Stay Secure with the Latest Linux Advisories
Refine advisories
X Clear Filters
Get the latest News and Insights
Get the latest Linux and open source security news straight to your inbox.
Community Poll
What got you started with Linux?
Loading...
Explore Latest Linux Security advisories
We found 0 articles for you...
219
security advisorydenial of serviceimportantRocky Linux 10 RLSA-2026-10221 GoLang Immediate Service Interruption Alert
Important: golang security update. {"type": "TYPE_SECURITY", "shortCode": "RL", "name": "RLSA-2026:10217", "synopsis": "Important: golang security update", "severity": "SEVERITY_IMPORTANT", "topic": "An update is available for golang.\nThis update affects Rocky Linux 10.\nA Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE list", "description": "The golang packages provide the Go programming language compiler.\n\nSecurity Fix(es):\n\n* golang: internal/syscall/unix: Root.Chmod can follow symlinks out of the root (CVE-2026-32282)\n\n* crypto/tls: golang: Go crypto/tls: Denial of Service via multiple TLS 1.3 key update messages (CVE-2026-32283)\n\n* crypto/x509: crypto/tls: golang: Go: Denial of Service vulnerability in certificate chain building (CVE-2026-32280)\n\n* golang: cmd/compile: no-op interface conversion bypasses overlap checking (CVE-2026-27144)\n\n* cmd/go: golang: Go (golang) and cmd/go: Arbitrary Code Execution via malicious SWIG file names (CVE-2026-27140)\n\n* golang: cmd/compile: possible memory corruption after bound check elimination (CVE-2026-27143)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.", "solution": null, "affectedProducts": ["Rocky Linux 10"], "fixes": [{"ticket": "2456338", "sourceBy": "Red Hat", "sourceLink": "https://bugzilla.redhat.com/show_bug.cgi?id=2456338", "description": ""}, {"ticket": "2456341", "sourceBy": "Red Hat", "sourceLink": "https://bugzilla.redhat.com/show_bug.cgi?id=2456341", "description": ""}, {"ticket": "2456336", "sourceBy": "Red Hat", "sourceLink": "https://bugzilla.redhat.com/show_bug.cgi?id=2456336", "description": ""}, {"ticket": "2456339", "sourceBy": "Red Hat", "sourceLink": "https://bugzilla.redhat.com/show_bug.cgi?id=2456339", "description": ""}, {"ticket": "2456340", "sourceBy": "Red Hat", "sourceLink":"https://bugzilla.redhat.com/show_bug.cgi?id=2456340", "description": ""}, {"ticket": "2456342", "sourceBy": "Red Hat", "sourceLink": "https://bugzilla.redhat.com/show_bug.cgi?id=2456342", "description": ""}], "cves": [{"name": "CVE-2026-27140", "sourceBy": "MITRE", "sourceLink": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-27140", "cvss3ScoringVector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H", "cvss3BaseScore": "9.0", "cwe": "CWE-641"}, {"name": "CVE-2026-27143", "sourceBy": "MITRE", "sourceLink": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-27143", "cvss3ScoringVector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "cvss3BaseScore": "8.1", "cwe": "CWE-733"}, {"name": "CVE-2026-27144", "sourceBy": "MITRE", "sourceLink": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-27144", "cvss3ScoringVector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "cvss3BaseScore": "8.1", "cwe": "CWE-440"}, {"name": "CVE-2026-32280", "sourceBy": "MITRE", "sourceLink": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-32280", "cvss3ScoringVector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "cvss3BaseScore": "7.5", "cwe": "CWE-770"}, {"name": "CVE-2026-32282", "sourceBy": "MITRE", "sourceLink": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-32282", "cvss3ScoringVector": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H", "cvss3BaseScore": "7.8", "cwe": "CWE-367"}, {"name": "CVE-2026-32283", "sourceBy": "MITRE", "sourceLink": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-32283", "cvss3ScoringVector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "cvss3BaseScore": "7.5", "cwe": "CWE-764"}], "references": [], "publishedAt": "2026-05-06T12:05:16.751656Z", "rpms": {"Rocky Linux 10": {"nvras": ["golang-race-0:1.25.9-3.el10_1.s390x.rpm", "go-toolset-0:1.25.9-3.el10_1.aarch64.rpm", "golang-race-0:1.25.9-3.el10_1.ppc64le.rpm", "golang-race-0:1.25.9-3.el10_1.aarch64.rpm", "go-toolset-0:1.25.9-3.el10_1.x86_64.rpm", "golang-src-0:1.25.9-3.el10_1.noarch.rpm","golang-0:1.25.9-3.el10_1.src.rpm", "golang-docs-0:1.25.9-3.el10_1.noarch.rpm", "golang-0:1.25.9-3.el10_1.x86_64.rpm", "golang-misc-0:1.25.9-3.el10_1.noarch.rpm", "go-toolset-0:1.25.9-3.el10_1.ppc64le.rpm", "golang-tests-0:1.25.9-3.el10_1.noarch.rpm", "golang-bin-0:1.25.9-3.el10_1.x86_64.rpm", "golang-bin-0:1.25.9-3.el10_1.s390x.rpm", "golang-0:1.25.9-3.el10_1.s390x.rpm", "golang-bin-0:1.25.9-3.el10_1.ppc64le.rpm", "golang-0:1.25.9-3.el10_1.aarch64.rpm", "golang-0:1.25.9-3.el10_1.ppc64le.rpm", "golang-race-0:1.25.9-3.el10_1.x86_64.rpm", "go-toolset-0:1.25.9-3.el10_1.s390x.rpm", "golang-bin-0:1.25.9-3.el10_1.aarch64.rpm"]}}, "rebootSuggested": false, "buildReferences": []}. Golang security update for Rocky Linux addressing significant vulnerabilities. Immediate update recommended for system safety.. Rocky Linux Updates,golang security,system vulnerabilities,security enhancement,admin guidelines. . Severity: Important. LinuxSecurity.com Team
May 06, 2026
•Important
Rocky Linux
100
security advisoryDoSpatchSUSE: 2022:3576-1 Important Icinga Security Fix for DoS
An update that fixes two vulnerabilities is now available. . SUSE Security Update: Security update for icinga ______________________________________________________________________________ Announcement ID: SUSE-SU-2022:3576-1 Rating: important References: #1014637 #1156309 Cross-References: CVE-2016-9566 CVE-2019-3698 CVSS scores: CVE-2016-9566 (NVD) : 7.8 CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVE-2016-9566 (SUSE): 7.3 CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H CVE-2019-3698 (NVD) : 7 CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H CVE-2019-3698 (SUSE): 4.5 CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L Affected Products: SUSE Manager Tools 12 ______________________________________________________________________________ An update that fixes two vulnerabilities is now available. Description: This update for icinga fixes the following issues: - CVE-2016-9566: Fixed root privilege escalation (bsc#1014637). - CVE-2019-3698: Fixed symbolic link vulnerability that can cause DoS or potentially escalate privileges (bsc#1156309). Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - SUSE Manager Tools 12: zypper in -t patch SUSE-SLE-Manager-Tools-12-2022-3576=1 Package List: - SUSE Manager Tools 12 (aarch64 ppc64le s390x x86_64): icinga-1.13.3-12.6.1 icinga-debuginfo-1.13.3-12.6.1 icinga-debugsource-1.13.3-12.6.1 icinga-devel-1.13.3-12.6.1 icinga-doc-1.13.3-12.6.1 icinga-idoutils-1.13.3-12.6.1 icinga-idoutils-mysql-1.13.3-12.6.1 icinga-idoutils-oracle-1.13.3-12.6.1 icinga-idoutils-pgsql-1.13.3-12.6.1 icinga-plugins-downtimes-1.13.3-12.6.1 icinga-plugins-eventhandlers-1.13.3-12.6.1 icinga-www-1.13.3-12.6.1 icinga-www-config-1.13.3-12.6.1 monitoring-tools-1.13.3-12.6.1 References: https://www.suse.com/security/cve/CVE-2016-9566.html https://www.suse.com/security/cve/CVE-2019-3698.html https://bugzilla.suse.com/1014637 https://bugzilla.suse.com/1156309 . SUSE has issued a security update for icinga, tackling vulnerabilities linked to unauthorized root access and denial of service risks, along with crucial implementation advice. SUSE Manager Tools, Icinga Update, Security Fix, DoS Attack, Root Privilege Escalation. . Severity: Important. LinuxSecurity.com Team
Oct 13, 2022
•Important
SuSE
100
security advisorysecurity issuepatchSUSE: 2022:2803-1 Important: Kernel Security with Root Privilege Escalation
An update that solves 5 vulnerabilities, contains 7 features and has 16 fixes is now available. . SUSE Security Update: Security update for the Linux Kernel ______________________________________________________________________________ Announcement ID: SUSE-SU-2022:2803-1 Rating: important References: #1190256 #1190497 #1199291 #1199356 #1199665 #1201258 #1201323 #1201391 #1201458 #1201592 #1201593 #1201595 #1201596 #1201635 #1201651 #1201691 #1201705 #1201726 #1201846 #1201930 #1202094 SLE-21132 SLE-24569 SLE-24570 SLE-24571 SLE-24578 SLE-24635 SLE-24682 Cross-References: CVE-2021-33655 CVE-2022-21505 CVE-2022-2585 CVE-2022-26373 CVE-2022-29581 CVSS scores: CVE-2021-33655 (NVD) : 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVE-2021-33655 (SUSE): 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVE-2022-21505 (SUSE): 6.7 CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H CVE-2022-2585 (SUSE): 8.4 CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVE-2022-26373 (SUSE): 5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N CVE-2022-29581 (NVD) : 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVE-2022-29581 (SUSE): 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H Affected Products: SUSE Linux Enterprise Desktop 15-SP4 SUSE Linux Enterprise High Availability 15-SP4 SUSE Linux Enterprise High Performance Computing SUSE Linux Enterprise High Performance Computing 15-SP4 SUSE Linux Enterprise Module for Basesystem 15-SP4 SUSE Linux Enterprise Module for Development Tools 15-SP4 SUSE Linux Enterprise Module for Legacy Software 15-SP4 SUSE Linux Enterprise Module for LivePatching 15-SP4 SUSE Linux Enterprise Server SUSE Linux Enterprise Server 15-SP4 SUSE Linux Enterprise Server for SAP Applications SUSE Linux Enterprise Server for SAP Applications 15-SP4 SUSE Linux Enterprise Workstation Extension 15-SP4 SUSE Manager Proxy 4.3 SUSE Manager Retail Branch Server 4.3 SUSE Manager Server 4.3 openSUSE Leap 15.4 ______________________________________________________________________________ An update that solves 5 vulnerabilities, contains 7 features and has 16 fixes is now available. Description: The SUSE Linux Enterprise 15 SP4 kernel was updated to receive various security and bugfixes. The following security bugs were fixed: - CVE-2021-33655: Fixed out of bounds write with ioctl FBIOPUT_VSCREENINFO (bnc#1201635). - CVE-2022-2585: Fixed use-after-free in POSIX CPU timer (bnc#1202094). - CVE-2022-21505: Fixed kexec lockdown bypass with IMA policy (bsc#1201458). - CVE-2022-26373: Fixed CPU info leak via post-barrier RSB predictions (bsc#1201726). - CVE-2022-29581: Fixed improper update of Reference Count in net/sched that could cause root privilege escalation (bnc#1199665). The following non-security bugs were fixed: - ACPI: CPPC: Only probe for _CPC if CPPC v2 is acked (git-fixes). - ACPI: video: Fix acpi_video_handles_brightness_key_presses() (git-fixes). - ALSA: hda - Add fixup for Dell Latitidue E5430 (git-fixes). - ALSA: hda/conexant: Apply quirk for another HP ProDesk 600 G3 model (git-fixes). - ALSA: hda/realtek - Enable the headset-mic on a Xiaomi's laptop (git-fixes). - ALSA: hda/realtek - Fix headset mic problem for a HP machine with alc221 (git-fixes). - ALSA: hda/realtek - Fix headset mic problem for a HP machine with alc671 (git-fixes). - ALSA: hda/realtek: Add quirk for Clevo L140PU(git-fixes). - ALSA: hda/realtek: Fix headset mic for Acer SF313-51 (git-fixes). - ALSA: hda/realtek: fix mute/micmute LEDs for HP machines (git-fixes). - ALSA: usb-audio: Add quirk for Fiero SC-01 (fw v1.0.0) (git-fixes). - ALSA: usb-audio: Add quirk for Fiero SC-01 (git-fixes). - ALSA: usb-audio: Add quirks for MacroSilicon MS2100/MS2106 devices (git-fixes). - ALSA: usb-audio: Workarounds for Behringer UMC 204/404 HD (git-fixes). - ARM: 9209/1: Spectre-BHB: avoid pr_info() every time a CPU comes out of idle (git-fixes). - ARM: 9210/1: Mark the FDT_FIXED sections as shareable (git-fixes). - ARM: 9213/1: Print message about disabled Spectre workarounds only once (git-fixes). - ARM: 9214/1: alignment: advance IT state after emulating Thumb instruction (git-fixes). - ARM: dts: at91: sama5d2: Fix typo in i2s1 node (git-fixes). - ARM: dts: imx6qdl-ts7970: Fix ngpio typo and count (git-fixes). - ARM: dts: stm32: use the correct clock source for CEC on stm32mp151 (git-fixes). - ARM: dts: sunxi: Fix SPI NOR campatible on Orange Pi Zero (git-fixes). - ASoC: Intel: Skylake: Correct the handling of fmt_config flexible array (git-fixes). - ASoC: Intel: Skylake: Correct the ssp rate discovery in skl_get_ssp_clks() (git-fixes). - ASoC: Intel: bytcr_wm5102: Fix GPIO related probe-ordering problem (git-fixes). - ASoC: Intel: sof_sdw: handle errors on card registration (git-fixes). - ASoC: Realtek/Maxim SoundWire codecs: disable pm_runtime on remove (git-fixes). - ASoC: Remove unused hw_write_t type (git-fixes). - ASoC: SOF: Intel: hda-loader: Clarify the cl_dsp_init() flow (git-fixes). - ASoC: codecs: rt700/rt711/rt711-sdca: initialize workqueues in probe (git-fixes). - ASoC: codecs: rt700/rt711/rt711-sdca: resume bus/codec in .set_jack_detect (git-fixes). - ASoC: cs47l15: Fix event generation for low power mux control (git-fixes). - ASoC: dapm: Initialise kcontrol data for mux/demux controls(git-fixes). - ASoC: madera: Fix event generation for OUT1 demux (git-fixes). - ASoC: madera: Fix event generation for rate controls (git-fixes). - ASoC: ops: Fix off by one in range control validation (git-fixes). - ASoC: rt5682: Avoid the unexpected IRQ event during going to suspend (git-fixes). - ASoC: rt5682: Fix deadlock on resume (git-fixes). - ASoC: rt5682: Re-detect the combo jack after resuming (git-fixes). - ASoC: rt5682: fix an incorrect NULL check on list iterator (git-fixes). - ASoC: rt5682: move clk related code to rt5682_i2c_probe (git-fixes). - ASoC: rt7*-sdw: harden jack_detect_handler (git-fixes). - ASoC: rt711-sdca-sdw: fix calibrate mutex initialization (git-fixes). - ASoC: rt711-sdca: Add endianness flag in snd_soc_component_driver (git-fixes). - ASoC: rt711-sdca: fix kernel NULL pointer dereference when IO error (git-fixes). - ASoC: rt711: Add endianness flag in snd_soc_component_driver (git-fixes). - ASoC: rt711: fix calibrate mutex initialization (git-fixes). - ASoC: sgtl5000: Fix noise on shutdown/remove (git-fixes). - ASoC: tas2764: Add post reset delays (git-fixes). - ASoC: tas2764: Correct playback volume range (git-fixes). - ASoC: tas2764: Fix amp gain register offset & default (git-fixes). - ASoC: tas2764: Fix and extend FSYNC polarity handling (git-fixes). - ASoC: wcd938x: Fix event generation for some controls (git-fixes). - ASoC: wm5110: Fix DRE control (git-fixes). - Bluetooth: btusb: Add the new support IDs for WCN6855 (git-fixxes). - Input: cpcap-pwrbutton - handle errors from platform_get_irq() (git-fixes). - Input: i8042 - Apply probe defer to more ASUS ZenBook models (bsc#1190256). - NFC: nxp-nci: do not print header length mismatch on i2c error (git-fixes). - VMCI: Add support for ARM64 (bsc#1199291, jsc#SLE-24635). - VMCI: Check exclusive_vectors when freeing interrupt 1 (bsc#1199291, jsc#SLE-24635). - VMCI: Fix some error handling paths invmci_guest_probe_device() (bsc#1199291, jsc#SLE-24635). - VMCI: Release notification_bitmap in error path (bsc#1199291, jsc#SLE-24635). - VMCI: dma dg: add MMIO access to registers (bsc#1199291, jsc#SLE-24635). - VMCI: dma dg: add support for DMA datagrams receive (bsc#1199291, jsc#SLE-24635). - VMCI: dma dg: add support for DMA datagrams sends (bsc#1199291, jsc#SLE-24635). - VMCI: dma dg: allocate send and receive buffers for DMA datagrams (bsc#1199291, jsc#SLE-24635). - VMCI: dma dg: detect DMA datagram capability (bsc#1199291, jsc#SLE-24635). - VMCI: dma dg: register dummy IRQ handlers for DMA datagrams (bsc#1199291, jsc#SLE-24635). - VMCI: dma dg: set OS page size (bsc#1199291, jsc#SLE-24635). - VMCI: dma dg: whitespace formatting change for vmci register defines (bsc#1199291, jsc#SLE-24635). - arm64: Add HWCAP for self-synchronising virtual counter (git-fixes) - arm64: Add cavium_erratum_23154_cpus missing sentinel (jsc#SLE-24682). - arm64: cpufeature: add HWCAP for FEAT_AFP (git-fixes) - arm64: dts: broadcom: bcm4908: Fix cpu node for smp boot (git-fixes). - arm64: dts: broadcom: bcm4908: Fix timer node for BCM4906 SoC (git-fixes) - arm64: dts: broadcom: bcm4908: Fix timer node for BCM4906 SoC (git-fixes). - arm64: dts: rockchip: Assign RK3399 VDU clock rate (git-fixes). - arm64: mm: Do not invalidate FROM_DEVICE buffers at start of DMA transfer (git-fixes) - batman-adv: Use netif_rx() (git-fixes). - bcmgenet: add WOL IRQ check (git-fixes). - be2net: Fix buffer overflow in be_get_module_eeprom (bsc#1201323). - blk-mq: add one API for waiting until quiesce is done (bsc#1201651). - blk-mq: fix kabi support concurrent queue quiesce unquiesce (bsc#1201651). - blk-mq: support concurrent queue quiesce/unquiesce (bsc#1201651). - can: bcm: use call_rcu() instead of costly synchronize_rcu() (git-fixes). - can: grcan: grcan_probe(): remove extra of_node_get() (git-fixes). - can:gs_usb: gs_usb_open/close(): fix memory leak (git-fixes). - can: m_can: m_can_chip_config(): actually enable internal timestamping (git-fixes). - can: mcp251xfd: mcp251xfd_regmap_crc_read(): improve workaround handling for mcp2517fd (git-fixes). - can: mcp251xfd: mcp251xfd_regmap_crc_read(): update workaround broken CRC on TBC register (git-fixes). - ceph: fix up non-directory creation in SGID directories (bsc#1201595). - cpufreq: mediatek: Unregister platform device on exit (git-fixes). - cpufreq: mediatek: Use module_init and add module_exit (git-fixes). - cpufreq: pmac32-cpufreq: Fix refcount leak bug (git-fixes). - cpuidle: PSCI: Move the `has_lpi` check to the beginning of the (git-fixes) - crypto: hisilicon/qm - modify the uacce mode check (bsc#1201391). - crypto: octeontx2 - Avoid stack variable overflow (jsc#SLE-24682). - crypto: octeontx2 - CN10K CPT to RNM workaround (jsc#SLE-24682). - crypto: octeontx2 - Use swap() instead of swap_engines() (jsc#SLE-24682). - crypto: octeontx2 - add apis for custom engine groups (jsc#SLE-24682). - crypto: octeontx2 - add synchronization between mailbox accesses (jsc#SLE-24682). - crypto: octeontx2 - fix missing unlock (jsc#SLE-24682). - crypto: octeontx2 - increase CPT HW instruction queue length (jsc#SLE-24682). - crypto: octeontx2 - out of bounds access in otx2_cpt_dl_custom_egrp_delete() (jsc#SLE-24682). - crypto: octeontx2 - parameters for custom engine groups (jsc#SLE-24682). - crypto: octeontx2 - select CONFIG_NET_DEVLINK (jsc#SLE-24682). - crypto: octeontx2 - use swap() to make code cleaner (jsc#SLE-24682). - crypto: qat - fix memory leak in RSA (git-fixes). - crypto: qat - remove dma_free_coherent() for DH (git-fixes). - crypto: qat - remove dma_free_coherent() for RSA (git-fixes). - crypto: qat - set CIPHER capability for DH895XCC (git-fixes). - crypto: qat - set to zero DH parameters before free (git-fixes). - crypto: testmgr - allow ecdsa-nist inFIPS mode (jsc#SLE-21132,bsc#1201258). - device property: Add fwnode_irq_get_byname (jsc#SLE-24569) - dm: do not stop request queue after the dm device is suspended (bsc#1201651). - dmaengine: at_xdma: handle errors of at_xdmac_alloc_desc() correctly (git-fixes). - dmaengine: imx-sdma: Allow imx8m for imx7 FW revs (git-fixes). - dmaengine: lgm: Fix an error handling path in intel_ldma_probe() (git-fixes). - dmaengine: pl330: Fix lockdep warning about non-static key (git-fixes). - dmaengine: qcom: bam_dma: fix runtime PM underflow (git-fixes). - dmaengine: ti: Add missing put_device in ti_dra7_xbar_route_allocate (git-fixes). - dmaengine: ti: Fix refcount leak in ti_dra7_xbar_route_allocate (git-fixes). - docs: firmware-guide: ACPI: Add named interrupt doc (jsc#SLE-24569) - docs: net: dsa: add more info about the other arguments to get_tag_protocol (git-fixes). - docs: net: dsa: delete port_mdb_dump (git-fixes). - docs: net: dsa: document change_tag_protocol (git-fixes). - docs: net: dsa: document port_fast_age (git-fixes). - docs: net: dsa: document port_setup and port_teardown (git-fixes). - docs: net: dsa: document the shutdown behavior (git-fixes). - docs: net: dsa: document the teardown method (git-fixes). - docs: net: dsa: re-explain what port_fdb_dump actually does (git-fixes). - docs: net: dsa: remove port_vlan_dump (git-fixes). - docs: net: dsa: rename tag_protocol to get_tag_protocol (git-fixes). - docs: net: dsa: update probing documentation (git-fixes). - dpaa2-eth: Initialize mutex used in one step timestamping path (git-fixes). - dpaa2-eth: destroy workqueue at the end of remove function (git-fixes). - dpaa2-eth: unregister the netdev before disconnecting from the PHY (git-fixes). - drbd: fix potential silent data corruption (git-fixes). - drivers: net: smc911x: Check for error irq (git-fixes). - drm/amd/display: Fix by adding FPU protection for dcn30_internal_validate_bw (git-fixes). - drm/amd/display: Only use depth 36 bpp linebuffers on DCN display engines (git-fixes). - drm/amd/display: Set min dcfclk if pipe count is 0 (git-fixes). - drm/amd/vcn: fix an error msg on vcn 3.0 (git-fixes). - drm/amdgpu: To flush tlb for MMHUB of RAVEN series (git-fixes). - drm/i915/dg2: Add Wa_22011100796 (git-fixes). - drm/i915/gt: Serialize GRDOM access between multiple engine resets (git-fixes). - drm/i915/gt: Serialize TLB invalidates with GT resets (git-fixes). - drm/i915/gvt: IS_ERR() vs NULL bug in intel_gvt_update_reg_whitelist() (git-fixes). - drm/i915/selftests: fix a couple IS_ERR() vs NULL tests (git-fixes). - drm/i915/uc: correctly track uc_fw init failure (git-fixes). - drm/i915: Fix a race between vma / object destruction and unbinding (git-fixes). - drm/i915: Require the vm mutex for i915_vma_bind() (git-fixes). - drm/i915: fix a possible refcount leak in intel_dp_add_mst_connector() (git-fixes). - drm/imx/dcss: Add missing of_node_put() in fail path (git-fixes). - drm/mediatek: Detect CMDQ execution timeout (git-fixes). - drm/mediatek: Remove the pointer of struct cmdq_client (git-fixes). - drm/mediatek: Use mailbox rx_callback instead of cmdq_task_cb (git-fixes). - drm/panfrost: Fix shrinker list corruption by madvise IOCTL (git-fixes). - drm/panfrost: Put mapping instead of shmem obj on panfrost_mmu_map_fault_addr() error (git-fixes). - drm/ttm: fix locking in vmap/vunmap TTM GEM helpers (git-fixes). - dt-bindings: dma: allwinner,sun50i-a64-dma: Fix min/max typo (git-fixes). - dt-bindings: gpio: Add Tegra241 support (jsc#SLE-24571) - dt-bindings: soc: qcom: smd-rpm: Add compatible for MSM8953 SoC (git-fixes). - dt-bindings: soc: qcom: smd-rpm: Fix missing MSM8936 compatible (git-fixes). - e1000e: Enable GPT clock before sending message to CSME (git-fixes). - efi/x86: use naked RET on mixed mode call wrapper (git-fixes). -ethernet: Fix error handling in xemaclite_of_probe (git-fixes). - ethtool: Fix get module eeprom fallback (bsc#1201323). - fbcon: Disallow setting font bigger than screen size (git-fixes). - fbcon: Prevent that screen size is smaller than font size (git-fixes). - fbdev: fbmem: Fix logo center image dx issue (git-fixes). - fbmem: Check virtual screen sizes in fb_set_var() (git-fixes). - fjes: Check for error irq (git-fixes). - fsl/fman: Check for null pointer after calling devm_ioremap (git-fixes). - fsl/fman: Fix missing put_device() call in fman_port_probe (git-fixes). - fuse: annotate lock in fuse_reverse_inval_entry() (bsc#1201593). - fuse: make sure reclaim does not write the inode (bsc#1201592). - gpio: gpio-xilinx: Fix integer overflow (git-fixes). - gpio: pca953x: only use single read/write for No AI mode (git-fixes). - gpio: pca953x: use the correct range when do regmap sync (git-fixes). - gpio: pca953x: use the correct register address when regcache sync during init (git-fixes). - gpio: tegra186: Add IRQ per bank for Tegra241 (jsc#SLE-24571) - gpio: tegra186: Add support for Tegra241 (jsc#SLE-24571) - gve: Recording rx queue before sending to napi (git-fixes). - hwmon: (occ) Prevent power cap command overwriting poll response (git-fixes). - hwmon: (occ) Remove sequence numbering and checksum calculation (git-fixes). - hwrng: cavium - fix NULL but dereferenced coccicheck error (jsc#SLE-24682). - i2c: cadence: Change large transfer count reset logic to be unconditional (git-fixes). - i2c: cadence: Unregister the clk notifier in error path (git-fixes). - i2c: mlxcpld: Fix register setting for 400KHz frequency (git-fixes). - i2c: piix4: Fix a memory leak in the EFCH MMIO support (git-fixes). - i2c: smbus: Check for parent device before dereference (git-fixes). - i2c: smbus: Use device_*() functions instead of of_*() (jsc#SLE-24569) - i2c: tegra: Add SMBus block read function (jsc#SLE-24569) - i2c:tegra: Add the ACPI support (jsc#SLE-24569) - i2c: tegra: use i2c_timings for bus clock freq (jsc#SLE-24569) - ice: Avoid RTNL lock when re-creating auxiliary device (git-fixes). - ice: Fix error with handling of bonding MTU (git-fixes). - ice: Fix race condition during interface enslave (git-fixes). - ice: stop disabling VFs due to PF error responses (git-fixes). - ida: do not use BUG_ON() for debugging (git-fixes). - ima: Fix a potential integer overflow in ima_appraise_measurement (git-fixes). - ima: Fix potential memory leak in ima_init_crypto() (git-fixes). - ima: force signature verification when CONFIG_KEXEC_SIG is configured (git-fixes). - irqchip/gic-v3: Workaround Marvell erratum 38545 when reading IAR (jsc#SLE-24682). - irqchip: or1k-pic: Undefine mask_ack for level triggered hardware (git-fixes). - ixgbevf: Require large buffers for build_skb on 82599VF (git-fixes). - kABI workaround for phy_device changes (git-fixes). - kABI workaround for rtsx_usb (git-fixes). - kABI workaround for snd-soc-rt5682-* (git-fixes). - kABI: fix adding field to scsi_device (git-fixes). - kABI: fix adding field to ufs_hba (git-fixes). - kABI: i2c: smbus: restore of_ alert variant (jsc#SLE-24569). kABI fix for "i2c: smbus: Use device_*() functions instead of of_*()" - kabi/severities: add intel ice - kabi/severities: add stmmac network driver local symbols - kabi/severities: ignore dropped symbol rt5682_headset_detect - kasan: fix tag for large allocations when using CONFIG_SLAB (git fixes (mm/kasan)). - kernel-obs-build: include qemu_fw_cfg (boo#1201705) - kvm: emulate: do not adjust size of fastop and setcc subroutines (bsc#1201930). - kvm: emulate: Fix SETcc emulation function offsets with SLS (bsc#1201930). - libceph: fix potential use-after-free on linger ping and resends (bsc#1201596). - md: bcache: check the return value of kzalloc() in detached_dev_do_request() (git-fixes). - memcg:page_alloc: skip bulk allocator for __GFP_ACCOUNT (git fixes (mm/pgalloc)). - memregion: Fix memregion_free() fallback definition (git-fixes). - misc: rtsx_usb: fix use of dma mapped buffer for usb bulk transfer (git-fixes). - misc: rtsx_usb: set return value in rsp_buf alloc err path (git-fixes). - misc: rtsx_usb: use separate command and response buffers (git-fixes). - mm/large system hash: avoid possible NULL deref in alloc_large_system_hash (git fixes (mm/pgalloc)). - mm/secretmem: avoid letting secretmem_users drop to zero (git fixes (mm/secretmem)). - mm/vmalloc: fix numa spreading for large hash tables (git fixes (mm/vmalloc)). - mm/vmalloc: make sure to dump unpurged areas in /proc/vmallocinfo (git fixes (mm/vmalloc)). - mm/vmalloc: repair warn_alloc()s in __vmalloc_area_node() (git fixes (mm/vmalloc)). - mm: do not try to NUMA-migrate COW pages that have other uses (git fixes (mm/numa)). - mm: swap: get rid of livelock in swapin readahead (git fixes (mm/swap)). - mt76: mt7921: get rid of mt7921_mac_set_beacon_filter (git-fixes). - natsemi: xtensa: fix section mismatch warnings (git-fixes). - nbd: fix possible overflow on 'first_minor' in nbd_dev_add() (git-fixes). - net/fsl: xgmac_mdio: Add workaround for erratum A-009885 (git-fixes). - net/fsl: xgmac_mdio: Fix incorrect iounmap when removing module (git-fixes). - net/qla3xxx: fix an error code in ql_adapter_up() (git-fixes). - net: ag71xx: Fix a potential double free in error handling paths (git-fixes). - net: altera: set a couple error code in probe() (git-fixes). - net: amd-xgbe: Fix skb data length underflow (git-fixes). - net: amd-xgbe: disable interrupts during pci removal (git-fixes). - net: amd-xgbe: ensure to reset the tx_timer_active flag (git-fixes). - net: annotate data-races on txq-> xmit_lock_owner (git-fixes). - net: axienet: Fix TX ring slot available check (git-fixes). - net: axienet: Wait for PhyRstCmplt aftercore reset (git-fixes). - net: axienet: add missing memory barriers (git-fixes). - net: axienet: fix for TX busy handling (git-fixes). - net: axienet: fix number of TX ring slots for available check (git-fixes). - net: axienet: increase default TX ring size to 128 (git-fixes). - net: axienet: increase reset timeout (git-fixes). - net: axienet: limit minimum TX ring size (git-fixes). - net: bcm4908: Handle dma_set_coherent_mask error codes (git-fixes). - net: bcmgenet: Do not claim WOL when its not available (git-fixes). - net: bcmgenet: skip invalid partial checksums (git-fixes). - net: chelsio: cxgb3: check the return value of pci_find_capability() (git-fixes). - net: cpsw: Properly initialise struct page_pool_params (git-fixes). - net: cpsw: avoid alignment faults by taking NET_IP_ALIGN into account (git-fixes). - net: dsa: ar9331: register the mdiobus under devres (git-fixes). - net: dsa: bcm_sf2: do not use devres for mdiobus (git-fixes). - net: dsa: felix: do not use devres for mdiobus (git-fixes). - net: dsa: lan9303: add VLAN IDs to master device (git-fixes). - net: dsa: lan9303: fix reset on probe (git-fixes). - net: dsa: lantiq_gswip: do not use devres for mdiobus (git-fixes). - net: dsa: mt7530: fix incorrect test in mt753x_phylink_validate() (git-fixes). - net: dsa: mt7530: fix kernel bug in mdiobus_free() when unbinding (git-fixes). - net: dsa: mt7530: make NET_DSA_MT7530 select MEDIATEK_GE_PHY (git-fixes). - net: dsa: mv88e6xxx: do not use devres for mdiobus (git-fixes). - net: dsa: mv88e6xxx: fix use-after-free in mv88e6xxx_mdios_unregister (git-fixes). - net: dsa: mv88e6xxx: flush switchdev FDB workqueue before removing VLAN (git-fixes). - net: ethernet: lpc_eth: Handle error for clk_enable (git-fixes). - net: ethernet: mtk_eth_soc: fix error checking in mtk_mac_config() (git-fixes). - net: ethernet: mtk_eth_soc: fix return values and refactor MDIO ops (git-fixes). -net: ethernet: ti: cpts: Handle error for clk_enable (git-fixes). - net: fec: only clear interrupt of handling queue in fec_enet_rx_queue() (git-fixes). - net: ieee802154: ca8210: Fix lifs/sifs periods (git-fixes). - net: ieee802154: ca8210: Stop leaking skb's (git-fixes). - net: ieee802154: hwsim: Ensure proper channel selection at probe time (git-fixes). - net: ieee802154: mcr20a: Fix lifs/sifs periods (git-fixes). - net: ipa: add an interconnect dependency (git-fixes). - net: ipa: fix atomic update in ipa_endpoint_replenish() (git-fixes). - net: ipa: prevent concurrent replenish (git-fixes). - net: ipa: use a bitmap for endpoint replenish_enabled (git-fixes). - net: ks8851: Check for error irq (git-fixes). - net: lantiq_xrx200: fix statistics of received bytes (git-fixes). - net: ll_temac: check the return value of devm_kmalloc() (git-fixes). - net: macb: Fix lost RX packet wakeup race in NAPI receive (git-fixes). - net: macsec: Fix offload support for NETDEV_UNREGISTER event (git-fixes). - net: macsec: Verify that send_sci is on when setting Tx sci explicitly (git-fixes). - net: marvell: mvpp2: Fix the computation of shared CPUs (git-fixes). - net: marvell: prestera: Add missing of_node_put() in prestera_switch_set_base_mac_addr (git-fixes). - net: marvell: prestera: fix incorrect return of port_find (git-fixes). - net: mdio: aspeed: Add missing MODULE_DEVICE_TABLE (git-fixes). - net: mscc: ocelot: fix backwards compatibility with single-chain tc-flower offload (git-fixes). - net: mscc: ocelot: fix mutex lock error during ethtool stats read (git-fixes). - net: mscc: ocelot: fix using match before it is set (git-fixes). - net: mv643xx_eth: process retval from of_get_mac_address (git-fixes). - net: mvpp2: fix XDP rx queues registering (git-fixes). - net: phy: Do not trigger state machine while in suspend (git-fixes). - net: phylink: Force link down and retrigger resolve on interface change (git-fixes). - net: phylink: Force retrigger in case of latched link-fail indicator (git-fixes). - net: rose: fix UAF bug caused by rose_t0timer_expiry (git-fixes). - net: sfp: fix high power modules without diagnostic monitoring (git-fixes). - net: sfp: ignore disabled SFP node (git-fixes). - net: sparx5: Fix add vlan when invalid operation (git-fixes). - net: sparx5: Fix get_stat64 crash in tcpdump (git-fixes). - net: stmmac: Add platform level debug register dump feature (git-fixes). - net: stmmac: Avoid DMA_CHAN_CONTROL write if no Split Header support (git-fixes). - net: stmmac: configure PTP clock source prior to PTP initialization (git-fixes). - net: stmmac: dump gmac4 DMA registers correctly (git-fixes). - net: stmmac: dwmac-rk: fix oob read in rk_gmac_setup (git-fixes). - net: stmmac: dwmac-visconti: Fix bit definitions for ETHER_CLK_SEL (git-fixes). - net: stmmac: dwmac-visconti: Fix clock configuration for RMII mode (git-fixes). - net: stmmac: dwmac-visconti: Fix value of ETHER_CLK_SEL_FREQ_SEL_2P5M (git-fixes). - net: stmmac: dwmac-visconti: No change to ETHER_CLOCK_SEL for unexpected speed request (git-fixes). - net: stmmac: ensure PTP time register reads are consistent (git-fixes). - net: stmmac: fix return value of __setup handler (git-fixes). - net: stmmac: fix tc flower deletion for VLAN priority Rx steering (git-fixes). - net: stmmac: properly handle with runtime pm in stmmac_dvr_remove() (git-fixes). - net: stmmac: ptp: fix potentially overflowing expression (git-fixes). - net: stmmac: retain PTP clock time during SIOCSHWTSTAMP ioctls (git-fixes). - net: stmmac: skip only stmmac_ptp_register when resume from suspend (git-fixes). - net: sxgbe: fix return value of __setup handler (git-fixes). - net: systemport: Add global locking for descriptor lifecycle (git-fixes). - net: usb: qmi_wwan: add Telit 0x1060 composition (git-fixes). - net: usb: qmi_wwan: addTelit 0x1070 composition (git-fixes). - netdevsim: do not overwrite read only ethtool parms (git-fixes). - nfp: Fix memory leak in nfp_cpp_area_cache_add() (git-fixes). - nvme: add APIs for stopping/starting admin queue (bsc#1201651). - nvme: apply nvme API to quiesce/unquiesce admin queue (bsc#1201651). - nvme: loop: clear NVME_CTRL_ADMIN_Q_STOPPED after admin queue is reallocated (bsc#1201651). - nvme: paring quiesce/unquiesce (bsc#1201651). - nvme: prepare for pairing quiescing and unquiescing (bsc#1201651). - nvme: wait until quiesce is done (bsc#1201651). - octeontx2-af: Do not fixup all VF action entries (git-fixes). - octeontx2-af: Fix a memleak bug in rvu_mbox_init() (git-fixes). - octeontx2-af: cn10k: Do not enable RPM loopback for LPC interfaces (git-fixes). - octeontx2-pf: Forward error codes to VF (git-fixes). - page_alloc: fix invalid watemark check on a negative value (git fixes (mm/pgalloc)). - perf/amd/ibs: Add support for L3 miss filtering (jsc#SLE-24578). - perf/amd/ibs: Advertise zen4_ibs_extensions as pmu capability attribute (jsc#SLE-24578). - perf/amd/ibs: Cascade pmu init functions' return value (jsc#SLE-24578). - perf/amd/ibs: Use -> is_visible callback for dynamic attributes (jsc#SLE-24578). - pinctrl: aspeed: Fix potential NULL dereference in aspeed_pinmux_set_mux() (git-fixes). - pinctrl: sunxi: a83t: Fix NAND function name for some pins (git-fixes). - pinctrl: sunxi: sunxi_pconf_set: use correct offset (git-fixes). - platform/x86: hp-wmi: Ignore Sanitization Mode event (git-fixes). - posix_cpu_timers: fix race between exit_itimers() and /proc/pid/timers (git-fixes). - power/reset: arm-versatile: Fix refcount leak in versatile_reboot_probe (git-fixes). - powerpc/mobility: wait for memory transfer to complete (bsc#1201846 ltc#198761). - powerpc/pseries/mobility: set NMI watchdog factor during an LPM (bsc#1201846 ltc#198761). - powerpc/watchdog: introduce a NMIwatchdog's factor (bsc#1201846 ltc#198761). - ppp: ensure minimum packet size in ppp_write() (git-fixes). - qede: validate non LSO skb length (git-fixes). - r8152: fix a WOL issue (git-fixes). - r8169: fix accessing unset transport header (git-fixes). - random: document add_hwgenerator_randomness() with other input functions (git-fixes). - random: fix typo in comments (git-fixes). - raw: Fix a data-race around sysctl_raw_l3mdev_accept (git-fixes). - reset: Fix devm bulk optional exclusive control getter (git-fixes). - rocker: fix a sleeping in atomic bug (git-fixes). - rpm/modules.fips: add ecdsa_generic (jsc#SLE-21132,bsc#1201258). - sched/core: Do not requeue task on CPU excluded from cpus_mask (bnc#1199356). - scsi: avoid to quiesce sdev-> request_queue two times (bsc#1201651). - scsi: core: sd: Add silence_suspend flag to suppress some PM messages (git-fixes). - scsi: iscsi: Exclude zero from the endpoint ID range (git-fixes). - scsi: lpfc: Fix mailbox command failure during driver initialization (git-fixes). - scsi: make sure that request queue queiesce and unquiesce balanced (bsc#1201651). - scsi: scsi_debug: Do not call kcalloc() if size arg is zero (git-fixes). - scsi: scsi_debug: Fix type in min_t to avoid stack OOB (git-fixes). - scsi: scsi_debug: Fix zone transition to full condition (git-fixes). - scsi: scsi_debug: Sanity check block descriptor length in resp_mode_select() (git-fixes). - scsi: sd: Fix potential NULL pointer dereference (git-fixes). - scsi: sd: Fix sd_do_mode_sense() buffer length handling (git-fixes). - scsi: ufs: Fix a deadlock in the error handler (git-fixes). - scsi: ufs: Fix runtime PM messages never-ending cycle (git-fixes). - scsi: ufs: Remove dead code (git-fixes). - scsi: ufs: core: scsi_get_lba() error fix (git-fixes). - serial: 8250: Fix PM usage_count for console handover (git-fixes). - serial: 8250: fix return error code inserial8250_request_std_resource() (git-fixes). - serial: pl011: UPSTAT_AUTORTS requires .throttle/unthrottle (git-fixes). - serial: sc16is7xx: Clear RS485 bits in the shutdown (git-fixes). - serial: stm32: Clear prev values before setting RTS delays (git-fixes). - soc: ixp4xx/npe: Fix unused match warning (git-fixes). - spi: Add Tegra234 QUAD SPI compatible (jsc#SLE-24570) - spi: amd: Limit max transfer and message size (git-fixes). - spi: bcm2835: bcm2835_spi_handle_err(): fix NULL pointer deref for non DMA transfers (git-fixes). - spi: tegra210-quad: add acpi support (jsc#SLE-24570) - spi: tegra210-quad: add new chips to compatible (jsc#SLE-24570) - spi: tegra210-quad: combined sequence mode (jsc#SLE-24570) - spi: tegra210-quad: use device_reset method (jsc#SLE-24570) - spi: tegra210-quad: use devm call for cdata memory (jsc#SLE-24570) - supported.conf: mark marvell octeontx2 crypto driver as supported (jsc#SLE-24682) Mark rvu_cptpf.ko and rvu_cptvf.ko as supported. - supported.conf: rvu_mbox as supported (jsc#SLE-24682) - sysctl: Fix data races in proc_dointvec() (git-fixes). - sysctl: Fix data races in proc_dointvec_jiffies() (git-fixes). - sysctl: Fix data races in proc_dointvec_minmax() (git-fixes). - sysctl: Fix data races in proc_douintvec() (git-fixes). - sysctl: Fix data races in proc_douintvec_minmax() (git-fixes). - sysctl: Fix data races in proc_doulongvec_minmax() (git-fixes). - sysctl: Fix data-races in proc_dointvec_ms_jiffies() (git-fixes). - sysctl: Fix data-races in proc_dou8vec_minmax() (git-fixes). - tee: fix put order in teedev_close_context() (git-fixes). - tty: serial: samsung_tty: set dma burst_size to 1 (git-fixes). - tun: fix bonding active backup with arp monitoring (git-fixes). - usb: dwc3: gadget: Fix event pending check (git-fixes). - usb: serial: ftdi_sio: add Belimo device ids (git-fixes). - usb: typec: add missing uevent when partner support PD (git-fixes). - usbnet: fix memoryleak in error case (git-fixes). - veth: Do not record rx queue hint in veth_xmit (git-fixes). - veth: ensure skb entering GRO are not cloned (git-fixes). - video: of_display_timing.h: include errno.h (git-fixes). - virtio_mmio: Add missing PM calls to freeze/restore (git-fixes). - virtio_mmio: Restore guest page size on resume (git-fixes). - vrf: Reset IPCB/IP6CB when processing outbound pkts in vrf dev xmit (git-fixes). - vt: fix memory overlapping when deleting chars in the buffer (git-fixes). - watchdog: export lockup_detector_reconfigure (bsc#1201846 ltc#198761). - wifi: mac80211: fix queue selection for mesh/OCB interfaces (git-fixes). - wifi: mac80211_hwsim: set virtio device ready in probe() (git-fixes). - x86/bugs: Remove apostrophe typo (bsc#1190497). Special Instructions and Notes: Please reboot the system after installing this update. Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - openSUSE Leap 15.4: zypper in -t patch openSUSE-SLE-15.4-2022-2803=1 - SUSE Linux Enterprise Workstation Extension 15-SP4: zypper in -t patch SUSE-SLE-Product-WE-15-SP4-2022-2803=1 - SUSE Linux Enterprise Module for Live Patching 15-SP4: zypper in -t patch SUSE-SLE-Module-Live-Patching-15-SP4-2022-2803=1 Please note that this is the initial kernel livepatch without fixes itself, this livepatch package is later updated by seperate standalone livepatch updates. - SUSE Linux Enterprise Module for Legacy Software 15-SP4: zypper in -t patch SUSE-SLE-Module-Legacy-15-SP4-2022-2803=1 - SUSE Linux Enterprise Module for Development Tools 15-SP4: zypper in -t patch SUSE-SLE-Module-Development-Tools-15-SP4-2022-2803=1 - SUSE Linux Enterprise Module for Basesystem 15-SP4: zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP4-2022-2803=1 - SUSE Linux Enterprise High Availability 15-SP4: zypper in -t patch SUSE-SLE-Product-HA-15-SP4-2022-2803=1 Package List: - openSUSE Leap 15.4 (aarch64 ppc64le s390x x86_64): cluster-md-kmp-default-5.14.21-150400.24.18.1 cluster-md-kmp-default-debuginfo-5.14.21-150400.24.18.1 dlm-kmp-default-5.14.21-150400.24.18.1 dlm-kmp-default-debuginfo-5.14.21-150400.24.18.1 gfs2-kmp-default-5.14.21-150400.24.18.1 gfs2-kmp-default-debuginfo-5.14.21-150400.24.18.1 kernel-default-5.14.21-150400.24.18.1 kernel-default-base-5.14.21-150400.24.18.1.150400.24.5.4 kernel-default-base-rebuild-5.14.21-150400.24.18.1.150400.24.5.4 kernel-default-debuginfo-5.14.21-150400.24.18.1 kernel-default-debugsource-5.14.21-150400.24.18.1 kernel-default-devel-5.14.21-150400.24.18.1 kernel-default-devel-debuginfo-5.14.21-150400.24.18.1 kernel-default-extra-5.14.21-150400.24.18.1 kernel-default-extra-debuginfo-5.14.21-150400.24.18.1 kernel-default-livepatch-5.14.21-150400.24.18.1 kernel-default-livepatch-devel-5.14.21-150400.24.18.1 kernel-default-optional-5.14.21-150400.24.18.1 kernel-default-optional-debuginfo-5.14.21-150400.24.18.1 kernel-obs-build-5.14.21-150400.24.18.1 kernel-obs-build-debugsource-5.14.21-150400.24.18.1 kernel-obs-qa-5.14.21-150400.24.18.1 kernel-syms-5.14.21-150400.24.18.1 kselftests-kmp-default-5.14.21-150400.24.18.1 kselftests-kmp-default-debuginfo-5.14.21-150400.24.18.1 ocfs2-kmp-default-5.14.21-150400.24.18.1 ocfs2-kmp-default-debuginfo-5.14.21-150400.24.18.1 reiserfs-kmp-default-5.14.21-150400.24.18.1 reiserfs-kmp-default-debuginfo-5.14.21-150400.24.18.1 - openSUSE Leap 15.4 (aarch64 ppc64le x86_64): kernel-kvmsmall-5.14.21-150400.24.18.1 kernel-kvmsmall-debuginfo-5.14.21-150400.24.18.1 kernel-kvmsmall-debugsource-5.14.21-150400.24.18.1 kernel-kvmsmall-devel-5.14.21-150400.24.18.1 kernel-kvmsmall-devel-debuginfo-5.14.21-150400.24.18.1 kernel-kvmsmall-livepatch-devel-5.14.21-150400.24.18.1 - openSUSE Leap 15.4 (ppc64le x86_64): kernel-debug-5.14.21-150400.24.18.1 kernel-debug-debuginfo-5.14.21-150400.24.18.1 kernel-debug-debugsource-5.14.21-150400.24.18.1 kernel-debug-devel-5.14.21-150400.24.18.1 kernel-debug-devel-debuginfo-5.14.21-150400.24.18.1 kernel-debug-livepatch-devel-5.14.21-150400.24.18.1 - openSUSE Leap 15.4 (aarch64): cluster-md-kmp-64kb-5.14.21-150400.24.18.1 cluster-md-kmp-64kb-debuginfo-5.14.21-150400.24.18.1 dlm-kmp-64kb-5.14.21-150400.24.18.1 dlm-kmp-64kb-debuginfo-5.14.21-150400.24.18.1 dtb-allwinner-5.14.21-150400.24.18.1 dtb-altera-5.14.21-150400.24.18.1 dtb-amazon-5.14.21-150400.24.18.1 dtb-amd-5.14.21-150400.24.18.1 dtb-amlogic-5.14.21-150400.24.18.1 dtb-apm-5.14.21-150400.24.18.1 dtb-apple-5.14.21-150400.24.18.1 dtb-arm-5.14.21-150400.24.18.1 dtb-broadcom-5.14.21-150400.24.18.1 dtb-cavium-5.14.21-150400.24.18.1 dtb-exynos-5.14.21-150400.24.18.1 dtb-freescale-5.14.21-150400.24.18.1 dtb-hisilicon-5.14.21-150400.24.18.1 dtb-lg-5.14.21-150400.24.18.1 dtb-marvell-5.14.21-150400.24.18.1 dtb-mediatek-5.14.21-150400.24.18.1 dtb-nvidia-5.14.21-150400.24.18.1 dtb-qcom-5.14.21-150400.24.18.1 dtb-renesas-5.14.21-150400.24.18.1 dtb-rockchip-5.14.21-150400.24.18.1 dtb-socionext-5.14.21-150400.24.18.1 dtb-sprd-5.14.21-150400.24.18.1 dtb-xilinx-5.14.21-150400.24.18.1 gfs2-kmp-64kb-5.14.21-150400.24.18.1 gfs2-kmp-64kb-debuginfo-5.14.21-150400.24.18.1 kernel-64kb-5.14.21-150400.24.18.1 kernel-64kb-debuginfo-5.14.21-150400.24.18.1 kernel-64kb-debugsource-5.14.21-150400.24.18.1 kernel-64kb-devel-5.14.21-150400.24.18.1 kernel-64kb-devel-debuginfo-5.14.21-150400.24.18.1 kernel-64kb-extra-5.14.21-150400.24.18.1 kernel-64kb-extra-debuginfo-5.14.21-150400.24.18.1 kernel-64kb-livepatch-devel-5.14.21-150400.24.18.1 kernel-64kb-optional-5.14.21-150400.24.18.1 kernel-64kb-optional-debuginfo-5.14.21-150400.24.18.1 kselftests-kmp-64kb-5.14.21-150400.24.18.1 kselftests-kmp-64kb-debuginfo-5.14.21-150400.24.18.1 ocfs2-kmp-64kb-5.14.21-150400.24.18.1 ocfs2-kmp-64kb-debuginfo-5.14.21-150400.24.18.1 reiserfs-kmp-64kb-5.14.21-150400.24.18.1 reiserfs-kmp-64kb-debuginfo-5.14.21-150400.24.18.1 - openSUSE Leap 15.4 (noarch): kernel-devel-5.14.21-150400.24.18.1 kernel-docs-5.14.21-150400.24.18.1 kernel-docs-html-5.14.21-150400.24.18.1 kernel-macros-5.14.21-150400.24.18.1 kernel-source-5.14.21-150400.24.18.1 kernel-source-vanilla-5.14.21-150400.24.18.1 - openSUSE Leap 15.4 (s390x): kernel-zfcpdump-5.14.21-150400.24.18.1 kernel-zfcpdump-debuginfo-5.14.21-150400.24.18.1 kernel-zfcpdump-debugsource-5.14.21-150400.24.18.1 - SUSE Linux Enterprise Workstation Extension 15-SP4 (x86_64): kernel-default-debuginfo-5.14.21-150400.24.18.1 kernel-default-debugsource-5.14.21-150400.24.18.1 kernel-default-extra-5.14.21-150400.24.18.1 kernel-default-extra-debuginfo-5.14.21-150400.24.18.1 - SUSE Linux Enterprise Module for Live Patching 15-SP4 (ppc64le s390x x86_64): kernel-default-debuginfo-5.14.21-150400.24.18.1 kernel-default-debugsource-5.14.21-150400.24.18.1 kernel-default-livepatch-5.14.21-150400.24.18.1 kernel-default-livepatch-devel-5.14.21-150400.24.18.1 kernel-livepatch-5_14_21-150400_24_18-default-1-150400.9.5.2 kernel-livepatch-5_14_21-150400_24_18-default-debuginfo-1-150400.9.5.2 kernel-livepatch-SLE15-SP4_Update_2-debugsource-1-150400.9.5.2 - SUSE Linux Enterprise Module for Legacy Software 15-SP4 (aarch64 ppc64le s390x x86_64): kernel-default-debuginfo-5.14.21-150400.24.18.1 kernel-default-debugsource-5.14.21-150400.24.18.1 reiserfs-kmp-default-5.14.21-150400.24.18.1 reiserfs-kmp-default-debuginfo-5.14.21-150400.24.18.1 - SUSE Linux Enterprise Module for Development Tools 15-SP4 (aarch64 ppc64le s390x x86_64): kernel-obs-build-5.14.21-150400.24.18.1 kernel-obs-build-debugsource-5.14.21-150400.24.18.1 kernel-syms-5.14.21-150400.24.18.1 - SUSE Linux Enterprise Module for Development Tools 15-SP4 (noarch): kernel-docs-5.14.21-150400.24.18.1 kernel-source-5.14.21-150400.24.18.1 - SUSE Linux Enterprise Module for Basesystem 15-SP4 (aarch64 ppc64le s390x x86_64): kernel-default-5.14.21-150400.24.18.1 kernel-default-base-5.14.21-150400.24.18.1.150400.24.5.4 kernel-default-debuginfo-5.14.21-150400.24.18.1 kernel-default-debugsource-5.14.21-150400.24.18.1 kernel-default-devel-5.14.21-150400.24.18.1 kernel-default-devel-debuginfo-5.14.21-150400.24.18.1 - SUSE Linux Enterprise Module for Basesystem 15-SP4 (aarch64): kernel-64kb-5.14.21-150400.24.18.1 kernel-64kb-debuginfo-5.14.21-150400.24.18.1 kernel-64kb-debugsource-5.14.21-150400.24.18.1 kernel-64kb-devel-5.14.21-150400.24.18.1 kernel-64kb-devel-debuginfo-5.14.21-150400.24.18.1 - SUSE Linux Enterprise Module for Basesystem 15-SP4 (noarch): kernel-devel-5.14.21-150400.24.18.1 kernel-macros-5.14.21-150400.24.18.1 - SUSE Linux Enterprise Module for Basesystem 15-SP4 (s390x): kernel-zfcpdump-5.14.21-150400.24.18.1 kernel-zfcpdump-debuginfo-5.14.21-150400.24.18.1 kernel-zfcpdump-debugsource-5.14.21-150400.24.18.1 - SUSE Linux Enterprise High Availability 15-SP4 (aarch64 ppc64le s390x x86_64): cluster-md-kmp-default-5.14.21-150400.24.18.1 cluster-md-kmp-default-debuginfo-5.14.21-150400.24.18.1 dlm-kmp-default-5.14.21-150400.24.18.1 dlm-kmp-default-debuginfo-5.14.21-150400.24.18.1 gfs2-kmp-default-5.14.21-150400.24.18.1 gfs2-kmp-default-debuginfo-5.14.21-150400.24.18.1 kernel-default-debuginfo-5.14.21-150400.24.18.1 kernel-default-debugsource-5.14.21-150400.24.18.1 ocfs2-kmp-default-5.14.21-150400.24.18.1 ocfs2-kmp-default-debuginfo-5.14.21-150400.24.18.1 References: https://www.suse.com/security/cve/CVE-2021-33655.html https://www.suse.com/security/cve/CVE-2022-21505.html https://www.suse.com/security/cve/CVE-2022-2585.html https://www.suse.com/security/cve/CVE-2022-26373.html https://www.suse.com/security/cve/CVE-2022-29581.html https://bugzilla.suse.com/1190256 https://bugzilla.suse.com/1190497 https://bugzilla.suse.com/1199291 https://bugzilla.suse.com/1199356 https://bugzilla.suse.com/1199665 https://bugzilla.suse.com/1201258 https://bugzilla.suse.com/1201323 https://bugzilla.suse.com/1201391 https://bugzilla.suse.com/1201458 https://bugzilla.suse.com/1201592 https://bugzilla.suse.com/1201593 https://bugzilla.suse.com/1201595 https://bugzilla.suse.com/1201596 https://bugzilla.suse.com/1201635 https://bugzilla.suse.com/1201651 https://bugzilla.suse.com/1201691 https://bugzilla.suse.com/1201705 https://bugzilla.suse.com/1201726 https://bugzilla.suse.com/1201846 https://bugzilla.suse.com/1201930 https://bugzilla.suse.com/1202094 . Important notification for SUSE Linux Kernel resolving 5 vulnerabilities and implementing 16 corrections. Restart required post-installation.. SUSE Linux,kernel security,update issues,patch details,security fixes. . Severity: Important. LinuxSecurity.com Team
Aug 12, 2022
•Important
SuSE
100
security advisorylocal privilege escalationkernel patchSUSE: 2021:2538-1 Important: Linux Kernel Patch Addresses Three Issues
An update that fixes three vulnerabilities is now available. . SUSE Security Update: Security update for the Linux Kernel (Live Patch 36 for SLE 12 SP3) ______________________________________________________________________________ Announcement ID: SUSE-SU-2021:2538-1 Rating: important References: #1187052 #1188117 #1188257 Cross-References: CVE-2020-36385 CVE-2021-22555 CVE-2021-33909 CVSS scores: CVE-2020-36385 (NVD) : 7.8 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H CVE-2020-36385 (SUSE): 8.4 CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVE-2021-22555 (NVD) : 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVE-2021-22555 (SUSE): 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVE-2021-33909 (SUSE): 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H Affected Products: SUSE Linux Enterprise Server for SAP 12-SP3 SUSE Linux Enterprise Server 12-SP3-LTSS SUSE Linux Enterprise Module for Live Patching 15-SP2 SUSE Linux Enterprise Module for Live Patching 15-SP1 SUSE Linux Enterprise Module for Live Patching 15 SUSE Linux Enterprise Live Patching 12-SP5 SUSE Linux Enterprise Live Patching 12-SP4 ______________________________________________________________________________ An update that fixes three vulnerabilities is now available. Description: This update for the Linux Kernel 4.4.180-94_135 fixes several issues. The following security issues were fixed: - CVE-2021-33909: Fixed an out-of-bounds write in the filesystem layer that allows to andobtain full root privileges. (bsc#1188062) - CVE-2021-22555: Fixed an heap out-of-bounds write in net/netfilter/x_tables.c that could allow local provilege escalation. (bsc#1188116) - CVE-2020-36385: Fixed a use-after-free vulnerability reached viathe ctx_list in some ucma_migrate_id situations where ucma_close is called. (bnc#1187050) Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Server for SAP 12-SP3: zypper in -t patch SUSE-SLE-SAP-12-SP3-2021-2535=1 SUSE-SLE-SAP-12-SP3-2021-2536=1 SUSE-SLE-SAP-12-SP3-2021-2537=1 SUSE-SLE-SAP-12-SP3-2021-2538=1 SUSE-SLE-SAP-12-SP3-2021-2539=1 SUSE-SLE-SAP-12-SP3-2021-2540=1 - SUSE Linux Enterprise Server 12-SP3-LTSS: zypper in -t patch SUSE-SLE-SERVER-12-SP3-2021-2535=1 SUSE-SLE-SERVER-12-SP3-2021-2536=1 SUSE-SLE-SERVER-12-SP3-2021-2537=1 SUSE-SLE-SERVER-12-SP3-2021-2538=1 SUSE-SLE-SERVER-12-SP3-2021-2539=1 SUSE-SLE-SERVER-12-SP3-2021-2540=1 - SUSE Linux Enterprise Module for Live Patching 15-SP2: zypper in -t patch SUSE-SLE-Module-Live-Patching-15-SP2-2021-2488=1 SUSE-SLE-Module-Live-Patching-15-SP2-2021-2489=1 SUSE-SLE-Module-Live-Patching-15-SP2-2021-2490=1 SUSE-SLE-Module-Live-Patching-15-SP2-2021-2491=1 SUSE-SLE-Module-Live-Patching-15-SP2-2021-2492=1 SUSE-SLE-Module-Live-Patching-15-SP2-2021-2493=1 SUSE-SLE-Module-Live-Patching-15-SP2-2021-2494=1 SUSE-SLE-Module-Live-Patching-15-SP2-2021-2495=1 SUSE-SLE-Module-Live-Patching-15-SP2-2021-2496=1 SUSE-SLE-Module-Live-Patching-15-SP2-2021-2497=1 SUSE-SLE-Module-Live-Patching-15-SP2-2021-2498=1 SUSE-SLE-Module-Live-Patching-15-SP2-2021-2499=1 - SUSE Linux Enterprise Module for Live Patching 15-SP1: zypper in -t patch SUSE-SLE-Module-Live-Patching-15-SP1-2021-2500=1 SUSE-SLE-Module-Live-Patching-15-SP1-2021-2501=1 SUSE-SLE-Module-Live-Patching-15-SP1-2021-2502=1 SUSE-SLE-Module-Live-Patching-15-SP1-2021-2503=1 SUSE-SLE-Module-Live-Patching-15-SP1-2021-2504=1 SUSE-SLE-Module-Live-Patching-15-SP1-2021-2505=1 SUSE-SLE-Module-Live-Patching-15-SP1-2021-2506=1 SUSE-SLE-Module-Live-Patching-15-SP1-2021-2507=1SUSE-SLE-Module-Live-Patching-15-SP1-2021-2508=1 - SUSE Linux Enterprise Module for Live Patching 15: zypper in -t patch SUSE-SLE-Module-Live-Patching-15-2021-2509=1 SUSE-SLE-Module-Live-Patching-15-2021-2510=1 SUSE-SLE-Module-Live-Patching-15-2021-2511=1 SUSE-SLE-Module-Live-Patching-15-2021-2512=1 SUSE-SLE-Module-Live-Patching-15-2021-2513=1 SUSE-SLE-Module-Live-Patching-15-2021-2514=1 - SUSE Linux Enterprise Live Patching 12-SP5: zypper in -t patch SUSE-SLE-Live-Patching-12-SP5-2021-2515=1 SUSE-SLE-Live-Patching-12-SP5-2021-2516=1 SUSE-SLE-Live-Patching-12-SP5-2021-2517=1 SUSE-SLE-Live-Patching-12-SP5-2021-2518=1 SUSE-SLE-Live-Patching-12-SP5-2021-2519=1 SUSE-SLE-Live-Patching-12-SP5-2021-2520=1 SUSE-SLE-Live-Patching-12-SP5-2021-2521=1 SUSE-SLE-Live-Patching-12-SP5-2021-2522=1 SUSE-SLE-Live-Patching-12-SP5-2021-2523=1 SUSE-SLE-Live-Patching-12-SP5-2021-2524=1 SUSE-SLE-Live-Patching-12-SP5-2021-2525=1 SUSE-SLE-Live-Patching-12-SP5-2021-2526=1 SUSE-SLE-Live-Patching-12-SP5-2021-2527=1 SUSE-SLE-Live-Patching-12-SP5-2021-2528=1 - SUSE Linux Enterprise Live Patching 12-SP4: zypper in -t patch SUSE-SLE-Live-Patching-12-SP4-2021-2529=1 SUSE-SLE-Live-Patching-12-SP4-2021-2530=1 SUSE-SLE-Live-Patching-12-SP4-2021-2531=1 SUSE-SLE-Live-Patching-12-SP4-2021-2532=1 SUSE-SLE-Live-Patching-12-SP4-2021-2533=1 SUSE-SLE-Live-Patching-12-SP4-2021-2534=1 Package List: - SUSE Linux Enterprise Server for SAP 12-SP3 (ppc64le x86_64): kgraft-patch-4_4_180-94_127-default-13-2.2 kgraft-patch-4_4_180-94_127-default-debuginfo-13-2.2 kgraft-patch-4_4_180-94_130-default-12-2.2 kgraft-patch-4_4_180-94_130-default-debuginfo-12-2.2 kgraft-patch-4_4_180-94_135-default-10-2.2 kgraft-patch-4_4_180-94_135-default-debuginfo-10-2.2 kgraft-patch-4_4_180-94_138-default-8-2.2 kgraft-patch-4_4_180-94_138-default-debuginfo-8-2.2 kgraft-patch-4_4_180-94_141-default-7-2.2 kgraft-patch-4_4_180-94_141-default-debuginfo-7-2.2 kgraft-patch-4_4_180-94_144-default-4-2.1 kgraft-patch-4_4_180-94_144-default-debuginfo-4-2.1 - SUSE Linux Enterprise Server 12-SP3-LTSS (ppc64le x86_64): kgraft-patch-4_4_180-94_127-default-13-2.2 kgraft-patch-4_4_180-94_127-default-debuginfo-13-2.2 kgraft-patch-4_4_180-94_130-default-12-2.2 kgraft-patch-4_4_180-94_130-default-debuginfo-12-2.2 kgraft-patch-4_4_180-94_135-default-10-2.2 kgraft-patch-4_4_180-94_135-default-debuginfo-10-2.2 kgraft-patch-4_4_180-94_138-default-8-2.2 kgraft-patch-4_4_180-94_138-default-debuginfo-8-2.2 kgraft-patch-4_4_180-94_141-default-7-2.2 kgraft-patch-4_4_180-94_141-default-debuginfo-7-2.2 kgraft-patch-4_4_180-94_144-default-4-2.1 kgraft-patch-4_4_180-94_144-default-debuginfo-4-2.1 - SUSE Linux Enterprise Module for Live Patching 15-SP2 (ppc64le s390x x86_64): kernel-livepatch-5_3_18-22-default-14-5.2 kernel-livepatch-5_3_18-22-default-debuginfo-14-5.2 kernel-livepatch-5_3_18-24_12-default-12-2.2 kernel-livepatch-5_3_18-24_12-default-debuginfo-12-2.2 kernel-livepatch-5_3_18-24_15-default-12-2.2 kernel-livepatch-5_3_18-24_15-default-debuginfo-12-2.2 kernel-livepatch-5_3_18-24_24-default-12-2.2 kernel-livepatch-5_3_18-24_24-default-debuginfo-12-2.2 kernel-livepatch-5_3_18-24_29-default-10-2.2 kernel-livepatch-5_3_18-24_29-default-debuginfo-10-2.2 kernel-livepatch-5_3_18-24_34-default-10-2.2 kernel-livepatch-5_3_18-24_34-default-debuginfo-10-2.2 kernel-livepatch-5_3_18-24_37-default-10-2.2 kernel-livepatch-5_3_18-24_37-default-debuginfo-10-2.2 kernel-livepatch-5_3_18-24_52-default-7-2.2 kernel-livepatch-5_3_18-24_52-default-debuginfo-7-2.2 kernel-livepatch-5_3_18-24_61-default-4-2.1 kernel-livepatch-5_3_18-24_61-default-debuginfo-4-2.1 kernel-livepatch-5_3_18-24_64-default-4-2.1 kernel-livepatch-5_3_18-24_64-default-debuginfo-4-2.1 kernel-livepatch-5_3_18-24_67-default-2-2.1 kernel-livepatch-5_3_18-24_67-default-debuginfo-2-2.1 kernel-livepatch-5_3_18-24_9-default-13-2.2 kernel-livepatch-5_3_18-24_9-default-debuginfo-13-2.2 kernel-livepatch-SLE15-SP2_Update_0-debugsource-14-5.2 kernel-livepatch-SLE15-SP2_Update_1-debugsource-13-2.2 kernel-livepatch-SLE15-SP2_Update_11-debugsource-7-2.2 kernel-livepatch-SLE15-SP2_Update_12-debugsource-4-2.1 kernel-livepatch-SLE15-SP2_Update_13-debugsource-4-2.1 kernel-livepatch-SLE15-SP2_Update_14-debugsource-2-2.1 kernel-livepatch-SLE15-SP2_Update_2-debugsource-12-2.2 kernel-livepatch-SLE15-SP2_Update_3-debugsource-12-2.2 kernel-livepatch-SLE15-SP2_Update_4-debugsource-12-2.2 kernel-livepatch-SLE15-SP2_Update_5-debugsource-10-2.2 kernel-livepatch-SLE15-SP2_Update_6-debugsource-10-2.2 kernel-livepatch-SLE15-SP2_Update_7-debugsource-10-2.2 - SUSE Linux Enterprise Module for Live Patching 15-SP1 (ppc64le x86_64): kernel-livepatch-4_12_14-197_48-default-13-2.2 kernel-livepatch-4_12_14-197_51-default-13-2.2 kernel-livepatch-4_12_14-197_61-default-11-2.2 kernel-livepatch-4_12_14-197_64-default-10-2.2 kernel-livepatch-4_12_14-197_67-default-10-2.2 kernel-livepatch-4_12_14-197_75-default-9-2.2 kernel-livepatch-4_12_14-197_86-default-7-2.2 kernel-livepatch-4_12_14-197_89-default-4-2.1 kernel-livepatch-4_12_14-197_92-default-3-2.1 - SUSE Linux Enterprise Module for Live Patching 15 (ppc64le x86_64): kernel-livepatch-4_12_14-150_55-default-13-2.2 kernel-livepatch-4_12_14-150_55-default-debuginfo-13-2.2 kernel-livepatch-4_12_14-150_58-default-12-2.2 kernel-livepatch-4_12_14-150_58-default-debuginfo-12-2.2 kernel-livepatch-4_12_14-150_63-default-10-2.2 kernel-livepatch-4_12_14-150_63-default-debuginfo-10-2.2 kernel-livepatch-4_12_14-150_66-default-8-2.2 kernel-livepatch-4_12_14-150_66-default-debuginfo-8-2.2 kernel-livepatch-4_12_14-150_69-default-7-2.2 kernel-livepatch-4_12_14-150_69-default-debuginfo-7-2.2 kernel-livepatch-4_12_14-150_72-default-4-2.1 kernel-livepatch-4_12_14-150_72-default-debuginfo-4-2.1 - SUSE Linux Enterprise Live Patching 12-SP5 (ppc64le s390x x86_64): kgraft-patch-4_12_14-122_29-default-15-2.2 kgraft-patch-4_12_14-122_32-default-15-2.2 kgraft-patch-4_12_14-122_37-default-14-2.2 kgraft-patch-4_12_14-122_41-default-13-2.2 kgraft-patch-4_12_14-122_46-default-11-2.2 kgraft-patch-4_12_14-122_51-default-11-2.2 kgraft-patch-4_12_14-122_54-default-9-2.2 kgraft-patch-4_12_14-122_57-default-9-2.2 kgraft-patch-4_12_14-122_60-default-8-2.2 kgraft-patch-4_12_14-122_63-default-7-2.2 kgraft-patch-4_12_14-122_66-default-5-2.1 kgraft-patch-4_12_14-122_71-default-4-2.1 kgraft-patch-4_12_14-122_74-default-2-2.1 kgraft-patch-4_12_14-122_77-default-2-2.1 - SUSE Linux Enterprise Live Patching 12-SP4 (ppc64le s390x x86_64): kgraft-patch-4_12_14-95_57-default-13-2.2 kgraft-patch-4_12_14-95_60-default-12-2.2 kgraft-patch-4_12_14-95_65-default-9-2.2 kgraft-patch-4_12_14-95_71-default-7-2.2 kgraft-patch-4_12_14-95_74-default-4-2.1 kgraft-patch-4_12_14-95_77-default-3-2.1 References: https://www.suse.com/security/cve/CVE-2020-36385.html https://www.suse.com/security/cve/CVE-2021-22555.html https://www.suse.com/security/cve/CVE-2021-33909.html https://bugzilla.suse.com/1187052 https://bugzilla.suse.com/1188117 https://bugzilla.suse.com/1188257 . Shielding SUSE Linux Kernel: Crucial patch resolves three critical vulnerabilities posing a major risk. Discover more!. SUSE Linux Update, Kernel Security Patch, Threat Mitigation. . Severity: Important. LinuxSecurity.com Team
Jul 27, 2021
•Important
SuSE
91
security advisoryhigh severitygentooGentoo: GLSA-202007-25 High: arpwatch Local Privilege Escalation
A vulnerability was discovered in arpwatch which may allow local attackers to gain root privileges.. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Gentoo Linux Security Advisory GLSA 202007-25 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - https://security.gentoo.org/ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Severity: High Title: arpwatch: Root privilege escalation Date: July 27, 2020 Bugs: #602552 ID: 202007-25 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Synopsis ======= A vulnerability was discovered in arpwatch which may allow local attackers to gain root privileges. Background ========= The ethernet monitor program; for keeping track of ethernet/ip address pairings. Affected packages ================ ------------------------------------------------------------------- Package / Vulnerable / Unaffected ------------------------------------------------------------------- 1 net-analyzer/arpwatch < 2.1.15-r11 > = 2.1.15-r11 Description ========== It was discovered that Gentoo’s arpwatch ebuild made excessive permission operations on its data directories, possibly changing ownership of unintended files. This only affects OpenRC systems, as the flaw was exploitable via the init script. Impact ===== A local attacker could escalate privileges. Workaround ========= There is no known workaround at this time. Resolution ========= All arpwatch users should upgrade to the latest version: # emerge --sync # emerge --ask --oneshot -v "> =net-analyzer/arpwatch-2.1.15-r11" References ========= Availability =========== This GLSA and any updates to it are available for viewing at the Gentoo Security Website: https://security.gentoo.org/glsa/202007-25 Concerns? ======== Security is a primary focus of Gentoo Linux and ensuring the confidentialityand security of our users' machines is of utmost importance to us. Any security concerns should be addressed to
Jul 26, 2020
Gentoo
100
security advisoryaccess controlkernel patchSUSE: 2016:0746-1 Important: Kernel Live Patch Critical Issues
An update that fixes two vulnerabilities is now available. An update that fixes two vulnerabilities is now available. An update that fixes two vulnerabilities is now available.. SUSE Security Update: Security update for kernel live patch 4 ______________________________________________________________________________ Announcement ID: SUSE-SU-2016:0746-1 Rating: important References: #955837 #962078 Cross-References: CVE-2013-7446 CVE-2016-0728 Affected Products: SUSE Linux Enterprise Live Patching 12 ______________________________________________________________________________ An update that fixes two vulnerabilities is now available. Description: This kernel live patch for Linux Kernel 3.12.39-47.1 fixes two security issues: Fixes: - CVE-2016-0728: A reference leak in keyring handling with join_session_keyring() could lead to local attackers gain root privileges. (bsc#962078). - CVE-2013-7446: Use-after-free vulnerability in net/unix/af_unix.c in the Linux kernel allowed local users to bypass intended AF_UNIX socket permissions or cause a denial of service (panic) via crafted epoll_ctl calls. (bsc#955837) Patch Instructions: To install this SUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Live Patching 12: zypper in -t patch SUSE-SLE-Live-Patching-12-2016-431=1 To bring your system up-to-date, use "zypper patch". Package List: - SUSE Linux Enterprise Live Patching 12 (x86_64): kgraft-patch-3_12_39-47-default-5-2.1 kgraft-patch-3_12_39-47-xen-5-2.1 References: https://www.suse.com/security/cve/CVE-2013-7446.html https://www.suse.com/security/cve/CVE-2016-0728.html https://bugzilla.suse.com/955837 https://bugzilla.suse.com/962078 . SUSE Security Update resolves essential vulnerabilities within kernel live patches, reinforcing overall system security and access management..Kernel Live Patching, SUSE Security Advisory, Linux Patch Update. . Severity: Important. LinuxSecurity.com Team
Mar 14, 2016
•Important
SuSE
87
security advisorydebianattackDebian: DSA-3357-1 Moderate: Vzctl Local Root Access Threat
It was discovered that vzctl, a set of control tools for the OpenVZ server virtualisation solution, determined the storage layout of containers based on the presense of an XML file inside the container. An attacker with local root privileges in a simfs-based container . -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 - ------------------------------------------------------------------------- Debian Security Advisory DSA-3357-1
Sep 13, 2015
•Important
Debian
172
security advisorydenial of serviceubuntuUbuntu 10.10 USN-1202-1 Critical: Kernel Flaws Addressed
Multiple kernel flaws have been fixed.. =========================================================================Ubuntu Security Notice USN-1202-1 September 13, 2011 linux-ti-omap4 vulnerabilities ========================================================================= A security issue affects these releases of Ubuntu and its derivatives: - Ubuntu 10.10 Summary: Multiple kernel flaws have been fixed. Software Description: - linux-ti-omap4: Linux kernel for OMAP4 Details: Dan Rosenberg discovered that several network ioctls did not clear kernel memory correctly. A local user could exploit this to read kernel stack memory, leading to a loss of privacy. (CVE-2010-3296, CVE-2010-3297) Brad Spengler discovered that stack memory for new a process was not correctly calculated. A local attacker could exploit this to crash the system, leading to a denial of service. (CVE-2010-3858) Dan Rosenberg discovered that the Linux kernel TIPC implementation contained multiple integer signedness errors. A local attacker could exploit this to gain root privileges. (CVE-2010-3859) Dan Rosenberg discovered that the CAN protocol on 64bit systems did not correctly calculate the size of certain buffers. A local attacker could exploit this to crash the system or possibly execute arbitrary code as the root user. (CVE-2010-3874) Nelson Elhage discovered that the Linux kernel IPv4 implementation did not properly audit certain bytecodes in netlink messages. A local attacker could exploit this to cause the kernel to hang, leading to a denial of service. (CVE-2010-3880) Dan Rosenberg discovered that IPC structures were not correctly initialized on 64bit systems. A local attacker could exploit this to read kernel stack memory, leading to a loss of privacy. (CVE-2010-4073) Dan Rosenberg discovered that multiple terminal ioctls did not correctly initialize structure memory. A local attacker could exploit this to read portions of kernel stack memory, leading to a loss ofprivacy. (CVE-2010-4075, CVE-2010-4076, CVE-2010-4077) Dan Rosenberg discovered that the RME Hammerfall DSP audio interface driver did not correctly clear kernel memory. A local attacker could exploit this to read kernel stack memory, leading to a loss of privacy. (CVE-2010-4080, CVE-2010-4081) Dan Rosenberg discovered that the VIA video driver did not correctly clear kernel memory. A local attacker could exploit this to read kernel stack memory, leading to a loss of privacy. (CVE-2010-4082) Dan Rosenberg discovered that the semctl syscall did not correctly clear kernel memory. A local attacker could exploit this to read kernel stack memory, leading to a loss of privacy. (CVE-2010-4083) James Bottomley discovered that the ICP vortex storage array controller driver did not validate certain sizes. A local attacker on a 64bit system could exploit this to crash the kernel, leading to a denial of service. (CVE-2010-4157) Dan Rosenberg discovered that the Linux kernel L2TP implementation contained multiple integer signedness errors. A local attacker could exploit this to to crash the kernel, or possibly gain root privileges. (CVE-2010-4160) Dan Rosenberg discovered that certain iovec operations did not calculate page counts correctly. A local attacker could exploit this to crash the system, leading to a denial of service. (CVE-2010-4162) Dan Rosenberg discovered that the SCSI subsystem did not correctly validate iov segments. A local attacker with access to a SCSI device could send specially crafted requests to crash the system, leading to a denial of service. (CVE-2010-4163, CVE-2010-4668) Dave Jones discovered that the mprotect system call did not correctly handle merged VMAs. A local attacker could exploit this to crash the system, leading to a denial of service. (CVE-2010-4169) Dan Rosenberg discovered that the RDS protocol did not correctly check ioctl arguments. A local attacker could exploit this to crash the system, leading to a denial of service.(CVE-2010-4175) Alan Cox discovered that the HCI UART driver did not correctly check if a write operation was available. If the mmap_min-addr sysctl was changed from the Ubuntu default to a value of 0, a local attacker could exploit this flaw to gain root privileges. (CVE-2010-4242) Brad Spengler discovered that the kernel did not correctly account for userspace memory allocations during exec() calls. A local attacker could exploit this to consume all system memory, leading to a denial of service. (CVE-2010-4243) It was discovered that multithreaded exec did not handle CPU timers correctly. A local attacker could exploit this to crash the system, leading to a denial of service. (CVE-2010-4248) It was discovered that named pipes did not correctly handle certain fcntl calls. A local attacker could exploit this to crash the system, leading to a denial of service. (CVE-2010-4256) Dan Rosenburg discovered that the CAN subsystem leaked kernel addresses into the /proc filesystem. A local attacker could use this to increase the chances of a successful memory corruption exploit. (CVE-2010-4565) Dan Carpenter discovered that the Infiniband driver did not correctly handle certain requests. A local user could exploit this to crash the system or potentially gain root privileges. (CVE-2010-4649, CVE-2011-1044) Kees Cook discovered that some ethtool functions did not correctly clear heap memory. A local attacker with CAP_NET_ADMIN privileges could exploit this to read portions of kernel heap memory, leading to a loss of privacy. (CVE-2010-4655) Kees Cook discovered that the IOWarrior USB device driver did not correctly check certain size fields. A local attacker with physical access could plug in a specially crafted USB device to crash the system or potentially gain root privileges. (CVE-2010-4656) Goldwyn Rodrigues discovered that the OCFS2 filesystem did not correctly clear memory when writing certain file holes. A local attacker could exploit this to read uninitialized datafrom the disk, leading to a loss of privacy. (CVE-2011-0463) Dan Carpenter discovered that the TTPCI DVB driver did not check certain values during an ioctl. If the dvb-ttpci module was loaded, a local attacker could exploit this to crash the system, leading to a denial of service, or possibly gain root privileges. (CVE-2011-0521) Jens Kuehnel discovered that the InfiniBand driver contained a race condition. On systems using InfiniBand, a local attacker could send specially crafted requests to crash the system, leading to a denial of service. (CVE-2011-0695) Dan Rosenberg discovered that XFS did not correctly initialize memory. A local attacker could make crafted ioctl calls to leak portions of kernel stack memory, leading to a loss of privacy. (CVE-2011-0711) Rafael Dominguez Vega discovered that the caiaq Native Instruments USB driver did not correctly validate string lengths. A local attacker with physical access could plug in a specially crafted USB device to crash the system or potentially gain root privileges. (CVE-2011-0712) Kees Cook reported that /proc/pid/stat did not correctly filter certain memory locations. A local attacker could determine the memory layout of processes in an attempt to increase the chances of a successful memory corruption exploit. (CVE-2011-0726) Timo Warns discovered that MAC partition parsing routines did not correctly calculate block counts. A local attacker with physical access could plug in a specially crafted block device to crash the system or potentially gain root privileges. (CVE-2011-1010) Timo Warns discovered that LDM partition parsing routines did not correctly calculate block counts. A local attacker with physical access could plug in a specially crafted block device to crash the system, leading to a denial of service. (CVE-2011-1012) Matthiew Herrb discovered that the drm modeset interface did not correctly handle a signed comparison. A local attacker could exploit this to crash the system or possibly gain rootprivileges. (CVE-2011-1013) Marek Olšák discovered that the Radeon GPU drivers did not correctly validate certain registers. On systems with specific hardware, a local attacker could exploit this to write to arbitrary video memory. (CVE-2011-1016) Timo Warns discovered that the LDM disk partition handling code did not correctly handle certain values. By inserting a specially crafted disk device, a local attacker could exploit this to gain root privileges. (CVE-2011-1017) Vasiliy Kulikov discovered that the CAP_SYS_MODULE capability was not needed to load kernel modules. A local attacker with the CAP_NET_ADMIN capability could load existing kernel modules, possibly increasing the attack surface available on the system. (CVE-2011-1019) It was discovered that the /proc filesystem did not correctly handle permission changes when programs executed. A local attacker could hold open files to examine details about programs running with higher privileges, potentially increasing the chances of exploiting additional vulnerabilities. (CVE-2011-1020) Vasiliy Kulikov discovered that the Bluetooth stack did not correctly clear memory. A local attacker could exploit this to read kernel stack memory, leading to a loss of privacy. (CVE-2011-1078) Vasiliy Kulikov discovered that the Bluetooth stack did not correctly check that device name strings were NULL terminated. A local attacker could exploit this to crash the system, leading to a denial of service, or leak contents of kernel stack memory, leading to a loss of privacy. (CVE-2011-1079) Vasiliy Kulikov discovered that bridge network filtering did not check that name fields were NULL terminated. A local attacker could exploit this to leak contents of kernel stack memory, leading to a loss of privacy. (CVE-2011-1080) Nelson Elhage discovered that the epoll subsystem did not correctly handle certain structures. A local attacker could create malicious requests that would hang the system, leading to a denial of service.(CVE-2011-1082) Neil Horman discovered that NFSv4 did not correctly handle certain orders of operation with ACL data. A remote attacker with access to an NFSv4 mount could exploit this to crash the system, leading to a denial of service. (CVE-2011-1090) Johan Hovold discovered that the DCCP network stack did not correctly handle certain packet combinations. A remote attacker could send specially crafted network traffic that would crash the system, leading to a denial of service. (CVE-2011-1093) Peter Huewe discovered that the TPM device did not correctly initialize memory. A local attacker could exploit this to read kernel heap memory contents, leading to a loss of privacy. (CVE-2011-1160) Timo Warns discovered that OSF partition parsing routines did not correctly clear memory. A local attacker with physical access could plug in a specially crafted block device to read kernel memory, leading to a loss of privacy. (CVE-2011-1163) Dan Rosenberg discovered that some ALSA drivers did not correctly check the adapter index during ioctl calls. If this driver was loaded, a local attacker could make a specially crafted ioctl call to gain root privileges. (CVE-2011-1169) Vasiliy Kulikov discovered that the netfilter code did not check certain strings copied from userspace. A local attacker with netfilter access could exploit this to read kernel memory or crash the system, leading to a denial of service. (CVE-2011-1170, CVE-2011-1171, CVE-2011-1172, CVE-2011-2534) Vasiliy Kulikov discovered that the Acorn Universal Networking driver did not correctly initialize memory. A remote attacker could send specially crafted traffic to read kernel stack memory, leading to a loss of privacy. (CVE-2011-1173) Dan Rosenberg discovered that the IRDA subsystem did not correctly check certain field sizes. If a system was using IRDA, a remote attacker could send specially crafted traffic to crash the system or gain root privileges. (CVE-2011-1180) Julien Tinnes discovered that the kernel didnot correctly validate the signal structure from tkill(). A local attacker could exploit this to send signals to arbitrary threads, possibly bypassing expected restrictions. (CVE-2011-1182) Ryan Sweat discovered that the GRO code did not correctly validate memory. In some configurations on systems using VLANs, a remote attacker could send specially crafted traffic to crash the system, leading to a denial of service. (CVE-2011-1478) Dan Rosenberg discovered that the X.25 Rose network stack did not correctly handle certain fields. If a system was running with Rose enabled, a remote attacker could send specially crafted traffic to gain root privileges. (CVE-2011-1493) Dan Rosenberg discovered that MPT devices did not correctly validate certain values in ioctl calls. If these drivers were loaded, a local attacker could exploit this to read arbitrary kernel memory, leading to a loss of privacy. (CVE-2011-1494, CVE-2011-1495) Timo Warns discovered that the GUID partition parsing routines did not correctly validate certain structures. A local attacker with physical access could plug in a specially crafted block device to crash the system, leading to a denial of service. (CVE-2011-1577) Tavis Ormandy discovered that the pidmap function did not correctly handle large requests. A local attacker could exploit this to crash the system, leading to a denial of service. (CVE-2011-1593) Oliver Hartkopp and Dave Jones discovered that the CAN network driver did not correctly validate certain socket structures. If this driver was loaded, a local attacker could crash the system, leading to a denial of service. (CVE-2011-1598, CVE-2011-1748) Vasiliy Kulikov discovered that the AGP driver did not check certain ioctl values. A local attacker with access to the video subsystem could exploit this to crash the system, leading to a denial of service, or possibly gain root privileges. (CVE-2011-1745, CVE-2011-2022) Vasiliy Kulikov discovered that the AGP driver did not check the sizeof certain memory allocations. A local attacker with access to the video subsystem could exploit this to run the system out of memory, leading to a denial of service. (CVE-2011-1746) Dan Rosenberg discovered that the DCCP stack did not correctly handle certain packet structures. A remote attacker could exploit this to crash the system, leading to a denial of service. (CVE-2011-1770) Vasiliy Kulikov and Dan Rosenberg discovered that ecryptfs did not correctly check the origin of mount points. A local attacker could exploit this to trick the system into unmounting arbitrary mount points, leading to a denial of service. (CVE-2011-1833) Vasiliy Kulikov discovered that taskstats listeners were not correctly handled. A local attacker could expoit this to exhaust memory and CPU resources, leading to a denial of service. (CVE-2011-2484) It was discovered that Bluetooth l2cap and rfcomm did not correctly initialize structures. A local attacker could exploit this to read portions of the kernel stack, leading to a loss of privacy. (CVE-2011-2492) Fernando Gont discovered that the IPv6 stack used predictable fragment identification numbers. A remote attacker could exploit this to exhaust network resources, leading to a denial of service. (CVE-2011-2699) The performance counter subsystem did not correctly handle certain counters. A local attacker could exploit this to crash the system, leading to a denial of service. (CVE-2011-2918) Update instructions: The problem can be corrected by updating your system to the following package versions: Ubuntu 10.10: linux-image-2.6.35-903-omap4 2.6.35-903.24 After a standard system update you need to reboot your computer to make all the necessary changes. References: https://ubuntu.com/security/notices/USN-1202-1 CVE-2010-3296, CVE-2010-3297, CVE-2010-3858, CVE-2010-3859, CVE-2010-3874, CVE-2010-3880, CVE-2010-4073, CVE-2010-4075, CVE-2010-4076, CVE-2010-4077, CVE-2010-4080, CVE-2010-4081, CVE-2010-4082,CVE-2010-4083, CVE-2010-4157, CVE-2010-4160, CVE-2010-4162, CVE-2010-4163, CVE-2010-4169, CVE-2010-4175, CVE-2010-4242, CVE-2010-4243, CVE-2010-4248, CVE-2010-4256, CVE-2010-4565, CVE-2010-4649, CVE-2010-4655, CVE-2010-4656, CVE-2010-4668, CVE-2011-0463, CVE-2011-0521, CVE-2011-0695, CVE-2011-0711, CVE-2011-0712, CVE-2011-0726, CVE-2011-1010, CVE-2011-1012, CVE-2011-1013, CVE-2011-1016, CVE-2011-1017, Package Information: https://launchpad.net/ubuntu/+source/linux-ti-omap4/2.6.35-903.24 . Several vulnerabilities addressed in Ubuntu 10.10 impacting the Linux kernel on OMAP4 platforms. Update advised for enhanced security.. Ubuntu Security Notice, Kernel Flaws, Linux kernel OMAP4. . Severity: Critical. LinuxSecurity.com Team
Sep 13, 2011
•Critical
Ubuntu
Get the latest News and Insights
Get the latest Linux and open source security news straight to your inbox.
Community Poll
What got you started with Linux?
Search Topics
Powered By
Linux Security - Your source for Top Linux News, Advisories, HOWTOs and Feature Releases
QUICK LINKS
subscribe to newsletters!
Like staying secure? So do we.
Sign up for updates, tips, and alerts!