - octeontx2-pf: Add additional check for MCAM rules (git-fixes). - octeontx-af: fix hardware timestamp configuration (git-fixes). - PCI: Add function 1 DMA alias quirk for Marvell 88SE9235 (git-fixes). - PCI/PM: Avoid putting EloPOS E2/S2/H2 PCIe Ports in D3cold (git-fixes). - phy: hisilicon: Fix an out of bounds check in hisi_inno_phy_probe() (git-fixes). - pinctrl: amd: Detect internal GPIO0 debounce handling (git-fixes). - pinctrl: amd: Do not show `Invalid config param` errors (git-fixes). - pinctrl: amd: Fix mistakein handling clearing pins at startup (git-fixes). - pinctrl: amd: Only use special debounce behavior for GPIO 0 (git-fixes). - pinctrl: amd: Use amd_pinconf_set() for all config options (git-fixes). - platform/x86: msi-laptop: Fix rfkill out-of-sync on MSI Wind U100 (git-fixes). - RDMA/bnxt_re: Fix hang during driver unload (git-fixes) - RDMA/bnxt_re: Prevent handling any completions after qp destroy (git-fixes) - RDMA/core: Update CMA destination address on rdma_resolve_addr (git-fixes) - RDMA/irdma: Add missing read barriers (git-fixes) - RDMA/irdma: Fix data race on CQP completion stats (git-fixes) - RDMA/irdma: Fix data race on CQP request done (git-fixes) - RDMA/irdma: Fix op_type reporting in CQEs (git-fixes) - RDMA/irdma: Report correct WC error (git-fixes) - RDMA/mlx4: Make check for invalid flags stricter (git-fixes) - RDMA/mthca: Fix crash when polling CQ for shared QPs (git-fixes) - regmap: Account for register length in SMBus I/O limits (git-fixes). - regmap: Drop initial version of maximum transfer length fixes (git-fixes). - Restore kABI for NVidia vGPU driver (bsc#1210825). - Revert 'ALSA: usb-audio: Drop superfluous interface setup at parsing' (git-fixes). - Revert 'debugfs, coccinelle: check for obsolete DEFINE_SIMPLE_ATTRIBUTE() usage' (git-fixes). - Revert 'Drop AMDGPU patches for fixing regression (bsc#1213304,bsc#1213777)' - Revert 'iavf: Detach device during reset task' (git-fixes). - Revert 'iavf: Do not restart Tx queues after reset task failure' (git-fixes). - Revert 'NFSv4: Retry LOCK on OLD_STATEID during delegation return' (git-fixes). - Revert 'usb: dwc3: core: Enable AutoRetry feature in the controller' (git-fixes). - Revert 'usb: gadget: tegra-xudc: Fix error check in tegra_xudc_powerdomain_init()' (git-fixes). - Revert 'usb: xhci: tegra: Fix error check' (git-fixes). - Revert 'xhci: add quirk for host controllers that do not update endpoint DCS' (git-fixes). - Revive drm_dp_mst_hpd_irq() function (bsc#1213578). - rxrpc, afs: Fix selection of abort codes (git-fixes). - s390/bpf:Add expoline to tail calls (git-fixes bsc#1213870). - s390/dasd: fix hanging device after quiesce/resume (git-fixes bsc#1213810). - s390/dasd: print copy pair message only for the correct error (git-fixes bsc#1213872). - s390/decompressor: specify __decompress() buf len to avoid overflow (git-fixes bsc#1213863). - s390: introduce nospec_uses_trampoline() (git-fixes bsc#1213870). - s390/ipl: add missing intersection check to ipl_report handling (git-fixes bsc#1213871). - s390/qeth: Fix vipa deletion (git-fixes bsc#1213713). - s390/vmem: fix empty page tables cleanup under KASAN (git-fixes bsc#1213715). - scftorture: Count reschedule IPIs (git-fixes). - scsi: lpfc: Abort outstanding ELS cmds when mailbox timeout error is detected (bsc#1213756). - scsi: lpfc: Avoid -Wstringop-overflow warning (bsc#1213756). - scsi: lpfc: Clean up SLI-4 sysfs resource reporting (bsc#1213756). - scsi: lpfc: Copyright updates for 14.2.0.14 patches (bsc#1213756). - scsi: lpfc: Fix a possible data race in lpfc_unregister_fcf_rescan() (bsc#1213756). - scsi: lpfc: Fix incorrect big endian type assignment in bsg loopback path (bsc#1213756). - scsi: lpfc: Fix incorrect big endian type assignments in FDMI and VMID paths (bsc#1213756). - scsi: lpfc: Fix lpfc_name struct packing (bsc#1213756). - scsi: lpfc: Make fabric zone discovery more robust when handling unsolicited LOGO (bsc#1213756). - scsi: lpfc: Pull out fw diagnostic dump log message from driver's trace buffer (bsc#1213756). - scsi: lpfc: Qualify ndlp discovery state when processing RSCN (bsc#1213756). - scsi: lpfc: Refactor cpu affinity assignment paths (bsc#1213756). - scsi: lpfc: Remove extra ndlp kref decrement in FLOGI cmpl for loop topology (bsc#1213756). - scsi: lpfc: Replace all non-returning strlcpy() with strscpy() (bsc#1213756). - scsi: lpfc: Replace one-element array with flexible-array member (bsc#1213756). - scsi: lpfc: Revise ndlp kref handling for dev_loss_tmo_callbk and lpfc_drop_node (bsc#1213756). - scsi: lpfc: Set Establish Image Pair service parameter only forTarget Functions (bsc#1213756). - scsi: lpfc: Simplify fcp_abort transport callback log message (bsc#1213756). - scsi: lpfc: Update lpfc version to 14.2.0.14 (bsc#1213756). - scsi: lpfc: Use struct_size() helper (bsc#1213756). - scsi: qla2xxx: Adjust IOCB resource on qpair create (bsc#1213747). - scsi: qla2xxx: Array index may go out of bound (bsc#1213747). - scsi: qla2xxx: Avoid fcport pointer dereference (bsc#1213747). - scsi: qla2xxx: Check valid rport returned by fc_bsg_to_rport() (bsc#1213747). - scsi: qla2xxx: Correct the index of array (bsc#1213747). - scsi: qla2xxx: Drop useless LIST_HEAD (bsc#1213747). - scsi: qla2xxx: Fix buffer overrun (bsc#1213747). - scsi: qla2xxx: Fix command flush during TMF (bsc#1213747). - scsi: qla2xxx: Fix deletion race condition (bsc#1213747). - scsi: qla2xxx: Fix end of loop test (bsc#1213747). - scsi: qla2xxx: Fix erroneous link up failure (bsc#1213747). - scsi: qla2xxx: Fix error code in qla2x00_start_sp() (bsc#1213747). - scsi: qla2xxx: fix inconsistent TMF timeout (bsc#1213747). - scsi: qla2xxx: Fix NULL pointer dereference in target mode (bsc#1213747). - scsi: qla2xxx: Fix potential NULL pointer dereference (bsc#1213747). - scsi: qla2xxx: Fix session hang in gnl (bsc#1213747). - scsi: qla2xxx: Fix TMF leak through (bsc#1213747). - scsi: qla2xxx: Limit TMF to 8 per function (bsc#1213747). - scsi: qla2xxx: Pointer may be dereferenced (bsc#1213747). - scsi: qla2xxx: Remove unused nvme_ls_waitq wait queue (bsc#1213747). - scsi: qla2xxx: Replace one-element array with DECLARE_FLEX_ARRAY() helper (bsc#1213747). - scsi: qla2xxx: Silence a static checker warning (bsc#1213747). - scsi: qla2xxx: Turn off noisy message log (bsc#1213747). - scsi: qla2xxx: Update version to 10.02.08.400-k (bsc#1213747). - scsi: qla2xxx: Update version to 10.02.08.500-k (bsc#1213747). - scsi: qla2xxx: Use vmalloc_array() and vcalloc() (bsc#1213747). - selftests: rtnetlink: remove netdevsim device after ipsec offload test (git-fixes). - serial: qcom-geni: drop bogus runtime pm state update(git-fixes). - serial: sifive: Fix sifive_serial_console_setup() section (git-fixes). - series: udpate metadata Refresh - sfc: fix crash when reading stats while NIC is resetting (git-fixes). - sfc: fix XDP queues mode with legacy IRQ (git-fixes). - sfc: use budget for TX completions (git-fixes). - soundwire: qcom: update status correctly with mask (git-fixes). - staging: ks7010: potential buffer overflow in ks_wlan_set_encode_ext() (git-fixes). - staging: r8712: Fix memory leak in _r8712_init_xmit_priv() (git-fixes). - SUNRPC: always free ctxt when freeing deferred request (git-fixes). - SUNRPC: double free xprt_ctxt while still in use (git-fixes). - SUNRPC: Fix trace_svc_register() call site (git-fixes). - SUNRPC: Fix UAF in svc_tcp_listen_data_ready() (git-fixes). - SUNRPC: Remove dead code in svc_tcp_release_rqst() (git-fixes). - SUNRPC: remove the maximum number of retries in call_bind_status (git-fixes). - svcrdma: Prevent page release when nothing was received (git-fixes). - tpm_tis: Explicitly check for error code (git-fixes). - tty: n_gsm: fix UAF in gsm_cleanup_mux (git-fixes). - tty: serial: fsl_lpuart: add earlycon for imx8ulp platform (git-fixes). - ubifs: Add missing iput if do_tmpfile() failed in rename whiteout (git-fixes). - ubifs: do_rename: Fix wrong space budget when target inode's nlink > 1 (git-fixes). - ubifs: Error path in ubifs_remount_rw() seems to wrongly free write buffers (git-fixes). - ubifs: Fix AA deadlock when setting xattr for encrypted file (git-fixes). - ubifs: Fix build errors as symbol undefined (git-fixes). - ubifs: Fix deadlock in concurrent rename whiteout and inode writeback (git-fixes). - ubifs: Fix memory leak in alloc_wbufs() (git-fixes). - ubifs: Fix memory leak in do_rename (git-fixes). - ubifs: Fix read out-of-bounds in ubifs_wbuf_write_nolock() (git-fixes). - ubifs: Fix to add refcount once page is set private (git-fixes). - ubifs: Fix 'ui-> dirty' race between do_tmpfile() and writeback work (git-fixes). - ubifs: Fix wrong dirty space budget for dirty inode(git-fixes). - ubifs: Free memory for tmpfile name (git-fixes). - ubifs: Rectify space amount budget for mkdir/tmpfile operations (git-fixes). - ubifs: Rectify space budget for ubifs_symlink() if symlink is encrypted (git-fixes). - ubifs: Rectify space budget for ubifs_xrename() (git-fixes). - ubifs: Rename whiteout atomically (git-fixes). - ubifs: rename_whiteout: correct old_dir size computing (git-fixes). - ubifs: rename_whiteout: Fix double free for whiteout_ui-> data (git-fixes). - ubifs: Reserve one leb for each journal head while doing budget (git-fixes). - ubifs: Re-statistic cleaned znode count if commit failed (git-fixes). - ubifs: setflags: Make dirtied_ino_d 8 bytes aligned (git-fixes). - ubifs: ubifs_writepage: Mark page dirty after writing inode failed (git-fixes). - Update config files: enable CONFIG_X86_AMD_PSTATE (bsc#1212445) - usb: dwc2: platform: Improve error reporting for problems during .remove() (git-fixes). - usb: dwc3: do not reset device side if dwc3 was configured as host-only (git-fixes). - usb: dwc3: pci: skip BYT GPIO lookup table for hardwired phy (git-fixes). - usb: gadget: core: remove unbalanced mutex_unlock in usb_gadget_activate (git-fixes). - USB: serial: option: add LARA-R6 01B PIDs (git-fixes). - usb: typec: Iterate pds array when showing the pd list (git-fixes). - usb: typec: Set port-> pd before adding device for typec_port (git-fixes). - usb: typec: Use sysfs_emit_at when concatenating the string (git-fixes). - usb: xhci-mtk: set the dma max_seg_size (git-fixes). - vhost_net: revert upend_idx only on retriable error (git-fixes). - vhost: support PACKED when setting-getting vring_base (git-fixes). - virtio_net: Fix error unwinding of XDP initialization (git-fixes). - virtio-net: Maintain reverse cleanup order (git-fixes). - wifi: ath11k: add support for suspend in power down state (bsc#1207948). - wifi: ath11k: handle irq enable/disable in several code path (bsc#1207948). - wifi: ath11k: handle thermal device registeration together with MAC (bsc#1207948). - wifi: ath11k:remove MHI LOOPBACK channels (bsc#1207948). - wifi: ray_cs: Drop useless status variable in parse_addr() (git-fixes). - wifi: ray_cs: Utilize strnlen() in parse_addr() (git-fixes). - wl3501_cs: use eth_hw_addr_set() (git-fixes). - x86/PVH: obtain VGA console info in Dom0 (git-fixes). - xen/blkfront: Only check REQ_FUA for writes (git-fixes). - xen/pvcalls-back: fix double frees with pvcalls_new_active_socket() (git-fixes). - xfs: AIL needs asynchronous CIL forcing (bsc#1211811). - xfs: async CIL flushes need pending pushes to be made stable (bsc#1211811). - xfs: attach iclog callbacks in xlog_cil_set_ctx_write_state() (bsc#1211811). - xfs: CIL work is serialised, not pipelined (bsc#1211811). - xfs: do not run shutdown callbacks on active iclogs (bsc#1211811). - xfs: drop async cache flushes from CIL commits (bsc#1211811). - xfs: factor out log write ordering from xlog_cil_push_work() (bsc#1211811). - xfs: move the CIL workqueue to the CIL (bsc#1211811). - xfs: move xlog_commit_record to xfs_log_cil.c (bsc#1211811). - xfs: order CIL checkpoint start records (bsc#1211811). - xfs: pass a CIL context to xlog_write() (bsc#1211811). - xfs: rework xlog_state_do_callback() (bsc#1211811). - xfs: run callbacks before waking waiters in xlog_state_shutdown_callbacks (bsc#1211811). - xfs: separate out log shutdown callback processing (bsc#1211811). - xfs: wait iclog complete before tearing down AIL (bsc#1211811). - xfs: XLOG_STATE_IOERROR must die (bsc#1211811). - xhci: Fix resume issue of some ZHAOXIN hosts (git-fixes). - xhci: Fix TRB prefetch issue of ZHAOXIN hosts (git-fixes). - xhci: Show ZHAOXIN xHCI root hub speed correctly (git-fixes). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2023:3325-1 Released: Wed Aug 16 08:26:08 2023 Summary: Security update for krb5 Type: security Severity: important References: 1214054,CVE-2023-36054 This update for krb5 fixes the following issues: - CVE-2023-36054: Fixed a DoS that could be triggered by an authenticated remoteuser. (bsc#1214054) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2023:3327-1 Released: Wed Aug 16 08:45:25 2023 Summary: Security update for pcre2 Type: security Severity: moderate References: 1213514,CVE-2022-41409 This update for pcre2 fixes the following issues: - CVE-2022-41409: Fixed integer overflow vulnerability in pcre2test that allows attackers to cause a denial of service via negative input (bsc#1213514). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2023:3330-1 Released: Wed Aug 16 08:59:33 2023 Summary: Recommended update for python-pyasn1 Type: recommended Severity: important References: 1207805 This update for python-pyasn1 fixes the following issues: - To avoid users of this package having to recompile bytecode files, change the mtime of any __init__.py. (bsc#1207805) The following package changes have been done: - apparmor-abstractions-3.0.4-150500.11.3.1 updated - apparmor-parser-3.0.4-150500.11.3.1 updated - bind-utils-9.16.42-150500.8.7.1 updated - blog-2.26-150300.4.6.1 updated - cloud-init-config-suse-23.1-150100.8.66.1 updated - cloud-init-23.1-150100.8.66.1 updated - curl-8.0.1-150400.5.26.1 updated - grub2-i386-pc-2.06-150500.29.3.1 updated - grub2-x86_64-efi-2.06-150500.29.3.1 updated - grub2-x86_64-xen-2.06-150500.29.3.1 updated - grub2-2.06-150500.29.3.1 updated - hwinfo-21.85-150500.3.3.1 updated - kernel-default-5.14.21-150500.55.19.1 updated - krb5-1.20.1-150500.3.3.1 updated - libapparmor1-3.0.4-150500.11.3.1 updated - libassuan0-2.5.5-150000.4.5.2 updated - libblogger2-2.26-150300.4.6.1 updated - libcryptsetup12-2.4.3-150400.3.3.1 updated - libcurl4-8.0.1-150400.5.26.1 updated - libdevmapper1_03-2.03.16_1.02.185-150500.7.3.1 updated - libfido2-1-1.13.0-150400.5.6.1 updated - libfstrm0-0.6.1-150300.9.3.1 added - libopenssl1_1-1.1.1l-150500.17.15.1 updated - libpcre2-8-0-10.39-150400.4.9.1 updated - libprotobuf-c1-1.3.2-150200.3.6.1 added -libxml2-2-2.10.3-150500.5.5.1 updated - libyajl2-2.1.0-150000.4.6.1 updated - login_defs-4.8.1-150400.10.9.1 updated - openssh-clients-8.4p1-150300.3.22.1 updated - openssh-common-8.4p1-150300.3.22.1 updated - openssh-server-8.4p1-150300.3.22.1 updated - openssh-8.4p1-150300.3.22.1 updated - openssl-1_1-1.1.1l-150500.17.15.1 updated - perl-Bootloader-0.944-150400.3.6.1 updated - python3-bind-9.16.42-150500.8.7.1 updated - python3-pyasn1-0.4.2-150000.3.5.1 updated - samba-client-libs-4.17.9+git.367.dae41ffdd1f-150500.3.5.1 updated - samba-libs-4.17.9+git.367.dae41ffdd1f-150500.3.5.1 updated - shadow-4.8.1-150400.10.9.1 updated - systemd-presets-common-SUSE-15-150500.20.3.1 updated - wicked-service-0.6.73-150500.3.10.1 updated - wicked-0.6.73-150500.3.10.1 updated - libopenssl3-3.0.8-150500.5.3.1 removed . Crucial notifications regarding SUSE image, tackling numerous security problems such as DoS vulnerabilities, alongside essential updates.. SUSE Linux, Security Update, DoS Vulnerability, Kernel Fixes. . LinuxSecurity.com Team

Calendar%202 Aug 20, 2023 SuSE
98

RedHat: RHSA-2023-3664-01 Moderate OpenShift Jenkins Update

Release of Bug Advisories for the OpenShift Jenkins image and Jenkins agent base image. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 ==================================================================== Red Hat Security Advisory Synopsis: Moderate: OpenShift Jenkins image and Jenkins agent base image security update Advisory ID: RHSA-2023:3664-01 Product: OpenShift Developer Tools and Services Advisory URL: https://access.redhat.com/errata/RHSA-2023:3664 Issue date: 2023-06-19 CVE Names: CVE-2021-3782 CVE-2021-46848 CVE-2022-1304 CVE-2022-1705 CVE-2022-2795 CVE-2022-2880 CVE-2022-3627 CVE-2022-3970 CVE-2022-28327 CVE-2022-32148 CVE-2022-35737 CVE-2022-36227 CVE-2022-41715 CVE-2022-41717 CVE-2022-42898 CVE-2022-47629 CVE-2023-0361 CVE-2023-2491 CVE-2023-22490 CVE-2023-23946 CVE-2023-24329 CVE-2023-25652 CVE-2023-25815 CVE-2023-27535 CVE-2023-29007 ==================================================================== 1. Summary: Release of Bug Advisories for the OpenShift Jenkins image and Jenkins agent base image. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. 2. Description: Release of Security Advisory for the OpenShift Jenkins image and Jenkins agent base image. Security Fix(es): * golang: net/http: An attacker can cause excessive memory growth in a Go server accepting HTTP/2 requests (CVE-2022-41717) * golang: regexp/syntax: limit memory used by parsing regexps (CVE-2022-41715) * golang: net/http/httputil:ReverseProxy should not forward unparseable query parameters (CVE-2022-2880) * golang: net/http/httputil: NewSingleHostReverseProxy - omit X-Forwarded-For not working (CVE-2022-32148) * golang: net/http: improper sanitization of Transfer-Encoding header (CVE-2022-1705) * golang: crypto/elliptic: panic caused by oversized scalar (CVE-2022-28327) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. 3. Solution: Before applying this update, make sure all previously released errata relevant to your system have been applied. For details on how to apply this update, refer to: https://access.redhat.com/articles/11258 4. Bugs fixed (https://bugzilla.redhat.com/): 2077689 - CVE-2022-28327 golang: crypto/elliptic: panic caused by oversized scalar 2107374 - CVE-2022-1705 golang: net/http: improper sanitization of Transfer-Encoding header 2107383 - CVE-2022-32148 golang: net/http/httputil: NewSingleHostReverseProxy - omit X-Forwarded-For not working 2132868 - CVE-2022-2880 golang: net/http/httputil: ReverseProxy should not forward unparseable query parameters2132872 - CVE-2022-41715 golang: regexp/syntax: limit memory used by parsing regexps 2161274 - CVE-2022-41717 golang: net/http: excessive memory growth in a Go server accepting HTTP/2 requests 5. JIRA issues fixed (https://issues.redhat.com/): OCPBUGS-11182 - Jenkins images based on rhel8 are wrongly tagged with rhel7 OCPBUGS-13653 - [release-4.11] Bump Jenkins and Plugin versions OCPBUGS-14114 - Update ImageStreams to use new Jenkins and Jenkins Agent Base images OCPBUGS-1438 - [release-411] Jenkins install-plugins script does not ignore updates to locked plugin versions OCPBUGS-14646 - Bump Jenkins plugins to latest versions 6.References: https://access.redhat.com/security/cve/CVE-2021-3782 https://access.redhat.com/security/cve/CVE-2021-46848 https://access.redhat.com/security/cve/CVE-2022-1304 https://access.redhat.com/security/cve/CVE-2022-1705 https://access.redhat.com/security/cve/CVE-2022-2795 https://access.redhat.com/security/cve/CVE-2022-2880 https://access.redhat.com/security/cve/CVE-2022-3627 https://access.redhat.com/security/cve/CVE-2022-3970 https://access.redhat.com/security/cve/CVE-2022-28327 https://access.redhat.com/security/cve/CVE-2022-32148 https://access.redhat.com/security/cve/CVE-2022-35737 https://access.redhat.com/security/cve/CVE-2022-36227 https://access.redhat.com/security/cve/CVE-2022-41715 https://access.redhat.com/security/cve/CVE-2022-41717 https://access.redhat.com/security/cve/CVE-2022-42898 https://access.redhat.com/security/cve/CVE-2022-47629 https://access.redhat.com/security/cve/CVE-2023-0361 https://access.redhat.com/security/cve/CVE-2023-2491 https://access.redhat.com/security/cve/CVE-2023-22490 https://access.redhat.com/security/cve/CVE-2023-23946 https://access.redhat.com/security/cve/CVE-2023-24329 https://access.redhat.com/security/cve/CVE-2023-25652 https://access.redhat.com/security/cve/CVE-2023-25815 https://access.redhat.com/security/cve/CVE-2023-27535 https://access.redhat.com/security/cve/CVE-2023-29007 https://access.redhat.com/security/updates/classification/#moderate 7. Contact: The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/ Copyright 2023 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPGv1 iQIVAwUBZJBOlNzjgjWX9erEAQgdPxAAh1Y9lOd+r2eO3rZEIgWjMHVWFdkaesI9 leeQl2YnQGRayU9ZBQsNRYal5rb5+ISN4fnccEjHJ8Y0D6ATkLHqA/nXEzkV3+Go McLMN6JqzGrJ/jA7jhEoXGalIYYtfz5EYQ69wNtj5e63RUdNX+d7cqyiqQ+qE89j uz9xoACp0zjuqL2YMiu2J2oTqEPVKFhNMU7j2GKzIWRUj8wnphWK9wzB+Wl6G/RS Gr1l6FU53kkkxu6PQWWzO57uh2hIuBs3Z5a/bYRJoWI9meg/Rb2ro4Pr52v0wBRb AhqXYJAGJlWhFuAgi06b2VNW4zvHt7gS8r8/rAVji+3VeS/bHR47x/Jsq+W+bAZh lZHcL+ByT2kh8kvlEATlevaizpYBF1Uqx1xBMwZ5OvbpnGOhy1sJPWidkGHvBkA3 SuJ4gZaOO79rpyr6zaosMJwvvZC+/E4kxgEwbdDscRtGs8XVIqVYb1hU+7jsrqr3 epp8F2XKT8hmoK9+vS0B2Z+yXe1ba2e4TZTWBmHo7VaeHGZ5NCuQ/M3cW+WBM6Tv DJK8mXjSt/7CklGVL0Ji/L7yIGFdp9GT7fYY3uOYH6jQgq4kzZTdAVBpI/X66H9U jqXHieGJcRjU7fp0DhLgOBbCbbTDtxp+O6yoyziD8qTdc7O9H5MMTuoFwJb9/CYW nlT0/YlHeks=YZWk -----END PGP SIGNATURE----- -- RHSA-announce mailing list This email address is being protected from spambots. You need JavaScript enabled to view it. . Enhanced OpenShift Jenkins image and core agent flagged Moderate threat level by Red Hat, rectifying significant security vulnerabilities.. OpenShift Jenkins, Security Advisory, Image Update, Agent Base, Red Hat. . LinuxSecurity.com Team

Calendar%202 Jun 19, 2023 Red Hat
98

Red Hat OpenShift: RHSA-2023-2710-01 Moderate: Single Sign-On Image Update

A new image is available for Red Hat Single Sign-On 7.6.3, running on Red Hat OpenShift Container Platform from the release of 3.11 up to the release of 4.12.0. Red Hat Product Security has rated this update as having a security impact. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 ==================================================================== Red Hat Security Advisory Synopsis: Moderate: Red Hat Single Sign-On 7.6.3 for OpenShift image security update Advisory ID: RHSA-2023:2710-01 Product: Red Hat OpenShift Enterprise Advisory URL: https://access.redhat.com/errata/RHSA-2023:2710 Issue date: 2023-05-10 CVE Names: CVE-2021-0341 CVE-2022-4492 CVE-2022-38752 CVE-2022-41854 CVE-2022-41881 CVE-2022-45787 CVE-2023-0361 CVE-2023-0482 CVE-2023-21930 CVE-2023-21937 CVE-2023-21938 CVE-2023-21939 CVE-2023-21954 CVE-2023-21967 CVE-2023-21968 ==================================================================== 1. Summary: A new image is available for Red Hat Single Sign-On 7.6.3, running on Red Hat OpenShift Container Platform from the release of 3.11 up to the release of 4.12.0. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. 2. Description: Red Hat Single Sign-On is an integrated sign-on solution, available as a Red Hat JBoss Middleware for OpenShift containerized image. The Red Hat Single Sign-On for OpenShift image provides an authentication server that you can use to log in centrally, log out, and register. You can also manage user accounts for web applications, mobile applications, and RESTful web services. This erratum releases a new image for Red Hat Single Sign-On 7.6.3 for use within the Red Hat OpenShift Container Platform (from therelease of 3.11up to the release of 4.12.0) cloud computing Platform-as-a-Service (PaaS) for on-premise or private cloud deployments, aligning with the standalone product release. Security Fix(es): * okhttp: information disclosure via improperly used cryptographic function (CVE-2021-0341) * undertow: Server identity in https connection is not checked by the undertow client (CVE-2022-4492) * snakeyaml: Uncaught exception in java.base/java.util.ArrayList.hashCode (CVE-2022-38752) * dev-java/snakeyaml: DoS via stack overflow (CVE-2022-41854) * codec-haproxy: HAProxyMessageDecoder Stack Exhaustion DoS (CVE-2022-41881) * apache-james-mime4j: Temporary File Information Disclosure in MIME4J TempFileStorageProvider (CVE-2022-45787) * RESTEasy: creation of insecure temp files (CVE-2023-0482) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. 3. Solution: Before applying this update, make sure all previously released errata relevant to your system have been applied. For details on how to apply this update, refer to: https://access.redhat.com/articles/11258 4. Bugs fixed (https://bugzilla.redhat.com/): 2129710 - CVE-2022-38752 snakeyaml: Uncaught exception in java.base/java.util.ArrayList.hashCode 2151988 - CVE-2022-41854 dev-java/snakeyaml: DoS via stack overflow 2153260 - CVE-2022-4492 undertow: Server identity in https connection is not checked by the undertow client 2153379 - CVE-2022-41881 codec-haproxy: HAProxyMessageDecoder Stack Exhaustion DoS 2154086 - CVE-2021-0341 okhttp: information disclosure via improperly used cryptographic function 2158916 - CVE-2022-45787 apache-james-mime4j: Temporary File Information Disclosure in MIME4J TempFileStorageProvider 2166004 - CVE-2023-0482 RESTEasy: creation of insecure temp files 5.References: https://access.redhat.com/security/cve/CVE-2021-0341 https://access.redhat.com/security/cve/CVE-2022-4492 https://access.redhat.com/security/cve/CVE-2022-38752 https://access.redhat.com/security/cve/CVE-2022-41854 https://access.redhat.com/security/cve/CVE-2022-41881 https://access.redhat.com/security/cve/CVE-2022-45787 https://access.redhat.com/security/cve/CVE-2023-0361 https://access.redhat.com/security/cve/CVE-2023-0482 https://access.redhat.com/security/cve/CVE-2023-21930 https://access.redhat.com/security/cve/CVE-2023-21937 https://access.redhat.com/security/cve/CVE-2023-21938 https://access.redhat.com/security/cve/CVE-2023-21939 https://access.redhat.com/security/cve/CVE-2023-21954 https://access.redhat.com/security/cve/CVE-2023-21967 https://access.redhat.com/security/cve/CVE-2023-21968 https://access.redhat.com/security/updates/classification/#moderate 6. Contact: The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/ Copyright 2023 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQIVAwUBZFvaOtzjgjWX9erEAQg2+A/+OdNvUaOHT3XdOuCFi6It3ltdIBRSNWht nvJBfZn26/jCUlTMlaxKk/0Bpu6ZRDFtMy84BthGHGmzatr2dOe609HUA5rCihpX jD/V8GhyeYjoySoTrb25cR5EvGax6AERwU7rjfYiMiobSDJ9KzIQlY7upfsKJybR yCxhUi1UBEMS/u+NGsn0fRi6HBZpqAavbhE0ekkOY50b2740R0fBOBVOed9soiAr jh79WftpT8tbWGy06Ps4tgr6I+KsT692yaO8lWymkiqrXGzKiJHlEi1ewfndUcZc aBXo8b0HxQS2RXagrXOPBWqQe8x0okSEtErW4/UUmDPeZZN0YsfdKj7mRKoN20/L keGkUMIppCRAdMn2SL0m+alE//aw0VIk1DgmfW1fh92f9AcoCo0j2YXcoELWULIH IQ/Fq1JDmIddewS8SN5LZCxUFZ3F2IRnKGjcOHhe0s575hQDQ6JpTFe6OS7VuK65 oEIDvZVLn7O8IgU1hf/HaI15AbOprQoS1qj70gZh8u1Xc82t1trFf/Cas+jtEIRA 0+a/BQbhxpXe5ujFLGDuqWFc805gGfSf6dclMNJWrjFZIjHOY8DJMauaNt4AV17r PYvLlVSlt8ke1ADuYxH0KwrkDhq6kpOlBLaTwRTSrbQ3VLadT/4xIW6Fu3awhzKI hbRyeh4APRs=6dZN -----END PGP SIGNATURE----- -- RHSA-announce mailing list This email address is being protected from spambots. You need JavaScript enabled to view it. . Important security notice regarding the Red Hat Single Sign-On 7.6.3 image updates applicable to OpenShift environments and theconsequential effects involved.. Red Hat, Single Sign-On, OpenShift, Container Image, Security Update. . LinuxSecurity.com Team

Calendar%202 May 10, 2023 Red Hat
100

SUSE: 2023:1280-2 Urgent: Rancher Elemental Builder Image Upgrade

The container rancher/elemental-builder-image/5.3 was updated. The following patches have been included in this update:. SUSE Container Update Advisory: rancher/elemental-builder-image/5.3 ----------------------------------------------------------------- Container Advisory ID : SUSE-CU-2023:1280-1 Container Tags : rancher/elemental-builder-image/5.3:0.2.5 , rancher/elemental-builder-image/5.3:0.2.5-4.2.6 , rancher/elemental-builder-image/5.3:latest Container Release : 4.2.6 Severity : critical Type : security References : 1119687 1130325 1130326 1141883 1150137 1157818 1158812 1158958 1158959 1158960 1159491 1159715 1159847 1159850 1160309 1160438 1160439 1164719 1172091 1172115 1172234 1172236 1172240 1173641 1175622 1179584 1187810 1188882 1189036 1189802 1195773 1196125 1196205 1200581 1201225 1201590 1201783 1203274 1204357 1204867 1206337 1206579 1207064 1209165 1209234 1209372 1209667 928700 928701 944832 CVE-2015-3414 CVE-2015-3415 CVE-2018-20346 CVE-2019-16168 CVE-2019-19244 CVE-2019-19317 CVE-2019-19603 CVE-2019-19645 CVE-2019-19646 CVE-2019-19880 CVE-2019-19923 CVE-2019-19924 CVE-2019-19925 CVE-2019-19926 CVE-2019-19959 CVE-2019-20218 CVE-2019-9936 CVE-2019-9937 CVE-2020-13434 CVE-2020-13435 CVE-2020-13630 CVE-2020-13631 CVE-2020-13632 CVE-2020-15358 CVE-2020-9327 CVE-2021-36690 CVE-2022-34903 CVE-2022-3515 CVE-2022-35737 CVE-2022-46908 CVE-2022-47629 ----------------------------------------------------------------- The container rancher/elemental-builder-image/5.3 was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:788-1 Released: Thu Mar 28 11:55:062019 Summary: Security update for sqlite3 Type: security Severity: moderate References: 1119687,CVE-2018-20346 This update for sqlite3 to version 3.27.2 fixes the following issue: Security issue fixed: - CVE-2018-20346: Fixed a remote code execution vulnerability in FTS3 (Magellan) (bsc#1119687). Release notes: https://sqlite.org/releaselog/3_27_2.html ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:1127-1 Released: Thu May 2 09:39:24 2019 Summary: Security update for sqlite3 Type: security Severity: moderate References: 1130325,1130326,CVE-2019-9936,CVE-2019-9937 This update for sqlite3 to version 3.28.0 fixes the following issues: Security issues fixed: - CVE-2019-9936: Fixed a heap-based buffer over-read, when running fts5 prefix queries inside transaction (bsc#1130326). - CVE-2019-9937: Fixed a denial of service related to interleaving reads and writes in a single transaction with an fts5 virtual table (bsc#1130325). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2019:2218-1 Released: Mon Aug 26 11:29:57 2019 Summary: Recommended update for pinentry Type: recommended Severity: moderate References: 1141883 This update for pinentry fixes the following issues: - Fix a dangling pointer in qt/main.cpp that caused crashes. (bsc#1141883) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2019:2533-1 Released: Thu Oct 3 15:02:50 2019 Summary: Security update for sqlite3 Type: security Severity: moderate References: 1150137,CVE-2019-16168 This update for sqlite3 fixes the following issues: Security issue fixed: - CVE-2019-16168: Fixed improper validation of sqlite_stat1 field that could lead to denial of service (bsc#1150137). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2021:2320-1 Released: Wed Jul 14 17:01:06 2021 Summary: Security update for sqlite3 Type: security Severity: important References: 1157818,1158812,1158958,1158959,1158960,1159491,1159715,1159847,1159850,1160309,1160438,1160439,1164719,1172091,1172115,1172234,1172236,1172240,1173641,928700,928701,CVE-2015-3414,CVE-2015-3415,CVE-2019-19244,CVE-2019-19317,CVE-2019-19603,CVE-2019-19645,CVE-2019-19646,CVE-2019-19880,CVE-2019-19923,CVE-2019-19924,CVE-2019-19925,CVE-2019-19926,CVE-2019-19959,CVE-2019-20218,CVE-2020-13434,CVE-2020-13435,CVE-2020-13630,CVE-2020-13631,CVE-2020-13632,CVE-2020-15358,CVE-2020-9327 This update for sqlite3 fixes the following issues: - Update to version 3.36.0 - CVE-2020-15358: heap-based buffer overflow in multiSelectOrderBy due to mishandling of query-flattener optimization (bsc#1173641) - CVE-2020-9327: NULL pointer dereference and segmentation fault because of generated column optimizations in isAuxiliaryVtabOperator (bsc#1164719) - CVE-2019-20218: selectExpander in select.c proceeds with WITH stack unwinding even after a parsing error (bsc#1160439) - CVE-2019-19959: memory-management error via ext/misc/zipfile.c involving embedded '\0' input (bsc#1160438) - CVE-2019-19923: improper handling of certain uses of SELECT DISTINCT in flattenSubquery may lead to null pointer dereference (bsc#1160309) - CVE-2019-19924: improper error handling in sqlite3WindowRewrite() (bsc#1159850) - CVE-2019-19925: improper handling of NULL pathname during an update of a ZIP archive (bsc#1159847) - CVE-2019-19926: improper handling of certain errors during parsing multiSelect in select.c (bsc#1159715) - CVE-2019-19880: exprListAppendList in window.c allows attackers to trigger an invalid pointer dereference (bsc#1159491) - CVE-2019-19603: during handling of CREATE TABLE and CREATE VIEW statements, does not consider confusion with a shadow table name (bsc#1158960) - CVE-2019-19646: pragma.c mishandles NOT NULL in an integrity_check PRAGMA command in certain cases of generated columns (bsc#1158959) - CVE-2019-19645: alter.c allows attackers to trigger infinite recursion viacertain types of self-referential views in conjunction with ALTER TABLE statements (bsc#1158958) - CVE-2019-19317: lookupName in resolve.c omits bits from the colUsed bitmask in the case of a generated column, which allows attackers to cause a denial of service (bsc#1158812) - CVE-2019-19244: sqlite3,sqlite2,sqlite: The function sqlite3Select in select.c allows a crash if a sub-select uses both DISTINCT and window functions, and also has certain ORDER BY usage (bsc#1157818) - CVE-2015-3415: sqlite3VdbeExec comparison operator vulnerability (bsc#928701) - CVE-2015-3414: sqlite3,sqlite2: dequoting of collation-sequence names (bsc#928700) - CVE-2020-13434: integer overflow in sqlite3_str_vappendf (bsc#1172115) - CVE-2020-13630: (bsc#1172234: use-after-free in fts3EvalNextRow - CVE-2020-13631: virtual table allowed to be renamed to one of its shadow tables (bsc#1172236) - CVE-2020-13632: NULL pointer dereference via crafted matchinfo() query (bsc#1172240) - CVE-2020-13435: Malicious SQL statements could have crashed the process that is running SQLite (bsc#1172091) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2022:2546-1 Released: Mon Jul 25 14:43:22 2022 Summary: Security update for gpg2 Type: security Severity: important References: 1196125,1201225,CVE-2022-34903 This update for gpg2 fixes the following issues: - CVE-2022-34903: Fixed a status injection vulnerability (bsc#1201225). - Use AES as default cipher instead of 3DES when we are in FIPS mode. (bsc#1196125) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2022:3304-1 Released: Mon Sep 19 11:43:25 2022 Summary: Recommended update for libassuan Type: recommended Severity: moderate References: This update for libassuan fixes the following issues: - Add a timeout for writing to a SOCKS5 proxy - Add workaround for a problem with LD_LIBRARY_PATH on newer systems - Fix issue in the logging code - Fix some build trivialities - Upgradeautoconf ----------------------------------------------------------------- Advisory ID: SUSE-SU-2022:3307-1 Released: Mon Sep 19 13:26:51 2022 Summary: Security update for sqlite3 Type: security Severity: moderate References: 1189802,1195773,1201783,CVE-2021-36690,CVE-2022-35737 This update for sqlite3 fixes the following issues: - CVE-2022-35737: Fixed an array-bounds overflow if billions of bytes are used in a string argument to a C API (bnc#1201783). - CVE-2021-36690: Fixed an issue with the SQLite Expert extension when a column has no collating sequence (bsc#1189802). - Package the Tcl bindings here again so that we only ship one copy of SQLite (bsc#1195773). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2022:3683-1 Released: Fri Oct 21 11:48:39 2022 Summary: Security update for libksba Type: security Severity: critical References: 1204357,CVE-2022-3515 This update for libksba fixes the following issues: - CVE-2022-3515: Fixed a possible overflow in the TLV parser (bsc#1204357). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2022:4062-1 Released: Fri Nov 18 09:05:07 2022 Summary: Recommended update for libusb-1_0 Type: recommended Severity: moderate References: 1201590 This update for libusb-1_0 fixes the following issues: - Fix regression where some devices no longer work if they have a configuration value of 0 (bsc#1201590) ----------------------------------------------------------------- Advisory ID: SUSE-feature-2022:4601-1 Released: Wed Dec 21 12:23:59 2022 Summary: Feature update for GNOME 41 Type: feature Severity: moderate References: 1175622,1179584,1188882,1196205,1200581,1203274,1204867,944832 This update for GNOME 41 fixes the following issues: atkmm1_6: - Version update from 2.28.1 to 2.28.3 (jsc#PED-2235): * Meson build: Avoid unnecessary configuration warnings * Meson build: Perl is not required by new versions of mm-common * Meson build: Require meson > = 0.55.0 * Meson build: Specify 'check' option in run_command(). Will be necessary with future versions of Meson. * Require atk > = 2.12.0 Not a new requirement, but previously it was not specified in configure.ac and meson.build * Support building with Visual Studio 2022 eog: - Version update from 41.1 to 41.2 (jsc#PED-2235): * eog-window: use correct type for display_profile * Fix discovery of Evince for multi-page images evince: - Version update 41.3 to 41.4 (jsc#PED-2235): * shell: Fix failures when thumbnail extraction takes too long * Fix build with meson 0.60.0 and newer evolution: - Ensure evolution-devel is forward compatible with evolution-data-server-devel in a same major version (jsc#PED-2235) evolution-data-center: - Version update from 3.42.4 to 3.42.5 (jsc#PED-2235): * Google OAuth out-of-band (oob) flow will be deprecated folks: - Version update 0.15.3 to 0.15.5 (jsc#PED-2235): * vapi: Add missing generic type argument * Fix docs build against newer eds version * Fix build against newer eds version * Remove volatile keyword from tests gcr: - Version update 3.41.0 to 3.41.1 (jsc#PED-2235): * Add G_SPAWN_CLOEXEC_PIPES flag to all the g_spawn commands * Add gi-docgen dependency which is needed by the docs * Fix build with meson 0.60.0 and newer * Fix build without systemd * Several CI fixes geocode-glib: - Version update from 3.26.2 to 3.26.4 (jsc#PED-2235): * Fix to a test data file not being installed, and a bug fix for a bug in the libsoup3 port * Add support for libsoup 3.x gjs: - Version update from 1.70.1 to 1.70.2 (jsc#PED-2235): * Build and compatibility fixes backported from the development branch * Reverse order of running-from-source checks - Require xorg-x11-Xvfb for proper package build (bsc#1203274) glib2: - Version update from 2.70.4 to 2.70.5 (jsc#PED-2235): * Bugs fixed: glgo#GNOME/GLib#2620, glgo#GNOME/GLib!2537, glgo#GNOME/GLib!2555 * Split gtk-docs from -devel package, theseare not needed during building projects using glib2 gnome-control-center: - Fix the size of logo icon in About system (bsc#1200581) - Version update from 41.4 to 41.7 (jsc#PED-2235): * Cellular: Remove duplicate line from .desktop * Info: Allow changing 'Device Name' by pressing 'Enter' * Info: Remove trailing space after CPU name * Keyboard: Fix crash resetting all keyboard shortcuts * Keyboard: Fix leaks * Network: Fix saving passwords for non-wifi connections * Network: Fix critical when opening VPN details page * Wacom: Fix leaks gnome-desktop: - Version update from 41.2 to 41.8 (jsc#PED-2235): * Version increase but no actual changes gnome-music: - Version update from 41.0 to 41.1 (jsc#PED-2235): * Ensure the correct album is played * Fix build with meson 0.61.0 and newer * Fix crash on empty selection * Fix incorrect playlist import * Fix time displayed in RTL languages * Improve async queue work * Make random shuffle actually random * Make shuffle random * Speed increase on first startup on larger collections * Time is reversed in RTL gnome-remote-desktop: - Version update from 41.2 to 41.3 (jsc#PED-2235): * Add Icelandic translation gnome-session: - Clear error messages that can be ignored because expected to happen for GDM sessions (bsc#1204867) - Add fix for gnome-session to exit immediately when lost name on bus (bsc#1175622, bsc#1188882) gnome-shell: - Disable offline update suggestion before shutdown/reboot in SLE and openSUSE Leap (bsc#944832) - Version update from 41.4 to 41.9 (jsc#PED-2235): * Allow extension updates with only Extension Manager installed * Allow more intermediate icon sizes in app grid * Disable workspace switching while in search. * Do not create systemd scope for D-Bus activated apps * Fix calendar to correctly align world clocks header in RTL * Fix drag placeholder position in dash in RTL locales * Fix edge case where windows stay dimmed after a modal is closed * Fix feedback when turning on a11y featuresby keyboard * Fix focus tracking in magnifier on wayland * Fix fractional timezone offsets in world clock * Fix glitches in overview transition * Fix logging in with realmd * Fix memory leak * Fix opening device settings for enterprise WPA networks * Fix programatically set scrollview fade * Fix regression in ibus support * Fix unresponsive top bar in overview when in fullscreen * Handle monitor changes during startup animation * Hide overview after 'Show Details' from app context menu * Improve Belgian on-screen keyboard layout * Improve CSS shadow appearance * Make sure startup animation completes * Misc. bug fixes and cleanups * Only close messages via delete key if they can be closed * Respect IM hint for candidates list in on-screen keyboard gnome-software: - Disable offline update feature in SUSE Linux Enterprise and openSUSE Leap (bsc#944832) - Version update from 41.4 to 41.5 (jsc#PED-2235): * Added several appstream-related fixed * Disable scroll-by-mouse-wheel on featured carousel * Ensure details page shows app provided on command line gnome-terminal: - Version update from 3.42.2 to 3.42.3 (jsc#PED-2235): * Fix build with meson 0.61.0 and newer * window: Use a normal menu for the popup menu gnome-user-docs: - Version update from 41.1 to 41.5 (jsc#PED-2235): * Added missing icon for network-wired-symbolic gspell: - Version update from 1.8.4 to 1.10.0 (jsc#PED-2235): * Build: distribute more files in tarballs * Documentation improvements gtkmm3: - Version update from 3.24.5 to 3.24.6 (jsc#PED-2235): * Build with Meson: MSVC build: Support Visual Studio 2022 * Check if Perl is required for building documentation * Don't use deprecated python3.path() and execute (..., gui_app...) * GTK: TreeValueProxy: Declare copy constructor = default, avoiding warnings from the claing++ compiler * Object::_release_c_instance(): Unref orphan managed widgets * SizeGroup demo: Set active items in the combo boxs, so something is shown * Specify'check' option in run_command() gtk-vnc: - Version update from 1.3.0 to 1.3.1 (jsc#PED-2235): * Add 'check' arg to meson run_command() * Fix invalid use of subprojects with meson * Support ZRLE encoding for zero size alpha cursors gupnp-av: - Version update from 0.12.11 to 0.14.1 (jsc#PED-2235): * Add utility function to format GDateTime to the iso variant DIDL expects * Allow to be used as a subproject * Drop autotools * Fix stripping @refID * Fix unsetting subtitleFileType * Make Feature derivable again * Obsolete code removal. * Port to modern GObject * Remove hand-written ref-counting, use RcBox/AtomicRcBox instead. * Switch to meson build system, following upstream - Rename libgupnp-av-1_0-2 subpackage to libgupnp-av-1_0-3, correcting the package name to match the provided library - Conflict with the wrongly provided libgupnp-av-1_0-2 gvfs: - Version update from 1.48.1 to 1.48.2 (jsc#PED-2235): * sftp: Adapt on new OpenSSH password prompts * smb: Rework anonymous handling to avoid EINVAL * smb: Ignore EINVAL for kerberos/ccache login libgsf: - Version update from 1.14.48 to 1.14.50 (jsc#PED-2235): * Fix error handling problem when writing ole files * Fix problems with non-western text in OLE properties * Use g_date_time_new_from_iso8601 and g_date_time_format_iso8601 when available libmediaart: - Version update from 1.9.5 to 1.9.6 (jsc#PED-2235): * build: Add introspection/vapi/tests options * build: Use library() to optionally build a static library libnma: - Version update from 1.8.32 to 1.8.40 (jsc#PED-2235): * Ad-Hoc networks now default to using WPA2 instead of WEP * Add possibility of building libnma-gtk4 library with Gtk4 support * Do not allow setting empty 802.1x domain for EAP TLS * Fixed keyboard accelerator for certificate chooser * Fixed libnma-gtk4 version of mobile-wizard * Include OWE wireless security option * The GtkBuilder files for Gtk4 are now included in the release tarball * WEP is no longer provided as an optionfor connecting to hidden networks due to its deprecated status - New sub-packages libnma-gtk4-0, typelib-1_0-NMA4-1_0 and libnma-gtk4-devel - Split out documentation files in own docs sub-package libnotify: - Version update from 0.7.10 to 0.7.12 (jsc#PED-2235): * Delete unused notifynotification.xml * Fix potential build errors with old glib version we require * docs/notify-send: Add --transient option to manpage * notification: Bookend calling NotifyActionCallback with temporary reference * notification: Include sender-pid hint by default if not provided * notify-send: Add debug message about server not supporting persistence * notify-send: Add explicit option to create transient notifications * notify-send: Add support for boolean hints * notify-send: Move server capabilities check to a separate function * notify-send: Support passing any hint value, by parsing variant strings libpeas: - Version update from 1.30.0 to 1.32.0 (jsc#PED-2235): * Icon licenses have been corrected * Parallel build system operation fixes * Use gi-docgen for documentation * Various build warnings squashed * Various GIR data that should not have been exported was removed - Stop packaging the demo files/sub-package librsvg: - Version update from 2.52.6 to 2.52.9 (jsc#PED-2235): * Catch circular references when rendering patterns * Fix regressions when computing element geometries * Fix regression outputting all text as paths libsecret: - Version update from 0.20.4 to 0.20.5 (jsc#PED-2235): * Add bash-completion for secret-tool * Add locking capabilities to secret tool * Add support for TPM2 based secret storage * Create default collection after DBus.Error.UnknownObject * Detect local storage in snaps in the same way as flatpaks * Drop autotools-based build * GI annotation and documentation fixes * Port documentation to gi-docgen * Use G_GNUC_NULL_TERMINATED where appropriate collection, methods, prompt: Port to GTask * secret-file-backend: Avoid closing the same filedescriptor twice mutter: - Version update from 41.5 to 41.9 (jsc#PED-2235): * Fix '--replace option' * Fix missing root window properties after XWayland start * Fix night light without GAMMA_LUT property * KMS: Survive missing GAMMA_LUT property * wayland: Fix rotation transform * Misc. bug fixes nautilus: - Version update from 41.2 to 41.5(jsc#PED-2235): * Drag-and-drop bugfixes * HighContrast style fixes orca: - Version update from 41.1 to 41.3 (jsc#PED-2235): * Add more event-flood detection and handling for improved performance * Fix bug causing accessing preferences to fail for Esperanto * Web: Fix bug causing widgets descending from off-screen label elements to be skipped over * Web: Fix presentation of the FluentUI react dialog (and any other dialog which has an ARIA document-role descendant) * WebKitGtk: Fail gracefully when structural navigation commands are used in WebKitGtk 2.36.x python-cairo: - Add python3-cairo to SUSE Linux Enterprise Micro 5.3 as it is now required by python3-gobject-cairo python-gobject: - Add dependency on python-cairo to python-gobject-cairo: The introspection wrapper needs pycairo (bsc#1179584) - Version update from 3.42.0 to 3.42.2 (jsc#PED-2235): * Add a workaround for a PyPy 3.9+ bug when threads are used * Do not error out for unknown scopes * Prompt an error instead of crashing when marshaling unsupported fundamental types in some cases * Fix a crash/refcounting error in case marshaling a hash table fails * Fix crashes when marshaling zero terminated arrays for certain item types * Implement DynamicImporter.find_spec() to silence deprecation warning * Make the test suite pass again with PyPy * Some test/CI fixes * gtk overrides: Do not override Treeview.enable_model_drag_xx for GTK4 * gtk overrides: restore Gtk.ListStore.insert_with_valuesv with newer GTK4 * interface: Fix leak when overriding GInterfaceInfo * setup.py: look up pycairo headers without importing the module trackers-python: - Allow systemcalls used by gstreamer (bsc#1196205) - Version update from 3.2.2 to 3.2.1 (jsc#PED-2235): * Backport seccomp rules for rseq and mbind syscalls vala: - Version update from 0.54.6 to 0.54.8 (jsc#PED-2235): * Add missing TraverseVisitor.visit_data_type() * Add support for 'copy_/free_function' metadata for compact classes * Catch and throw possible inner error of lock statements * Clear SemanticAnalyzer.current_{symbol,source_file} when not needed anymore * Don't count instance-parameter when checking for backwards closure reference * Fix a few binding errors * Free empty stack list for code contexts * Handle duplicated and unnamed symbols. * Improve UI parsing and handling of nested objects and properties * Make sure to drop our 'trap' jump target in case of an error * Move dynamic property errors to semantic analyzer pass * Require lvalue access of delegate target/destroy 'fields' * Show source location when reporting deprecations * Transform assignment of an array element as needed * manual: Update from wiki.gnome.org * parser: Improve handling of nullable VarType in with-statement * parser: Reduce the source reference of main block method to its beginning xdg-desktop-portal-gnome: - Version update from 0.54.6 to 0.54.8 (jsc#PED-2235): * Properly bind property in Lockdown portal ----------------------------------------------------------------- Advisory ID: SUSE-SU-2022:4628-1 Released: Wed Dec 28 09:23:13 2022 Summary: Security update for sqlite3 Type: security Severity: moderate References: 1206337,CVE-2022-46908 This update for sqlite3 fixes the following issues: - CVE-2022-46908: Properly implement the azProhibitedFunctions protection mechanism, when relying on --safe for execution of an untrusted CLI script (bsc#1206337). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2023:56-1 Released: Mon Jan 9 11:13:43 2023 Summary: Security update for libksba Type: security Severity: moderate References: 1206579,CVE-2022-47629 This update for libksba fixes the following issues: - CVE-2022-47629: Fixed an integer overflow vulnerability in the CRL signature parser (bsc#1206579). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2023:1963-1 Released: Mon Apr 24 15:03:10 2023 Summary: Recommended update for grub2 Type: recommended Severity: moderate References: 1187810,1189036,1207064,1209165,1209234,1209372,1209667 This update for grub2 fixes the following issues: - Fix aarch64 kiwi image's file not found due to '/@' prepended to path in btrfs filesystem. (bsc#1209165) - Make grub more robust against storage race condition causing system boot failures (bsc#1189036) - Fix unknown filesystem error on disks with 4096 sector size (bsc#1207064, bsc#1209234) - Fix installation over serial console ends up in infinite boot loop (bsc#1187810, bsc#1209667, bsc#1209372) The following package changes have been done: - libusb-1_0-0-1.0.24-150400.3.3.1 added - libsqlite3-0-3.39.3-150000.3.20.1 added - libksba8-1.3.5-150000.4.6.1 added - libassuan0-2.5.5-150000.4.3.1 added - libnpth0-1.5-2.11 added - libglib-2_0-0-2.70.5-150400.3.3.1 added - pinentry-1.1.0-4.3.1 added - gpg2-2.2.27-150300.3.5.1 added - libgpgme11-1.16.0-150400.1.80 added - grub2-2.06-150400.11.30.1 updated - grub2-i386-pc-2.06-150400.11.30.1 updated . Urgent SUSE notice concerning rancher/elemental-builder-image/5.3. This crucial security patch encompasses numerous resolutions.. Security Advisory, Rancher Image, SUSE Container Update, Patches, Software Security. . LinuxSecurity.com Team

Calendar%202 Apr 27, 2023 SuSE
100

SUSE: 2023:8-2 Critical Vulnerability Patch for Docker Image

The container suse-sles-15-sp4-chost-byos-v20230111-x86_64-gen2 was updated. The following patches have been included in this update:. SUSE Image Update Advisory: suse-sles-15-sp4-chost-byos-v20230111-x86_64-gen2 ----------------------------------------------------------------- Image Advisory ID : SUSE-IU-2023:8-1 Image Tags : suse-sles-15-sp4-chost-byos-v20230111-x86_64-gen2:20230111 Image Release : Severity : important Type : security References : 1065729 1144337 1156395 1164051 1175622 1177460 1179584 1184350 1188882 1189297 1190256 1191410 1193629 1194869 1195391 1196205 1199467 1200107 1200581 1200723 1202341 1203092 1203183 1203274 1203391 1203511 1203960 1204000 1204228 1204405 1204414 1204423 1204585 1204631 1204636 1204693 1204743 1204779 1204780 1204810 1204850 1204867 1205000 1205007 1205100 1205111 1205113 1205128 1205130 1205149 1205153 1205220 1205264 1205266 1205272 1205282 1205284 1205331 1205332 1205377 1205427 1205428 1205473 1205502 1205507 1205514 1205521 1205567 1205616 1205617 1205653 1205671 1205679 1205683 1205700 1205705 1205709 1205711 1205744 1205764 1205796 1205797 1205882 1205993 1206028 1206035 1206036 1206037 1206045 1206046 1206047 1206048 1206049 1206050 1206051 1206056 1206057 1206071 1206072 1206075 1206077 1206113 1206114 1206147 1206149 1206207 1206212 1206308 1206309 1206337 1206579 1206622 944832 CVE-2022-2602 CVE-2022-3176 CVE-2022-3491 CVE-2022-3520 CVE-2022-3566 CVE-2022-3567 CVE-2022-3591 CVE-2022-3635 CVE-2022-3643 CVE-2022-3705 CVE-2022-3707 CVE-2022-3903 CVE-2022-4095 CVE-2022-4129 CVE-2022-4139 CVE-2022-4141 CVE-2022-41850CVE-2022-41858 CVE-2022-42328 CVE-2022-42329 CVE-2022-42895 CVE-2022-42896 CVE-2022-4292 CVE-2022-4293 CVE-2022-43551 CVE-2022-43552 CVE-2022-4378 CVE-2022-43945 CVE-2022-4415 CVE-2022-45869 CVE-2022-45888 CVE-2022-45934 CVE-2022-46908 CVE-2022-47629 ----------------------------------------------------------------- The container suse-sles-15-sp4-chost-byos-v20230111-x86_64-gen2 was updated. The following patches have been included in this update: ----------------------------------------------------------------- Advisory ID: SUSE-SU-2022:4585-1 Released: Tue Dec 20 12:52:24 2022 Summary: Security update for the Linux Kernel Type: security Severity: important References: 1065729,1156395,1164051,1184350,1189297,1190256,1193629,1194869,1202341,1203183,1203391,1203511,1203960,1204228,1204405,1204414,1204631,1204636,1204693,1204780,1204810,1204850,1205007,1205100,1205111,1205113,1205128,1205130,1205149,1205153,1205220,1205264,1205282,1205331,1205332,1205427,1205428,1205473,1205507,1205514,1205521,1205567,1205616,1205617,1205653,1205671,1205679,1205683,1205700,1205705,1205709,1205711,1205744,1205764,1205796,1205882,1205993,1206035,1206036,1206037,1206045,1206046,1206047,1206048,1206049,1206050,1206051,1206056,1206057,1206113,1206114,1206147,1206149,1206207,CVE-2022-2602,CVE-2022-3176,CVE-2022-3566,CVE-2022-3567,CVE-2022-3635,CVE-2022-3643,CVE-2022-3707,CVE-2022-3903,CVE-2022-4095,CVE-2022-4129,CVE-2022-4139,CVE-2022-41850,CVE-2022-41858,CVE-2022-42328,CVE-2022-42329,CVE-2022-42895,CVE-2022-42896,CVE-2022-4378,CVE-2022-43945,CVE-2022-45869,CVE-2022-45888,CVE-2022-45934 The SUSE Linux Enterprise 15 SP4 kernel was updated to receive various security and bugfixes. The following security bugs were fixed: - CVE-2022-4378: Fixed stack overflow in __do_proc_dointvec (bsc#1206207). - CVE-2022-42328: Guests could trigger denial of service via the netback driver (bsc#1206114). - CVE-2022-42329: Guests could trigger denial of service viathe netback driver (bsc#1206113). - CVE-2022-3643: Guests could trigger NIC interface reset/abort/crash via netback driver (bsc#1206113). - CVE-2022-3635: Fixed a use-after-free in the tst_timer() of the file drivers/atm/idt77252.c (bsc#1204631). - CVE-2022-41850: Fixed a race condition in roccat_report_event() in drivers/hid/hid-roccat.c (bsc#1203960). - CVE-2022-45934: Fixed a integer wraparound via L2CAP_CONF_REQ packets in l2cap_config_req in net/bluetooth/l2cap_core.c (bsc#1205796). - CVE-2022-3567: Fixed a to race condition in inet6_stream_ops()/inet6_dgram_ops() (bsc#1204414). - CVE-2022-41858: Fixed a denial of service in sl_tx_timeout() in drivers/net/slip (bsc#1205671). - CVE-2022-43945: Fixed a buffer overflow in the NFSD implementation (bsc#1205128). - CVE-2022-4095: Fixed a use-after-free in rtl8712 driver (bsc#1205514). - CVE-2022-3903: Fixed a denial of service with the Infrared Transceiver USB driver (bsc#1205220). - CVE-2022-45869: Fixed a race condition in the x86 KVM subsystem which could cause a denial of service (bsc#1205882). - CVE-2022-45888: Fixed a use-after-free during physical removal of a USB devices when using drivers/char/xillybus/xillyusb.c (bsc#1205764). - CVE-2022-4139: Fixed an issue with the i915 driver that allowed the GPU to access any physical memory (bsc#1205700). - CVE-2022-4129: Fixed a denial of service with the Layer 2 Tunneling Protocol (L2TP). A missing lock when clearing sk_user_data can lead to a race condition and NULL pointer dereference. (bsc#1205711) - CVE-2022-42896: Fixed a use-after-free vulnerability in the net/bluetooth/l2cap_core.c's l2cap_connect() and l2cap_le_connect_req() which may have allowed code execution and leaking kernel memory (respectively) remotely via Bluetooth (bsc#1205709). - CVE-2022-42895: Fixed an information leak in the net/bluetooth/l2cap_core.c's l2cap_parse_conf_req() which can be used to leak kernel pointers remotely (bsc#1205705). - CVE-2022-3566: Fixed a race condition in the functions tcp_getsockopt/tcp_setsockopt. Themanipulation leads to a race condition (bsc#1204405). - CVE-2022-2602: Fixed a local privilege escalation vulnerability involving Unix socket Garbage Collection and io_uring (bsc#1204228). - CVE-2022-3176: Fixed a use-after-free in io_uring related to signalfd_poll() and binder_poll() (bsc#1203391). - CVE-2022-3707: Fixed a double free in the Intel GVT-g graphics driver (bsc#1204780). The following non-security bugs were fixed: - ACPI: APEI: Fix integer overflow in ghes_estatus_pool_init() (git-fixes). - ACPI: HMAT: Fix initiator registration for single-initiator systems (git-fixes). - ACPI: HMAT: remove unnecessary variable initialization (git-fixes). - ACPI: scan: Add LATT2021 to acpi_ignore_dep_ids[] (git-fixes). - ACPI: x86: Add another system to quirk list for forcing StorageD3Enable (git-fixes). - ALSA: dice: fix regression for Lexicon I-ONIX FW810S (git-fixes). - ALSA: hda/ca0132: add quirk for EVGA Z390 DARK (git-fixes). - ALSA: hda/hdmi - enable runtime pm for more AMD display audio (git-fixes). - ALSA: hda/realtek: Add Positivo C6300 model quirk (git-fixes). - ALSA: hda/realtek: Add quirk for ASUS Zenbook using CS35L41 (git-fixes). - ALSA: hda/realtek: Fix the speaker output on Samsung Galaxy Book Pro 360 (bsc#1205100). - ALSA: hda/realtek: fix speakers for Samsung Galaxy Book Pro (bsc#1205100). - ALSA: hda: fix potential memleak in 'add_widget_node' (git-fixes). - ALSA: usb-audio: Add DSD support for Accuphase DAC-60 (git-fixes). - ALSA: usb-audio: Add quirk entry for M-Audio Micro (git-fixes). - ALSA: usb-audio: Drop snd_BUG_ON() from snd_usbmidi_output_open() (git-fixes). - ALSA: usb-audio: Remove redundant workaround for Roland quirk (bsc#1205111). - ALSA: usb-audio: Yet more regression for for the delayed card registration (bsc#1205111). - ALSA: usb-audio: add quirk to fix Hamedal C20 disconnect issue (git-fixes). - ARM: at91: rm9200: fix usb device clock id (git-fixes). - ARM: dts: am335x-pcm-953: Define fixed regulators in root node (git-fixes). - ARM: dts: at91: sam9g20ek: enable udc vbusgpio pinctrl (git-fixes). - ARM: dts: imx6q-prti6q: Fix ref/tcxo-clock-frequency properties (git-fixes). - ARM: dts: imx6qdl-gw59{10,13}: fix user pushbutton GPIO offset (git-fixes). - ARM: dts: imx7: Fix NAND controller size-cells (git-fixes). - ARM: mxs: fix memory leak in mxs_machine_init() (git-fixes). - ASoC: Intel: bytcht_es8316: Add quirk for the Nanote UMPC-01 (git-fixes). - ASoC: Intel: sof_sdw: add quirk variant for LAPBC710 NUC15 (git-fixes). - ASoC: codecs: jz4725b: Fix spelling mistake 'Sourc' -> 'Source', 'Routee' -> 'Route' (git-fixes). - ASoC: codecs: jz4725b: add missed Line In power control bit (git-fixes). - ASoC: codecs: jz4725b: fix capture selector naming (git-fixes). - ASoC: codecs: jz4725b: fix reported volume for Master ctl (git-fixes). - ASoC: codecs: jz4725b: use right control for Capture Volume (git-fixes). - ASoC: core: Fix use-after-free in snd_soc_exit() (git-fixes). - ASoC: fsl_asrc fsl_esai fsl_sai: allow CONFIG_PM=N (git-fixes). - ASoC: fsl_sai: use local device pointer (git-fixes). - ASoC: max98373: Add checks for devm_kcalloc (git-fixes). - ASoC: mt6660: Keep the pm_runtime enables before component stuff in mt6660_i2c_probe (git-fixes). - ASoC: ops: Fix bounds check for _sx controls (git-fixes). - ASoC: rt1019: Fix the TDM settings (git-fixes). - ASoC: sgtl5000: Reset the CHIP_CLK_CTRL reg on remove (git-fixes). - ASoC: soc-pcm: Do not zero TDM masks in __soc_pcm_open() (git-fixes). - ASoC: soc-utils: Remove __exit for snd_soc_util_exit() (git-fixes). - ASoC: stm32: dfsdm: manage cb buffers cleanup (git-fixes). - ASoC: tas2764: Fix set_tdm_slot in case of single slot (git-fixes). - ASoC: tas2770: Fix set_tdm_slot in case of single slot (git-fixes). - ASoC: wm8962: Add an event handler for TEMP_HP and TEMP_SPK (git-fixes). - Bluetooth: 6LoWPAN: add missing hci_dev_put() in get_l2cap_conn() (git-fixes). - Bluetooth: Fix not cleanup led when bt_init fails (git-fixes). - Bluetooth: L2CAP: Fix accepting connection request for invalid SPSM (git-fixes). - Bluetooth: L2CAP: Fixattempting to access uninitialized memory (git-fixes). - Bluetooth: L2CAP: Fix l2cap_global_chan_by_psm (git-fixes). - Decrease the number of SMB3 smbdirect client SGEs (bsc#1193629). - Drivers: hv: Always reserve framebuffer region for Gen1 VMs (git-fixes). - Drivers: hv: Fix syntax errors in comments (git-fixes). - Drivers: hv: Never allocate anything besides framebuffer from framebuffer memory region (git-fixes). - Drivers: hv: fix repeated words in comments (git-fixes). - Drivers: hv: remove duplicate word in a comment (git-fixes). - Drivers: hv: vmbus: Accept hv_sock offers in isolated guests (git-fixes). - Drivers: hv: vmbus: Add VMbus IMC device to unsupported list (git-fixes). - Drivers: hv: vmbus: Do not wait for the ACPI device upon initialization (git-fixes). - Drivers: hv: vmbus: Fix kernel-doc (git-fixes). - Drivers: hv: vmbus: Optimize vmbus_on_event (git-fixes). - Drivers: hv: vmbus: Release cpu lock in error case (git-fixes). - Drivers: hv: vmbus: Use PCI_VENDOR_ID_MICROSOFT for better discoverability (git-fixes). - Drivers: hv: vmbus: fix double free in the error path of vmbus_add_channel_work() (git-fixes). - Drivers: hv: vmbus: fix possible memory leak in vmbus_device_register() (git-fixes). - Drivers: hv: vmbus: fix typo in comment (git-fixes). - Fix formatting of client smbdirect RDMA logging (bsc#1193629). - HID: core: fix shift-out-of-bounds in hid_report_raw_event (git-fixes). - HID: hid-lg4ff: Add check for empty lbuf (git-fixes). - HID: hyperv: fix possible memory leak in mousevsc_probe() (git-fixes). - HID: playstation: add initial DualSense Edge controller support (git-fixes). - HID: saitek: add madcatz variant of MMO7 mouse device ID (git-fixes). - Handle variable number of SGEs in client smbdirect send (bsc#1193629). - IB/hfi1: Correctly move list in sc_disable() (git-fixes) - IB: Set IOVA/LENGTH on IB_MR in core/uverbs layers (git-fixes) - Input: goodix - try resetting the controller when no config is set (git-fixes). - Input: i8042 - fix leaking of platform device on moduleremoval (git-fixes). - Input: iforce - invert valid length check when fetching device IDs (git-fixes). - Input: raydium_ts_i2c - fix memory leak in raydium_i2c_send() (git-fixes). - Input: soc_button_array - add Acer Switch V 10 to dmi_use_low_level_irq[] (git-fixes). - Input: soc_button_array - add use_low_level_irq module parameter (git-fixes). - Input: synaptics - switch touchpad on HP Laptop 15-da3001TU to RMI mode (git-fixes). - KVM: Move wiping of the kvm-> vcpus array to common code (git-fixes). - KVM: SEV: Mark nested locking of vcpu-> lock (git-fixes). - KVM: SVM: Disable SEV-ES support if MMIO caching is disable (git-fixes). - KVM: SVM: Stuff next_rip on emulated INT3 injection if NRIPS is supported (git-fixes). - KVM: SVM: adjust register allocation for __svm_vcpu_run() (git-fixes). - KVM: SVM: move guest vmsave/vmload back to assembly (git-fixes). - KVM: SVM: replace regs argument of __svm_vcpu_run() with vcpu_svm (git-fixes). - KVM: SVM: retrieve VMCB from assembly (git-fixes). - KVM: VMX: Add helper to check if the guest PMU has PERF_GLOBAL_CTRL (git-fixes). - KVM: VMX: Drop bits 31:16 when shoving exception error code into VMCS (git-fixes). - KVM: VMX: Mark all PERF_GLOBAL_(OVF)_CTRL bits reserved if there's no vPMU (git-fixes). - KVM: VMX: clear vmx_x86_ops.sync_pir_to_irr if APICv is disabled (bsc#1205007). - KVM: VMX: fully disable SGX if SECONDARY_EXEC_ENCLS_EXITING unavailable (git-fixes). - KVM: nVMX: Always enable TSC scaling for L2 when it was enabled for L1 (git-fixes). - KVM: nVMX: Attempt to load PERF_GLOBAL_CTRL on nVMX xfer iff it exists (git-fixes). - KVM: nVMX: Rename handle_vm{on,off}() to handle_vmx{on,off}() (git-fixes). - KVM: s390: Add a routine for setting userspace CPU state (git-fixes jsc#PED-611). - KVM: s390: Simplify SIGP Set Arch handling (git-fixes jsc#PED-611). - KVM: s390: pv: do not allow userspace to set the clock under PV (git-fixes). - KVM: s390: pv: leak the topmost page table when destroy fails (git-fixes). - KVM: x86/mmu: Fix wrong/misleading comments in TDPMMU fast zap (git-fixes). - KVM: x86/mmu: WARN if old _or_ new SPTE is REMOVED in non-atomic path (git-fixes). - KVM: x86/mmu: fix memoryleak in kvm_mmu_vendor_module_init() (git-fixes). - KVM: x86/pmu: Fix and isolate TSX-specific performance event logic (git-fixes). - KVM: x86/pmu: Update AMD PMC sample period to fix guest NMI-watchdog (git-fixes). - KVM: x86/pmu: Use different raw event masks for AMD and Intel (git-fixes). - KVM: x86/svm: Account for family 17h event renumberings in amd_pmc_perf_hw_id (git-fixes). - KVM: x86: Fully initialize 'struct kvm_lapic_irq' in kvm_pv_kick_cpu_op() (git-fixes). - KVM: x86: Hide IA32_PLATFORM_DCA_CAP[31:0] from the guest (git-fixes). - KVM: x86: Mask off reserved bits in CPUID.80000001H (git-fixes). - KVM: x86: Mask off reserved bits in CPUID.80000006H (git-fixes). - KVM: x86: Mask off reserved bits in CPUID.80000008H (git-fixes). - KVM: x86: Mask off reserved bits in CPUID.8000001AH (git-fixes). - KVM: x86: Report error when setting CPUID if Hyper-V allocation fails (git-fixes). - KVM: x86: Retry page fault if MMU reload is pending and root has no sp (bsc#1205744). - KVM: x86: Signal #GP, not -EPERM, on bad WRMSR(MCi_CTL/STATUS) (git-fixes). - KVM: x86: Treat #DBs from the emulator as fault-like (code and DR7.GD=1) (git-fixes). - KVM: x86: Use __try_cmpxchg_user() to emulate atomic accesses (git-fixes). - KVM: x86: Use __try_cmpxchg_user() to update guest PTE A/D bits (git-fixes). - KVM: x86: avoid loading a vCPU after .vm_destroy was called (git-fixes). - KVM: x86: emulator: em_sysexit should update ctxt-> mode (git-fixes). - KVM: x86: emulator: introduce emulator_recalc_and_set_mode (git-fixes). - KVM: x86: emulator: update the emulation mode after CR0 write (git-fixes). - KVM: x86: emulator: update the emulation mode after rsm (git-fixes). - KVM: x86: use a separate asm-offsets.c file (git-fixes). - MIPS: Loongson: Use hwmon_device_register_with_groups() to register hwmon (git-fixes). - NFC: nci: Bounds check struct nfc_target arrays (git-fixes). - NFC: nci: fixmemory leak in nci_rx_data_packet() (git-fixes). - PCI: Move PCI_VENDOR_ID_MICROSOFT/PCI_DEVICE_ID_HYPERV_VIDEO definitions to pci_ids.h (git-fixes). - PCI: hv: Add validation for untrusted Hyper-V values (git-fixes). - PCI: hv: Fix the definition of vector in hv_compose_msi_msg() (git-fixes). - RDMA/cm: Fix memory leak in ib_cm_insert_listen (git-fixes) - RDMA/cm: Use SLID in the work completion as the DLID in responder side (git-fixes) - RDMA/cma: Use output interface for net_dev check (git-fixes) - RDMA/core: Fix null-ptr-deref in ib_core_cleanup() (git-fixes) - RDMA/hfi1: Prevent panic when SDMA is disabled (git-fixes) - RDMA/hfi1: Prevent use of lock before it is initialized (git-fixes) - RDMA/hfi1: fix potential memory leak in setup_base_ctxt() (git-fixes) - RDMA/hns: Correct the type of variables participating in the shift operation (git-fixes) - RDMA/hns: Disable local invalidate operation (git-fixes) - RDMA/hns: Fix incorrect clearing of interrupt status register (git-fixes) - RDMA/hns: Fix supported page size (git-fixes) - RDMA/hns: Fix wrong fixed value of qp-> rq.wqe_shift (git-fixes) - RDMA/hns: Remove magic number (git-fixes) - RDMA/hns: Remove the num_cqc_timer variable (git-fixes) - RDMA/hns: Remove the num_qpc_timer variable (git-fixes) - RDMA/hns: Remove unnecessary check for the sgid_attr when modifying QP (git-fixes) - RDMA/hns: Replace tab with space in the right-side comments (git-fixes) - RDMA/hns: Use hr_reg_xxx() instead of remaining roce_set_xxx() (git-fixes) - RDMA/irdma: Fix deadlock in irdma_cleanup_cm_core() (git-fixes) - RDMA/irdma: Use s/g array in post send only when its valid (git-fixes) - RDMA/mlx5: Set local port to one when accessing counters (git-fixes) - RDMA/qedr: clean up work queue on failure in qedr_alloc_resources() (git-fixes) - RDMA/rtrs-clt: Use the right sg_cnt after ib_dma_map_sg (git-fixes) - RDMA/rtrs-srv: Fix modinfo output for stringify (git-fixes) - RDMA/rxe: Limit the number of calls to each tasklet (git-fixes) - RDMA/rxe: Remove useless pkt parameters(git-fixes) - Reduce client smbdirect max receive segment size (bsc#1193629). - SCSI: scsi_probe_lun: retry INQUIRY after timeout (bsc#1189297). - SMB3: fix lease break timeout when multiple deferred close handles for the same file (bsc#1193629). - USB: bcma: Make GPIO explicitly optional (git-fixes). - USB: serial: option: add Fibocom FM160 0x0111 composition (git-fixes). - USB: serial: option: add Sierra Wireless EM9191 (git-fixes). - USB: serial: option: add u-blox LARA-L6 modem (git-fixes). - USB: serial: option: add u-blox LARA-R6 00B modem (git-fixes). - USB: serial: option: remove old LARA-R6 PID (git-fixes). - arcnet: fix potential memory leak in com20020_probe() (git-fixes). - arm64/syscall: Include asm/ptrace.h in syscall_wrapper header (git-fixes). - arm64: Add AMPERE1 to the Spectre-BHB affected list (git-fixes). - arm64: Fix bit-shifting UB in the MIDR_CPU_MODEL() macro (git-fixes) - arm64: dts: imx8: correct clock order (git-fixes). - arm64: dts: imx8mm: Fix NAND controller size-cells (git-fixes). - arm64: dts: imx8mn: Fix NAND controller size-cells (git-fixes). - arm64: dts: juno: Add thermal critical trip points (git-fixes). - arm64: dts: ls1088a: specify clock frequencies for the MDIO controllers (git-fixes). - arm64: dts: ls208xa: specify clock frequencies for the MDIO controllers (git-fixes). - arm64: dts: lx2160a: specify clock frequencies for the MDIO controllers (git-fixes). - arm64: dts: qcom: sa8155p-adp: Specify which LDO modes are allowed (git-fixes). - arm64: dts: qcom: sm8150-xperia-kumano: Specify which LDO modes are allowed (git-fixes). - arm64: dts: qcom: sm8250-xperia-edo: Specify which LDO modes are allowed (git-fixes). - arm64: dts: qcom: sm8350-hdk: Specify which LDO modes are allowed (git-fixes). - arm64: dts: rockchip: add enable-strobe-pulldown to emmc phy on nanopi4 (git-fixes). - arm64: dts: rockchip: lower rk3399-puma-haikou SD controller clock frequency (git-fixes). - arm64: efi: Fix handling of misaligned runtime regions and drop warning (git-fixes). - arm64: entry:avoid kprobe recursion (git-fixes). - arm64: errata: Add Cortex-A55 to the repeat tlbi list (git-fixes). Enable CONFIG_ARM64_ERRATUM_2441007, too - arm64: errata: Remove AES hwcap for COMPAT tasks (git-fixes) Enable CONFIG_ARM64_ERRATUM_1742098 in arm64/default - arm64: fix rodata=full again (git-fixes) - ata: libata-core: do not issue non-internal commands once EH is pending (git-fixes). - ata: libata-scsi: fix SYNCHRONIZE CACHE (16) command failure (git-fixes). - ata: libata-scsi: simplify __ata_scsi_queuecmd() (git-fixes). - ata: libata-transport: fix double ata_host_put() in ata_tport_add() (git-fixes). - ata: libata-transport: fix error handling in ata_tdev_add() (git-fixes). - ata: libata-transport: fix error handling in ata_tlink_add() (git-fixes). - ata: libata-transport: fix error handling in ata_tport_add() (git-fixes). - audit: fix undefined behavior in bit shift for AUDIT_BIT (git-fixes). - blk-cgroup: fix missing put device in error path from blkg_conf_pref() (git-fixes). - blk-mq: Properly init requests from blk_mq_alloc_request_hctx() (git-fixes). - blk-mq: do not create hctx debugfs dir until q-> debugfs_dir is created (git-fixes). - blk-mq: fix io hung due to missing commit_rqs (git-fixes). - blk-wbt: call rq_qos_add() after wb_normal is initialized (git-fixes). - blktrace: Trace remapped requests correctly (git-fixes). - block/rnbd-srv: Set keep_id to true after mutex_trylock (git-fixes). - block: add bio_start_io_acct_time() to control start_time (git-fixes). - block: blk_queue_enter() / __bio_queue_enter() must return -EAGAIN for nowait (git-fixes). - block: drop unused includes in (git-fixes). - bridge: switchdev: Fix memory leaks when changing VLAN protocol (git-fixes). - btrfs: check if root is readonly while setting security xattr (bsc#1206147). - btrfs: do not allow compression on nodatacow files (bsc#1206149). - btrfs: export a helper for compression hard check (bsc#1206149). - btrfs: fix processing of delayed data refs during backref walking (bsc#1206056). - btrfs: fix processing ofdelayed tree block refs during backref walking (bsc#1206057). - btrfs: prevent subvol with swapfile from being deleted (bsc#1206035). - btrfs: send: always use the rbtree based inode ref management infrastructure (bsc#1206036). - btrfs: send: fix failures when processing inodes with no links (bsc#1206036). - btrfs: send: fix send failure of a subcase of orphan inodes (bsc#1206036). - btrfs: send: fix sending link commands for existing file paths (bsc#1206036). - btrfs: send: introduce recorded_ref_alloc and recorded_ref_free (bsc#1206036). - btrfs: send: refactor arguments of get_inode_info() (bsc#1206036). - btrfs: send: remove unused found_type parameter to lookup_dir_item_inode() (bsc#1206036). - btrfs: send: remove unused type parameter to iterate_inode_ref_t (bsc#1206036). - btrfs: send: use boolean types for current inode status (bsc#1206036). - bus: sunxi-rsb: Remove the shutdown callback (git-fixes). - bus: sunxi-rsb: Support atomic transfers (git-fixes). - ca8210: Fix crash by zero initializing data (git-fixes). - can: af_can: fix NULL pointer dereference in can_rx_register() (git-fixes). - can: cc770: cc770_isa_probe(): add missing free_cc770dev() (git-fixes). - can: etas_es58x: es58x_init_netdev(): free netdev when register_candev() (git-fixes). - can: j1939: j1939_send_one(): fix missing CAN header initialization (git-fixes). - can: m_can: Add check for devm_clk_get (git-fixes). - can: m_can: pci: add missing m_can_class_free_dev() in probe/remove methods (git-fixes). - can: sja1000_isa: sja1000_isa_probe(): add missing free_sja1000dev() (git-fixes). - capabilities: fix potential memleak on error path from vfs_getxattr_alloc() (git-fixes). - capabilities: fix undefined behavior in bit shift for CAP_TO_MASK (git-fixes). - ceph: allow ceph.dir.rctime xattr to be updatable (bsc#1206050). - ceph: avoid putting the realm twice when decoding snaps fails (bsc#1206051). - ceph: do not update snapshot context when there is no new snapshot (bsc#1206047). - ceph: fix inode reference leakage inceph_get_snapdir() (bsc#1206048). - ceph: fix memory leak in ceph_readdir when note_last_dentry returns error (bsc#1206049). - ceph: properly handle statfs on multifs setups (bsc#1206045). - ceph: switch netfs read ops to use rreq-> inode instead of rreq-> mapping-> host (bsc#1206046). - char: tpm: Protect tpm_pm_suspend with locks (git-fixes). - cifs: Add constructor/destructors for tcon-> cfid (bsc#1193629). - cifs: Add helper function to check smb1+ server (bsc#1193629). - cifs: Do not access tcon-> cfids-> cfid directly from is_path_accessible (bsc#1193629). - cifs: Do not use tcon-> cfid directly, use the cfid we get from open_cached_dir (bsc#1193629). - cifs: Fix connections leak when tlink setup failed (git-fixes). - cifs: Fix memory leak on the deferred close (bsc#1193629). - cifs: Fix memory leak when build ntlmssp negotiate blob failed (bsc#1193629). - cifs: Fix pages array leak when writedata alloc failed in cifs_writedata_alloc() (bsc#1193629). - cifs: Fix pages leak when writedata alloc failed in cifs_write_from_iter() (bsc#1193629). - cifs: Fix the error length of VALIDATE_NEGOTIATE_INFO message (bsc#1193629). - cifs: Fix wrong return value checking when GETFLAGS (git-fixes). - cifs: Fix xid leak in cifs_copy_file_range() (bsc#1193629). - cifs: Fix xid leak in cifs_create() (bsc#1193629). - cifs: Fix xid leak in cifs_flock() (bsc#1193629). - cifs: Fix xid leak in cifs_get_file_info_unix() (bsc#1193629). - cifs: Fix xid leak in cifs_ses_add_channel() (bsc#1193629). - cifs: Make tcon contain a wrapper structure cached_fids instead of cached_fid (bsc#1193629). - cifs: Move cached-dir functions into a separate file (bsc#1193629). - cifs: Replace a couple of one-element arrays with flexible-array members (bsc#1193629). - cifs: Use after free in debug code (git-fixes). - cifs: Use help macro to get the header preamble size (bsc#1193629). - cifs: Use help macro to get the mid header size (bsc#1193629). - cifs: add check for returning value of SMB2_close_init (git-fixes). - cifs: add check for returningvalue of SMB2_set_info_init (git-fixes). - cifs: add missing spinlock around tcon refcount (bsc#1193629). - cifs: alloc_mid function should be marked as static (bsc#1193629). - cifs: always initialize struct msghdr smb_msg completely (bsc#1193629). - cifs: always iterate smb sessions using primary channel (bsc#1193629). - cifs: avoid deadlocks while updating iface (bsc#1193629). - cifs: avoid unnecessary iteration of tcp sessions (bsc#1193629). - cifs: avoid use of global locks for high contention data (bsc#1193629). - cifs: cache the dirents for entries in a cached directory (bsc#1193629). - cifs: change iface_list from array to sorted linked list (bsc#1193629). - cifs: destage dirty pages before re-reading them for cache=none (bsc#1193629). - cifs: do not send down the destination address to sendmsg for a SOCK_STREAM (bsc#1193629). - cifs: drop the lease for cached directories on rmdir or rename (bsc#1193629). - cifs: during reconnect, update interface if necessary (bsc#1193629). - cifs: enable caching of directories for which a lease is held (bsc#1193629). - cifs: find and use the dentry for cached non-root directories also (bsc#1193629). - cifs: fix double-fault crash during ntlmssp (bsc#1193629). - cifs: fix lock length calculation (bsc#1193629). - cifs: fix memory leaks in session setup (bsc#1193629). - cifs: fix missing unlock in cifs_file_copychunk_range() (git-fixes). - cifs: fix race condition with delayed threads (bsc#1193629). - cifs: fix skipping to incorrect offset in emit_cached_dirents (bsc#1193629). - cifs: fix small mempool leak in SMB2_negotiate() (bsc#1193629). - cifs: fix static checker warning (bsc#1193629). - cifs: fix uninitialised var in smb2_compound_op() (bsc#1193629). - cifs: fix use-after-free caused by invalid pointer `hostname` (bsc#1193629). - cifs: fix use-after-free on the link name (bsc#1193629). - cifs: fix wrong unlock before return from cifs_tree_connect() (bsc#1193629). - cifs: improve handlecaching (bsc#1193629). - cifs: improve symlink handling for smb2+ (bsc#1193629). -cifs: lease key is uninitialized in smb1 paths (bsc#1193629). - cifs: lease key is uninitialized in two additional functions when smb1 (bsc#1193629). - cifs: list_for_each() -> list_for_each_entry() (bsc#1193629). - cifs: misc: fix spelling typo in comment (bsc#1193629). - cifs: move from strlcpy with unused retval to strscpy (bsc#1193629). - cifs: periodically query network interfaces from server (bsc#1193629). - cifs: populate empty hostnames for extra channels (bsc#1193629). - cifs: prevent copying past input buffer boundaries (bsc#1193629). - cifs: remove 'cifs_' prefix from init/destroy mids functions (bsc#1193629). - cifs: remove initialization value (bsc#1193629). - cifs: remove minor build warning (bsc#1193629). - cifs: remove redundant initialization to variable mnt_sign_enabled (bsc#1193629). - cifs: remove remaining build warnings (bsc#1193629). - cifs: remove some camelCase and also some static build warnings (bsc#1193629). - cifs: remove unnecessary (void*) conversions (bsc#1193629). - cifs: remove unnecessary locking of chan_lock while freeing session (bsc#1193629). - cifs: remove unnecessary type castings (bsc#1193629). - cifs: remove unused server parameter from calc_smb_size() (bsc#1193629). - cifs: remove useless DeleteMidQEntry() (bsc#1193629). - cifs: remove useless parameter 'is_fsctl' from SMB2_ioctl() (bsc#1193629). - cifs: replace kfree() with kfree_sensitive() for sensitive data (bsc#1193629). - cifs: return correct error in -> calc_signature() (bsc#1193629). - cifs: return errors during session setup during reconnects (bsc#1193629). - cifs: revalidate mapping when doing direct writes (bsc#1193629). - cifs: secmech: use shash_desc directly, remove sdesc (bsc#1193629). - cifs: set rc to -ENOENT if we can not get a dentry for the cached dir (bsc#1193629). - cifs: skip extra NULL byte in filenames (bsc#1193629). - cifs: store a pointer to a fid in the cfid structure instead of the struct (bsc#1193629). - cifs: truncate the inode and mapping when we simulate fcollapse (bsc#1193629). - cifs:update cifs_ses::ip_addr after failover (bsc#1193629). - cifs: update internal module number (bsc#1193629). - cifs: use ALIGN() and round_up() macros (bsc#1193629). - cifs: use LIST_HEAD() and list_move() to simplify code (bsc#1193629). - cifs: when a channel is not found for server, log its connection id (bsc#1193629). - cifs: when insecure legacy is disabled shrink amount of SMB1 code (bsc#1193629). - clocksource/drivers/hyperv: add data structure for reference TSC MSR (git-fixes). - cpufreq: intel_pstate: Handle no_turbo in frequency invariance (jsc#PED-849). - cpufreq: intel_pstate: Support Sapphire Rapids OOB mode (jsc#PED-849). - cpuidle: intel_idle: Drop redundant backslash at line end (jsc#PED-1936). - dm btree remove: fix use after free in rebalance_children() (git-fixes). - dm crypt: make printing of the key constant-time (git-fixes). - dm era: commit metadata in postsuspend after worker stops (git-fixes). - dm integrity: fix memory corruption when tag_size is less than digest size (git-fixes). - dm mirror log: clear log bits up to BITS_PER_LONG boundary (git-fixes). - dm raid: fix accesses beyond end of raid member array (git-fixes). - dm stats: add cond_resched when looping over entries (git-fixes). - dm thin: fix use-after-free crash in dm_sm_register_threshold_callback (git-fixes). - dm: fix double accounting of flush with data (git-fixes). - dm: interlock pending dm_io and dm_wait_for_bios_completion (git-fixes). - dm: properly fix redundant bio-based IO accounting (git-fixes). - dm: remove unnecessary assignment statement in alloc_dev() (git-fixes). - dm: return early from dm_pr_call() if DM device is suspended (git-fixes). - dm: revert partial fix for redundant bio-based IO accounting (git-fixes). - dma-buf: fix racing conflict of dma_heap_add() (git-fixes). - dmaengine: at_hdmac: Check return code of dma_async_device_register (git-fixes). - dmaengine: at_hdmac: Do not allow CPU to reorder channel enable (git-fixes). - dmaengine: at_hdmac: Do not call the complete callback ondevice_terminate_all (git-fixes). - dmaengine: at_hdmac: Do not start transactions at tx_submit level (git-fixes). - dmaengine: at_hdmac: Fix at_lli struct definition (git-fixes). - dmaengine: at_hdmac: Fix completion of unissued descriptor in case of errors (git-fixes). - dmaengine: at_hdmac: Fix concurrency over descriptor (git-fixes). - dmaengine: at_hdmac: Fix concurrency over the active list (git-fixes). - dmaengine: at_hdmac: Fix concurrency problems by removing atc_complete_all() (git-fixes). - dmaengine: at_hdmac: Fix descriptor handling when issuing it to hardware (git-fixes). - dmaengine: at_hdmac: Fix impossible condition (git-fixes). - dmaengine: at_hdmac: Fix premature completion of desc in issue_pending (git-fixes). - dmaengine: at_hdmac: Free the memset buf without holding the chan lock (git-fixes). - dmaengine: at_hdmac: Protect atchan-> status with the channel lock (git-fixes). - dmaengine: at_hdmac: Start transfer for cyclic channels in issue_pending (git-fixes). - dmaengine: mv_xor_v2: Fix a resource leak in mv_xor_v2_remove() (git-fixes). - dmaengine: pxa_dma: use platform_get_irq_optional (git-fixes). - dmaengine: ti: k3-udma-glue: fix memory leak when register device fail (git-fixes). - docs, kprobes: Fix the wrong location of Kprobes (git-fixes). - docs/core-api: expand Fedora instructions for GCC plugins (git-fixes). - drm/amd/display: Add HUBP surface flip interrupt handler (git-fixes). - drm/amdgpu: disable BACO on special BEIGE_GOBY card (git-fixes). - drm/amdkfd: Fix NULL pointer dereference in svm_migrate_to_ram() (git-fixes). - drm/amdkfd: Migrate in CPU page fault use current mm (git-fixes). - drm/amdkfd: avoid recursive lock in migrations back to RAM (git-fixes). - drm/amdkfd: handle CPU fault on COW mapping (git-fixes). - drm/drv: Fix potential memory leak in drm_dev_init() (git-fixes). - drm/hyperv: Add ratelimit on error message (git-fixes). - drm/hyperv: Do not overwrite dirt_needed value set by host (git-fixes). - drm/i915/dmabuf: fix sg_table handling in map_dma_buf(git-fixes). - drm/i915/sdvo: Filter out invalid outputs more sensibly (git-fixes). - drm/i915/sdvo: Setup DDC fully before output init (git-fixes). - drm/imx: imx-tve: Fix return type of imx_tve_connector_mode_valid (git-fixes). - drm/msm/hdmi: Remove spurious IRQF_ONESHOT flag (git-fixes). - drm/msm/hdmi: fix IRQ lifetime (git-fixes). - drm/panel: simple: set bpc field for logic technologies displays (git-fixes). - drm/rockchip: dsi: Force synchronous probe (git-fixes). - drm/vc4: Fix missing platform_unregister_drivers() call in vc4_drm_register() (git-fixes). - drm/vc4: kms: Fix IS_ERR() vs NULL check for vc4_kms (git-fixes). - drm: Fix potential null-ptr-deref in drm_vblank_destroy_worker() (git-fixes). - dt-bindings: power: gpcv2: add power-domains property (git-fixes). - e1000e: Fix TX dispatch condition (git-fixes). - e100: Fix possible use after free in e100_xmit_prepare (git-fixes). - efi/tpm: Pass correct address to memblock_reserve (git-fixes). - efi: random: Use 'ACPI reclaim' memory for random seed (git-fixes). - efi: random: reduce seed size to 32 bytes (git-fixes). - firmware: arm_scmi: Make Rx chan_setup fail on memory errors (git-fixes). - firmware: arm_scmi: Suppress the driver's bind attributes (git-fixes). - firmware: coreboot: Register bus in module init (git-fixes). - fm10k: Fix error handling in fm10k_init_module() (git-fixes). - ftrace: Fix null pointer dereference in ftrace_add_mod() (git-fixes). - ftrace: Fix the possible incorrect kernel message (git-fixes). - ftrace: Fix use-after-free for dynamic ftrace_ops (git-fixes). - ftrace: Optimize the allocation for mcount entries (git-fixes). - fuse: add file_modified() to fallocate (bsc#1205332). - fuse: fix readdir cache race (bsc#1205331). - gpio: amd8111: Fix PCI device reference count leak (git-fixes). - hamradio: fix issue of dev reference count leakage in bpq_device_event() (git-fixes). - hv_netvsc: Fix potential dereference of NULL pointer (git-fixes). - hv_netvsc: Fix race between VF offering and VF association message from host(bsc#1204850). - hv_netvsc: Print value of invalid ID in netvsc_send_{completion,tx_complete}() (git-fixes). - hv_sock: Add validation for untrusted Hyper-V values (git-fixes). - hv_sock: Check hv_pkt_iter_first_raw()'s return value (git-fixes). - hv_sock: Copy packets sent by Hyper-V out of the ring buffer (git-fixes). - hwmon: (coretemp) Check for null before removing sysfs attrs (git-fixes). - hwmon: (coretemp) fix pci device refcount leak in nv1a_ram_new() (git-fixes). - hwmon: (i5500_temp) fix missing pci_disable_device() (git-fixes). - hwmon: (ibmpex) Fix possible UAF when ibmpex_register_bmc() fails (git-fixes). - hwmon: (ina3221) Fix shunt sum critical calculation (git-fixes). - hwmon: (ltc2947) fix temperature scaling (git-fixes). - i2c: i801: add lis3lv02d's I2C address for Vostro 5568 (git-fixes). - i2c: imx: Only DMA messages with I2C_M_DMA_SAFE flag set (git-fixes). - i2c: npcm7xx: Fix error handling in npcm_i2c_init() (git-fixes). - i2c: piix4: Fix adapter not be removed in piix4_remove() (git-fixes). - i2c: tegra: Allocate DMA memory for DMA engine (git-fixes). - i2c: xiic: Add platform module alias (git-fixes). - ibmvnic: Free rwi on reset success (bsc#1184350 ltc#191533 git-fixes). - ieee802154: cc2520: Fix error return code in cc2520_hw_init() (git-fixes). - iio: adc: at91_adc: fix possible memory leak in at91_adc_allocate_trigger() (git-fixes). - iio: adc: mp2629: fix potential array out of bound access (git-fixes). - iio: adc: mp2629: fix wrong comparison of channel (git-fixes). - iio: core: Fix entry not deleted when iio_register_sw_trigger_type() fails (git-fixes). - iio: health: afe4403: Fix oob read in afe4403_read_raw (git-fixes). - iio: health: afe4404: Fix oob read in afe4404_[read|write]_raw (git-fixes). - iio: light: apds9960: fix wrong register for gesture gain (git-fixes). - iio: light: rpr0521: add missing Kconfig dependencies (git-fixes). - iio: ms5611: Simplify IO callback parameters (git-fixes). - iio: pressure: ms5611: changed hardcoded SPI speed to value limited(git-fixes). - iio: pressure: ms5611: fixed value compensation bug (git-fixes). - iio: trigger: sysfs: fix possible memory leak in iio_sysfs_trig_init() (git-fixes). - init/Kconfig: fix CC_HAS_ASM_GOTO_TIED_OUTPUT test with dash (git-fixes). - intel_idle: Add AlderLake support (jsc#PED-824). - intel_idle: Fix SPR C6 optimization (jsc#PED-824 jsc#PED-1936). - intel_idle: Fix the 'preferred_cstates' module parameter (jsc#PED-824 jsc#PED-1936). - intel_idle: make SPR C1 and C1E be independent (jsc#PED-1936). - io-wq: Remove duplicate code in io_workqueue_create() (bnc#1205113). - io-wq: do not retry task_work creation failure on fatal conditions (bnc#1205113). - io-wq: ensure we exit if thread group is exiting (git-fixes). - io-wq: exclusively gate signal based exit on get_signal() return (git-fixes). - io-wq: fix cancellation on create-worker failure (bnc#1205113). - io-wq: fix silly logic error in io_task_work_match() (bnc#1205113). - io_uring: correct __must_hold annotation (git-fixes). - io_uring: drop ctx-> uring_lock before acquiring sqd-> lock (git-fixes). - io_uring: ensure IORING_REGISTER_IOWQ_MAX_WORKERS works with SQPOLL (git-fixes). - io_uring: fix io_timeout_remove locking (git-fixes). - io_uring: fix missing mb() before waitqueue_active (git-fixes). - io_uring: fix missing sigmask restore in io_cqring_wait() (git-fixes). - io_uring: fix possible poll event lost in multi shot mode (git-fixes). - io_uring: pin SQPOLL data before unlocking ring lock (git-fixes). - ipv6: ping: fix wrong checksum for large frames (bsc#1203183). - kABI: Fix kABI after 'KVM: x86/pmu: Use different raw event masks for AMD and Intel' (git-fixes). - kbuild: Unify options for BTF generation for vmlinux and modules (bsc#1204693). - kexec: turn all kexec_mutex acquisitions into trylocks (git-fixes). - mISDN: fix misuse of put_device() in mISDN_register_device() (git-fixes). - mISDN: fix possible memory leak in mISDN_dsp_element_register() (git-fixes). - mac80211: radiotap: Use BIT() instead of shifts (git-fixes). - mac802154: fixmissing INIT_LIST_HEAD in ieee802154_if_add() (git-fixes). - macsec: Fix invalid error code set (git-fixes). - macsec: add missing attribute validation for offload (git-fixes). - macsec: clear encryption keys from the stack after setting up offload (git-fixes). - macsec: delete new rxsc when offload fails (git-fixes). - macsec: fix detection of RXSCs when toggling offloading (git-fixes). - macsec: fix secy-> n_rx_sc accounting (git-fixes). - md/raid5: Ensure stripe_fill happens on non-read IO with journal (git-fixes). - md/raid5: Remove unnecessary bio_put() in raid5_read_one_chunk() (git-fixes). - md: Replace snprintf with scnprintf (git-fixes, bsc#1164051). - media: cros-ec-cec: limit msg.len to CEC_MAX_MSG_SIZE (git-fixes). - media: dvb-frontends/drxk: initialize err to 0 (git-fixes). - media: meson: vdec: fix possible refcount leak in vdec_probe() (git-fixes). - media: rkisp1: Do not pass the quantization to rkisp1_csm_config() (git-fixes). - media: rkisp1: Initialize color space on resizer sink and source pads (git-fixes). - media: rkisp1: Use correct macro for gradient registers (git-fixes). - media: rkisp1: Zero v4l2_subdev_format fields in when validating links (git-fixes). - media: s5p_cec: limit msg.len to CEC_MAX_MSG_SIZE (git-fixes). - media: v4l: subdev: Fail graciously when getting try data for NULL state (git-fixes). - misc/vmw_vmci: fix an infoleak in vmci_host_do_receive_datagram() (git-fixes). - mmc: core: Fix ambiguous TRIM and DISCARD arg (git-fixes). - mmc: core: properly select voltage range without power cycle (git-fixes). - mmc: cqhci: Provide helper for resetting both SDHCI and CQHCI (git-fixes). - mmc: mmc_test: Fix removal of debugfs file (git-fixes). - mmc: sdhci-brcmstb: Enable Clock Gating to save power (git-fixes). - mmc: sdhci-brcmstb: Fix SDHCI_RESET_ALL for CQHCI (git-fixes). - mmc: sdhci-brcmstb: Re-organize flags (git-fixes). - mmc: sdhci-esdhc-imx: correct CQHCI exit halt state check (git-fixes). - mmc: sdhci-esdhc-imx: use the correct host caps for MMC_CAP_8_BIT_DATA(git-fixes). - mmc: sdhci-of-arasan: Fix SDHCI_RESET_ALL for CQHCI (git-fixes). - mmc: sdhci-pci-o2micro: fix card detect fail issue caused by CD# debounce timeout (git-fixes). - mmc: sdhci-pci: Fix possible memory leak caused by missing pci_dev_put() (git-fixes). - mmc: sdhci-sprd: Fix no reset data and command after voltage switch (git-fixes). - mmc: sdhci-tegra: Fix SDHCI_RESET_ALL for CQHCI (git-fixes). - mmc: sdhci_am654: Fix SDHCI_RESET_ALL for CQHCI (git-fixes). - mms: sdhci-esdhc-imx: Fix SDHCI_RESET_ALL for CQHCI (git-fixes). - mtd: parsers: bcm47xxpart: Fix halfblock reads (git-fixes). - mtd: parsers: bcm47xxpart: print correct offset on read error (git-fixes). - mtd: spi-nor: intel-spi: Disable write protection only if asked (git-fixes). - nbd: Fix incorrect error handle when first_minor is illegal in nbd_dev_add (git-fixes). - net/smc: Avoid overwriting the copies of clcsock callback functions (git-fixes). - net/smc: Fix an error code in smc_lgr_create() (git-fixes). - net/smc: Fix possible access to freed memory in link clear (git-fixes). - net/smc: Fix possible leaked pernet namespace in smc_init() (git-fixes). - net/smc: Fix slab-out-of-bounds issue in fallback (git-fixes). - net/smc: Fix sock leak when release after smc_shutdown() (git-fixes). - net/smc: Forward wakeup to smc socket waitqueue after fallback (git-fixes). - net/smc: Only save the original clcsock callback functions (git-fixes). - net/smc: Send directly when TCP_CORK is cleared (git-fixes). - net/smc: kABI workarounds for struct smc_link (git-fixes). - net/smc: kABI workarounds for struct smc_sock (git-fixes). - net/smc: send directly on setting TCP_NODELAY (git-fixes). - net/x25: Fix skb leak in x25_lapb_receive_frame() (git-fixes). - net: ethernet: nixge: fix NULL dereference (git-fixes). - net: ethernet: renesas: ravb: Fix promiscuous mode after system resumed (git-fixes). - net: ethernet: ti: am65-cpsw: fix error handling in am65_cpsw_nuss_probe() (git-fixes). - net: hyperv: remove use of bpf_op_t (git-fixes). - net: mdio: fixunbalanced fwnode reference count in mdio_device_release() (git-fixes). - net: mdiobus: fix unbalanced node reference count (git-fixes). - net: phy: fix null-ptr-deref while probe() failed (git-fixes). - net: phy: marvell: add sleep time after enabling the loopback bit (git-fixes). - net: phy: mscc: macsec: clear encryption keys when freeing a flow (git-fixes). - net: smsc95xx: add support for Microchip EVB-LAN8670-USB (git-fixes). - net: stmmac: work around sporadic tx issue on link-up (git-fixes). - net: thunderbolt: Fix error handling in tbnet_init() (git-fixes). - net: thunderbolt: fix memory leak in tbnet_open() (git-fixes). - net: thunderx: Fix the ACPI memory leak (git-fixes). - net: usb: qmi_wwan: add Telit 0x103a composition (git-fixes). - net: wwan: iosm: fix dma_alloc_coherent incompatible pointer type (git-fixes). - net: wwan: iosm: fix kernel test robot reported error (git-fixes). - nfc/nci: fix race with opening and closing (git-fixes). - nfc: nfcmrvl: Fix potential memory leak in nfcmrvl_i2c_nci_send() (git-fixes). - nfc: nxp-nci: Fix potential memory leak in nxp_nci_send() (git-fixes). - nfc: s3fwrn5: Fix potential memory leak in s3fwrn5_nci_send() (git-fixes). - nfc: st-nci: fix incorrect sizing calculations in EVT_TRANSACTION (git-fixes). - nfc: st-nci: fix incorrect validating logic in EVT_TRANSACTION (git-fixes). - nfc: st-nci: fix memory leaks in EVT_TRANSACTION (git-fixes). - nilfs2: fix NULL pointer dereference in nilfs_palloc_commit_free_entry() (git-fixes). - nilfs2: fix deadlock in nilfs_count_free_blocks() (git-fixes). - nilfs2: fix nilfs_sufile_mark_dirty() not set segment usage as dirty (git-fixes). - nilfs2: fix use-after-free bug of ns_writer on remount (git-fixes). - nilfs2: replace WARN_ONs by nilfs_error for checkpoint acquisition failure (git-fixes). - panic, kexec: make __crash_kexec() NMI safe (git-fixes). - parport_pc: Avoid FIFO port location truncation (git-fixes). - phy: ralink: mt7621-pci: add sentinel to quirks table (git-fixes). - phy: stm32: fix an error code in probe(git-fixes). - pinctrl: devicetree: fix null pointer dereferencing in pinctrl_dt_to_map (git-fixes). - pinctrl: intel: Save and restore pins in 'direct IRQ' mode (git-fixes). - pinctrl: rockchip: list all pins in a possible mux route for PX30 (git-fixes). - pinctrl: single: Fix potential division by zero (git-fixes). - platform/surface: aggregator: Do not check for repeated unsequenced packets (git-fixes). - platform/x86/intel/pmt: Sapphire Rapids PMT errata fix (jsc#PED-2684 bsc#1205683). - platform/x86/intel: hid: add quirk to support Surface Go 3 (git-fixes). - platform/x86/intel: pmc: Do not unconditionally attach Intel PMC when virtualized (git-fixes). - platform/x86: acer-wmi: Enable SW_TABLET_MODE on Switch V 10 (SW5-017) (git-fixes). - platform/x86: asus-wmi: add missing pci_dev_put() in asus_wmi_set_xusb2pr() (git-fixes). - platform/x86: hp-wmi: Ignore Smart Experience App event (git-fixes). - platform/x86: hp_wmi: Fix rfkill causing soft blocked wifi (git-fixes). - platform/x86: ideapad-laptop: Disable touchpad_switch (git-fixes). - platform/x86: touchscreen_dmi: Add info for the RCA Cambio W101 v2 2-in-1 (git-fixes). - powerpc/64: Fix build failure with allyesconfig in book3s_64_entry.S (bsc#1194869). - powerpc/boot: Explicitly disable usage of SPE instructions (bsc#1156395). - powerpc/kvm: Fix kvm_use_magic_page (bsc#1156395). - powerpc/pseries/vas: Declare pseries_vas_fault_thread_fn() as static (bsc#1194869). - proc: avoid integer type confusion in get_proc_long (git-fixes). - proc: proc_skip_spaces() shouldn't think it is working on C strings (git-fixes). - rbd: fix possible memory leak in rbd_sysfs_init() (git-fixes). - regulator: core: fix UAF in destroy_regulator() (git-fixes). - regulator: core: fix kobject release warning and memory leak in regulator_register() (git-fixes). - regulator: twl6030: re-add TWL6032_SUBCLASS (git-fixes). - ring-buffer: Include dropped pages in counting dirty patches (git-fixes). - ring_buffer: Do not deactivate non-existant pages (git-fixes). - s390/futex: addmissing EX_TABLE entry to __futex_atomic_op() (bsc#1205427 LTC#200502). - s390/pci: add missing EX_TABLE entries to __pcistg_mio_inuser()/__pcilg_mio_inuser() (bsc#1205427 LTC#200502). - s390/uaccess: add missing EX_TABLE entries to __clear_user(), copy_in_user_mvcos(), copy_in_user_mvc(), clear_user_xc() and __strnlen_user() (bsc#1205428 LTC#200501). - s390: fix nospec table alignments (git-fixes). - sched: Clear ttwu_pending after enqueue_task() (git fixes (sched/core)). - sched: Disable sched domain debugfs creation on ppc64 unless sched_verbose is specified (bnc#1205653). - scripts/faddr2line: Fix regression in name resolution on ppc64le (git-fixes). - scsi: ibmvfc: Avoid path failures during live migration (bsc#1065729). - scsi: ibmvscsis: Increase INITIAL_SRP_LIMIT to 1024 (bsc#1156395). - scsi: megaraid_sas: Correct value passed to scsi_device_lookup() (git-fixes). - scsi: mpt3sas: Fix return value check of dma_get_required_mask() (git-fixes). - scsi: qedf: Populate sysfs attributes for vport (git-fixes). - scsi: scsi_transport_sas: Fix error handling in sas_phy_add() (git-fixes). - scsi: storvsc: Drop DID_TARGET_FAILURE use (git-fixes). - scsi: storvsc: Fix handling of srb_status and capacity change events (git-fixes). - scsi: storvsc: Fix typo in comment (git-fixes). - scsi: storvsc: Remove WQ_MEM_RECLAIM from storvsc_error_wq (git-fixes). - scsi: storvsc: remove an extraneous 'to' in a comment (git-fixes). - scsi: zfcp: Fix double free of FSF request when qdio send fails (git-fixes). - selftests/intel_pstate: fix build for ARCH=x86_64 (git-fixes). - selftests: mptcp: fix mibit vs mbit mix up (git-fixes). - selftests: mptcp: make sendfile selftest work (git-fixes). - selftests: mptcp: more stable simult_flows tests (git-fixes). - selftests: rtnetlink: correct xfrm policy rule in kci_test_ipsec_offload (git-fixes). - serial: 8250: 8250_omap: Avoid RS485 RTS glitch on -> set_termios() (git-fixes). - serial: 8250: Fall back to non-DMA Rx if IIR_RDI occurs (git-fixes). - serial: 8250: Flush DMA Rx on RLSI(git-fixes). - serial: 8250: omap: Fix unpaired pm_runtime_put_sync() in omap8250_remove() (git-fixes). - serial: 8250: omap: Flush PM QOS work on remove (git-fixes). - serial: 8250_lpss: Configure DMA also w/o DMA filter (git-fixes). - serial: 8250_omap: remove wait loop from Errata i202 workaround (git-fixes). - serial: imx: Add missing .thaw_noirq hook (git-fixes). - siox: fix possible memory leak in siox_device_add() (git-fixes). - slimbus: stream: correct presence rate frequencies (git-fixes). - smb2: small refactor in smb2_check_message() (bsc#1193629). - smb3: Move the flush out of smb2_copychunk_range() into its callers (bsc#1193629). - smb3: add dynamic trace points for tree disconnect (bsc#1193629). - smb3: add trace point for SMB2_set_eof (bsc#1193629). - smb3: allow deferred close timeout to be configurable (bsc#1193629). - smb3: check xattr value length earlier (bsc#1193629). - smb3: clarify multichannel warning (bsc#1193629). - smb3: do not log confusing message when server returns no network interfaces (bsc#1193629). - smb3: fix empty netname context on secondary channels (bsc#1193629). - smb3: fix oops in calculating shash_setkey (bsc#1193629). - smb3: fix temporary data corruption in collapse range (bsc#1193629). - smb3: fix temporary data corruption in insert range (bsc#1193629). - smb3: improve SMB3 change notification support (bsc#1193629). - smb3: interface count displayed incorrectly (bsc#1193629). - smb3: missing inode locks in punch hole (bsc#1193629). - smb3: missing inode locks in zero range (bsc#1193629). - smb3: must initialize two ACL struct fields to zero (bsc#1193629). - smb3: remove unneeded null check in cifs_readdir (bsc#1193629). - smb3: rename encryption/decryption TFMs (bsc#1193629). - smb3: use filemap_write_and_wait_range instead of filemap_write_and_wait (bsc#1193629). - smb3: use netname when available on secondary channels (bsc#1193629). - smb3: workaround negprot bug in some Samba servers (bsc#1193629). - soc: imx8m: Enable OCOTP clock before reading the register(git-fixes). - soundwire: intel: Initialize clock stop timeout (bsc#1205507). - soundwire: qcom: check for outanding writes before doing a read (git-fixes). - soundwire: qcom: reinit broadcast completion (git-fixes). - speakup: fix a segfault caused by switching consoles (git-fixes). - spi: dw-dma: decrease reference count in dw_spi_dma_init_mfld() (git-fixes). - spi: spi-imx: Fix spi_bus_clk if requested clock is higher than input clock (git-fixes). - spi: stm32: Print summary 'callbacks suppressed' message (git-fixes). - spi: stm32: fix stm32_spi_prepare_mbr() that halves spi clk for every run (git-fixes). - spi: tegra210-quad: Fix duplicate resource error (git-fixes). - thunderbolt: Add DP OUT resource when DP tunnel is discovered (git-fixes). - tools: hv: Remove an extraneous 'the' (git-fixes). - tools: hv: kvp: remove unnecessary (void*) conversions (git-fixes). - tools: iio: iio_generic_buffer: Fix read size (git-fixes). - tracing/ring-buffer: Have polling block on watermark (git-fixes). - tracing: Fix memory leak in test_gen_synth_cmd() and test_empty_synth_event() (git-fixes). - tracing: Fix memory leak in tracing_read_pipe() (git-fixes). - tracing: Fix wild-memory-access in register_synth_event() (git-fixes). - tracing: kprobe: Fix memory leak in test_gen_kprobe/kretprobe_cmd() (git-fixes). - tracing: kprobe: Fix potential null-ptr-deref on trace_array in kprobe_event_gen_test_exit() (git-fixes). - tracing: kprobe: Fix potential null-ptr-deref on trace_event_file in kprobe_event_gen_test_exit() (git-fixes). - tty: n_gsm: fix sleep-in-atomic-context bug in gsm_control_send (git-fixes). - tty: serial: fsl_lpuart: do not break the on-going transfer when global reset (git-fixes). - usb: add NO_LPM quirk for Realforce 87U Keyboard (git-fixes). - usb: cdns3: host: fix endless superspeed hub port reset (git-fixes). - usb: cdnsp: Fix issue with Clear Feature Halt Endpoint (git-fixes). - usb: cdnsp: fix issue with ZLP - added TD_SIZE = 1 (git-fixes). - usb: chipidea: fix deadlock in ci_otg_del_timer(git-fixes). - usb: dwc3: exynos: Fix remove() function (git-fixes). - usb: dwc3: gadget: Clear ep descriptor last (git-fixes). - usb: dwc3: gadget: Return -ESHUTDOWN on ep disable (git-fixes). - usb: dwc3: gadget: conditionally remove requests (git-fixes). - usb: smsc: use eth_hw_addr_set() (git-fixes). - usb: typec: mux: Enter safe mode only when pins need to be reconfigured (git-fixes). - usb: xhci-mtk: check boundary before check tt (git-fixes). - usb: xhci-mtk: update fs bus bandwidth by bw_budget_table (git-fixes). - usbnet: smsc95xx: Do not reset PHY behind PHY driver's back (git-fixes). - v3 of 'PCI: hv: Only reuse existing IRTE allocation for Multi-MSI' - video/fbdev/stifb: Implement the stifb_fillrect() function (git-fixes). - virtio-blk: Use blk_validate_block_size() to validate block size (git-fixes). - vmxnet3: correctly report encapsulated LRO packet (git-fixes). - vmxnet3: use correct intrConf reference when using extended queues (git-fixes). - wifi: airo: do not assign -1 to unsigned char (git-fixes). - wifi: ath11k: Fix QCN9074 firmware boot on x86 (git-fixes). - wifi: ath11k: avoid deadlock during regulatory update in ath11k_regd_update() (git-fixes). - wifi: cfg80211: do not allow multi-BSSID in S1G (git-fixes). - wifi: cfg80211: fix buffer overflow in elem comparison (git-fixes). - wifi: cfg80211: fix memory leak in query_regdb_file() (git-fixes). - wifi: cfg80211: silence a sparse RCU warning (git-fixes). - wifi: mac80211: Fix ack frame idr leak when mesh has no route (git-fixes). - wifi: mac80211: fix memory free error when registering wiphy fail (git-fixes). - wifi: mac80211_hwsim: fix debugfs attribute ps with rc table support (git-fixes). - wifi: mac8021: fix possible oob access in ieee80211_get_rate_duration (git-fixes). - wifi: wext: use flex array destination for memcpy() (git-fixes). - wifi: wilc1000: validate length of IEEE80211_P2P_ATTR_CHANNEL_LIST attribute (git-fixes). - wifi: wilc1000: validate length of IEEE80211_P2P_ATTR_OPER_CHANNEL attribute (git-fixes). - wifi: wilc1000:validate number of channels (git-fixes). - wifi: wilc1000: validate pairwise and authentication suite offsets (git-fixes). - x86/Xen: streamline (and fix) PV CPU enumeration (git-fixes). - x86/bugs: Make sure MSR_SPEC_CTRL is updated properly upon resume from S3 (bsc#1206037). - x86/cpu: Restore AMD's DE_CFG MSR after resume (bsc#1205473). - x86/entry: Work around Clang __bdos() bug (git-fixes). - x86/extable: Extend extable functionality (git-fixes). - x86/fpu: Drop fpregs lock before inheriting FPU permissions (bnc#1205282). - x86/futex: Remove .fixup usage (git-fixes). - x86/hyperv: Disable hardlockup detector by default in Hyper-V guests (git-fixes). - x86/hyperv: Fix 'struct hv_enlightened_vmcs' definition (git-fixes). - x86/hyperv: Update 'struct hv_enlightened_vmcs' definition (git-fixes). - x86/hyperv: fix invalid writes to MSRs during root partition kexec (git-fixes). - x86/kexec: Fix double-free of elf header buffer (bsc#1205567). - x86/microcode/AMD: Apply the patch early on every logical thread (bsc#1205264). - x86/uaccess: Implement macros for CMPXCHG on user addresses (git-fixes). - xen/gntdev: Accommodate VMA splitting (git-fixes). - xen/pcpu: fix possible memory leak in register_pcpu() (git-fixes). - xen: delay xen_hvm_init_time_ops() if kdump is boot on vcpu> =32 (git-fixes). - xfs: convert XLOG_FORCED_SHUTDOWN() to xlog_is_shutdown() (git-fixes). - xfs: fix perag reference leak on iteration race with growfs (git-fixes). - xfs: fix xfs_ifree() error handling to not leak perag ref (git-fixes). - xfs: reserve quota for dir expansion when linking/unlinking files (bsc#1205616). - xfs: reserve quota for target dir expansion when renaming files (bsc#1205679). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2022:4597-1 Released: Wed Dec 21 10:13:11 2022 Summary: Security update for curl Type: security Severity: important References: 1206308,1206309,CVE-2022-43551,CVE-2022-43552 This update for curl fixes the following issues: - CVE-2022-43552:HTTP Proxy deny use-after-free (bsc#1206309). - CVE-2022-43551: Fixed HSTS bypass via IDN (bsc#1206308). ----------------------------------------------------------------- Advisory ID: SUSE-feature-2022:4601-1 Released: Wed Dec 21 12:23:59 2022 Summary: Feature update for GNOME 41 Type: feature Severity: moderate References: 1175622,1179584,1188882,1196205,1200581,1203274,1204867,944832 This update for GNOME 41 fixes the following issues: atkmm1_6: - Version update from 2.28.1 to 2.28.3 (jsc#PED-2235): * Meson build: Avoid unnecessary configuration warnings * Meson build: Perl is not required by new versions of mm-common * Meson build: Require meson > = 0.55.0 * Meson build: Specify 'check' option in run_command(). Will be necessary with future versions of Meson. * Require atk > = 2.12.0 Not a new requirement, but previously it was not specified in configure.ac and meson.build * Support building with Visual Studio 2022 eog: - Version update from 41.1 to 41.2 (jsc#PED-2235): * eog-window: use correct type for display_profile * Fix discovery of Evince for multi-page images evince: - Version update 41.3 to 41.4 (jsc#PED-2235): * shell: Fix failures when thumbnail extraction takes too long * Fix build with meson 0.60.0 and newer evolution: - Ensure evolution-devel is forward compatible with evolution-data-server-devel in a same major version (jsc#PED-2235) evolution-data-center: - Version update from 3.42.4 to 3.42.5 (jsc#PED-2235): * Google OAuth out-of-band (oob) flow will be deprecated folks: - Version update 0.15.3 to 0.15.5 (jsc#PED-2235): * vapi: Add missing generic type argument * Fix docs build against newer eds version * Fix build against newer eds version * Remove volatile keyword from tests gcr: - Version update 3.41.0 to 3.41.1 (jsc#PED-2235): * Add G_SPAWN_CLOEXEC_PIPES flag to all the g_spawn commands * Add gi-docgen dependency which is needed by the docs * Fix build with meson 0.60.0 and newer * Fix build without systemd * Several CI fixes geocode-glib: - Version update from 3.26.2 to 3.26.4 (jsc#PED-2235): * Fix to a test data file not being installed, and a bug fix for a bug in the libsoup3 port * Add support for libsoup 3.x gjs: - Version update from 1.70.1 to 1.70.2 (jsc#PED-2235): * Build and compatibility fixes backported from the development branch * Reverse order of running-from-source checks - Require xorg-x11-Xvfb for proper package build (bsc#1203274) glib2: - Version update from 2.70.4 to 2.70.5 (jsc#PED-2235): * Bugs fixed: glgo#GNOME/GLib#2620, glgo#GNOME/GLib!2537, glgo#GNOME/GLib!2555 * Split gtk-docs from -devel package, these are not needed during building projects using glib2 gnome-control-center: - Fix the size of logo icon in About system (bsc#1200581) - Version update from 41.4 to 41.7 (jsc#PED-2235): * Cellular: Remove duplicate line from .desktop * Info: Allow changing 'Device Name' by pressing 'Enter' * Info: Remove trailing space after CPU name * Keyboard: Fix crash resetting all keyboard shortcuts * Keyboard: Fix leaks * Network: Fix saving passwords for non-wifi connections * Network: Fix critical when opening VPN details page * Wacom: Fix leaks gnome-desktop: - Version update from 41.2 to 41.8 (jsc#PED-2235): * Version increase but no actual changes gnome-music: - Version update from 41.0 to 41.1 (jsc#PED-2235): * Ensure the correct album is played * Fix build with meson 0.61.0 and newer * Fix crash on empty selection * Fix incorrect playlist import * Fix time displayed in RTL languages * Improve async queue work * Make random shuffle actually random * Make shuffle random * Speed increase on first startup on larger collections * Time is reversed in RTL gnome-remote-desktop: - Version update from 41.2 to 41.3 (jsc#PED-2235): * Add Icelandic translation gnome-session: - Clear error messages that can be ignored because expected to happen for GDM sessions (bsc#1204867) - Add fix for gnome-session to exit immediately when lost name onbus (bsc#1175622, bsc#1188882) gnome-shell: - Disable offline update suggestion before shutdown/reboot in SLE and openSUSE Leap (bsc#944832) - Version update from 41.4 to 41.9 (jsc#PED-2235): * Allow extension updates with only Extension Manager installed * Allow more intermediate icon sizes in app grid * Disable workspace switching while in search. * Do not create systemd scope for D-Bus activated apps * Fix calendar to correctly align world clocks header in RTL * Fix drag placeholder position in dash in RTL locales * Fix edge case where windows stay dimmed after a modal is closed * Fix feedback when turning on a11y features by keyboard * Fix focus tracking in magnifier on wayland * Fix fractional timezone offsets in world clock * Fix glitches in overview transition * Fix logging in with realmd * Fix memory leak * Fix opening device settings for enterprise WPA networks * Fix programatically set scrollview fade * Fix regression in ibus support * Fix unresponsive top bar in overview when in fullscreen * Handle monitor changes during startup animation * Hide overview after 'Show Details' from app context menu * Improve Belgian on-screen keyboard layout * Improve CSS shadow appearance * Make sure startup animation completes * Misc. bug fixes and cleanups * Only close messages via delete key if they can be closed * Respect IM hint for candidates list in on-screen keyboard gnome-software: - Disable offline update feature in SUSE Linux Enterprise and openSUSE Leap (bsc#944832) - Version update from 41.4 to 41.5 (jsc#PED-2235): * Added several appstream-related fixed * Disable scroll-by-mouse-wheel on featured carousel * Ensure details page shows app provided on command line gnome-terminal: - Version update from 3.42.2 to 3.42.3 (jsc#PED-2235): * Fix build with meson 0.61.0 and newer * window: Use a normal menu for the popup menu gnome-user-docs: - Version update from 41.1 to 41.5 (jsc#PED-2235): * Added missing icon fornetwork-wired-symbolic gspell: - Version update from 1.8.4 to 1.10.0 (jsc#PED-2235): * Build: distribute more files in tarballs * Documentation improvements gtkmm3: - Version update from 3.24.5 to 3.24.6 (jsc#PED-2235): * Build with Meson: MSVC build: Support Visual Studio 2022 * Check if Perl is required for building documentation * Don't use deprecated python3.path() and execute (..., gui_app...) * GTK: TreeValueProxy: Declare copy constructor = default, avoiding warnings from the claing++ compiler * Object::_release_c_instance(): Unref orphan managed widgets * SizeGroup demo: Set active items in the combo boxs, so something is shown * Specify 'check' option in run_command() gtk-vnc: - Version update from 1.3.0 to 1.3.1 (jsc#PED-2235): * Add 'check' arg to meson run_command() * Fix invalid use of subprojects with meson * Support ZRLE encoding for zero size alpha cursors gupnp-av: - Version update from 0.12.11 to 0.14.1 (jsc#PED-2235): * Add utility function to format GDateTime to the iso variant DIDL expects * Allow to be used as a subproject * Drop autotools * Fix stripping @refID * Fix unsetting subtitleFileType * Make Feature derivable again * Obsolete code removal. * Port to modern GObject * Remove hand-written ref-counting, use RcBox/AtomicRcBox instead. * Switch to meson build system, following upstream - Rename libgupnp-av-1_0-2 subpackage to libgupnp-av-1_0-3, correcting the package name to match the provided library - Conflict with the wrongly provided libgupnp-av-1_0-2 gvfs: - Version update from 1.48.1 to 1.48.2 (jsc#PED-2235): * sftp: Adapt on new OpenSSH password prompts * smb: Rework anonymous handling to avoid EINVAL * smb: Ignore EINVAL for kerberos/ccache login libgsf: - Version update from 1.14.48 to 1.14.50 (jsc#PED-2235): * Fix error handling problem when writing ole files * Fix problems with non-western text in OLE properties * Use g_date_time_new_from_iso8601 and g_date_time_format_iso8601 when available libmediaart: -Version update from 1.9.5 to 1.9.6 (jsc#PED-2235): * build: Add introspection/vapi/tests options * build: Use library() to optionally build a static library libnma: - Version update from 1.8.32 to 1.8.40 (jsc#PED-2235): * Ad-Hoc networks now default to using WPA2 instead of WEP * Add possibility of building libnma-gtk4 library with Gtk4 support * Do not allow setting empty 802.1x domain for EAP TLS * Fixed keyboard accelerator for certificate chooser * Fixed libnma-gtk4 version of mobile-wizard * Include OWE wireless security option * The GtkBuilder files for Gtk4 are now included in the release tarball * WEP is no longer provided as an option for connecting to hidden networks due to its deprecated status - New sub-packages libnma-gtk4-0, typelib-1_0-NMA4-1_0 and libnma-gtk4-devel - Split out documentation files in own docs sub-package libnotify: - Version update from 0.7.10 to 0.7.12 (jsc#PED-2235): * Delete unused notifynotification.xml * Fix potential build errors with old glib version we require * docs/notify-send: Add --transient option to manpage * notification: Bookend calling NotifyActionCallback with temporary reference * notification: Include sender-pid hint by default if not provided * notify-send: Add debug message about server not supporting persistence * notify-send: Add explicit option to create transient notifications * notify-send: Add support for boolean hints * notify-send: Move server capabilities check to a separate function * notify-send: Support passing any hint value, by parsing variant strings libpeas: - Version update from 1.30.0 to 1.32.0 (jsc#PED-2235): * Icon licenses have been corrected * Parallel build system operation fixes * Use gi-docgen for documentation * Various build warnings squashed * Various GIR data that should not have been exported was removed - Stop packaging the demo files/sub-package librsvg: - Version update from 2.52.6 to 2.52.9 (jsc#PED-2235): * Catch circular references when rendering patterns * Fixregressions when computing element geometries * Fix regression outputting all text as paths libsecret: - Version update from 0.20.4 to 0.20.5 (jsc#PED-2235): * Add bash-completion for secret-tool * Add locking capabilities to secret tool * Add support for TPM2 based secret storage * Create default collection after DBus.Error.UnknownObject * Detect local storage in snaps in the same way as flatpaks * Drop autotools-based build * GI annotation and documentation fixes * Port documentation to gi-docgen * Use G_GNUC_NULL_TERMINATED where appropriate collection, methods, prompt: Port to GTask * secret-file-backend: Avoid closing the same file descriptor twice mutter: - Version update from 41.5 to 41.9 (jsc#PED-2235): * Fix '--replace option' * Fix missing root window properties after XWayland start * Fix night light without GAMMA_LUT property * KMS: Survive missing GAMMA_LUT property * wayland: Fix rotation transform * Misc. bug fixes nautilus: - Version update from 41.2 to 41.5(jsc#PED-2235): * Drag-and-drop bugfixes * HighContrast style fixes orca: - Version update from 41.1 to 41.3 (jsc#PED-2235): * Add more event-flood detection and handling for improved performance * Fix bug causing accessing preferences to fail for Esperanto * Web: Fix bug causing widgets descending from off-screen label elements to be skipped over * Web: Fix presentation of the FluentUI react dialog (and any other dialog which has an ARIA document-role descendant) * WebKitGtk: Fail gracefully when structural navigation commands are used in WebKitGtk 2.36.x python-cairo: - Add python3-cairo to SUSE Linux Enterprise Micro 5.3 as it is now required by python3-gobject-cairo python-gobject: - Add dependency on python-cairo to python-gobject-cairo: The introspection wrapper needs pycairo (bsc#1179584) - Version update from 3.42.0 to 3.42.2 (jsc#PED-2235): * Add a workaround for a PyPy 3.9+ bug when threads are used * Do not error out for unknown scopes * Prompt an error instead ofcrashing when marshaling unsupported fundamental types in some cases * Fix a crash/refcounting error in case marshaling a hash table fails * Fix crashes when marshaling zero terminated arrays for certain item types * Implement DynamicImporter.find_spec() to silence deprecation warning * Make the test suite pass again with PyPy * Some test/CI fixes * gtk overrides: Do not override Treeview.enable_model_drag_xx for GTK4 * gtk overrides: restore Gtk.ListStore.insert_with_valuesv with newer GTK4 * interface: Fix leak when overriding GInterfaceInfo * setup.py: look up pycairo headers without importing the module trackers-python: - Allow system calls used by gstreamer (bsc#1196205) - Version update from 3.2.2 to 3.2.1 (jsc#PED-2235): * Backport seccomp rules for rseq and mbind syscalls vala: - Version update from 0.54.6 to 0.54.8 (jsc#PED-2235): * Add missing TraverseVisitor.visit_data_type() * Add support for 'copy_/free_function' metadata for compact classes * Catch and throw possible inner error of lock statements * Clear SemanticAnalyzer.current_{symbol,source_file} when not needed anymore * Don't count instance-parameter when checking for backwards closure reference * Fix a few binding errors * Free empty stack list for code contexts * Handle duplicated and unnamed symbols. * Improve UI parsing and handling of nested objects and properties * Make sure to drop our 'trap' jump target in case of an error * Move dynamic property errors to semantic analyzer pass * Require lvalue access of delegate target/destroy 'fields' * Show source location when reporting deprecations * Transform assignment of an array element as needed * manual: Update from wiki.gnome.org * parser: Improve handling of nullable VarType in with-statement * parser: Reduce the source reference of main block method to its beginning xdg-desktop-portal-gnome: - Version update from 0.54.6 to 0.54.8 (jsc#PED-2235): * Properly bind property in Lockdownportal ----------------------------------------------------------------- Advisory ID: SUSE-RU-2022:4618-1 Released: Fri Dec 23 13:02:31 2022 Summary: Recommended update for catatonit Type: recommended Severity: moderate References: This update for catatonit fixes the following issues: Update to catatonit v0.1.7: - This release adds the ability for catatonit to be used as the only process in a pause container, by passing the -P flag (in this mode no subprocess is spawned and thus no signal forwarding is done). Update to catatonit v0.1.6: - which fixes a few bugs -- mainly ones related to socket activation or features somewhat adjacent to socket activation (such as passing file descriptors). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2022:4628-1 Released: Wed Dec 28 09:23:13 2022 Summary: Security update for sqlite3 Type: security Severity: moderate References: 1206337,CVE-2022-46908 This update for sqlite3 fixes the following issues: - CVE-2022-46908: Properly implement the azProhibitedFunctions protection mechanism, when relying on --safe for execution of an untrusted CLI script (bsc#1206337). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2022:4629-1 Released: Wed Dec 28 09:24:07 2022 Summary: Security update for systemd Type: security Severity: important References: 1200723,1205000,CVE-2022-4415 This update for systemd fixes the following issues: - CVE-2022-4415: Fixed systemd-coredump that did not respect the fs.suid_dumpable kernel setting (bsc#1205000). Bug fixes: - Support by-path devlink for multipath nvme block devices (bsc#1200723). ----------------------------------------------------------------- Advisory ID: SUSE-SU-2022:4631-1 Released: Wed Dec 28 09:29:15 2022 Summary: Security update for vim Type: security Severity: important References: 1204779,1205797,1206028,1206071,1206072,1206075,1206077,CVE-2022-3491,CVE-2022-3520,CVE-2022-3591,CVE-2022-3705,CVE-2022-4141,CVE-2022-4292,CVE-2022-4293 This update for vim fixes the following issues: Updated to version 9.0.1040: - CVE-2022-3491: vim: Heap-based Buffer Overflow prior to 9.0.0742 (bsc#1206028). - CVE-2022-3520: vim: Heap-based Buffer Overflow (bsc#1206071). - CVE-2022-3591: vim: Use After Free (bsc#1206072). - CVE-2022-4292: vim: Use After Free in GitHub repository vim/vim prior to 9.0.0882 (bsc#1206075). - CVE-2022-4293: vim: Floating Point Comparison with Incorrect Operator in GitHub repository vim/vim prior to 9.0.0804 (bsc#1206077). - CVE-2022-4141: vim: heap-buffer-overflow in alloc.c 246:11 (bsc#1205797). - CVE-2022-3705: vim: use after free in function qf_update_buffer of the file quickfix.c (bsc#1204779). ----------------------------------------------------------------- Advisory ID: SUSE-RU-2023:25-1 Released: Thu Jan 5 09:51:41 2023 Summary: Recommended update for timezone Type: recommended Severity: moderate References: 1177460 This update for timezone fixes the following issues: Version update from 2022f to 2022g (bsc#1177460): - In the Mexican state of Chihuahua: * The border strip near the US will change to agree with nearby US locations on 2022-11-30. * The strip's western part, represented by Ciudad Juarez, switches from -06 all year to -07/-06 with US DST rules, like El Paso, TX. * The eastern part, represented by Ojinaga, will observe US DST next year, like Presidio, TX. * A new Zone America/Ciudad_Juarez splits from America/Ojinaga. - Much of Greenland, represented by America/Nuuk, stops observing winter time after March 2023, so its daylight saving time becomes standard time. - Changes for pre-1996 northern Canada - Update to past DST transition in Colombia (1993), Singapore (1981) - 'timegm' is now supported by default ----------------------------------------------------------------- Advisory ID: SUSE-SU-2023:37-1 Released: Fri Jan 615:35:49 2023 Summary: Security update for ca-certificates-mozilla Type: security Severity: important References: 1206212,1206622 This update for ca-certificates-mozilla fixes the following issues: - Updated to 2.60 state of Mozilla SSL root CAs (bsc#1206622) Removed CAs: - Global Chambersign Root - EC-ACC - Network Solutions Certificate Authority - Staat der Nederlanden EV Root CA - SwissSign Platinum CA - G2 Added CAs: - DIGITALSIGN GLOBAL ROOT ECDSA CA - DIGITALSIGN GLOBAL ROOT RSA CA - Security Communication ECC RootCA1 - Security Communication RootCA3 Changed trust: - TrustCor certificates only trusted up to Nov 30 (bsc#1206212) - Removed CAs (bsc#1206212) as most code does not handle 'valid before nov 30 2022' and it is not clear how many certs were issued for SSL middleware by TrustCor: - TrustCor RootCert CA-1 - TrustCor RootCert CA-2 - TrustCor ECA-1 ----------------------------------------------------------------- Advisory ID: SUSE-RU-2023:41-1 Released: Mon Jan 9 10:23:07 2023 Summary: Recommended update for kdump Type: recommended Severity: important References: 1144337,1191410,1204000,1204743 This update for kdump fixes the following issues: - Make the kdump-save.service reboot after kdump-save is finished (bsc#1204000) - Fix renaming of qeth interfaces (bsc#1204743, bsc#1144337) - Rebuild initrd image after migration on ppc64 architecture (bsc#1191410) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2023:45-1 Released: Mon Jan 9 10:32:26 2023 Summary: Recommended update for libxml2 Type: recommended Severity: moderate References: 1204585 This update for libxml2 fixes the following issues: - Add W3C conformance tests to the testsuite (bsc#1204585): * Added file xmlts20080827.tar.gz ----------------------------------------------------------------- Advisory ID: SUSE-RU-2023:48-1 Released: Mon Jan 9 10:37:54 2023 Summary: Recommended update for libtirpc Type: recommended Severity: moderate References: 1199467 This update for libtirpc fixes the following issues: - Consider /proc/sys/net/ipv4/ip_local_reserved_ports, before binding to a random port (bsc#1199467) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2023:50-1 Released: Mon Jan 9 10:42:21 2023 Summary: Recommended update for shadow Type: recommended Severity: moderate References: 1205502 This update for shadow fixes the following issues: - Fix issue with user id field that cannot be interpreted (bsc#1205502) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2023:51-1 Released: Mon Jan 9 10:42:58 2023 Summary: Recommended update for suse-module-tools Type: recommended Severity: moderate References: 1195391,1200107,1203092,1204423 This update for suse-module-tools fixes the following issues: - 80-hotplug-cpu-mem.rules: Restrict udev rule for Hotplug physical CPU to x86_64 architecture (bsc#1204423) - driver-check.sh, unblacklist: Convert `egrep` to `grep -E` (bsc#1203092) - driver-check.sh: Avoid false positive error messages (bsc#1200107) - kernel-scriptlets: Don't pass flags to weak-modules2 (bsc#1195391) ----------------------------------------------------------------- Advisory ID: SUSE-RU-2023:52-1 Released: Mon Jan 9 10:43:57 2023 Summary: Recommended update for xfsprogs Type: recommended Severity: moderate References: 1205266,1205272,1205284,1205377 This update for xfsprogs fixes the following issues: - mkfs: don't trample the gid set in the protofile (bsc#1205266) - mkfs: prevent corruption of passed-in suboption string values (bsc#1205377) - mkfs: terminate getsubopt arrays properly (bsc#1205284) - xfs_repair: ignore empty xattr leaf blocks (bsc#1205272) ----------------------------------------------------------------- Advisory ID: SUSE-SU-2023:56-1 Released: Mon Jan 9 11:13:43 2023 Summary: Security update for libksba Type: security Severity: moderate References: 1206579,CVE-2022-47629 This update for libksba fixes the following issues: - CVE-2022-47629: Fixed an integer overflow vulnerability in the CRL signature parser (bsc#1206579). The following package changes have been done: - ca-certificates-mozilla-2.60-150200.27.1 updated - catatonit-0.1.7-150300.10.3.1 updated - curl-7.79.1-150400.5.12.1 updated - kdump-1.0.2+git18.g615d6ab-150400.3.8.1 updated - kernel-default-5.14.21-150400.24.38.1 updated - libcurl4-7.79.1-150400.5.12.1 updated - libglib-2_0-0-2.70.5-150400.3.3.1 updated - libksba8-1.3.5-150000.4.6.1 updated - libsqlite3-0-3.39.3-150000.3.20.1 updated - libsystemd0-249.12-150400.8.16.1 updated - libtirpc-netconfig-1.2.6-150300.3.17.1 updated - libtirpc3-1.2.6-150300.3.17.1 updated - libudev1-249.12-150400.8.16.1 updated - libxml2-2-2.9.14-150400.5.13.1 updated - login_defs-4.8.1-150400.10.3.1 updated - shadow-4.8.1-150400.10.3.1 updated - suse-module-tools-15.4.15-150400.3.5.1 updated - systemd-sysvinit-249.12-150400.8.16.1 updated - systemd-249.12-150400.8.16.1 updated - timezone-2022g-150000.75.18.1 updated - udev-249.12-150400.8.16.1 updated - vim-data-common-9.0.1040-150000.5.31.1 updated - vim-9.0.1040-150000.5.31.1 updated - xfsprogs-5.13.0-150400.3.3.1 updated . The SUSE Container Image Security Update provides essential patches addressing vulnerabilities, reinforcing overall system security.. Container Update,SUSE,Security Advisory,Kernel Fix,Security Update. . LinuxSecurity.com Team

Calendar%202 Jan 24, 2023 SuSE
98

Red Hat OpenShift 4.9.6 Important Update: Security Flaws Fixed

Red Hat OpenShift Virtualization release 4.9.6 is now available with updates to packages and images that fix several bugs and add enhancements. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score,. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 ==================================================================== Red Hat Security Advisory Synopsis: Important: OpenShift Virtualization 4.9.6 Images security and bug fix update Advisory ID: RHSA-2022:6681-01 Product: cnv Advisory URL: https://access.redhat.com/errata/RHSA-2022:6681 Issue date: 2022-09-22 CVE Names: CVE-2022-0494 CVE-2022-1271 CVE-2022-1353 CVE-2022-1798 CVE-2022-2526 CVE-2022-29154 ==================================================================== 1. Summary: Red Hat OpenShift Virtualization release 4.9.6 is now available with updates to packages and images that fix several bugs and add enhancements. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. 2. Description: This advisory contains the following OpenShift Virtualization 4.9.6images: RHEL-8-CNV-4.9 =============cnv-must-gather-container-v4.9.6-7 kubevirt-template-validator-container-v4.9.6-6 kubevirt-ssp-operator-container-v4.9.6-5 virt-cdi-uploadserver-container-v4.9.6-4 virt-cdi-cloner-container-v4.9.6-4 virt-cdi-importer-container-v4.9.6-4 virt-cdi-uploadproxy-container-v4.9.6-4 virt-cdi-apiserver-container-v4.9.6-4 virt-cdi-controller-container-v4.9.6-4 virt-cdi-operator-container-v4.9.6-4 hostpath-provisioner-container-v4.9.6-3 hyperconverged-cluster-webhook-container-v4.9.6-3 hyperconverged-cluster-operator-container-v4.9.6-3 node-maintenance-operator-container-v4.9.6-4 kubevirt-vmware-container-v4.9.6-3 kubevirt-v2v-conversion-container-v4.9.6-3 ovs-cni-plugin-container-v4.9.6-3 cnv-containernetworking-plugins-container-v4.9.6-3 bridge-marker-container-v4.9.6-4 ovs-cni-marker-container-v4.9.6-3 kubemacpool-container-v4.9.6-4 kubernetes-nmstate-handler-container-v4.9.6-5 cluster-network-addons-operator-container-v4.9.6-5 virt-controller-container-v4.9.6-9 virt-handler-container-v4.9.6-9 virt-api-container-v4.9.6-9 virt-operator-container-v4.9.6-9 virt-artifacts-server-container-v4.9.6-9 virt-launcher-container-v4.9.6-9 libguestfs-tools-container-v4.9.6-9 virtio-win-container-v4.9.6-3 hostpath-provisioner-operator-container-v4.9.6-3 vm-import-operator-container-v4.9.6-3 vm-import-controller-container-v4.9.6-3 vm-import-virtv2v-container-v4.9.6-3 hco-bundle-registry-container-v4.9.6-51 Security Fix(es): * kubeVirt: Arbitrary file read on the host from KubeVirt VMs (CVE-2022-1798) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. 3. Solution: For details on how to apply this update, which includes the changes described in this advisory, refer to: https://access.redhat.com/articles/11258 4. Bugs fixed (https://bugzilla.redhat.com/): 2092269 - We cant migrate to newer target node and than return to the source node when using host-modelcpu 2097313 - RHEL9 templates missing UEFI params 2101174 - [4.9.z]VM restore PVC uses exact source PVC request size 2110783 - 4.8 to 4.9 upgrade path blocked due to bug in NMState pods 2117872 - CVE-2022-1798 kubeVirt: Arbitrary file read on the host from KubeVirt VMs 2118317 - KubeVirtComponentExceedsRequestedMemory Prometheus Rule is Failing to Evaluate 5. References: https://access.redhat.com/security/cve/CVE-2022-0494 https://access.redhat.com/security/cve/CVE-2022-1271 https://access.redhat.com/security/cve/CVE-2022-1353 https://access.redhat.com/security/cve/CVE-2022-1798 https://access.redhat.com/security/cve/CVE-2022-2526 https://access.redhat.com/security/cve/CVE-2022-29154 https://access.redhat.com/security/updates/classification/#important 6. Contact: The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/ Copyright 2022 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQIVAwUBYyxZo9zjgjWX9erEAQjo2A/+NnlergXU1yY0jWMExEZNIE8AH8I6hJWV XzvEuM30apynfJM52XQ4S9bhSftrYwBXNjBnIR8mEb4c9Lio+r9wl75dLl5sX6do xxcRjBlqRYCK/s4+NRJHqSMo6rjoarHSUOGNlO0KpSRp3LW58AWWdOl39FAtMk5k Xqw1DJEimnn/wiyMBFeqxbNAsmELD3/PttmsezxUfV2B4/PNVkgelnAd9WluNllo FkE8sF2zhdRRzpaqYMsHKpsZVltlKDdRsGYSjJawlfa3F/WyLU/7aoRoW9hDwmt4 /5f5vynkfmknzgETfs4Gu0GJP3fMZCNJzFDH1mRxmR//XrcZdEcxsO2GIjyGaFj4 oStL9bJR4sv8xd8/9jRQ6qBZZPFeC3FRURTJ6jGmbsBcxjk/e+IXEoLbdzYbWljB 0DCEYXV+82nimw5lUTar5EfdpliaYKpZ7fl0mIb1kWq14DB6Hzhtk572iY8hwsrc OApYEqXxZ6ma+hkfvtedtGeEKhrTu/LBeZO7UF3Jxa/qrW/4HY9x5g5FT7lH8PXN VAG7yOyCrKtRbnSk9FG++sikQMEJXq/2VmCRxlTkWqHvpdcce8LqOrJ83ki20HPc g49Ybn+YmjDHckDnhZ+sO/3P2rmzduzDw7DTZ2T7FjHlMO+0F5EhGZOj5qoM0piV 3FbAxpQJNuw=dWBS -----END PGP SIGNATURE----- -- RHSA-announce mailing list This email address is being protected from spambots. You need JavaScript enabled to view it. . Discover essential enhancements in OpenShift Virtualization 4.9.6 that focus on remedial security measures and essential bug resolutions highlighted in this advisory.. OpenShift, Virtualization, Image Update, Red Hat Security. . LinuxSecurity.com Team

Calendar%202 Sep 22, 2022 Red Hat
98

Red Hat OpenShift Virtualization 4.11.0 Important: Image Security Fixes

Red Hat OpenShift Virtualization release 4.11.0 is now available with updates to packages and images that fix several bugs and add enhancements. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score,. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 ==================================================================== Red Hat Security Advisory Synopsis: Important: OpenShift Virtualization 4.11.0 Images security and bug fix update Advisory ID: RHSA-2022:6526-01 Product: cnv Advisory URL: https://access.redhat.com/errata/RHSA-2022:6526 Issue date: 2022-09-14 CVE Names: CVE-2018-25032 CVE-2019-5827 CVE-2019-13750 CVE-2019-13751 CVE-2019-17594 CVE-2019-17595 CVE-2019-18218 CVE-2019-19603 CVE-2019-20838 CVE-2020-13435 CVE-2020-14155 CVE-2020-17541 CVE-2020-24370 CVE-2020-35492 CVE-2021-3580 CVE-2021-3634 CVE-2021-3737 CVE-2021-4115 CVE-2021-4189 CVE-2021-20231 CVE-2021-20232 CVE-2021-23177 CVE-2021-25219 CVE-2021-31535 CVE-2021-31566 CVE-2021-36084 CVE-2021-36085 CVE-2021-36086 CVE-2021-36087 CVE-2021-38185 CVE-2021-38561 CVE-2021-40528 CVE-2021-43527 CVE-2021-44716 CVE-2021-44717 CVE-2022-0778 CVE-2022-1271 CVE-2022-1292 CVE-2022-1621 CVE-2022-1629 CVE-2022-1798 CVE-2022-2068 CVE-2022-2097 CVE-2022-21698 CVE-2022-22576 CVE-2022-23772 CVE-2022-23773 CVE-2022-23806 CVE-2022-24407 CVE-2022-24675 CVE-2022-24921 CVE-2022-25313 CVE-2022-25314 CVE-2022-27191 CVE-2022-27774 CVE-2022-27776 CVE-2022-27782 CVE-2022-28327 CVE-2022-29824 ==================================================================== 1. Summary: Red Hat OpenShift Virtualization release 4.11.0 is now available with updates to packages and images that fix several bugs and add enhancements. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. 2. Description: OpenShift Virtualization is Red Hat's virtualization solution designed for Red Hat OpenShift Container Platform. This advisory contains the following OpenShift Virtualization4.11.0 images: RHEL-8-CNV-4.11 ==============hostpath-provisioner-container-v4.11.0-21 kubevirt-tekton-tasks-operator-container-v4.11.0-29 kubevirt-template-validator-container-v4.11.0-17 bridge-marker-container-v4.11.0-26 hostpath-csi-driver-container-v4.11.0-21 cluster-network-addons-operator-container-v4.11.0-26 ovs-cni-marker-container-v4.11.0-26 virtio-win-container-v4.11.0-16 ovs-cni-plugin-container-v4.11.0-26 kubemacpool-container-v4.11.0-26 hostpath-provisioner-operator-container-v4.11.0-24 cnv-containernetworking-plugins-container-v4.11.0-26 kubevirt-ssp-operator-container-v4.11.0-54 virt-cdi-uploadserver-container-v4.11.0-59 virt-cdi-cloner-container-v4.11.0-59 virt-cdi-operator-container-v4.11.0-59 virt-cdi-importer-container-v4.11.0-59 virt-cdi-uploadproxy-container-v4.11.0-59 virt-cdi-controller-container-v4.11.0-59 virt-cdi-apiserver-container-v4.11.0-59 kubevirt-tekton-tasks-modify-vm-template-container-v4.11.0-7 kubevirt-tekton-tasks-create-vm-from-template-container-v4.11.0-7 kubevirt-tekton-tasks-copy-template-container-v4.11.0-7 checkup-framework-container-v4.11.0-67 kubevirt-tekton-tasks-cleanup-vm-container-v4.11.0-7 kubevirt-tekton-tasks-disk-virt-sysprep-container-v4.11.0-7 kubevirt-tekton-tasks-wait-for-vmi-status-container-v4.11.0-7 kubevirt-tekton-tasks-disk-virt-customize-container-v4.11.0-7 vm-network-latency-checkup-container-v4.11.0-67 kubevirt-tekton-tasks-create-datavolume-container-v4.11.0-7 hyperconverged-cluster-webhook-container-v4.11.0-95 cnv-must-gather-container-v4.11.0-62 hyperconverged-cluster-operator-container-v4.11.0-95 kubevirt-console-plugin-container-v4.11.0-83 virt-controller-container-v4.11.0-105 virt-handler-container-v4.11.0-105 virt-operator-container-v4.11.0-105 virt-launcher-container-v4.11.0-105 virt-artifacts-server-container-v4.11.0-105 virt-api-container-v4.11.0-105 libguestfs-tools-container-v4.11.0-105 hco-bundle-registry-container-v4.11.0-587 Security Fix(es): * golang: net/http: limit growth of header canonicalization cache (CVE-2021-44716) *kubeVirt: Arbitrary file read on the host from KubeVirt VMs (CVE-2022-1798) * golang: out-of-bounds read in golang.org/x/text/language leads to DoS (CVE-2021-38561) * golang: syscall: don't close fd 0 on ForkExec error (CVE-2021-44717) * prometheus/client_golang: Denial of service using InstrumentHandlerCounter (CVE-2022-21698) * golang: math/big: uncontrolled memory consumption due to an unhandled overflow via Rat.SetString (CVE-2022-23772) * golang: cmd/go: misinterpretation of branch names can lead to incorrect access control (CVE-2022-23773) * golang: crypto/elliptic: IsOnCurve returns true for invalid field elements (CVE-2022-23806) * golang: encoding/pem: fix stack overflow in Decode (CVE-2022-24675) * golang: regexp: stack exhaustion via a deeply nested expression (CVE-2022-24921) * golang: crash in a golang.org/x/crypto/ssh server (CVE-2022-27191) * golang: crypto/elliptic: panic caused by oversized scalar (CVE-2022-28327) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. 3. Solution: For details on how to apply this update, which includes the changes described in this advisory, refer to: https://access.redhat.com/articles/11258 4. Bugs fixed (https://bugzilla.redhat.com/): 1937609 - VM cannot be restarted 1945593 - Live migration should be blocked for VMs with host devices 1968514 - [RFE] Add cancel migration action to virtctl 1993109 - CNV MacOS Client not signed 1994604 - [RFE] - Add a feature to virtctl to print out a message if virtctl is a different version than the server side 2001385 - no "name" label in virt-operator pod 2009793 - KBase to clarify nested support status is missing 2010318 - with sysprep config data as cfgmap volume and as cdrom disk a windows10 VMI fails to LiveMigrate 2025276 - No permissions when trying to clone to a different namespace (as Kubeadmin) 2025401 - [TEST ONLY] [CNV+OCS/ODF] Virtualization poison pillimplemenation 2026357 - Migration in sequence can be reported as failed even when it succeeded 2029349 - cluster-network-addons-operator does not serve metrics through HTTPS 2030801 - CVE-2021-44716 golang: net/http: limit growth of header canonicalization cache 2030806 - CVE-2021-44717 golang: syscall: don't close fd 0 on ForkExec error 2031857 - Add annotation for URL to download the image 2033077 - KubeVirtComponentExceedsRequestedMemory Prometheus Rule is Failing to Evaluate 2035344 - kubemacpool-mac-controller-manager not ready 2036676 - NoReadyVirtController and NoReadyVirtOperator are never triggered 2039976 - Pod stuck in "Terminating" state when removing VM with kernel boot and container disks 2040766 - A crashed Windows VM cannot be restarted with virtctl or the UI 2041467 - [SSP] Support custom DataImportCron creating in custom namespaces 2042402 - LiveMigration with postcopy misbehave when failure occurs2042809 - sysprep disk requires autounattend.xml if an unattend.xml exists 2045086 - KubeVirtComponentExceedsRequestedMemory Prometheus Rule is Failing to Evaluate 2045880 - CVE-2022-21698 prometheus/client_golang: Denial of service using InstrumentHandlerCounter 2047186 - When entering to a RH supported template, it changes the project (namespace) to ?OpenShift? 2051899 - 4.11.0 containers2052094 - [rhel9-cnv] VM fails to start, virt-handler error msg: Couldn't configure ip nat rules 2052466 - Event does not include reason for inability to live migrate 2052689 - Overhead Memory consumption calculations are incorrect 2053429 - CVE-2022-23806 golang: crypto/elliptic: IsOnCurve returns true for invalid field elements 2053532 - CVE-2022-23772 golang: math/big: uncontrolled memory consumption due to an unhandled overflow via Rat.SetString 2053541 - CVE-2022-23773 golang: cmd/go: misinterpretation of branch names can lead to incorrect access control 2056467 - virt-template-validator pods getting scheduled on the same node 2057157 - [4.10.0] HPP-CSI-PVC fails to bind PVC when node fqdn is long 2057310 -qemu-guest-agent does not report information due to selinux denials 2058149 - cluster-network-addons-operator deployment's MULTUS_IMAGE is pointing to brew image 2058925 - Must-gather: for vms with longer name, gather_vms_details fails to collect qemu, dump xml logs 2059121 - [CNV-4.11-rhel9] virt-handler pod CrashLoopBackOff state 2060485 - virtualMachine with duplicate interfaces name causes MACs to be rejected by Kubemacpool 2060585 - [SNO] Failed to find the virt-controller leader pod 2061208 - Cannot delete network Interface if VM has multiqueue for networking enabled. 2061723 - Prevent new DataImportCron to manage DataSource if multiple DataImportCron pointing to same DataSource 2063540 - [CNV-4.11] Authorization Failed When Cloning Source Namespace 2063792 - No DataImportCron for CentOS 7 2064034 - On an upgraded cluster NetworkAddonsConfig seems to be reconciling in a loop 2064702 - CVE-2022-27191 golang: crash in a golang.org/x/crypto/ssh server 2064857 - CVE-2022-24921 golang: regexp: stack exhaustion via a deeply nested expression 2064936 - Migration of vm from VMware reports pvc not large enough 2065014 - Feature Highlights in CNV 4.10 contains links to 4.7 2065019 - "Running VMs per template" in the new overview tab counts VMs that are not running 2066768 - [CNV-4.11-HCO] User Cannot List Resource "namespaces" in API group 2067246 - [CNV]: Unable to ssh to Virtual Machine post changing Flavor tiny to custom 2069287 - Two annotations for VM Template provider name 2069388 - [CNV-4.11] kubemacpool-mac-controller - TLS handshake error 2070366 - VM Snapshot Restore hangs indefinitely when backed by a snapshotclass 2070864 - non-privileged user cannot see catalog tiles 2071488 - "Migrate Node to Node" is confusing. 2071549 - [rhel-9] unable to create a non-root virt-launcher based VM 2071611 - Metrics documentation generators are missing metrics/recording rules 2071921 - Kubevirt RPM is not being built 2073669 - [rhel-9] VM fails to start 2073679 - [rhel-8] VM fails to start: missing virt-launcher-monitordownstream 2073982 - [CNV-4.11-RHEL9] 'virtctl' binary fails with 'rc1' with 'virtctl version' command 2074337 - VM created from registry cannot be started 2075200 - VLAN filtering cannot be configured with Intel X710 2075409 - [CNV-4.11-rhel9] hco-operator and hco-webhook pods CrashLoopBackOff 2076292 - Upgrade from 4.10.1-> 4.11 using nightly channel, is not completing with error "could not complete the upgrade process. KubeVirt is not with the expected version. Check KubeVirt observed version in the status field of its CR" 2076379 - must-gather: ruletables and qemu logs collected as a part of gather_vm_details scripts are zero bytes file 2076790 - Alert SSPDown is constantly in Firing state 2076908 - clicking on a template in the Running VMs per Template card leads to 404 2077688 - CVE-2022-24675 golang: encoding/pem: fix stack overflow in Decode 2077689 - CVE-2022-28327 golang: crypto/elliptic: panic caused by oversized scalar 2078700 - Windows template boot source should be blank 2078703 - [RFE] Please hide the user defined password when customizing cloud-init 2078709 - VM conditions column have wrong key/values 2078728 - Common template rootDisk is not named correctly 2079366 - rootdisk is not able to edit 2079674 - Configuring preferred node affinity in the console results in wrong yaml and unschedulable VM 2079783 - Actions are broken in topology view 2080132 - virt-launcher logs live migration in nanoseconds if the migration is stuck 2080155 - [RFE] Provide the progress of VM migration in the source virt launcher pod 2080547 - Metrics kubevirt_hco_out_of_band_modifications_count, does not reflect correct modification count when label is added to priorityclass/kubevirt-cluster-critical in a loop 2080833 - Missing cloud init script editor in the scripts tab 2080835 - SSH key is set using cloud init script instead of new api 2081182 - VM SSH command generated by UI points at api VIP 2081202 - cloud-init for Windows VM generated with corrupted "undefined" section 2081409 - when viewing a common templatedetails page, user need to see the message "can't edit common template" on all tabs 2081671 - SSH service created outside the UI is not discoverable 2081831 - [RFE] Improve disk hotplug UX 2082008 - LiveMigration fails due to loss of connection to destination host 2082164 - Migration progress timeout expects absolute progress 2082912 - [CNV-4.11] HCO Being Unable to Reconcile State 2083093 - VM overview tab is crashed 2083097 - ?Mount Windows drivers disk? should not show when the template is not ?windows? 2083100 - Something keeps loading in the ?node selector? modal 2083101 - ?Restore default settings? never become available while editing CPU/Memory 2083135 - VM fails to schedule with vTPM in spec 2083256 - SSP Reconcile logging improvement when CR resources are changed 2083595 - [RFE] Disable VM descheduler if the VM is not live migratable 2084102 - [e2e] Many elements are lacking proper selector like 'data-test-id' or 'data-test' 2084122 - [4.11]Clone from filesystem to block on storage api with the same size fails 2084418 - ?Invalid SSH public key format? appears when drag ssh key file to ?Authorized SSH Key? field 2084431 - User credentials for ssh is not in correct format 2084476 - The Virtual Machine Authorized SSH Key is not shown in the scripts tab. 2084532 - Console is crashed while detaching disk 2084610 - Newly added Kubevirt-plugin pod is missing resources.requests values (cpu/memory) 2085320 - Tolerations rules is not adding correctly 2085322 - Not able to stop/restart VM if the VM is staying in "Starting" 2086272 - [dark mode] Titles in Overview tab not visible enough in dark mode 2086278 - Cloud init script edit add " hostname=' " when is should not be added 2086281 - [dark mode] Helper text in Scripts tab not visible enough on dark mode 2086286 - [dark mode] The contrast of the Labels and edit labels not look good in the dark mode 2086293 - [dark mode] Titles in Parameters tab not visible enough in dark mode 2086294 - [dark mode] Can't see the number inside the donut chart in VMs per templatecard 2086303 - non-priv user can't create VM when namespace is not selected 2086479 - some modals use ?Save? and some modals use ?Submit? 2086486 - cluster overview getting started card include old information 2086488 - Cannot cancel vm migration if the migration pod is not schedulable in the backend 2086769 - Missing vm.kubevirt.io/template.namespace label when creating VM with the wizard 2086803 - When clonnig a template we need to update vm labels and annotaions to match new template 2086825 - VM restore PVC uses exact source PVC request size 2086849 - Create from YAML example is not runnable 2087188 - When VM is stopped - adding disk failed to show 2087189 - When VM is stopped - adding disk failed to show 2087232 - When chosing a vm or template while in all-namespace, and returning to list, namespace is changed 2087546 - "Quick Starts" is missing in Getting started card 2087547 - Activity and Status card are missing in Virtualization Overview 2087559 - template in "VMs per template" should take user to vm list page 2087566 - Remove the ?auto upload? label from template in the catalog if the auto-upload boot source not exists 2087570 - Page title should be ?VirtualMachines? and not ?Virtual Machines? 2087577 - "VMs per template" load time is a bit long 2087578 - Terminology "VM" should be "Virtual Machine" in all places 2087582 - Remove VMI and MTV from the navigation 2087583 - [RFE] Show more info about boot source in template list 2087584 - Template provider should not be mandatory 2087587 - Improve the descriptive text in the kebab menu of template 2087589 - Red icons shows in storage disk source selection without a good reason 2087590 - [REF] "Upload a new file to a PVC" should not open the form in a new tab 2087593 - "Boot method" is not a good name in overview tab 2087603 - Align details card for single VM overview with the design doc 2087616 - align the utilization card of single VM overview with the design 2087701 - [RFE] Missing a link to VMI from running VM details page 2087717 - Message whenediting template boot source is wrong 2088034 - Virtualization Overview crashes when a VirtualMachine has no labels 2088355 - disk modal shows all storage classes as default 2088361 - Attached disk keeps in loading status when add disk to a power off VM by non-privileged user 2088379 - Create VM from catalog does not respect the storageclass of the template's boot source 2088407 - Missing create button in the template list 2088471 - [HPP] hostpath-provisioner-csi does not comply with restricted security context 2088472 - Golden Images import cron jobs are not getting updated on upgrade to 4.11 2088477 - [4.11.z] VMSnapshot restore fails to provision volume with size mismatch error 2088849 - "dataimportcrontemplate.kubevirt.io/enable" field does not do any validation 2089078 - ConsolePlugin kubevirt-plugin is not getting reconciled by hco 2089271 - Virtualization appears twice in sidebar 2089327 - add network modal crash when no networks available 2089376 - Virtual Machine Template without dataVolumeTemplates gets blank page 2089477 - [RFE] Allow upload source when adding VM disk 2089700 - Drive column in Disks card of Overview page has duplicated values 2089745 - When removing all disks from customize wizard app crashes 2089789 - Add windows drivers disk is missing when template is not windows 2089825 - Top consumers card on Virtualization Overview page should keep display parameters as set by user 2089836 - Card titles on single VM Overview page does not have hyperlinks to relevant pages 2089840 - Cant create snapshot if VM is without disks 2089877 - Utilization card on single VM overview - timespan menu lacks 5min option 2089932 - Top consumers card on single VM overview - View by resource dropdown menu needs an update 2089942 - Utilization card on single VM overview - trend charts at the bottom should be linked to proper metrics 2089954 - Details card on single VM overview - VNC console has grey padding 2089963 - Details card on single VM overview - Operating system info is not available 2089967 - NetworkInterfaces card on single VM overview - name tooltip lacks info 2089970 - Network Interfaces card on single VM overview - IP tooltip 2089972 - Disks card on single VM overview -typo 2089979 - Single VM Details - CPU|Memory edit icon misplaced 2089982 - Single VM Details - SSH modal has redundant VM name 2090035 - Alert card is missing in single VM overview 2090036 - OS should be "Operating system" and host should be "hostname" in single vm overview 2090037 - Add template link in single vm overview details card 2090038 - The update field under the version in overview should be consistent with the operator page 2090042 - Move the edit button close to the text for "boot order" and "ssh access" 2090043 - "No resource selected" in vm boot order 2090046 - Hardware devices section In the VM details and Template details should be aligned with catalog page 2090048 - "Boot mode" should be editable while VM is running 2090054 - Services ?kubernetes" and "openshift" should not be listing in vm details 2090055 - Add link to vm template in vm details page 2090056 - "Something went wrong" shows on VM "Environment" tab 2090057 - "?" icon is too big in environment and disk tab 2090059 - Failed to add configmap in environment tab due to validate error 2090064 - Miss "remote desktop" in console dropdown list for windows VM 2090066 - [RFE] Improve guest login credentials 2090068 - Make the "name" and "Source" column wider in vm disk tab 2090131 - Key's value in "add affinity rule" modal is too small 2090350 - memory leak in virt-launcher process 2091003 - SSH service is not deleted along the VM 2091058 - After VM gets deleted, the user is redirected to a page with a different namespace 2091309 - While disabling a golden image via HCO, user should not be required to enter the whole spec. 2091406 - wrong template namespace label when creating a vm with wizard 2091754 - Scheduling and scripts tab should be editable while the VM is running 2091755 - Change bottom "Save" to "Apply" on cloud-init script form 2091756 - The root disk ofcloned template should be editable 2091758 - "OS" should be "Operating system" in template filter 2091760 - The provider should be empty if it's not set during cloning 2091761 - Miss "Edit labels" and "Edit annotations" in template kebab button 2091762 - Move notification above the tabs in template details page 2091764 - Clone a template should lead to the template details 2091765 - "Edit bootsource" is keeping in load in template actions dropdown 2091766 - "Are you sure you want to leave this page?" pops up when click the "Templates" link 2091853 - On Snapshot tab of single VM "Restore" button should move to the kebab actions together with the Delete 2091863 - BootSource edit modal should list affected templates 2091868 - Catalog list view has two columns named "BootSource" 2091889 - Devices should be editable for customize template 2091897 - username is missing in the generated ssh command 2091904 - VM is not started if adding "Authorized SSH Key" during vm creation 2091911 - virt-launcher pod remains as NonRoot after LiveMigrating VM from NonRoot to Root 2091940 - SSH is not enabled in vm details after restart the VM 2091945 - delete a template should lead to templates list 2091946 - Add disk modal shows wrong units 2091982 - Got a lot of "Reconciler error" in cdi-deployment log after adding custom DataImportCron to hco 2092048 - When Boot from CD is checked in customized VM creation - Disk source should be Blank 2092052 - Virtualization should be omitted in Calatog breadcrumbs 2092071 - Getting started card in Virtualization overview can not be hidden. 2092079 - Error message stays even when problematic field is dismissed 2092158 - PrometheusRule kubevirt-hyperconverged-prometheus-rule is not getting reconciled by HCO 2092228 - Ensure Machine Type for new VMs is 8.6 2092230 - [RFE] Add indication/mark to deprecated template 2092306 - VM is stucking with WaitingForVolumeBinding if creating via "Boot from CD" 2092337 - os is empty in VM details page 2092359 - [e2e] data-test-id includes all pvc name 2092654 -[RFE] No obvious way to delete the ssh key from the VM 2092662 - No url example for rhel and windows template 2092663 - no hyperlink for URL example in disk source "url" 2092664 - no hyperlink to the cdi uploadproxy URL 2092781 - Details card should be removed for non admins. 2092783 - Top consumers' card should be removed for non admins. 2092787 - Operators links should be removed from Getting started card 2092789 - "Learn more about Operators" link should lead to the Red Hat documentation 2092951 - ?Edit BootSource? action should have more explicit information when disabled 2093282 - Remove links to 'all-namespaces/' for non-privileged user 2093691 - Creation flow drawer left padding is broken 2093713 - Required fields in creation flow should be highlighted if empty 2093715 - Optional parameters section in creation flow is missing bottom padding 2093716 - CPU|Memory modal button should say "Restore template settings? 2093772 - Add a service in environment it reminds a pending change in boot order 2093773 - Console crashed if adding a service without serial number 2093866 - Cannot create vm from the template `vm-template-example` 2093867 - OS for template 'vm-template-example' should matching the version of the image 2094202 - Cloud-init username field should have hint 2094207 - Cloud-init password field should have auto-generate option 2094208 - SSH key input is missing validation 2094217 - YAML view should reflect shanges in SSH form 2094222 - "?" icon should be placed after red asterisk in required fields 2094323 - Workload profile should be editable in template details page 2094405 - adding resource on enviornment isnt showing on disks list when vm is running 2094440 - Utilization pie charts figures are not based on current data 2094451 - PVC selection in VM creation flow does not work for non-priv user 2094453 - CD Source selection in VM creation flow is missing Upload option 2094465 - Typo in Source tooltip 2094471 - Node selector modal for non-privileged user 2094481 - Tolerations modal fornon-privileged user 2094486 - Add affinity rule modal 2094491 - Affinity rules modal button 2094495 - Descheduler modal has same text in two lines 2094646 - [e2e] Elements on scheduling tab are missing proper data-test-id 2094665 - Dedicated Resources modal for non-privileged user 2094678 - Secrets and ConfigMaps can't be added to Windows VM 2094727 - Creation flow should have VM info in header row 2094807 - hardware devices dropdown has group title even with no devices in cluster 2094813 - Cloudinit password is seen in wizard 2094848 - Details card on Overview page - 'View details' link is missing 2095125 - OS is empty in the clone modal 2095129 - "undefined" appears in rootdisk line in clone modal 2095224 - affinity modal for non-privileged users2095529 - VM migration cancelation in kebab action should have shorter name 2095530 - Column sizes in VM list view 2095532 - Node column in VM list view is visible to non-privileged user 2095537 - Utilization card information should display pie charts as current data and sparkline charts as overtime 2095570 - Details tab of VM should not have Node info for non-privileged user 2095573 - Disks created as environment or scripts should have proper label 2095953 - VNC console controls layout 2095955 - VNC console tabs 2096166 - Template "vm-template-example" is binding with namespace "default" 2096206 - Inconsistent capitalization in Template Actions 2096208 - Templates in the catalog list is not sorted 2096263 - Incorrectly displaying units for Disks size or Memory field in various places 2096333 - virtualization overview, related operators title is not aligned 2096492 - Cannot create vm from a cloned template if its boot source is edited 2096502 - "Restore template settings" should be removed from template CPU editor 2096510 - VM can be created without any disk 2096511 - Template shows "no Boot Source" and label "Source available" at the same time 2096620 - in templates list, edit boot reference kebab action opens a modal with different title 2096781 - Remove boot sourceprovider while edit boot source reference 2096801 - vnc thumbnail in virtual machine overview should be active on page load 2096845 - Windows template's scripts tab is crashed 2097328 - virtctl guestfs shouldn't required uid = 0 2097370 - missing titles for optional parameters in wizard customization page 2097465 - Count is not updating for 'prometheusrule' component when metrics kubevirt_hco_out_of_band_modifications_count executed 2097586 - AccessMode should stay on ReadWriteOnce while editing a disk with storage class HPP 2098134 - "Workload profile" column is not showing completely in template list 2098135 - Workload is not showing correct in catalog after change the template's workload 2098282 - Javascript error when changing boot source of custom template to be an uploaded file 2099443 - No "Quick create virtualmachine" button for template 'vm-template-example' 2099533 - ConsoleQuickStart for HCO CR's VM is missing 2099535 - The cdi-uploadproxy certificate url should be opened in a new tab 2099539 - No storage option for upload while editing a disk 2099566 - Cloudinit should be replaced by cloud-init in all places 2099608 - "DynamicB" shows in vm-example disk size 2099633 - Doc links needs to be updated 2099639 - Remove user line from the ssh command section 2099802 - Details card link shouldn't be hard-coded 2100054 - Windows VM with WSL2 guest fails to migrate 2100284 - Virtualization overview is crashed 2100415 - HCO is taking too much time for reconciling kubevirt-plugin deployment 2100495 - CVE-2021-38561 golang: out-of-bounds read in golang.org/x/text/language leads to DoS 2101164 - [dark mode] Number of alerts in Alerts card not visible enough in dark mode 2101192 - AccessMode should stay on ReadWriteOnce while editing a disk with storage class HPP 2101430 - Using CLOUD_USER_PASSWORD in Templates parameters breaks VM review page 2101454 - Cannot add PVC boot source to template in 'Edit Boot Source Reference' view as a non-priv user 2101485 - Cloudinit should be replaced by cloud-init in allplaces 2101628 - non-priv user cannot load dataSource while edit template's rootdisk 2101954 - [4.11]Smart clone and csi clone leaves tmp unbound PVC and ObjectTransfer 2102076 - Using CLOUD_USER_PASSWORD in Templates parameters breaks VM review page 2102116 - [e2e] elements on Template Scheduling tab are missing proper data-test-id 2102117 - [e2e] elements on VM Scripts tab are missing proper data-test-id 2102122 - non-priv user cannot load dataSource while edit template's rootdisk 2102124 - Cannot add PVC boot source to template in 'Edit Boot Source Reference' view as a non-priv user 2102125 - vm clone modal is displaying DV size instead of PVC size 2102127 - Cannot add NIC to VM template as non-priv user 2102129 - All templates are labeling "source available" in template list page 2102131 - The number of hardware devices is not correct in vm overview tab 2102135 - [dark mode] Number of alerts in Alerts card not visible enough in dark mode 2102143 - vm clone modal is displaying DV size instead of PVC size 2102256 - Add button moved to right 2102448 - VM disk is deleted by uncheck "Delete disks (1x)" on delete modal 2102543 - Add button moved to right 2102544 - VM disk is deleted by uncheck "Delete disks (1x)" on delete modal 2102545 - VM filter has two "Other" checkboxes which are triggered together 2104617 - Storage status report "OpenShift Data Foundation is not available" even the operator is installed 2106175 - All pages are crashed after visit Virtualization -> Overview 2106258 - All pages are crashed after visit Virtualization -> Overview 2110178 - [Docs] Text repetition in Virtual Disk Hot plug instructions 2111359 - kubevirt plugin console is crashed after creating a vm with 2 nics 2111562 - kubevirt plugin console crashed after visit vmi page 2117872 - CVE-2022-1798 kubeVirt: Arbitrary file read on the host from KubeVirt VMs 5.References: https://access.redhat.com/security/cve/CVE-2018-25032 https://access.redhat.com/security/cve/CVE-2019-5827 https://access.redhat.com/security/cve/CVE-2019-13750 https://access.redhat.com/security/cve/CVE-2019-13751 https://access.redhat.com/security/cve/CVE-2019-17594 https://access.redhat.com/security/cve/CVE-2019-17595 https://access.redhat.com/security/cve/CVE-2019-18218 https://access.redhat.com/security/cve/CVE-2019-19603 https://access.redhat.com/security/cve/CVE-2019-20838 https://access.redhat.com/security/cve/CVE-2020-13435 https://access.redhat.com/security/cve/CVE-2020-14155 https://access.redhat.com/security/cve/CVE-2020-17541 https://access.redhat.com/security/cve/CVE-2020-24370 https://access.redhat.com/security/cve/CVE-2020-35492 https://access.redhat.com/security/cve/CVE-2021-3580 https://access.redhat.com/security/cve/CVE-2021-3634 https://access.redhat.com/security/cve/CVE-2021-3737 https://access.redhat.com/security/cve/CVE-2021-4115 https://access.redhat.com/security/cve/CVE-2021-4189 https://access.redhat.com/security/cve/CVE-2021-20231 https://access.redhat.com/security/cve/CVE-2021-20232 https://access.redhat.com/security/cve/CVE-2021-23177 https://access.redhat.com/security/cve/CVE-2021-25219 https://access.redhat.com/security/cve/CVE-2021-31535 https://access.redhat.com/security/cve/CVE-2021-31566 https://access.redhat.com/security/cve/CVE-2021-36084 https://access.redhat.com/security/cve/CVE-2021-36085 https://access.redhat.com/security/cve/CVE-2021-36086 https://access.redhat.com/security/cve/CVE-2021-36087 https://access.redhat.com/security/cve/CVE-2021-38185 https://access.redhat.com/security/cve/CVE-2021-38561 https://access.redhat.com/security/cve/CVE-2021-40528 https://access.redhat.com/security/cve/CVE-2021-43527 https://access.redhat.com/security/cve/CVE-2021-44716 https://access.redhat.com/security/cve/CVE-2021-44717 https://access.redhat.com/security/cve/CVE-2022-0778 https://access.redhat.com/security/cve/CVE-2022-1271 https://access.redhat.com/security/cve/CVE-2022-1292 https://access.redhat.com/security/cve/CVE-2022-1621 https://access.redhat.com/security/cve/CVE-2022-1629 https://access.redhat.com/security/cve/CVE-2022-1798 https://access.redhat.com/security/cve/CVE-2022-2068 https://access.redhat.com/security/cve/CVE-2022-2097 https://access.redhat.com/security/cve/CVE-2022-21698 https://access.redhat.com/security/cve/CVE-2022-22576 https://access.redhat.com/security/cve/CVE-2022-23772 https://access.redhat.com/security/cve/CVE-2022-23773 https://access.redhat.com/security/cve/CVE-2022-23806 https://access.redhat.com/security/cve/CVE-2022-24407 https://access.redhat.com/security/cve/CVE-2022-24675 https://access.redhat.com/security/cve/CVE-2022-24921 https://access.redhat.com/security/cve/CVE-2022-25313 https://access.redhat.com/security/cve/CVE-2022-25314 https://access.redhat.com/security/cve/CVE-2022-27191 https://access.redhat.com/security/cve/CVE-2022-27774 https://access.redhat.com/security/cve/CVE-2022-27776 https://access.redhat.com/security/cve/CVE-2022-27782 https://access.redhat.com/security/cve/CVE-2022-28327 https://access.redhat.com/security/cve/CVE-2022-29824 https://access.redhat.com/security/updates/classification/#important 6. Contact: The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/ Copyright 2022 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPGv1 iQIVAwUBYyJ8IdzjgjWX9erEAQh2Dw/+M+tknCYULLILonF1TEVyD12Yyo+Pabbt a4YQUX2aFlmhOOaVBRXwDMrIPJi/Mi52+Kh05PE4/q2RndH/UbY/SfmtV70UTgiO gb7r+w86fTMHc8h60G9rYfmuVvqgL1HWg7HImJHxtB5DHFcbwtUmB3/nJ5O2oiGn oQdcr2KWA0UjVqv13VffBdkYRbTREJdF/7+2eJDKvFjNiKZYxNw4tBYxgEGcasU/ W61U+E8VU9uRHwtQOUvsOM8ga+3m/qyV8eov4BjmoEUUJYJeqI7hDhn8/GBtMJgb zKL1F3+PgEVyxoZsIKT3YJTLKJd1JLdIEe05fInlcoDSnNU3WZQhNKDZzusW4Mkg B9mwZAhicKGlUNzpt3qp9clq9j/fH1IjS7PetaEBcpr9xeH8VglDLHmNqoMoNmO8 S74c2v3tl6/VnqsYo+jrLLQHbfwrbxCNi1ROpSzr2CD5E9wcyrRS9IBacZKEMYe1 810o/o7T64G9+7xy/5IkPb4lEb3fKC5huBhwZKTjJJQtl6ojLSLXECFR8+1wQTTi LD0EAKjZhVtaMDJVRCo4jL2e2cdfGHJkeIYRzcqo6EmuFzVZYUrPsqyXzERQ6+r9 ayXDJs6y+3BakK/TZi8H3jkE23POT8OqEOR34bGrcaW1BvAEG0GejXh4qEJmzhlg Jpmb+NWHfF0=56HM -----END PGP SIGNATURE----- -- RHSA-announce mailing list This email address is being protected from spambots. You need JavaScript enabled to view it. . Ubuntu has unveiled crucial patches for Kubernetes 1.24.0, focusing on fixing vulnerabilities and boosting efficiency.. Openshift Virtualization, Security Update, Red Hat Security. . LinuxSecurity.com Team

Calendar%202 Sep 14, 2022 Red Hat
98

Red Hat OpenShift 4.10.1 RHSA-2022-4668 Moderate Impact Image Updates

Red Hat OpenShift Virtualization release 4.10.1 is now available with updates to packages and images that fix several bugs and add enhancements. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 ==================================================================== Red Hat Security Advisory Synopsis: Moderate: OpenShift Virtualization 4.10.1 Images security and bug fix update Advisory ID: RHSA-2022:4668-01 Product: cnv Advisory URL: https://access.redhat.com/errata/RHSA-2022:4668 Issue date: 2022-05-18 CVE Names: CVE-2021-36221 CVE-2021-41190 CVE-2022-0778 CVE-2022-21698 CVE-2022-24407 CVE-2022-25235 CVE-2022-25236 CVE-2022-25315 ==================================================================== 1. Summary: Red Hat OpenShift Virtualization release 4.10.1 is now available with updates to packages and images that fix several bugs and add enhancements. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. 2. Description: OpenShift Virtualization is Red Hat's virtualization solution designed for Red Hat OpenShift Container Platform. This advisory contains the following OpenShift Virtualization4.10.1 images: RHEL-8-CNV-4.10 ============= virtio-win-container-v4.10.1-4 hostpath-provisioner-operator-container-v4.10.1-6 bridge-marker-container-v4.10.1-12 cnv-containernetworking-plugins-container-v4.10.1-12 ovs-cni-plugin-container-v4.10.1-12 kubemacpool-container-v4.10.1-12 ovs-cni-marker-container-v4.10.1-12 kubernetes-nmstate-handler-container-v4.10.1-12 cluster-network-addons-operator-container-v4.10.1-12 cnv-must-gather-container-v4.10.1-15 hyperconverged-cluster-webhook-container-v4.10.1-19 hyperconverged-cluster-operator-container-v4.10.1-19 kubevirt-ssp-operator-container-v4.10.1-10 virt-cdi-apiserver-container-v4.10.1-16 virt-cdi-controller-container-v4.10.1-16 hostpath-provisioner-container-v4.10.1-5 virt-cdi-uploadserver-container-v4.10.1-16 node-maintenance-operator-container-v4.10.1-4 virt-cdi-operator-container-v4.10.1-16 virt-cdi-uploadproxy-container-v4.10.1-16 hostpath-csi-driver-container-v4.10.1-5 virt-cdi-cloner-container-v4.10.1-16 kubevirt-template-validator-container-v4.10.1-4 virt-cdi-importer-container-v4.10.1-16 virt-api-container-v4.10.1-8 virt-handler-container-v4.10.1-8 virt-controller-container-v4.10.1-8 virt-launcher-container-v4.10.1-8 virt-artifacts-server-container-v4.10.1-8 libguestfs-tools-container-v4.10.1-8 virt-operator-container-v4.10.1-8 hco-bundle-registry-container-v4.10.1-99 Security Fix(es): * golang: net/http/httputil: panic due to racy read of persistConn after handler panic (CVE-2021-36221) * prometheus/client_golang: Denial of service using InstrumentHandlerCounter (CVE-2022-21698) * opencontainers: OCI manifest and index parsing confusion (CVE-2021-41190) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. 3. Solution: Before applying this update, make sure all previously released errata relevant to your system have been applied. For details on how to apply this update, referto: https://access.redhat.com/articles/11258 4. Bugs fixed (https://bugzilla.redhat.com/): 1995656 - CVE-2021-36221 golang: net/http/httputil: panic due to racy read of persistConn after handler panic 2000478 - Using deprecated 1.25 API calls 2022742 - NNCP creation fails when node of a cluster is unavailable 2024938 - CVE-2021-41190 opencontainers: OCI manifest and index parsing confusion 2028619 - policy/v1beta1 PodDisruptionBudget is deprecated in v1.21+, unavailable in v1.25+ 2029359 - NodeNetworkConfigurationPolicy refreshes all the conditions even if the policy has not gone to that state 2032837 - Add/remove label to priority class are not reconciled properly left HCO in Unknown status. 2033385 - Bug in kubernetes labels that are attached to the CNV logs 2038814 - [CNV-4.10-rhel9] hyperconverged-cluster-cli-download pod CrashLoopBackOff state 2039019 - Fix Top consumers dashboard 2045880 - CVE-2022-21698 prometheus/client_golang: Denial of service using InstrumentHandlerCounter 2046686 - Importer pod keeps in retarting when dataimportcron has a reference to invalid image sha 2049990 - must-gather: must-gather is logging errors about upstream only namespaces 2053390 - No DataImportCron for CentOS 7 2054778 - PVC created with filesystem volume mode in some cases, instead of block volume mode 2054782 - DataImportCron status does not show failure when failing to create dataSource 2055304 - [4.10.z] nmstate interprets interface names as float64 and subsequently crashes on state update 2055950 - cnv installation should set empty node selector for openshift-cnv namespace 2056421 - non-privileged user cannot add disk as it cannot update resource "virtualmachines/addvolume" 2056464 - nmstate-webhook pods getting scheduled on the same node 2056619 - [4.10.z] kubemacpool-mac-controller-manager not ready 2057142 - CDI aggregate roles missing some types 2057148 - Cross namespace smart clone may get stuck in NamespaceTransferInProgress phase 2057613 - nmpolicy capture - race condition when appying teardown nncp; nncefails 2059185 - must-gather: Must-gather gather_vms_details is not working when used with a list of vms 2059613 - Must-gather: for vms with longer name, gather_vms_details fails to collect qemu, dump xml logs 2062227 - sriovLiveMigration should not be enabled on sno clusters2062321 - when update attempt of hco.spec with storage classes failed, csv git stuck in installing state 2063991 - On upgraded cluster, "v2v-vmware" is present under hco.status.relatedObject 2065308 - CNV disables LiveMigration FG, but leaves LiveMigration workloadUpdateStrategy enabled 2065743 - 4.10.1 containers2065755 - 4.10.1 rpms 2066086 - DataImportCrons do not automatically recover from unconfigured default storage class 2066712 - [4.10.z] Migration of vm from VMware reports pvc not large enough 2069055 - [4.10.z] On an upgraded cluster NetworkAddonsConfig seems to be reconciling in a loop 2070050 - [4.10.1] Custom guest PCI address and boot order parameters are not respected in a list of multiple SR-IOV NICs 2073880 - Cannot create VM on SNO cluster as live migration feature is not enabled 2077920 - Migration in sequence can be reported as failed even when it succeeded 2078878 - SSP: Common templates fix to pick right templates 5. References: https://access.redhat.com/security/cve/CVE-2021-36221 https://access.redhat.com/security/cve/CVE-2021-41190 https://access.redhat.com/security/cve/CVE-2022-0778 https://access.redhat.com/security/cve/CVE-2022-21698 https://access.redhat.com/security/cve/CVE-2022-24407 https://access.redhat.com/security/cve/CVE-2022-25235 https://access.redhat.com/security/cve/CVE-2022-25236 https://access.redhat.com/security/cve/CVE-2022-25315 https://access.redhat.com/security/updates/classification#moderate 6. Contact: The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact Copyright 2022 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPGv1 iQIVAwUBYoW21tzjgjWX9erEAQhJaQ//eC90f4YkDr1fEmvc2oOj1W7eeE39cAlc CIMm/CPqIYmYfi74156QMjPCa9qmNf91dFUDd6xJ0UHP3pSVHDB2W31Rr5XrHvYD MrpJCrzio296LlfkQW0bkUkgtZ7X46aO+o5q+7LxQRq+s5CqcBR7i2EiCcJiu1+N PTSE8JH5zPggwjKSFFrcNPqU8Ovo3ujrv5IHvSmMG8/236BHQZJUMSB71BWbNiXm ntXEbnjpH7YwKzE71wSkKxf2P5FvhWdWEbJmOuzG/rqGYBru7nlJlkOQO5pL+7g3 5vslmQ0+FOUVq1y/Iv65yD8WfB0TYkocoe/n4xqPKKzyP9zTDgaFHtbmE0o7Lv9M fGyF0AJ+Mg9R3aet255gD1FIyklWX2YcNPKfoHrq5xYrFfJatPL9IZZyxTcMdRKn lhC9YGDKlu8JLxUGY2Gj3a1diKjm9BOhOvmqsCZPVRS4jJiYdrKl+Pa4md2KNdIq N9R+tuRufLvsa5LlPN6ebdrJFoxYII5uiZDB0pxdum+dzCrix1gKMWRgw0NU0AiI ZyrqF0cPKbbLFgJgo4TnjilCCbJbH1bA8a2kB4YzLJnVs75pDGlSLVDqeq/gXyrq 1mjcjvQI7xLwBDC8dA1wUhmGwFzfbdGpm7xUwV12womdSUI/8w58mm/hrsIO0bii NbLaT0l7Qwc=lG+M -----END PGP SIGNATURE----- -- RHSA-announce mailing list This email address is being protected from spambots. You need JavaScript enabled to view it. . Red Hat OpenShift Virtualization 4.10.1 Images have been made available, addressing several bugs and enhancements that present a moderate security concern.. Red Hat, OpenShift, Image Updates, Security Advisory, Container Security. . LinuxSecurity.com Team

Calendar%202 May 18, 2022 Red Hat
News Add Esm H240

Get the latest News and Insights

Get the latest Linux and open source security news straight to your inbox.

Community Poll

Is application sandboxing truly safe?

No answer selected. Please try again.
Please select either existing option or enter your own, however not both.
Please select minimum {0} answer(s).
Please select maximum {0} answer(s).
/main-polls/155-is-application-sandboxing-truly-safe?task=poll.vote&format=json
155
radio
0
[{"id":500,"title":"Malware still escapes container walls.","votes":0,"type":"x","order":1,"pct":0,"resources":[]},{"id":501,"title":"Supply chains corrupt trusted packages.","votes":0,"type":"x","order":2,"pct":0,"resources":[]},{"id":502,"title":"Convenience consistently compromises strict security.","votes":1,"type":"x","order":3,"pct":100,"resources":[]}] ["#ff5b00","#4ac0f2","#b80028","#eef66c","#60bb22","#b96a9a","#62c2cc"] ["rgba(255,91,0,0.7)","rgba(74,192,242,0.7)","rgba(184,0,40,0.7)","rgba(238,246,108,0.7)","rgba(96,187,34,0.7)","rgba(185,106,154,0.7)","rgba(98,194,204,0.7)"] 350
bottom 200