# Security update for the Linux Kernel (Live Patch 44 for SLE 15 SP2)

Announcement ID: SUSE-SU-2024:3767-1

Release Date: 2024-10-29T04:33:35Z

Rating: important

References:

* bsc#1225309
* bsc#1225311
* bsc#1225819
* bsc#1227471
* bsc#1227472

Cross-References:

* CVE-2021-47598
* CVE-2021-47600
* CVE-2023-52752
* CVE-2024-35862
* CVE-2024-35864

CVSS scores:

* CVE-2021-47598 ( SUSE ): 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
* CVE-2021-47598 ( NVD ): 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
* CVE-2021-47600 ( SUSE ): 7.0 CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
* CVE-2021-47600 ( NVD ): 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
* CVE-2023-52752 ( SUSE ): 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
* CVE-2023-52752 ( NVD ): 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
* CVE-2024-35862 ( SUSE ): 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
* CVE-2024-35864 ( SUSE ): 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Affected Products:

* SUSE Linux Enterprise High Performance Computing 15 SP2
* SUSE Linux Enterprise Live Patching 15-SP2
* SUSE Linux Enterprise Server 15 SP2
* SUSE Linux Enterprise Server for SAP Applications 15 SP2

An update that solves five vulnerabilities can now be installed.

## Description:

This update for the Linux Kernel 5.3.18-150200_24_175 fixes several issues.

The following security issues were fixed:

* CVE-2021-47600: dm btree remove: fix use after free in rebalance_children() (bsc#1227472).
* CVE-2021-47598: sch_cake: do not call cake_destroy() from cake_init() (bsc#1227471).
* CVE-2023-52752: smb: client: fix use-after-free bug in cifs_debug_data_proc_show() (bsc#1225819).
* CVE-2024-35862: Fixed potential UAF in smb2_is_network_name_deleted() (bsc#1225311).
* CVE-2024-35864: Fixed potential UAF in smb2_is_valid_lease_break() (bsc#1225309).

## Patch Instructions:

To install this SUSE update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product:

* SUSE Linux Enterprise Live Patching 15-SP2
  `zypper in -t patch SUSE-SLE-Module-Live-Patching-15-SP2-2024-3767=1`

## Package List:

* SUSE Linux Enterprise Live Patching 15-SP2 (ppc64le s390x x86_64)
  * kernel-livepatch-5_3_18-150200_24_175-default-debuginfo-14-150200.2.1
  * kernel-livepatch-5_3_18-150200_24_175-default-14-150200.2.1
  * kernel-livepatch-SLE15-SP2_Update_44-debugsource-14-150200.2.1

## References:

* https://www.suse.com/security/cve/CVE-2021-47598.html
* https://www.suse.com/security/cve/CVE-2021-47600.html
* https://www.suse.com/security/cve/CVE-2023-52752.html
* https://www.suse.com/security/cve/CVE-2024-35862.html
* https://www.suse.com/security/cve/CVE-2024-35864.html
* https://bugzilla.suse.com/show_bug.cgi?id=1225309
* https://bugzilla.suse.com/show_bug.cgi?id=1225311
* https://bugzilla.suse.com/show_bug.cgi?id=1225819
* https://bugzilla.suse.com/show_bug.cgi?id=1227471
* https://bugzilla.suse.com/show_bug.cgi?id=1227472

Crucial patch for SLE 15 SP2's Linux Kernel tackles five significant security vulnerabilities.

Severity: Important. LinuxSecurity.com Team

Claudio Bozzato discovered multiple security issues in gtkwave, a file waveform viewer for VCD (Value Change Dump) files, which may result in the execution of arbitrary code if malformed files are opened.

Debian Security Advisory DSA-5653-1

# Security update for the Linux Kernel

Announcement ID: SUSE-SU-2024:0113-1

Rating: important

References:

* bsc#1108281
* bsc#1109837
* bsc#1179610
* bsc#1202095
* bsc#1211226
* bsc#1211439
* bsc#1214479
* bsc#1215237
* bsc#1217036
* bsc#1217250
* bsc#1217801
* bsc#1217936
* bsc#1217946
* bsc#1217947
* bsc#1218057
* bsc#1218184
* bsc#1218253
* bsc#1218258
* bsc#1218362
* bsc#1218559
* bsc#1218622
* jsc#PED-5021
* jsc#PED-5023

Cross-References:

* CVE-2020-26555
* CVE-2022-2586
* CVE-2023-51779
* CVE-2023-6121
* CVE-2023-6606
* CVE-2023-6610
* CVE-2023-6931
* CVE-2023-6932

CVSS scores:

* CVE-2020-26555 ( SUSE ): 5.4 CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
* CVE-2020-26555 ( NVD ): 5.4 CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
* CVE-2022-2586 ( SUSE ): 6.7 CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
* CVE-2022-2586 ( NVD ): 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
* CVE-2023-51779 ( SUSE ): 7.0 CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
* CVE-2023-6121 ( SUSE ): 4.3 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
* CVE-2023-6121 ( NVD ): 4.3 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
* CVE-2023-6606 ( SUSE ): 6.1 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:H
* CVE-2023-6606 ( NVD ): 7.1 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H
* CVE-2023-6610 ( SUSE ): 6.1 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:H
* CVE-2023-6610 ( NVD ): 7.1 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H
* CVE-2023-6931 ( SUSE ): 7.0 CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
* CVE-2023-6931 ( NVD ): 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
* CVE-2023-6932 ( SUSE ): 7.0 CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
* CVE-2023-6932 ( NVD ): 7.0 CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

Affected Products:

* SUSE Linux Enterprise High Performance Computing 12 SP5
* SUSE Linux Enterprise Server 12 SP5
* SUSE Linux Enterprise Server for SAP Applications 12 SP5

An update that solves eight vulnerabilities, contains two features and has 13 security fixes can now be installed.

## Description:

The SUSE Linux Enterprise 12 SP5 Azure kernel was updated to receive various security and bugfixes.

The following security bugs were fixed:

* CVE-2023-6610: Fixed an out of bounds read in the SMB client when printing debug information (bsc#1217946).
* CVE-2022-2586: Fixed a use-after-free which can be triggered when a nft table is deleted (bsc#1202095).
* CVE-2023-51779: Fixed a use-after-free because of a bt_sock_ioctl race condition in bt_sock_recvmsg (bsc#1218559).
* CVE-2020-26555: Fixed Bluetooth legacy BR/EDR PIN code pairing in Bluetooth Core Specification 1.0B that may permit an unauthenticated nearby device to spoof the BD_ADDR of the peer device to complete pairing without knowledge of the PIN (bsc#1179610 bsc#1215237).
* CVE-2023-6931: Fixed a heap out-of-bounds write vulnerability in the Linux kernel's Performance Events system component that could lead to local privilege escalation. (bsc#1218258).
* CVE-2023-6606: Fixed an out of bounds read in the SMB client when receiving a malformed length from a server (bsc#1217947).
* CVE-2023-6932: Fixed a use-after-free vulnerability in the Linux kernel's ipv4: igmp component that could lead to local privilege escalation (bsc#1218253).
* CVE-2023-6121: Fixed an out-of-bounds read vulnerability in the NVMe-oF/TCP subsystem that could lead to information leak (bsc#1217250).

The following non-security bugs were fixed:

* Fix termination state for idr_for_each_entry_ul() (bsc#1109837).
* Input: powermate - fix use-after-free in powermate_config_complete (git-fixes).
* KVM: s390/mm: Properly reset no-dat (git-fixes bsc#1218057).
* KVM: s390: vsie: fix wrong VIR 37 when MSO is used (git-fixes bsc#1217936).
* Limit kernel-source build to architectures for which the kernel binary is built (bsc#1108281).
* PCI: Disable ATS for specific Intel IPU E2000 devices (bsc#1218622).
* Resolve build warnings from previous series due to missing commit for Ice Lake freerunning counters perf/x86/intel/uncore: Add box_offsets for free-running counters (jsc#PED-5023 bsc#1211439).
* Revert "Limit kernel-source-azure build to architectures for which we build binaries (bsc#1108281)."
* bcache: Fix __bch_btree_node_alloc to make the failure behavior consistent (git-fixes).
* bcache: Remove unnecessary NULL point check in node allocations (git-fixes).
* bcache: add code comments for bch_btree_node_get() and __bch_btree_node_alloc() (git-fixes).
* bcache: check return value from btree_node_alloc_replacement() (git-fixes).
* bcache: prevent potential division by zero error (git-fixes).
* bcache: replace a mistaken IS_ERR() by IS_ERR_OR_NULL() in btree_gc_coalesce() (git-fixes).
* bcache: revert replacing IS_ERR_OR_NULL with IS_ERR (git-fixes).
* dm cache policy smq: ensure IO does not prevent cleaner policy progress (git-fixes).
* dm cache: add cond_resched() to various workqueue loops (git-fixes).
* dm crypt: add cond_resched() to dmcrypt_write() (git-fixes).
* dm flakey: do not corrupt the zero page (git-fixes).
* dm flakey: fix a crash with invalid table line (git-fixes).
* dm flakey: fix logic when corrupting a bio (git-fixes).
* dm integrity: call kmem_cache_destroy() in dm_integrity_init() error path (git-fixes).
* dm raid: fix missing reconfig_mutex unlock in raid_ctr() error paths (git-fixes).
* dm stats: check for and propagate alloc_percpu failure (git-fixes).
* dm thin: add cond_resched() to various workqueue loops (git-fixes).
* dm verity: do not perform FEC for failed readahead IO (git-fixes).
* dm verity: fix error handling for check_at_most_once on FEC (git-fixes).
* dm verity: skip redundant verity_handle_err() on I/O errors (git-fixes).
* dm-integrity: do not modify bio's immutable bio_vec in integrity_metadata() (git-fixes).
* dm-verity: align struct dm_verity_fec_io properly (git-fixes).
* dm: remove flush_scheduled_work() during local_exit() (git-fixes).
* doc/README.SUSE: Add how to update the config for module signing (jsc#PED-5021)
* doc/README.SUSE: Remove how to build modules using kernel-source (jsc#PED-5021)
* doc/README.SUSE: Simplify the list of references (jsc#PED-5021)
* gve: Add XDP DROP and TX support for GQI-QPL format (bsc#1214479).
* gve: Add XDP REDIRECT support for GQI-QPL format (bsc#1214479).
* gve: Changes to add new TX queues (bsc#1214479).
* gve: Control path for DQO-QPL (bsc#1214479).
* gve: Do not fully free QPL pages on prefill errors (bsc#1214479).
* gve: Fix gve interrupt names (bsc#1214479).
* gve: Fixes for napi_poll when budget is 0 (bsc#1214479).
* gve: RX path for DQO-QPL (bsc#1214479).
* gve: Set default duplex configuration to full (bsc#1214479).
* gve: Tx path for DQO-QPL (bsc#1214479).
* gve: Unify duplicate GQ min pkt desc size constants (bsc#1214479).
* gve: XDP support GQI-QPL: helper function changes (bsc#1214479).
* gve: fix frag_list chaining (bsc#1214479).
* gve: trivial spell fix Recive to Receive (bsc#1214479).
* gve: unify driver name usage (bsc#1214479).
* ip6_gre: proper dev_{hold|put} in ndo_[un]init methods (git-fixes).
* ip6_tunnel: sit: proper dev_{hold|put} in ndo_[un]init methods (git-fixes).
* ip6_vti: proper dev_{hold|put} in ndo_[un]init methods (git-fixes).
* ipv6/addrconf: fix a potential refcount underflow for idev (git-fixes).
* ipv6: remove extra dev_hold() for fallback tunnels (git-fixes).
* md/raid0: add discard support for the 'original' layout (git-fixes).
* md/raid1: fix error: ISO C90 forbids mixed declarations (git-fixes).
* md/raid1: free the r1bio before waiting for blocked rdev (git-fixes).
* md/raid1: hold the barrier until handle_read_error() finishes (git-fixes).
* md: do not leave 'MD_RECOVERY_FROZEN' in error path of md_set_readonly() (git-fixes).
* md: raid1: fix potential OOB in raid1_remove_disk() (git-fixes).
* md: restore 'noio_flag' for the last mddev_resume() (git-fixes).
* mkspec: Add multibuild support (JSC-SLE#5501, boo#1211226, bsc#1218184) When MULTIBUILD option in config.sh is enabled generate a _multibuild file listing all spec files.
* nbd: Add the maximum limit of allocated index in nbd_dev_add (git-fixes).
* nbd: Fix debugfs_create_dir error checking (git-fixes).
* net/tg3: fix race condition in tg3_reset_task() (bsc#1217801).
* net/tg3: resolve deadlock in tg3_reset_task() during EEH (bsc#1217801).
* net: dsa: mv88e6xxx: Fix 88E6141/6341 2500mbps SERDES speed (git-fixes).
* net: ethernet: ti: cpsw: unsync mcast entries while switch promisc mode (git-fixes).
* net: macb: disable scatter-gather for macb on sama5d3 (git-fixes).
* net: stmmac: Move debugfs init/exit to ->probe()/->remove() (git-fixes).
* net: usb: ax88179_178a: fix failed operations during ax88179_reset (git-fixes).
* net: usb: qmi_wwan: claim interface 4 for ZTE MF290 (git-fixes).
* net: usb: smsc95xx: Fix an error code in smsc95xx_reset() (git-fixes).
* net: usb: smsc95xx: Fix uninit-value access in smsc95xx_read_reg (git-fixes).
* netfilter: compat: prepare xt_compat_init_offsets to return errors (git-fixes).
* netfilter: compat: reject huge allocation requests (git-fixes).
* netfilter: ebtables: also count base chain policies (git-fixes).
* netfilter: ebtables: compat: un-break 32bit setsockopt when no rules are present (git-fixes).
* netfilter: ebtables: do not attempt to allocate 0-sized compat array (git-fixes).
* netfilter: nf_tables: fix use-after-free when deleting compat expressions (git-fixes).
* netfilter: nft_compat: use-after-free when deleting targets (git-fixes).
* netfilter: preserve KABI for xt_compat_init_offsets (git-fixes).
* nvme: sanitize metadata bounce buffer for reads (git-fixes).
* perf/x86/cstate: Add Rocket Lake CPU support (jsc#PED-5023 bsc#1211439).
* perf/x86/cstate: Add Tiger Lake CPU support (jsc#PED-5023 bsc#1211439).
* perf/x86/cstate: Update C-state counters for Ice Lake (jsc#PED-5023 bsc#1211439).
* perf/x86/intel/uncore: Add Comet Lake support (jsc#PED-5023 bsc#1211439).
* perf/x86/intel/uncore: Add IMC uncore support for Snow Ridge (jsc#PED-5023 bsc#1211439).
* perf/x86/intel/uncore: Add Ice Lake server uncore support (jsc#PED-5023 bsc#1211439).
* perf/x86/intel/uncore: Add Rocket Lake support (jsc#PED-5023 bsc#1211439).
* perf/x86/intel/uncore: Add new IMC PCI IDs for KabyLake, AmberLake and WhiskeyLake CPUs (jsc#PED-5023 bsc#1211439).
* perf/x86/intel/uncore: Add tabs to Uncore IMC PCI IDs (jsc#PED-5023 bsc#1211439).
* perf/x86/intel/uncore: Add uncore support for Snow Ridge server (jsc#PED-5023 bsc#1211439).
* perf/x86/intel/uncore: Clean up client IMC (jsc#PED-5023 bsc#1211439).
* perf/x86/intel/uncore: Factor out __snr_uncore_mmio_init_box (jsc#PED-5023 bsc#1211439).
* perf/x86/intel/uncore: Factor out box ref/unref functions (jsc#PED-5023 bsc#1211439).
* perf/x86/intel/uncore: Fix CAS_COUNT_WRITE issue for ICX (jsc#PED-5023 bsc#1211439 (git-fixes)).
* perf/x86/intel/uncore: Fix IIO event constraints for Snowridge (jsc#PED-5023 bsc#1211439 (git-fixes)).
* perf/x86/intel/uncore: Fix Intel ICX IIO event constraints (jsc#PED-5023 bsc#1211439 (git-fixes)).
* perf/x86/intel/uncore: Fix M2M event umask for Ice Lake server (jsc#PED-5023 bsc#1211439 (git-fixes)).
* perf/x86/intel/uncore: Fix broken read_counter() for SNB IMC PMU (jsc#PED-5023 bsc#1211439 (git-fixes)).
* perf/x86/intel/uncore: Fix integer overflow on 23 bit left shift of a u32 (jsc#PED-5023 bsc#1211439 (git-fixes)).
* perf/x86/intel/uncore: Fix missing marker for snr_uncore_imc_freerunning_events (jsc#PED-5023 bsc#1211439 (git-fixes)).
* perf/x86/intel/uncore: Fix oops when counting IMC uncore events on some TGL (jsc#PED-5023 bsc#1211439 (git-fixes)).
* perf/x86/intel/uncore: Fix reference count leak in __uncore_imc_init_box() (jsc#PED-5023 bsc#1211439 (git-fixes)).
* perf/x86/intel/uncore: Fix reference count leak in snr_uncore_mmio_map() (jsc#PED-5023 bsc#1211439 (git-fixes)).
* perf/x86/intel/uncore: Fix the scale of the IMC free-running events (jsc#PED-5023 bsc#1211439 (git-fixes)).
* perf/x86/intel/uncore: Split the Ice Lake and TigerLake MSR uncore support (jsc#PED-5023 bsc#1211439).
* perf/x86/intel/uncore: Support MMIO type uncore blocks (jsc#PED-5023 bsc#1211439).
* perf/x86/intel/uncore: Support extra IMC channel on Ice Lake server (jsc#PED-5023 bsc#1211439 (git-fixes)).
* perf/x86/intel/uncore: Update Ice Lake uncore units (jsc#PED-5023 bsc#1211439).
* perf/x86/intel: Add Icelake desktop CPUID (jsc#PED-5023 bsc#1211439).
* perf/x86/intel: Add Rocket Lake CPU support (jsc#PED-5023 bsc#1211439).
* perf/x86/intel: Add Tiger Lake CPU support (jsc#PED-5023 bsc#1211439).
* perf/x86/intel: Add more Icelake CPUIDs (jsc#PED-5023 bsc#1211439).
* perf/x86/intel: Fix Ice Lake event constraint table (jsc#PED-5023 bsc#1211439).
* perf/x86/intel: Fix invalid Bit 13 for Icelake MSR_OFFCORE_RSP_x register (jsc#PED-5023 bsc#1211439).
* perf/x86/intel: Mark expected switch fall-throughs (jsc#PED-5023 bsc#1211439).
* perf/x86/msr: Add Comet Lake CPU support (jsc#PED-5023 bsc#1211439).
* perf/x86/msr: Add Rocket Lake CPU support (jsc#PED-5023 bsc#1211439).
* perf/x86/msr: Add Tiger Lake CPU support (jsc#PED-5023 bsc#1211439).
* perf/x86/msr: Add new CPU model numbers for Ice Lake (jsc#PED-5023 bsc#1211439).
* perf/x86/rapl: Add Ice Lake RAPL support (jsc#PED-5023 bsc#1211439).
* perf/x86: Add Intel Ice Lake NNPI uncore support (jsc#PED-5023 bsc#1211439).
* perf/x86: Add Intel Tiger Lake uncore support (jsc#PED-5023 bsc#1211439).
* r8152: Add RTL8152_INACCESSIBLE checks to more loops (git-fixes).
* r8152: Add RTL8152_INACCESSIBLE to r8153_aldps_en() (git-fixes).
* r8152: Cancel hw_phy_work if we have an error in probe (git-fixes).
* r8152: Increase USB control msg timeout to 5000ms as per spec (git-fixes).
* r8152: Rename RTL8152_UNPLUG to RTL8152_INACCESSIBLE (git-fixes).
* r8152: Run the unload routine if we have errors during probe (git-fixes).
* rbd: avoid use-after-free in do_rbd_add() when rbd_dev_create() fails (git-fixes).
* ring-buffer: Fix memory leak of free page (git-fixes).
* s390/vx: fix save/restore of fpu kernel context (git-fixes bsc#1218362).
* sit: proper dev_{hold|put} in ndo_[un]init methods (git-fixes).
* tcp: fix under-evaluated ssthresh in TCP Vegas (git-fixes).
* tracing: Always update snapshot buffer size (git-fixes).
* tracing: Disable snapshot buffer when stopping instance tracers (git-fixes).
* tracing: Fix a possible race when disabling buffered events (bsc#1217036).
* tracing: Fix a warning when allocating buffered events fails (bsc#1217036).
* tracing: Fix incomplete locking when disabling buffered events (bsc#1217036).
* tracing: Fix warning in trace_buffered_event_disable() (git-fixes, bsc#1217036).
* tracing: Stop current tracer when resizing buffer (git-fixes).
* tracing: Update snapshot buffer on resize if it is allocated (git-fixes).
* tracing: relax trace_event_eval_update() execution with cond_resched() (git-fixes).
* usb: config: fix iteration issue in 'usb_get_bos_descriptor()' (git-fixes).
* x86/cpu: Add Comet Lake to the Intel CPU models header (jsc#PED-5023 bsc#1211439).
* x86/cpu: Add Ice Lake NNPI to Intel family (jsc#PED-5023 bsc#1211439).
* x86/cpu: Add Lakefield, Alder Lake and Rocket Lake models to the to Intel CPU family (jsc#PED-5023 bsc#1211439).
* x86/cpu: Add Sapphire Rapids CPU model number (jsc#PED-5023 bsc#1211439).
* x86/cpu: Add Tiger Lake to Intel family (jsc#PED-5023 bsc#1211439).
* xfrm6: fix inet6_dev refcount underflow problem (git-fixes).
* xfrm: reuse uncached_list to track xdsts (git-fixes).
* xhci: Clear EHB bit only at end of interrupt handler (git-fixes).
* xsk: Fix incorrect netdev reference count (git-fixes).

## Special Instructions and Notes:

* Please reboot the system after installing this update.

## Patch Instructions:

To install this SUSE update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product:

* SUSE Linux Enterprise Server for SAP Applications 12 SP5
  `zypper in -t patch SUSE-SLE-SERVER-12-SP5-2024-113=1`
* SUSE Linux Enterprise High Performance Computing 12 SP5
  `zypper in -t patch SUSE-SLE-SERVER-12-SP5-2024-113=1`
* SUSE Linux Enterprise Server 12 SP5
  `zypper in -t patch SUSE-SLE-SERVER-12-SP5-2024-113=1`

## Package List:

* SUSE Linux Enterprise Server for SAP Applications 12 SP5 (nosrc x86_64)
  * kernel-azure-4.12.14-16.163.1
* SUSE Linux Enterprise Server for SAP Applications 12 SP5 (x86_64)
  * kernel-azure-base-4.12.14-16.163.1
  * kernel-azure-devel-4.12.14-16.163.1
  * kernel-azure-debuginfo-4.12.14-16.163.1
  * kernel-azure-base-debuginfo-4.12.14-16.163.1
  * kernel-azure-debugsource-4.12.14-16.163.1
  * kernel-syms-azure-4.12.14-16.163.1
* SUSE Linux Enterprise Server for SAP Applications 12 SP5 (noarch)
  * kernel-source-azure-4.12.14-16.163.1
  * kernel-devel-azure-4.12.14-16.163.1
* SUSE Linux Enterprise High Performance Computing 12 SP5 (nosrc x86_64)
  * kernel-azure-4.12.14-16.163.1
* SUSE Linux Enterprise High Performance Computing 12 SP5 (x86_64)
  * kernel-azure-base-4.12.14-16.163.1
  * kernel-azure-devel-4.12.14-16.163.1
  * kernel-azure-debuginfo-4.12.14-16.163.1
  * kernel-azure-base-debuginfo-4.12.14-16.163.1
  * kernel-azure-debugsource-4.12.14-16.163.1
  * kernel-syms-azure-4.12.14-16.163.1
* SUSE Linux Enterprise High Performance Computing 12 SP5 (noarch)
  * kernel-source-azure-4.12.14-16.163.1
  * kernel-devel-azure-4.12.14-16.163.1
* SUSE Linux Enterprise Server 12 SP5 (nosrc x86_64)
  * kernel-azure-4.12.14-16.163.1
* SUSE Linux Enterprise Server 12 SP5 (x86_64)
  * kernel-azure-base-4.12.14-16.163.1
  * kernel-azure-devel-4.12.14-16.163.1
  * kernel-azure-debuginfo-4.12.14-16.163.1
  * kernel-azure-base-debuginfo-4.12.14-16.163.1
  * kernel-azure-debugsource-4.12.14-16.163.1
  * kernel-syms-azure-4.12.14-16.163.1
* SUSE Linux Enterprise Server 12 SP5 (noarch)
  * kernel-source-azure-4.12.14-16.163.1
  * kernel-devel-azure-4.12.14-16.163.1

## References:

* https://www.suse.com/security/cve/CVE-2020-26555.html
* https://www.suse.com/security/cve/CVE-2022-2586.html
* https://www.suse.com/security/cve/CVE-2023-51779.html
* https://www.suse.com/security/cve/CVE-2023-6121.html
* https://www.suse.com/security/cve/CVE-2023-6606.html
* https://www.suse.com/security/cve/CVE-2023-6610.html
* https://www.suse.com/security/cve/CVE-2023-6931.html
* https://www.suse.com/security/cve/CVE-2023-6932.html
* https://bugzilla.suse.com/show_bug.cgi?id=1108281
* https://bugzilla.suse.com/show_bug.cgi?id=1109837
* https://bugzilla.suse.com/show_bug.cgi?id=1179610
* https://bugzilla.suse.com/show_bug.cgi?id=1202095
* https://bugzilla.suse.com/show_bug.cgi?id=1211226
* https://bugzilla.suse.com/show_bug.cgi?id=1211439
* https://bugzilla.suse.com/show_bug.cgi?id=1214479
* https://bugzilla.suse.com/show_bug.cgi?id=1215237
* https://bugzilla.suse.com/show_bug.cgi?id=1217036
* https://bugzilla.suse.com/show_bug.cgi?id=1217250
* https://bugzilla.suse.com/show_bug.cgi?id=1217801
* https://bugzilla.suse.com/show_bug.cgi?id=1217936
* https://bugzilla.suse.com/show_bug.cgi?id=1217946
* https://bugzilla.suse.com/show_bug.cgi?id=1217947
* https://bugzilla.suse.com/show_bug.cgi?id=1218057
* https://bugzilla.suse.com/show_bug.cgi?id=1218184
* https://bugzilla.suse.com/show_bug.cgi?id=1218253
* https://bugzilla.suse.com/show_bug.cgi?id=1218258
* https://bugzilla.suse.com/show_bug.cgi?id=1218362
* https://bugzilla.suse.com/show_bug.cgi?id=1218559
* https://bugzilla.suse.com/show_bug.cgi?id=1218622

Essential patches address several weaknesses in the Linux Kernel. It's advised to reboot your system after installation.

Severity: Important. LinuxSecurity.com Team

# Security update for libqt4

Announcement ID: SUSE-SU-2023:4622-1

Rating: important

References:

* bsc#1196654
* bsc#1211298
* bsc#1211798
* bsc#1211994
* bsc#1213326
* bsc#1214327

Cross-References:

* CVE-2021-45930
* CVE-2023-32573
* CVE-2023-32763
* CVE-2023-34410
* CVE-2023-37369
* CVE-2023-38197

CVSS scores:

* CVE-2021-45930 ( SUSE ): 5.5 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
* CVE-2021-45930 ( NVD ): 5.5 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
* CVE-2023-32573 ( SUSE ): 4.4 CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:N/I:N/A:H
* CVE-2023-32573 ( NVD ): 6.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
* CVE-2023-32763 ( SUSE ): 7.8 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
* CVE-2023-32763 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
* CVE-2023-34410 ( SUSE ): 6.2 CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
* CVE-2023-34410 ( NVD ): 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
* CVE-2023-37369 ( SUSE ): 5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
* CVE-2023-37369 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
* CVE-2023-38197 ( SUSE ): 5.5 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
* CVE-2023-38197 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Affected Products:

* SUSE Linux Enterprise High Performance Computing 12 SP5
* SUSE Linux Enterprise Server 12 SP5
* SUSE Linux Enterprise Server for SAP Applications 12 SP5
* SUSE Linux Enterprise Software Development Kit 12 SP5
* SUSE Linux Enterprise Workstation Extension 12 12-SP5

An update that solves six vulnerabilities can now be installed.

## Description:

This update for libqt4 fixes the following issues:

* CVE-2021-45930: Fix out-of-bounds write when parsing path nodes (bsc#1196654).
* CVE-2023-32573: Fix missing initialization of QSvgFont unitsPerEm (bsc#1211298).
* CVE-2023-32763: Fix potential buffer when rendering a SVG file with an image inside (bsc#1211798).
* CVE-2023-34410: Fix missing sync of disablement of loading root certificates in qsslsocketprivate (bsc#1211994).
* CVE-2023-37369: Fix buffer overflow in QXmlStreamReader (bsc#1214327).
* CVE-2023-38197: Fix infinite loops in QXmlStreamReader (bsc#1213326).

## Patch Instructions:

To install this SUSE update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product:

* SUSE Linux Enterprise Workstation Extension 12 12-SP5
  `zypper in -t patch SUSE-SLE-WE-12-SP5-2023-4622=1`
* SUSE Linux Enterprise Software Development Kit 12 SP5
  `zypper in -t patch SUSE-SLE-SDK-12-SP5-2023-4622=1`
* SUSE Linux Enterprise High Performance Computing 12 SP5
  `zypper in -t patch SUSE-SLE-SERVER-12-SP5-2023-4622=1`
* SUSE Linux Enterprise Server 12 SP5
  `zypper in -t patch SUSE-SLE-SERVER-12-SP5-2023-4622=1`
* SUSE Linux Enterprise Server for SAP Applications 12 SP5
  `zypper in -t patch SUSE-SLE-SERVER-12-SP5-2023-4622=1`

## Package List:

* SUSE Linux Enterprise Workstation Extension 12 12-SP5 (x86_64)
  * libqt4-sql-plugins-debugsource-4.8.7-8.19.1
  * libqt4-sql-postgresql-4.8.7-8.19.1
  * libqt4-sql-postgresql-debuginfo-32bit-4.8.7-8.19.1
  * libqt4-sql-unixODBC-4.8.7-8.19.1
  * libqt4-sql-unixODBC-debuginfo-4.8.7-8.19.1
  * libqt4-sql-unixODBC-debuginfo-32bit-4.8.7-8.19.1
  * libqt4-sql-sqlite-32bit-4.8.7-8.19.1
  * libqt4-debuginfo-32bit-4.8.7-8.19.1
  * libqt4-sql-mysql-32bit-4.8.7-8.19.1
  * libqt4-sql-postgresql-32bit-4.8.7-8.19.1
  * libqt4-debugsource-4.8.7-8.19.1
  * libqt4-sql-unixODBC-32bit-4.8.7-8.19.1
  * libqt4-sql-mysql-debuginfo-32bit-4.8.7-8.19.1
  * libqt4-sql-sqlite-debuginfo-32bit-4.8.7-8.19.1
  * libqt4-sql-postgresql-debuginfo-4.8.7-8.19.1
* SUSE Linux Enterprise Software Development Kit 12 SP5 (aarch64 ppc64le s390x x86_64)
  * libqt4-sql-plugins-debugsource-4.8.7-8.19.1
  * libqt4-sql-postgresql-4.8.7-8.19.1
  * libqt4-sql-unixODBC-4.8.7-8.19.1
  * libqt4-sql-unixODBC-debuginfo-4.8.7-8.19.1
  * libqt4-devel-debuginfo-4.8.7-8.19.1
  * libqt4-devel-doc-4.8.7-8.19.1
  * libqt4-linguist-4.8.7-8.19.1
  * libqt4-devel-doc-debuginfo-4.8.7-8.19.1
  * libqt4-private-headers-devel-4.8.7-8.19.1
  * libqt4-debugsource-4.8.7-8.19.1
  * libqt4-linguist-debuginfo-4.8.7-8.19.1
  * libqt4-debuginfo-4.8.7-8.19.1
  * libqt4-devel-doc-debugsource-4.8.7-8.19.1
  * libqt4-sql-postgresql-debuginfo-4.8.7-8.19.1
  * libqt4-devel-4.8.7-8.19.1
* SUSE Linux Enterprise Software Development Kit 12 SP5 (noarch)
  * libqt4-devel-doc-data-4.8.7-8.19.1
* SUSE Linux Enterprise Software Development Kit 12 SP5 (s390x x86_64)
  * libqt4-sql-unixODBC-debuginfo-32bit-4.8.7-8.19.1
  * libqt4-sql-postgresql-debuginfo-32bit-4.8.7-8.19.1
  * libqt4-sql-unixODBC-32bit-4.8.7-8.19.1
  * libqt4-sql-postgresql-32bit-4.8.7-8.19.1
* SUSE Linux Enterprise High Performance Computing 12 SP5 (aarch64 x86_64)
  * libqt4-sql-plugins-debugsource-4.8.7-8.19.1
  * libqt4-4.8.7-8.19.1
  * libqt4-qt3support-debuginfo-4.8.7-8.19.1
  * libqt4-sql-mysql-debuginfo-4.8.7-8.19.1
  * libqt4-sql-debuginfo-4.8.7-8.19.1
  * libqt4-x11-4.8.7-8.19.1
  * libqt4-sql-mysql-4.8.7-8.19.1
  * qt4-x11-tools-debuginfo-4.8.7-8.19.1
  * libqt4-x11-debuginfo-4.8.7-8.19.1
  * libqt4-devel-doc-debuginfo-4.8.7-8.19.1
  * libqt4-sql-sqlite-debuginfo-4.8.7-8.19.1
  * libqt4-debugsource-4.8.7-8.19.1
  * libqt4-sql-4.8.7-8.19.1
  * libqt4-debuginfo-4.8.7-8.19.1
  * libqt4-devel-doc-debugsource-4.8.7-8.19.1
  * libqt4-qt3support-4.8.7-8.19.1
  * libqt4-sql-sqlite-4.8.7-8.19.1
  * qt4-x11-tools-4.8.7-8.19.1
* SUSE Linux Enterprise High Performance Computing 12 SP5 (x86_64)
  * libqt4-32bit-4.8.7-8.19.1
  * libqt4-qt3support-32bit-4.8.7-8.19.1
  * libqt4-sql-32bit-4.8.7-8.19.1
  * libqt4-x11-debuginfo-32bit-4.8.7-8.19.1
  * libqt4-debuginfo-32bit-4.8.7-8.19.1
  * libqt4-sql-debuginfo-32bit-4.8.7-8.19.1
  * libqt4-qt3support-debuginfo-32bit-4.8.7-8.19.1
  * libqt4-x11-32bit-4.8.7-8.19.1
* SUSE Linux Enterprise Server 12 SP5 (aarch64 ppc64le s390x x86_64)
  * libqt4-sql-plugins-debugsource-4.8.7-8.19.1
  * libqt4-4.8.7-8.19.1
  * libqt4-qt3support-debuginfo-4.8.7-8.19.1
  * libqt4-sql-mysql-debuginfo-4.8.7-8.19.1
  * libqt4-sql-debuginfo-4.8.7-8.19.1
  * libqt4-x11-4.8.7-8.19.1
  * libqt4-sql-mysql-4.8.7-8.19.1
  * qt4-x11-tools-debuginfo-4.8.7-8.19.1
  * libqt4-x11-debuginfo-4.8.7-8.19.1
  * libqt4-devel-doc-debuginfo-4.8.7-8.19.1
  * libqt4-sql-sqlite-debuginfo-4.8.7-8.19.1
  * libqt4-debugsource-4.8.7-8.19.1
  * libqt4-sql-4.8.7-8.19.1
  * libqt4-debuginfo-4.8.7-8.19.1
  * libqt4-devel-doc-debugsource-4.8.7-8.19.1
  * libqt4-qt3support-4.8.7-8.19.1
  * libqt4-sql-sqlite-4.8.7-8.19.1
  * qt4-x11-tools-4.8.7-8.19.1
* SUSE Linux Enterprise Server 12 SP5 (s390x x86_64)
  * libqt4-32bit-4.8.7-8.19.1
  * libqt4-qt3support-32bit-4.8.7-8.19.1
  * libqt4-sql-32bit-4.8.7-8.19.1
  * libqt4-x11-debuginfo-32bit-4.8.7-8.19.1
  * libqt4-debuginfo-32bit-4.8.7-8.19.1
  * libqt4-sql-debuginfo-32bit-4.8.7-8.19.1
  * libqt4-qt3support-debuginfo-32bit-4.8.7-8.19.1
  * libqt4-x11-32bit-4.8.7-8.19.1
* SUSE Linux Enterprise Server for SAP Applications 12 SP5 (ppc64le x86_64)
  * libqt4-sql-plugins-debugsource-4.8.7-8.19.1
  * libqt4-4.8.7-8.19.1
  * libqt4-qt3support-debuginfo-4.8.7-8.19.1
  * libqt4-sql-mysql-debuginfo-4.8.7-8.19.1
  * libqt4-sql-debuginfo-4.8.7-8.19.1
  * libqt4-x11-4.8.7-8.19.1
  * libqt4-sql-mysql-4.8.7-8.19.1
  * qt4-x11-tools-debuginfo-4.8.7-8.19.1
  * libqt4-x11-debuginfo-4.8.7-8.19.1
  * libqt4-devel-doc-debuginfo-4.8.7-8.19.1
  * libqt4-sql-sqlite-debuginfo-4.8.7-8.19.1
  * libqt4-debugsource-4.8.7-8.19.1
  * libqt4-sql-4.8.7-8.19.1
  * libqt4-debuginfo-4.8.7-8.19.1
  * libqt4-devel-doc-debugsource-4.8.7-8.19.1
  * libqt4-qt3support-4.8.7-8.19.1
  * libqt4-sql-sqlite-4.8.7-8.19.1
  * qt4-x11-tools-4.8.7-8.19.1
* SUSE Linux Enterprise Server for SAP Applications 12 SP5 (x86_64)
  * libqt4-32bit-4.8.7-8.19.1
  * libqt4-qt3support-32bit-4.8.7-8.19.1
  * libqt4-sql-32bit-4.8.7-8.19.1
  * libqt4-x11-debuginfo-32bit-4.8.7-8.19.1
  * libqt4-debuginfo-32bit-4.8.7-8.19.1
  * libqt4-sql-debuginfo-32bit-4.8.7-8.19.1
  * libqt4-qt3support-debuginfo-32bit-4.8.7-8.19.1
  * libqt4-x11-32bit-4.8.7-8.19.1

## References:

* https://www.suse.com/security/cve/CVE-2021-45930.html
* https://www.suse.com/security/cve/CVE-2023-32573.html
* https://www.suse.com/security/cve/CVE-2023-32763.html
* https://www.suse.com/security/cve/CVE-2023-34410.html
* https://www.suse.com/security/cve/CVE-2023-37369.html
* https://www.suse.com/security/cve/CVE-2023-38197.html
* https://bugzilla.suse.com/show_bug.cgi?id=1196654
* https://bugzilla.suse.com/show_bug.cgi?id=1211298
* https://bugzilla.suse.com/show_bug.cgi?id=1211798
* https://bugzilla.suse.com/show_bug.cgi?id=1211994
* https://bugzilla.suse.com/show_bug.cgi?id=1213326
* https://bugzilla.suse.com/show_bug.cgi?id=1214327

Crucial SUSE security notice regarding severe libqt4 problems alongside six identified vulnerabilities. Ensure you implement the latest patches immediately.

Severity: Critical. LinuxSecurity.com Team

# Security update for postgresql13 Announcement ID: SUSE-SU-2023:4455-1 Rating: important References: * bsc#1216022 * bsc#1216734 * bsc#1216960 * bsc#1216961 * bsc#1216962 Cross-References: * CVE-2023-5868 * CVE-2023-5869 * CVE-2023-5870 CVSS scores: * CVE-2023-5868 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N * CVE-2023-5869 ( SUSE ): 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H * CVE-2023-5870 ( SUSE ): 6.2 CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Affected Products: * Galera for Ericsson 15 SP5 * Legacy Module 15-SP4 * openSUSE Leap 15.4 * openSUSE Leap 15.5 * SUSE Enterprise Storage 7.1 * SUSE Linux Enterprise High Performance Computing 15 SP2 * SUSE Linux Enterprise High Performance Computing 15 SP2 LTSS 15-SP2 * SUSE Linux Enterprise High Performance Computing 15 SP3 * SUSE Linux Enterprise High Performance Computing 15 SP4 * SUSE Linux Enterprise High Performance Computing ESPOS 15 SP3 * SUSE Linux Enterprise High Performance Computing LTSS 15 SP3 * SUSE Linux Enterprise Server 15 SP2 * SUSE Linux Enterprise Server 15 SP2 LTSS 15-SP2 * SUSE Linux Enterprise Server 15 SP3 * SUSE Linux Enterprise Server 15 SP3 LTSS 15-SP3 * SUSE Linux Enterprise Server 15 SP4 * SUSE Linux Enterprise Server for SAP Applications 15 SP2 * SUSE Linux Enterprise Server for SAP Applications 15 SP3 * SUSE Linux Enterprise Server for SAP Applications 15 SP4 * SUSE Manager Proxy 4.3 * SUSE Manager Retail Branch Server 4.3 * SUSE Manager Server 4.3 An update that solves three vulnerabilities and has two security fixes can now be installed. ## Description: This update for postgresql13 fixes the following issues: Security issues fixed: * CVE-2023-5868: Fix handling of unknown-type arguments in DISTINCT "any" aggregate functions. This error led to a text-type value being interpreted as an unknown-type value (that is, a zero-terminated string) at runtime. 
This could result in disclosure of server memory following the text value. (bsc#1216962) * CVE-2023-5869: Detect integer overflow while computing new array dimensions. When assigning new elements to array subscripts that are outside the current array bounds, an undetected integer overflow could occur in edge cases. Memory stomps that are potentially exploitable for arbitrary code execution are possible, and so is disclosure of server memory. (bsc#1216961) * CVE-2023-5870: Prevent the pg_signal_backend role from signalling background workers and autovacuum processes. The documentation says that pg_signal_backend cannot issue signals to superuser-owned processes. It was able to signal these background processes, though, because they advertise a role OID of zero. Treat that as indicating superuser ownership. The security implications of cancelling one of these process types are fairly small so far as the core code goes (we'll just start another one), but extensions might add background workers that are more vulnerable. Also ensure that the is_superuser parameter is set correctly in such processes. No specific security consequences are known for that oversight, but it might be significant for some extensions. (bsc#1216960) * Updated to 13.13: https://www.postgresql.org/docs/13/release-13-13.html * Overhaul postgresql-README.SUSE and move it from the binary package to the noarch wrapper package. * Change the unix domain socket location from /var/run to /run. ## Patch Instructions: To install this SUSE update use the SUSE recommended installation methods like YaST online_update or "zypper patch". 
Alternatively you can run the command listed for your product: * openSUSE Leap 15.4 zypper in -t patch openSUSE-SLE-15.4-2023-4455=1 * openSUSE Leap 15.5 zypper in -t patch openSUSE-SLE-15.5-2023-4455=1 * Legacy Module 15-SP4 zypper in -t patch SUSE-SLE-Module-Legacy-15-SP4-2023-4455=1 * SUSE Linux Enterprise High Performance Computing 15 SP2 LTSS 15-SP2 zypper in -t patch SUSE-SLE-Product-HPC-15-SP2-LTSS-2023-4455=1 * SUSE Linux Enterprise High Performance Computing ESPOS 15 SP3 zypper in -t patch SUSE-SLE-Product-HPC-15-SP3-ESPOS-2023-4455=1 * SUSE Linux Enterprise High Performance Computing LTSS 15 SP3 zypper in -t patch SUSE-SLE-Product-HPC-15-SP3-LTSS-2023-4455=1 * SUSE Linux Enterprise Server 15 SP2 LTSS 15-SP2 zypper in -t patch SUSE-SLE-Product-SLES-15-SP2-LTSS-2023-4455=1 * SUSE Linux Enterprise Server 15 SP3 LTSS 15-SP3 zypper in -t patch SUSE-SLE-Product-SLES-15-SP3-LTSS-2023-4455=1 * Galera for Ericsson 15 SP5 zypper in -t patch SUSE-SLE-Product-SLES-15-SP5-ERICSSON-2023-4455=1 * SUSE Linux Enterprise Server for SAP Applications 15 SP2 zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-SP2-2023-4455=1 * SUSE Linux Enterprise Server for SAP Applications 15 SP3 zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-SP3-2023-4455=1 * SUSE Enterprise Storage 7.1 zypper in -t patch SUSE-Storage-7.1-2023-4455=1 ## Package List: * openSUSE Leap 15.4 (aarch64 ppc64le s390x x86_64) * postgresql13-pltcl-13.13-150200.5.50.1 * postgresql13-server-debuginfo-13.13-150200.5.50.1 * postgresql13-contrib-debuginfo-13.13-150200.5.50.1 * postgresql13-llvmjit-devel-13.13-150200.5.50.1 * postgresql13-test-13.13-150200.5.50.1 * postgresql13-debuginfo-13.13-150200.5.50.1 * postgresql13-plperl-13.13-150200.5.50.1 * postgresql13-server-13.13-150200.5.50.1 * postgresql13-contrib-13.13-150200.5.50.1 * postgresql13-plpython-13.13-150200.5.50.1 * postgresql13-13.13-150200.5.50.1 * postgresql13-server-devel-debuginfo-13.13-150200.5.50.1 * postgresql13-llvmjit-debuginfo-13.13-150200.5.50.1 * 
postgresql13-pltcl-debuginfo-13.13-150200.5.50.1 * postgresql13-devel-13.13-150200.5.50.1 * postgresql13-server-devel-13.13-150200.5.50.1 * postgresql13-debugsource-13.13-150200.5.50.1 * postgresql13-plperl-debuginfo-13.13-150200.5.50.1 * postgresql13-devel-debuginfo-13.13-150200.5.50.1 * postgresql13-llvmjit-13.13-150200.5.50.1 * postgresql13-plpython-debuginfo-13.13-150200.5.50.1 * openSUSE Leap 15.4 (noarch) * postgresql13-docs-13.13-150200.5.50.1 * openSUSE Leap 15.5 (aarch64 ppc64le s390x x86_64) * postgresql13-pltcl-13.13-150200.5.50.1 * postgresql13-server-debuginfo-13.13-150200.5.50.1 * postgresql13-contrib-debuginfo-13.13-150200.5.50.1 * postgresql13-llvmjit-devel-13.13-150200.5.50.1 * postgresql13-test-13.13-150200.5.50.1 * postgresql13-debuginfo-13.13-150200.5.50.1 * postgresql13-plperl-13.13-150200.5.50.1 * postgresql13-server-13.13-150200.5.50.1 * postgresql13-contrib-13.13-150200.5.50.1 * postgresql13-plpython-13.13-150200.5.50.1 * postgresql13-13.13-150200.5.50.1 * postgresql13-server-devel-debuginfo-13.13-150200.5.50.1 * postgresql13-llvmjit-debuginfo-13.13-150200.5.50.1 * postgresql13-pltcl-debuginfo-13.13-150200.5.50.1 * postgresql13-devel-13.13-150200.5.50.1 * postgresql13-server-devel-13.13-150200.5.50.1 * postgresql13-debugsource-13.13-150200.5.50.1 * postgresql13-plperl-debuginfo-13.13-150200.5.50.1 * postgresql13-devel-debuginfo-13.13-150200.5.50.1 * postgresql13-llvmjit-13.13-150200.5.50.1 * postgresql13-plpython-debuginfo-13.13-150200.5.50.1 * openSUSE Leap 15.5 (noarch) * postgresql13-docs-13.13-150200.5.50.1 * Legacy Module 15-SP4 (aarch64 ppc64le s390x x86_64) * postgresql13-debugsource-13.13-150200.5.50.1 * postgresql13-pltcl-13.13-150200.5.50.1 * postgresql13-server-debuginfo-13.13-150200.5.50.1 * postgresql13-plpython-13.13-150200.5.50.1 * postgresql13-server-13.13-150200.5.50.1 * postgresql13-13.13-150200.5.50.1 * postgresql13-contrib-debuginfo-13.13-150200.5.50.1 * postgresql13-llvmjit-devel-13.13-150200.5.50.1 * 
postgresql13-plperl-debuginfo-13.13-150200.5.50.1 * postgresql13-debuginfo-13.13-150200.5.50.1 * postgresql13-devel-debuginfo-13.13-150200.5.50.1 * postgresql13-server-devel-13.13-150200.5.50.1 * postgresql13-server-devel-debuginfo-13.13-150200.5.50.1 * postgresql13-llvmjit-debuginfo-13.13-150200.5.50.1 * postgresql13-llvmjit-13.13-150200.5.50.1 * postgresql13-pltcl-debuginfo-13.13-150200.5.50.1 * postgresql13-devel-13.13-150200.5.50.1 * postgresql13-plpython-debuginfo-13.13-150200.5.50.1 * postgresql13-plperl-13.13-150200.5.50.1 * postgresql13-contrib-13.13-150200.5.50.1 * Legacy Module 15-SP4 (noarch) * postgresql13-docs-13.13-150200.5.50.1 * SUSE Linux Enterprise High Performance Computing 15 SP2 LTSS 15-SP2 (aarch64 x86_64) * postgresql13-debugsource-13.13-150200.5.50.1 * postgresql13-pltcl-13.13-150200.5.50.1 * postgresql13-server-debuginfo-13.13-150200.5.50.1 * postgresql13-plpython-13.13-150200.5.50.1 * postgresql13-server-13.13-150200.5.50.1 * postgresql13-13.13-150200.5.50.1 * postgresql13-contrib-debuginfo-13.13-150200.5.50.1 * postgresql13-server-devel-13.13-150200.5.50.1 * postgresql13-plperl-debuginfo-13.13-150200.5.50.1 * postgresql13-debuginfo-13.13-150200.5.50.1 * postgresql13-devel-debuginfo-13.13-150200.5.50.1 * postgresql13-server-devel-debuginfo-13.13-150200.5.50.1 * postgresql13-pltcl-debuginfo-13.13-150200.5.50.1 * postgresql13-devel-13.13-150200.5.50.1 * postgresql13-plpython-debuginfo-13.13-150200.5.50.1 * postgresql13-plperl-13.13-150200.5.50.1 * postgresql13-contrib-13.13-150200.5.50.1 * SUSE Linux Enterprise High Performance Computing 15 SP2 LTSS 15-SP2 (noarch) * postgresql13-docs-13.13-150200.5.50.1 * SUSE Linux Enterprise High Performance Computing ESPOS 15 SP3 (aarch64 x86_64) * postgresql13-debugsource-13.13-150200.5.50.1 * postgresql13-pltcl-13.13-150200.5.50.1 * postgresql13-server-debuginfo-13.13-150200.5.50.1 * postgresql13-plpython-13.13-150200.5.50.1 * postgresql13-server-13.13-150200.5.50.1 * postgresql13-13.13-150200.5.50.1 * 
postgresql13-contrib-debuginfo-13.13-150200.5.50.1 * postgresql13-server-devel-13.13-150200.5.50.1 * postgresql13-plperl-debuginfo-13.13-150200.5.50.1 * postgresql13-debuginfo-13.13-150200.5.50.1 * postgresql13-devel-debuginfo-13.13-150200.5.50.1 * postgresql13-server-devel-debuginfo-13.13-150200.5.50.1 * postgresql13-pltcl-debuginfo-13.13-150200.5.50.1 * postgresql13-devel-13.13-150200.5.50.1 * postgresql13-plpython-debuginfo-13.13-150200.5.50.1 * postgresql13-plperl-13.13-150200.5.50.1 * postgresql13-contrib-13.13-150200.5.50.1 * SUSE Linux Enterprise High Performance Computing ESPOS 15 SP3 (noarch) * postgresql13-docs-13.13-150200.5.50.1 * SUSE Linux Enterprise High Performance Computing LTSS 15 SP3 (aarch64 x86_64) * postgresql13-debugsource-13.13-150200.5.50.1 * postgresql13-pltcl-13.13-150200.5.50.1 * postgresql13-server-debuginfo-13.13-150200.5.50.1 * postgresql13-plpython-13.13-150200.5.50.1 * postgresql13-server-13.13-150200.5.50.1 * postgresql13-13.13-150200.5.50.1 * postgresql13-contrib-debuginfo-13.13-150200.5.50.1 * postgresql13-server-devel-13.13-150200.5.50.1 * postgresql13-plperl-debuginfo-13.13-150200.5.50.1 * postgresql13-debuginfo-13.13-150200.5.50.1 * postgresql13-devel-debuginfo-13.13-150200.5.50.1 * postgresql13-server-devel-debuginfo-13.13-150200.5.50.1 * postgresql13-pltcl-debuginfo-13.13-150200.5.50.1 * postgresql13-devel-13.13-150200.5.50.1 * postgresql13-plpython-debuginfo-13.13-150200.5.50.1 * postgresql13-plperl-13.13-150200.5.50.1 * postgresql13-contrib-13.13-150200.5.50.1 * SUSE Linux Enterprise High Performance Computing LTSS 15 SP3 (noarch) * postgresql13-docs-13.13-150200.5.50.1 * SUSE Linux Enterprise Server 15 SP2 LTSS 15-SP2 (aarch64 ppc64le s390x x86_64) * postgresql13-debugsource-13.13-150200.5.50.1 * postgresql13-pltcl-13.13-150200.5.50.1 * postgresql13-server-debuginfo-13.13-150200.5.50.1 * postgresql13-plpython-13.13-150200.5.50.1 * postgresql13-server-13.13-150200.5.50.1 * postgresql13-13.13-150200.5.50.1 * 
postgresql13-contrib-debuginfo-13.13-150200.5.50.1 * postgresql13-server-devel-13.13-150200.5.50.1 * postgresql13-plperl-debuginfo-13.13-150200.5.50.1 * postgresql13-debuginfo-13.13-150200.5.50.1 * postgresql13-devel-debuginfo-13.13-150200.5.50.1 * postgresql13-server-devel-debuginfo-13.13-150200.5.50.1 * postgresql13-pltcl-debuginfo-13.13-150200.5.50.1 * postgresql13-devel-13.13-150200.5.50.1 * postgresql13-plpython-debuginfo-13.13-150200.5.50.1 * postgresql13-plperl-13.13-150200.5.50.1 * postgresql13-contrib-13.13-150200.5.50.1 * SUSE Linux Enterprise Server 15 SP2 LTSS 15-SP2 (noarch) * postgresql13-docs-13.13-150200.5.50.1 * SUSE Linux Enterprise Server 15 SP3 LTSS 15-SP3 (aarch64 ppc64le s390x x86_64) * postgresql13-debugsource-13.13-150200.5.50.1 * postgresql13-pltcl-13.13-150200.5.50.1 * postgresql13-server-debuginfo-13.13-150200.5.50.1 * postgresql13-plpython-13.13-150200.5.50.1 * postgresql13-server-13.13-150200.5.50.1 * postgresql13-13.13-150200.5.50.1 * postgresql13-contrib-debuginfo-13.13-150200.5.50.1 * postgresql13-server-devel-13.13-150200.5.50.1 * postgresql13-plperl-debuginfo-13.13-150200.5.50.1 * postgresql13-debuginfo-13.13-150200.5.50.1 * postgresql13-devel-debuginfo-13.13-150200.5.50.1 * postgresql13-server-devel-debuginfo-13.13-150200.5.50.1 * postgresql13-pltcl-debuginfo-13.13-150200.5.50.1 * postgresql13-devel-13.13-150200.5.50.1 * postgresql13-plpython-debuginfo-13.13-150200.5.50.1 * postgresql13-plperl-13.13-150200.5.50.1 * postgresql13-contrib-13.13-150200.5.50.1 * SUSE Linux Enterprise Server 15 SP3 LTSS 15-SP3 (noarch) * postgresql13-docs-13.13-150200.5.50.1 * Galera for Ericsson 15 SP5 (x86_64) * postgresql13-debugsource-13.13-150200.5.50.1 * postgresql13-pltcl-13.13-150200.5.50.1 * postgresql13-server-debuginfo-13.13-150200.5.50.1 * postgresql13-plpython-13.13-150200.5.50.1 * postgresql13-server-13.13-150200.5.50.1 * postgresql13-13.13-150200.5.50.1 * postgresql13-contrib-debuginfo-13.13-150200.5.50.1 * 
postgresql13-server-devel-13.13-150200.5.50.1 * postgresql13-plperl-debuginfo-13.13-150200.5.50.1 * postgresql13-debuginfo-13.13-150200.5.50.1 * postgresql13-devel-debuginfo-13.13-150200.5.50.1 * postgresql13-server-devel-debuginfo-13.13-150200.5.50.1 * postgresql13-pltcl-debuginfo-13.13-150200.5.50.1 * postgresql13-devel-13.13-150200.5.50.1 * postgresql13-plpython-debuginfo-13.13-150200.5.50.1 * postgresql13-plperl-13.13-150200.5.50.1 * postgresql13-contrib-13.13-150200.5.50.1 * Galera for Ericsson 15 SP5 (noarch) * postgresql13-docs-13.13-150200.5.50.1 * SUSE Linux Enterprise Server for SAP Applications 15 SP2 (ppc64le x86_64) * postgresql13-debugsource-13.13-150200.5.50.1 * postgresql13-pltcl-13.13-150200.5.50.1 * postgresql13-server-debuginfo-13.13-150200.5.50.1 * postgresql13-plpython-13.13-150200.5.50.1 * postgresql13-server-13.13-150200.5.50.1 * postgresql13-13.13-150200.5.50.1 * postgresql13-contrib-debuginfo-13.13-150200.5.50.1 * postgresql13-server-devel-13.13-150200.5.50.1 * postgresql13-plperl-debuginfo-13.13-150200.5.50.1 * postgresql13-debuginfo-13.13-150200.5.50.1 * postgresql13-devel-debuginfo-13.13-150200.5.50.1 * postgresql13-server-devel-debuginfo-13.13-150200.5.50.1 * postgresql13-pltcl-debuginfo-13.13-150200.5.50.1 * postgresql13-devel-13.13-150200.5.50.1 * postgresql13-plpython-debuginfo-13.13-150200.5.50.1 * postgresql13-plperl-13.13-150200.5.50.1 * postgresql13-contrib-13.13-150200.5.50.1 * SUSE Linux Enterprise Server for SAP Applications 15 SP2 (noarch) * postgresql13-docs-13.13-150200.5.50.1 * SUSE Linux Enterprise Server for SAP Applications 15 SP3 (ppc64le x86_64) * postgresql13-debugsource-13.13-150200.5.50.1 * postgresql13-pltcl-13.13-150200.5.50.1 * postgresql13-server-debuginfo-13.13-150200.5.50.1 * postgresql13-plpython-13.13-150200.5.50.1 * postgresql13-server-13.13-150200.5.50.1 * postgresql13-13.13-150200.5.50.1 * postgresql13-contrib-debuginfo-13.13-150200.5.50.1 * postgresql13-server-devel-13.13-150200.5.50.1 * 
postgresql13-plperl-debuginfo-13.13-150200.5.50.1 * postgresql13-debuginfo-13.13-150200.5.50.1 * postgresql13-devel-debuginfo-13.13-150200.5.50.1 * postgresql13-server-devel-debuginfo-13.13-150200.5.50.1 * postgresql13-pltcl-debuginfo-13.13-150200.5.50.1 * postgresql13-devel-13.13-150200.5.50.1 * postgresql13-plpython-debuginfo-13.13-150200.5.50.1 * postgresql13-plperl-13.13-150200.5.50.1 * postgresql13-contrib-13.13-150200.5.50.1 * SUSE Linux Enterprise Server for SAP Applications 15 SP3 (noarch) * postgresql13-docs-13.13-150200.5.50.1 * SUSE Enterprise Storage 7.1 (aarch64 x86_64) * postgresql13-debugsource-13.13-150200.5.50.1 * postgresql13-pltcl-13.13-150200.5.50.1 * postgresql13-server-debuginfo-13.13-150200.5.50.1 * postgresql13-plpython-13.13-150200.5.50.1 * postgresql13-server-13.13-150200.5.50.1 * postgresql13-13.13-150200.5.50.1 * postgresql13-contrib-debuginfo-13.13-150200.5.50.1 * postgresql13-server-devel-13.13-150200.5.50.1 * postgresql13-plperl-debuginfo-13.13-150200.5.50.1 * postgresql13-debuginfo-13.13-150200.5.50.1 * postgresql13-devel-debuginfo-13.13-150200.5.50.1 * postgresql13-server-devel-debuginfo-13.13-150200.5.50.1 * postgresql13-pltcl-debuginfo-13.13-150200.5.50.1 * postgresql13-devel-13.13-150200.5.50.1 * postgresql13-plpython-debuginfo-13.13-150200.5.50.1 * postgresql13-plperl-13.13-150200.5.50.1 * postgresql13-contrib-13.13-150200.5.50.1 * SUSE Enterprise Storage 7.1 (noarch) * postgresql13-docs-13.13-150200.5.50.1 ## References: * https://www.suse.com/security/cve/CVE-2023-5868.html * https://www.suse.com/security/cve/CVE-2023-5869.html * https://www.suse.com/security/cve/CVE-2023-5870.html * https://bugzilla.suse.com/show_bug.cgi?id=1216022 * https://bugzilla.suse.com/show_bug.cgi?id=1216734 * https://bugzilla.suse.com/show_bug.cgi?id=1216960 * https://bugzilla.suse.com/show_bug.cgi?id=1216961 * https://bugzilla.suse.com/show_bug.cgi?id=1216962 . 
Postgresql13 Security Update, openSUSE Advisory, Important Security Patch, Linux Update, SUSE Vulnerability Fix. Severity: Important. LinuxSecurity.com Team
# Security update for icu73_2 Announcement ID: SUSE-SU-2023:3563-3 Rating: moderate References: * bsc#1030253 * bsc#1095425 * bsc#1103893 * bsc#1112183 * bsc#1146907 * bsc#1158955 * bsc#1159131 * bsc#1161007 * bsc#1162882 * bsc#1166844 * bsc#1167603 * bsc#1182252 * bsc#1182645 * bsc#1192935 * bsc#1193951 * bsc#354372 * bsc#437293 * bsc#824262 * jsc#PED-4917 * jsc#SLE-11118 Cross-References: * CVE-2020-10531 * CVE-2020-21913 CVSS scores: * CVE-2020-10531 ( SUSE ): 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H * CVE-2020-10531 ( NVD ): 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H * CVE-2020-21913 ( SUSE ): 5.5 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H * CVE-2020-21913 ( NVD ): 5.5 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H Affected Products: * Basesystem Module 15-SP4 * Basesystem Module 15-SP5 * openSUSE Leap Micro 5.2 * openSUSE Leap Micro 5.3 * openSUSE Leap Micro 5.4 * SUSE Linux Enterprise Desktop 15 SP4 * SUSE Linux Enterprise Desktop 15 SP5 * SUSE Linux Enterprise High Performance Computing 15 SP4 * SUSE Linux Enterprise High Performance Computing 15 SP5 * SUSE Linux Enterprise Micro 5.1 * SUSE Linux Enterprise Micro 5.2 * SUSE Linux Enterprise Micro 5.3 * SUSE Linux Enterprise Micro 5.4 * SUSE Linux Enterprise Micro for Rancher 5.2 * SUSE Linux Enterprise Micro for Rancher 5.3 * SUSE Linux Enterprise Micro for Rancher 5.4 * SUSE Linux Enterprise Real Time 15 SP4 * SUSE Linux Enterprise Real Time 15 SP5 * SUSE Linux Enterprise Server 15 SP4 * SUSE Linux Enterprise Server 15 SP5 * SUSE Linux Enterprise Server for SAP Applications 15 SP4 * SUSE Linux Enterprise Server for SAP Applications 15 SP5 * SUSE Manager Proxy 4.2 * SUSE Manager Proxy 4.3 * SUSE Manager Retail Branch Server 4.2 * SUSE Manager Retail Branch Server 4.3 * SUSE Manager Server 4.2 * SUSE Manager Server 4.3 An update that solves two vulnerabilities, contains two features and has 16 security fixes can now be 
installed. ## Description: This update for icu73_2 fixes the following issues: * Update to release 73.2 * CLDR extends the support for “short” Chinese sort orders to cover some additional, required characters for Level 2. This is carried over into ICU collation. * ICU has a modified character conversion table, mapping some GB18030 characters to Unicode characters that were encoded after GB18030-2005. * fixes builds where UCHAR_TYPE is re-defined such as libqt5-qtwebengine * Update to release 73.1 * Improved Japanese and Korean short-text line breaking * Reduction of C++ memory use in date formatting * Update to release 72.1 * Support for Unicode 15, including new characters, scripts, emoji, and corresponding API constants. * Support for CLDR 42 locale data with various additions and corrections. * Shift to tzdb 2022e. Pre-1970 data for a number of timezones has been removed. * bump library packagename to libicu71 to match the version. * update to 71.1: * updates to CLDR 41 locale data with various additions and corrections. * phrase-based line breaking for Japanese. Existing line breaking methods follow standards and conventions for body text but do not work well for short Japanese text, such as in titles and headings. This new feature is optimized for these use cases. * support for Hindi written in Latin letters (hi_Latn). The CLDR data for this increasingly popular locale has been significantly revised and expanded. Note that based on user expectations, hi_Latn incorporates a large amount of English, and can also be referred to as “Hinglish”. * time zone data updated to version 2022a. Note that pre-1970 data for a number of time zones has been removed, as has been the case in the upstream tzdata release since 2021b. 
* ICU-21793 Fix ucptrietest golden diff [bsc#1192935] * Update to release 70.1: * Unicode 14 (new characters, scripts, emoji, and API constants) * CLDR 40 (many additions and corrections) * Fixes for measurement unit formatting * Can now be built with up to C++20 compilers * ICU-21613 Fix undefined behaviour in ComplexUnitsConverter::applyRounder * Update to release 69.1 * CLDR 39 * For Norwegian, "no" is back to being the canonical code, with "nb" treated as equivalent. This aligns handling of Norwegian with other macro language codes. * Binary prefixes in measurement units (KiB, MiB, etc.) * Time zone offsets from local time: New APIs BasicTimeZone::getOffsetFromLocal() (C++) and ucal_getTimeZoneOffsetFromLocal() * Backport ICU-21366 (bsc#1182645) * Update to release 68.2 * Fix memory problem in FormattedStringBuilder * Fix assertion when setKeywordValue w/ long value. * Fix UBSan breakage on 8bit of rbbi * fix int32_t overflow in listFormat * Fix memory handling in MemoryPool::operator=() * Fix memory leak in AliasReplacer * Add back icu.keyring, see https://unicode-org.atlassian.net/browse/ICU-21361 Update to release 68.1: * CLDR 38 * Measurement unit preferences * PluralRules selection for ranges of numbers * Locale ID canonicalization now conforms to the CLDR spec including edge cases * DateIntervalFormat supports output options such as capitalization * Measurement units are normalized in skeleton string output * Time zone data (tzdata) version 2020d * Add the provides for libicu so that .NET Core can install successfully. 
(bsc#1167603, bsc#1161007) Update to version 67.1: * Unicode 13 (ICU-20893, same as in ICU 66) * Total of 5930 new characters * 4 new scripts * 55 new emoji characters, plus additional new sequences * New CJK extension, first characters in plane 3: U+30000..U+3134A * CLDR 37 * New language at Modern coverage: Nigerian Pidgin * New languages at Basic coverage: Fulah (Adlam), Maithili, Manipuri, Santali, Sindhi (Devanagari), Sundanese * Region containment: EU no longer includes GB * Unicode 13 root collation data and Chinese data for collation and transliteration * DateTimePatternGenerator now obeys the "hc" preference in the locale identifier (ICU-20442) * Various other improvements for ECMA-402 conformance * Number skeletons have a new "concise" form that can be used in MessageFormat strings (ICU-20418) * Currency formatting options for formal and other currency display name variants (ICU-20854) * ListFormatter: new public API to select the style & type (ICU-12863) * ListFormatter now selects the proper “and”/“or” form for Spanish & Hebrew (ICU-21016) * Locale ID canonicalization upgraded to implement the complete CLDR spec (ICU-20834, ICU-20272) * LocaleMatcher: New option to ignore one-way matches (ICU-20936), and other tweaks to the code (ICU-20916, ICU-20917) and data (from CLDR) * acceptLanguage() reimplemented via LocaleMatcher (ICU-20700) * Data build tool: tzdbNames.res moved from the "zone_tree" category to the "zone_supplemental" category (ICU-21073) * Fixed uses of u8"literals" broken by the C++20 introduction of the incompatible char8_t type (ICU-20972), * and added a few API overloads to reduce the need for reinterpret_cast (ICU-20984). * Support for manipulating CLDR 37 unit identifiers in MeasureUnit. * Fix potential integer overflow in UnicodeString:doAppend (bsc#1166844, CVE-2020-10531). Update to version 66.1: * Unicode 13 support * Fix uses of u8"literals" broken by C++20 introduction of incompatible char8_t type. 
(ICU-20972) * use LocalMemory for cmd to prevent use after free (bsc#1193951 CVE-2020-21913). * Remove /usr/lib(64)/icu/current [bsc#1158955]. Update to release 65.1 (jsc#SLE-11118): * Updated to CLDR 36 locale data with many additions and corrections, and some new measurement units. * The Java LocaleMatcher API is improved, and ported to C++. ## Patch Instructions: To install this SUSE update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: * SUSE Manager Retail Branch Server 4.2 zypper in -t patch SUSE-SLE-Product-SUSE-Manager-Retail-Branch-Server-4.2-2023-3563=1 * SUSE Manager Server 4.2 zypper in -t patch SUSE-SLE-Product-SUSE-Manager-Server-4.2-2023-3563=1 * SUSE Linux Enterprise Micro 5.1 zypper in -t patch SUSE-SUSE-MicroOS-5.1-2023-3563=1 * SUSE Linux Enterprise Micro 5.2 zypper in -t patch SUSE-SUSE-MicroOS-5.2-2023-3563=1 * SUSE Linux Enterprise Micro for Rancher 5.2 zypper in -t patch SUSE-SUSE-MicroOS-5.2-2023-3563=1 * openSUSE Leap Micro 5.2 zypper in -t patch SUSE-2023-3563=1 * openSUSE Leap Micro 5.3 zypper in -t patch openSUSE-Leap-Micro-5.3-2023-3563=1 * openSUSE Leap Micro 5.4 zypper in -t patch openSUSE-Leap-Micro-5.4-2023-3563=1 * SUSE Linux Enterprise Micro for Rancher 5.3 zypper in -t patch SUSE-SLE-Micro-5.3-2023-3563=1 * SUSE Linux Enterprise Micro 5.3 zypper in -t patch SUSE-SLE-Micro-5.3-2023-3563=1 * SUSE Linux Enterprise Micro for Rancher 5.4 zypper in -t patch SUSE-SLE-Micro-5.4-2023-3563=1 * SUSE Linux Enterprise Micro 5.4 zypper in -t patch SUSE-SLE-Micro-5.4-2023-3563=1 * Basesystem Module 15-SP4 zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP4-2023-3563=1 * Basesystem Module 15-SP5 zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP5-2023-3563=1 * SUSE Manager Proxy 4.2 zypper in -t patch SUSE-SLE-Product-SUSE-Manager-Proxy-4.2-2023-3563=1 ## Package List: * SUSE Manager Retail Branch Server 4.2 (x86_64) * 
libicu73_2-debuginfo-73.2-150000.1.3.1 * icu73_2-debuginfo-73.2-150000.1.3.1 * libicu73_2-73.2-150000.1.3.1 * icu73_2-debugsource-73.2-150000.1.3.1 * libicu73_2-devel-73.2-150000.1.3.1 * libicu73_2-doc-73.2-150000.1.3.1 * SUSE Manager Retail Branch Server 4.2 (noarch) * libicu73_2-ledata-73.2-150000.1.3.1 * SUSE Manager Server 4.2 (ppc64le s390x x86_64) * libicu73_2-debuginfo-73.2-150000.1.3.1 * icu73_2-debuginfo-73.2-150000.1.3.1 * libicu73_2-73.2-150000.1.3.1 * icu73_2-debugsource-73.2-150000.1.3.1 * libicu73_2-devel-73.2-150000.1.3.1 * libicu73_2-doc-73.2-150000.1.3.1 * SUSE Manager Server 4.2 (noarch) * libicu73_2-bedata-73.2-150000.1.3.1 * libicu73_2-ledata-73.2-150000.1.3.1 * SUSE Linux Enterprise Micro 5.1 (aarch64 s390x x86_64) * libicu73_2-73.2-150000.1.3.1 * libicu73_2-debuginfo-73.2-150000.1.3.1 * icu73_2-debugsource-73.2-150000.1.3.1 * icu73_2-debuginfo-73.2-150000.1.3.1 * SUSE Linux Enterprise Micro 5.1 (noarch) * libicu73_2-bedata-73.2-150000.1.3.1 * libicu73_2-ledata-73.2-150000.1.3.1 * SUSE Linux Enterprise Micro 5.2 (aarch64 s390x x86_64) * libicu73_2-73.2-150000.1.3.1 * libicu73_2-debuginfo-73.2-150000.1.3.1 * icu73_2-debugsource-73.2-150000.1.3.1 * icu73_2-debuginfo-73.2-150000.1.3.1 * SUSE Linux Enterprise Micro 5.2 (noarch) * libicu73_2-bedata-73.2-150000.1.3.1 * libicu73_2-ledata-73.2-150000.1.3.1 * SUSE Linux Enterprise Micro for Rancher 5.2 (aarch64 s390x x86_64) * libicu73_2-73.2-150000.1.3.1 * libicu73_2-debuginfo-73.2-150000.1.3.1 * icu73_2-debugsource-73.2-150000.1.3.1 * icu73_2-debuginfo-73.2-150000.1.3.1 * SUSE Linux Enterprise Micro for Rancher 5.2 (noarch) * libicu73_2-bedata-73.2-150000.1.3.1 * libicu73_2-ledata-73.2-150000.1.3.1 * openSUSE Leap Micro 5.2 (aarch64 ppc64le s390x x86_64) * libicu73_2-73.2-150000.1.3.1 * icu73_2-debugsource-73.2-150000.1.3.1 * libicu73_2-debuginfo-73.2-150000.1.3.1 * openSUSE Leap Micro 5.2 (noarch) * libicu73_2-bedata-73.2-150000.1.3.1 * libicu73_2-ledata-73.2-150000.1.3.1 * openSUSE Leap Micro 5.3 
(aarch64 ppc64le s390x x86_64) * libicu73_2-73.2-150000.1.3.1 * libicu73_2-debuginfo-73.2-150000.1.3.1 * icu73_2-debugsource-73.2-150000.1.3.1 * icu73_2-debuginfo-73.2-150000.1.3.1 * openSUSE Leap Micro 5.3 (noarch) * libicu73_2-bedata-73.2-150000.1.3.1 * libicu73_2-ledata-73.2-150000.1.3.1 * openSUSE Leap Micro 5.4 (aarch64 ppc64le s390x x86_64) * libicu73_2-73.2-150000.1.3.1 * libicu73_2-debuginfo-73.2-150000.1.3.1 * icu73_2-debugsource-73.2-150000.1.3.1 * icu73_2-debuginfo-73.2-150000.1.3.1 * openSUSE Leap Micro 5.4 (noarch) * libicu73_2-bedata-73.2-150000.1.3.1 * libicu73_2-ledata-73.2-150000.1.3.1 * SUSE Linux Enterprise Micro for Rancher 5.3 (aarch64 s390x x86_64) * libicu73_2-73.2-150000.1.3.1 * libicu73_2-debuginfo-73.2-150000.1.3.1 * icu73_2-debugsource-73.2-150000.1.3.1 * icu73_2-debuginfo-73.2-150000.1.3.1 * SUSE Linux Enterprise Micro for Rancher 5.3 (noarch) * libicu73_2-bedata-73.2-150000.1.3.1 * libicu73_2-ledata-73.2-150000.1.3.1 * SUSE Linux Enterprise Micro 5.3 (aarch64 s390x x86_64) * libicu73_2-73.2-150000.1.3.1 * libicu73_2-debuginfo-73.2-150000.1.3.1 * icu73_2-debugsource-73.2-150000.1.3.1 * icu73_2-debuginfo-73.2-150000.1.3.1 * SUSE Linux Enterprise Micro 5.3 (noarch) * libicu73_2-bedata-73.2-150000.1.3.1 * libicu73_2-ledata-73.2-150000.1.3.1 * SUSE Linux Enterprise Micro for Rancher 5.4 (aarch64 s390x x86_64) * libicu73_2-73.2-150000.1.3.1 * libicu73_2-debuginfo-73.2-150000.1.3.1 * icu73_2-debugsource-73.2-150000.1.3.1 * icu73_2-debuginfo-73.2-150000.1.3.1 * SUSE Linux Enterprise Micro for Rancher 5.4 (noarch) * libicu73_2-bedata-73.2-150000.1.3.1 * libicu73_2-ledata-73.2-150000.1.3.1 * SUSE Linux Enterprise Micro 5.4 (aarch64 s390x x86_64) * libicu73_2-73.2-150000.1.3.1 * libicu73_2-debuginfo-73.2-150000.1.3.1 * icu73_2-debugsource-73.2-150000.1.3.1 * icu73_2-debuginfo-73.2-150000.1.3.1 * SUSE Linux Enterprise Micro 5.4 (noarch) * libicu73_2-bedata-73.2-150000.1.3.1 * libicu73_2-ledata-73.2-150000.1.3.1 * Basesystem Module 15-SP4 (aarch64 
ppc64le s390x x86_64) * libicu73_2-debuginfo-73.2-150000.1.3.1 * icu73_2-debuginfo-73.2-150000.1.3.1 * libicu73_2-73.2-150000.1.3.1 * icu73_2-debugsource-73.2-150000.1.3.1 * libicu73_2-devel-73.2-150000.1.3.1 * libicu73_2-doc-73.2-150000.1.3.1 * Basesystem Module 15-SP4 (noarch) * libicu73_2-bedata-73.2-150000.1.3.1 * libicu73_2-ledata-73.2-150000.1.3.1 * Basesystem Module 15-SP5 (aarch64 ppc64le s390x x86_64) * libicu73_2-debuginfo-73.2-150000.1.3.1 * icu73_2-debuginfo-73.2-150000.1.3.1 * libicu73_2-73.2-150000.1.3.1 * icu73_2-debugsource-73.2-150000.1.3.1 * libicu73_2-devel-73.2-150000.1.3.1 * libicu73_2-doc-73.2-150000.1.3.1 * Basesystem Module 15-SP5 (noarch) * libicu73_2-bedata-73.2-150000.1.3.1 * libicu73_2-ledata-73.2-150000.1.3.1 * SUSE Manager Proxy 4.2 (x86_64) * libicu73_2-debuginfo-73.2-150000.1.3.1 * icu73_2-debuginfo-73.2-150000.1.3.1 * libicu73_2-73.2-150000.1.3.1 * icu73_2-debugsource-73.2-150000.1.3.1 * libicu73_2-devel-73.2-150000.1.3.1 * libicu73_2-doc-73.2-150000.1.3.1 * SUSE Manager Proxy 4.2 (noarch) * libicu73_2-ledata-73.2-150000.1.3.1 ## References: * https://www.suse.com/security/cve/CVE-2020-10531.html * https://www.suse.com/security/cve/CVE-2020-21913.html * https://bugzilla.suse.com/show_bug.cgi?id=1030253 * https://bugzilla.suse.com/show_bug.cgi?id=1095425 * https://bugzilla.suse.com/show_bug.cgi?id=1103893 * https://bugzilla.suse.com/show_bug.cgi?id=1112183 * https://bugzilla.suse.com/show_bug.cgi?id=1146907 * https://bugzilla.suse.com/show_bug.cgi?id=1158955 * https://bugzilla.suse.com/show_bug.cgi?id=1159131 * https://bugzilla.suse.com/show_bug.cgi?id=1161007 * https://bugzilla.suse.com/show_bug.cgi?id=1162882 * https://bugzilla.suse.com/show_bug.cgi?id=1166844 * https://bugzilla.suse.com/show_bug.cgi?id=1167603 * https://bugzilla.suse.com/show_bug.cgi?id=1182252 * https://bugzilla.suse.com/show_bug.cgi?id=1182645 * https://bugzilla.suse.com/show_bug.cgi?id=1192935 * https://bugzilla.suse.com/show_bug.cgi?id=1193951 * 
https://bugzilla.suse.com/show_bug.cgi?id=354372 * https://bugzilla.suse.com/show_bug.cgi?id=437293 * https://bugzilla.suse.com/show_bug.cgi?id=824262 . Crucial patch released for icu73_2. Various citations noted and guidelines presented for SUSE upgrade. SUSE Linux, Security Update, icu73 Improvements, Package Fixes. LinuxSecurity.com Team
MGASA-2023-0295 - Updated kernel packages fix security vulnerabilities

Publication date: 22 Oct 2023
URL: https://advisories.mageia.org/MGASA-2023-0295.html
Type: security
Affected Mageia releases: 9
CVE: CVE-2023-1076, CVE-2023-4155, CVE-2023-4921, CVE-2023-5197, CVE-2023-25775, CVE-2023-42754, CVE-2023-42756

This kernel update is based on upstream 6.4.16 and fixes or adds mitigations for at least the following security issues:

A flaw was found in the Linux Kernel. The tun/tap sockets have their socket UID hardcoded to 0 due to a type confusion in their initialization function. While this is often correct, as tuntap devices require CAP_NET_ADMIN, it may not always be the case, e.g., for a non-root user having only that capability. This would cause tun/tap sockets to be incorrectly treated in filtering/routing decisions, possibly bypassing network filters. (CVE-2023-1076)

A flaw was found in KVM AMD Secure Encrypted Virtualization (SEV) in the Linux kernel. A KVM guest using SEV-ES or SEV-SNP with multiple vCPUs can trigger a double fetch race condition vulnerability and invoke the `VMGEXIT` handler recursively. If an attacker manages to call the handler multiple times, they can trigger a stack overflow and cause a denial of service or potentially guest-to-host escape in kernel configurations without stack guard pages (`CONFIG_VMAP_STACK`). (CVE-2023-4155)

A use-after-free vulnerability in the Linux kernel's net/sched: sch_qfq component can be exploited to achieve local privilege escalation. When the plug qdisc is used as a class of the qfq qdisc, sending network packets triggers use-after-free in qfq_dequeue() due to the incorrect .peek handler of sch_plug and lack of error checking in agg_dequeue(). We recommend upgrading past commit 8fc134fee27f2263988ae38920bc03da416b03d8. (CVE-2023-4921)

A use-after-free vulnerability in the Linux kernel's netfilter: nf_tables component can be exploited to achieve local privilege escalation. Addition and removal of rules from chain bindings within the same transaction leads to use-after-free. We recommend upgrading past commit f15f29fd4779be8a418b66e9d52979bb6d6c2325. (CVE-2023-5197)

Improper access control in the Intel(R) Ethernet Controller RDMA driver for Linux before version 1.9.30 may allow an unauthenticated user to potentially enable escalation of privilege via network access. (CVE-2023-25775)

A NULL pointer dereference flaw was found in the Linux kernel ipv4 stack. The socket buffer (skb) was assumed to be associated with a device before calling __ip_options_compile, which is not always the case if the skb is re-routed by ipvs. This issue may allow a local user with CAP_NET_ADMIN privileges to crash the system. (CVE-2023-42754)

A flaw was found in the Netfilter subsystem of the Linux kernel. A race condition between IPSET_CMD_ADD and IPSET_CMD_SWAP can lead to a kernel panic due to the invocation of `__ip_set_put` on a wrong `set`. This issue may allow a local user to crash the system. (CVE-2023-42756)

For other upstream fixes in this update, see the referenced changelogs.

References:
- https://bugs.mageia.org/show_bug.cgi?id=32296
- https://cdn.kernel.org/pub/linux/kernel/v6.x/ChangeLog-6.4.10
- https://cdn.kernel.org/pub/linux/kernel/v6.x/ChangeLog-6.4.11
- https://cdn.kernel.org/pub/linux/kernel/v6.x/ChangeLog-6.4.12
- https://cdn.kernel.org/pub/linux/kernel/v6.x/ChangeLog-6.4.13
- https://cdn.kernel.org/pub/linux/kernel/v6.x/ChangeLog-6.4.14
- https://cdn.kernel.org/pub/linux/kernel/v6.x/ChangeLog-6.4.15
- https://cdn.kernel.org/pub/linux/kernel/v6.x/ChangeLog-6.4.16
- https://www.cve.org/CVERecord?id=CVE-2023-1076
- https://www.cve.org/CVERecord?id=CVE-2023-4155
- https://www.cve.org/CVERecord?id=CVE-2023-4921
- https://www.cve.org/CVERecord?id=CVE-2023-5197
- https://www.cve.org/CVERecord?id=CVE-2023-25775
- https://www.cve.org/CVERecord?id=CVE-2023-42754
- https://www.cve.org/CVERecord?id=CVE-2023-42756

SRPMS:
- 9/core/kernel-6.4.16-3.mga9
- 9/core/kmod-virtualbox-7.0.10-33.mga9
- 9/core/kmod-xtables-addons-3.24-48.mga9

Kernel package enhancement MDASA-2023-0298 resolves various security flaws for Mageia platforms. Maintain safety. Mageia Kernel Security, Kernel Update Risks, Privilege Escalation, Security Flaws Discovery. LinuxSecurity.com Team
# Security update for the Linux Kernel Announcement ID: SUSE-SU-2023:4057-1 Rating: important References: * #1202845 * #1213772 * #1213808 * #1214928 * #1214943 * #1214944 * #1214950 * #1214951 * #1214954 * #1214957 * #1214986 * #1214988 * #1214992 * #1214993 * #1215322 * #1215523 * #1215877 * #1215894 * #1215895 * #1215896 * #1215911 * #1215915 * #1215916 Cross-References: * CVE-2023-1192 * CVE-2023-1206 * CVE-2023-1859 * CVE-2023-2177 * CVE-2023-37453 * CVE-2023-39192 * CVE-2023-39193 * CVE-2023-39194 * CVE-2023-4155 * CVE-2023-42753 * CVE-2023-42754 * CVE-2023-4389 * CVE-2023-4563 * CVE-2023-4622 * CVE-2023-4623 * CVE-2023-4881 * CVE-2023-4921 * CVE-2023-5345 CVSS scores: * CVE-2023-1192 ( SUSE ): 6.5 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H * CVE-2023-1206 ( SUSE ): 5.9 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H * CVE-2023-1206 ( NVD ): 5.7 CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H * CVE-2023-1859 ( SUSE ): 1.9 CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:L * CVE-2023-1859 ( NVD ): 4.7 CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H * CVE-2023-2177 ( SUSE ): 5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H * CVE-2023-2177 ( NVD ): 5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H * CVE-2023-37453 ( SUSE ): 4.6 CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H * CVE-2023-37453 ( NVD ): 4.6 CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H * CVE-2023-39192 ( SUSE ): 6.0 CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:H * CVE-2023-39192 ( NVD ): 6.7 CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:L * CVE-2023-39193 ( SUSE ): 5.1 CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:L * CVE-2023-39193 ( NVD ): 5.1 CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:L * CVE-2023-39194 ( SUSE ): 3.2 CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:L/I:N/A:N * CVE-2023-39194 ( NVD ): 3.2 CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:L/I:N/A:N * CVE-2023-4155 ( SUSE ): 6.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H * CVE-2023-4155 ( NVD ): 5.3 
CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:N/I:N/A:H * CVE-2023-42753 ( NVD ): 7.0 CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H * CVE-2023-42754 ( SUSE ): 5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H * CVE-2023-42754 ( NVD ): 5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H * CVE-2023-4389 ( SUSE ): 5.8 CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:H * CVE-2023-4389 ( NVD ): 7.0 CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H * CVE-2023-4563 ( SUSE ): 0.0 CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:N * CVE-2023-4622 ( SUSE ): 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H * CVE-2023-4622 ( NVD ): 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H * CVE-2023-4623 ( SUSE ): 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H * CVE-2023-4623 ( NVD ): 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H * CVE-2023-4881 ( SUSE ): 6.1 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:L * CVE-2023-4881 ( NVD ): 6.1 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:H * CVE-2023-4921 ( SUSE ): 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H * CVE-2023-4921 ( NVD ): 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H * CVE-2023-5345 ( SUSE ): 7.0 CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H * CVE-2023-5345 ( NVD ): 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H Affected Products: * openSUSE Leap 15.4 * Public Cloud Module 15-SP4 * SUSE Linux Enterprise High Performance Computing 15 SP4 * SUSE Linux Enterprise Server 15 SP4 * SUSE Linux Enterprise Server for SAP Applications 15 SP4 * SUSE Manager Proxy 4.3 * SUSE Manager Retail Branch Server 4.3 * SUSE Manager Server 4.3 An update that solves 18 vulnerabilities and has five security fixes can now be installed. ## Description: The SUSE Linux Enterprise 15 SP4 Azure kernel was updated to receive various security and bugfixes. The following security bugs were fixed: * CVE-2023-4563: Fixed a use-after-free flaw in the nftables sub-component. This vulnerability could allow a local attacker to crash the system or lead to a kernel information leak problem. 
(bsc#1214727) * CVE-2023-39194: Fixed a flaw in the processing of state filters which could allow a local attacker to disclose sensitive information. (bsc#1215861) * CVE-2023-39193: Fixed a flaw in the processing of state filters which could allow a local attacker to disclose sensitive information. (bsc#1215860) * CVE-2023-39192: Fixed a flaw in the u32_match_it function which could allow a local attacker to disclose sensitive information. (bsc#1215858) * CVE-2023-42754: Fixed a null pointer dereference in ipv4_link_failure which could lead an authenticated attacker to trigger a DoS. (bsc#1215467) * CVE-2023-5345: Fixed a use-after-free vulnerability in the fs/smb/client component which could be exploited to achieve local privilege escalation. (bsc#1215899) * CVE-2023-4155: Fixed a flaw in KVM AMD Secure Encrypted Virtualization (SEV). An attacker can trigger a stack overflow and cause a denial of service or potentially guest-to-host escape in kernel configurations without stack guard pages. (bsc#1214022) * CVE-2023-4389: Fixed a reference counting issue in the Btrfs filesystem that could be exploited in order to leak internal kernel information or crash the system (bsc#1214351). * CVE-2023-42753: Fixed an array indexing vulnerability in the netfilter subsystem. This issue may have allowed a local user to crash the system or potentially escalate their privileges (bsc#1215150). * CVE-2023-1206: Fixed a hash collision flaw in the IPv6 connection lookup table. A user located in the local network or with a high bandwidth connection can increase the CPU usage of the server that accepts IPv6 connections up to 95% (bsc#1212703). * CVE-2023-4921: Fixed a use-after-free vulnerability in the QFQ network scheduler which could be exploited to achieve local privilege escalation (bsc#1215275). * CVE-2023-37453: Fixed oversight in SuperSpeed initialization (bsc#1213123). 
* CVE-2023-4622: Fixed a use-after-free vulnerability in the Unix domain sockets component which could be exploited to achieve local privilege escalation (bsc#1215117). * CVE-2023-4623: Fixed a use-after-free issue in the HFSC network scheduler which could be exploited to achieve local privilege escalation (bsc#1215115). * CVE-2023-1859: Fixed a use-after-free flaw in Xen transport for 9pfs which could be exploited to crash the system (bsc#1210169). * CVE-2023-4881: Fixed an out-of-bounds write flaw in the netfilter subsystem that could lead to potential information disclosure or a denial of service (bsc#1215221). * CVE-2023-2177: Fixed a null pointer dereference issue in the sctp network protocol which could allow a user to crash the system (bsc#1210643). * CVE-2023-1192: Fixed use-after-free in cifs_demultiplex_thread() (bsc#1208995). The following non-security bugs were fixed: * ALSA: hda/cirrus: Fix broken audio on hardware with two CS42L42 codecs (git-fixes). * ALSA: hda/realtek: Splitting the UX3402 into two separate models (git-fixes). * ARM: pxa: remove use of symbol_get() (git-fixes). * arm64: csum: Fix OoB access in IP checksum code for negative lengths (git-fixes). * arm64: module-plts: inline linux/moduleloader.h (git-fixes) * arm64: module: Use module_init_layout_section() to spot init sections (git-fixes) * arm64: sdei: abort running SDEI handlers during crash (git-fixes) * arm64: tegra: Update AHUB clock parent and rate (git-fixes) * arm64/fpsimd: Only provide the length to cpufeature for xCR registers (git-fixes) * ASoC: imx-audmix: Fix return error with devm_clk_get() (git-fixes). * ASoC: meson: spdifin: start hw on dai probe (git-fixes). * ASoC: soc-utils: Export snd_soc_dai_is_dummy() symbol (git-fixes). * ASoC: tegra: Fix redundant PLLA and PLLA_OUT0 updates (git-fixes). * ata: libata: disallow dev-initiated LPM transitions to unsupported states (git-fixes). * ata: pata_falcon: fix IO base selection for Q40 (git-fixes). 
* ata: pata_ftide010: Add missing MODULE_DESCRIPTION (git-fixes). * ata: sata_gemini: Add missing MODULE_DESCRIPTION (git-fixes). * backlight: gpio_backlight: Drop output GPIO direction check for initial power state (git-fixes). * blk-iocost: fix divide by 0 error in calc_lcoefs() (bsc#1214986). * blk-iocost: use spin_lock_irqsave in adjust_inuse_and_calc_cost (bsc#1214992). * block/mq-deadline: use correct way to throttling write requests (bsc#1214993). * Bluetooth: btsdio: fix use after free bug in btsdio_remove due to race condition (git-fixes). * bnx2x: new flag for track HW resource allocation (bsc#1202845 bsc#1215322). * bpf: Clear the probe_addr for uprobe (git-fixes). * btrfs: do not hold CPU for too long when defragging a file (bsc#1214988). * drm: gm12u320: Fix the timeout usage for usb_bulk_msg() (git-fixes). * drm/amd/display: fix the white screen issue when >= 64GB DRAM (git-fixes). * drm/amd/display: prevent potential division by zero errors (git-fixes). * drm/display: Do not assume dual mode adaptors support i2c sub-addressing (bsc#1213808). * drm/i915: mark requests for GuC virtual engines to avoid use-after-free (git-fixes). * drm/i915/gvt: Drop unused helper intel_vgpu_reset_gtt() (git-fixes). * drm/virtio: Correct drm_gem_shmem_get_sg_table() error handling (git-fixes). * drm/virtio: Use appropriate atomic state in virtio_gpu_plane_cleanup_fb() (git-fixes). * ext4: avoid potential data overflow in next_linear_group (bsc#1214951). * ext4: correct inline offset when handling xattrs in inode body (bsc#1214950). * ext4: fix memory leaks in ext4_fname_{setup_filename,prepare_lookup} (bsc#1214954). * ext4: fix wrong unit use in ext4_mb_clear_bb (bsc#1214943). * ext4: fix wrong unit use in ext4_mb_new_blocks (bsc#1214944). * ext4: get block from bh in ext4_free_blocks for fast commit replay (bsc#1214942). * ext4: reflect error codes from ext4_multi_mount_protect() to its callers (bsc#1214941). 
* ext4: Remove ext4 locking of moved directory (bsc#1214957). * ext4: set goal start correctly in ext4_mb_normalize_request (bsc#1214940). * fs: do not update freeing inode i_io_list (bsc#1214813). * fs: Establish locking order for unrelated directories (bsc#1214958). * fs: Lock moved directories (bsc#1214959). * fs: lockd: avoid possible wrong NULL parameter (git-fixes). * fs: no need to check source (bsc#1215752). * fs: record I_DIRTY_TIME even if inode already has I_DIRTY_INODE (bsc#1214813). * fuse: nlookup missing decrement in fuse_direntplus_link (bsc#1215581). * gve: Add AF_XDP zero-copy support for GQI-QPL format (bsc#1214479). * gve: Add XDP DROP and TX support for GQI-QPL format (bsc#1214479). * gve: Add XDP REDIRECT support for GQI-QPL format (bsc#1214479). * gve: Changes to add new TX queues (bsc#1214479). * gve: Control path for DQO-QPL (bsc#1214479). * gve: fix frag_list chaining (bsc#1214479). * gve: Fix gve interrupt names (bsc#1214479). * gve: RX path for DQO-QPL (bsc#1214479). * gve: trivial spell fix Recive to Receive (bsc#1214479). * gve: Tx path for DQO-QPL (bsc#1214479). * gve: Unify duplicate GQ min pkt desc size constants (bsc#1214479). * gve: use vmalloc_array and vcalloc (bsc#1214479). * gve: XDP support GQI-QPL: helper function changes (bsc#1214479). * hwrng: virtio - add an internal buffer (git-fixes). * hwrng: virtio - always add a pending request (git-fixes). * hwrng: virtio - do not wait on cleanup (git-fixes). * hwrng: virtio - do not waste entropy (git-fixes). * hwrng: virtio - Fix race on data_avail and actual data (git-fixes). * i2c: aspeed: Reset the i2c controller when timeout occurs (git-fixes). * i3c: master: svc: fix probe failure when no i3c device exist (git-fixes). * idr: fix param name in idr_alloc_cyclic() doc (git-fixes). * Input: tca6416-keypad - fix interrupt enable disbalance (git-fixes). * iommu/virtio: Detach domain on endpoint release (git-fixes). 
* jbd2: check 'jh->b_transaction' before removing it from checkpoint (bsc#1214953). * jbd2: correct the end of the journal recovery scan range (bsc#1214955). * jbd2: fix a race when checking checkpoint buffer busy (bsc#1214949). * jbd2: fix checkpoint cleanup performance regression (bsc#1214952). * jbd2: Fix wrongly judgement for buffer head removing while doing checkpoint (bsc#1214948). * jbd2: recheck chechpointing non-dirty buffer (bsc#1214945). * jbd2: remove journal_clean_one_cp_list() (bsc#1214947). * jbd2: remove t_checkpoint_io_list (bsc#1214946). * jbd2: restore t_checkpoint_io_list to maintain kABI (bsc#1214946). * kabi/severities: ignore mlx4 internal symbols * kconfig: fix possible buffer overflow (git-fixes). * KVM: s390: fix KVM_S390_GET_CMMA_BITS for GFNs in memslot holes (git-fixes bsc#1215915). * KVM: s390: interrupt: use READ_ONCE() before cmpxchg() (git-fixes bsc#1215896). * KVM: s390: pv: fix external interruption loop not always detected (git-fixes bsc#1215916). * KVM: s390: vsie: Fix the initialization of the epoch extension (epdx) field (git-fixes bsc#1215894). * KVM: s390: vsie: fix the length of APCB bitmap (git-fixes bsc#1215895). * KVM: s390/diag: fix racy access of physical cpu number in diag 9c handler (git-fixes bsc#1215911). * KVM: SVM: Remove a duplicate definition of VMCB_AVIC_APIC_BAR_MASK (git-fixes). * KVM: VMX: Fix header file dependency of asm/vmx.h (git-fixes). * KVM: x86: add support for CPUID leaf 0x80000021 (bsc#1213772). * KVM: x86: Fix clang -Wimplicit-fallthrough in do_host_cpuid() (git-fixes). * KVM: x86: Fix KVM_CAP_SYNC_REGS's sync_regs() TOCTOU issues (git-fixes). * KVM: x86: Move open-coded CPUID leaf 0x80000021 EAX bit propagation code (bsc#1213772). * KVM: x86: Propagate the AMD Automatic IBRS feature to the guest (bsc#1213772). * KVM: x86: synthesize CPUID leaf 0x80000021h if useful (bsc#1213772). * KVM: x86: work around QEMU issue with synthetic CPUID leaves (git-fixes). 
* KVM: x86/mmu: Include mmu.h in spte.h (git-fixes). * loop: Fix use-after-free issues (bsc#1214991). * loop: loop_set_status_from_info() check before assignment (bsc#1214990). * mlx4: Avoid resetting MLX4_INTFF_BONDING per driver (bsc#1187236). * mlx4: Connect the ethernet part to the auxiliary bus (bsc#1187236). * mlx4: Connect the infiniband part to the auxiliary bus (bsc#1187236). * mlx4: Delete custom device management logic (bsc#1187236). * mlx4: Get rid of the mlx4_interface.activate callback (bsc#1187236). * mlx4: Get rid of the mlx4_interface.get_dev callback (bsc#1187236). * mlx4: Move the bond work to the core driver (bsc#1187236). * mlx4: Register mlx4 devices to an auxiliary virtual bus (bsc#1187236). * mlx4: Rename member mlx4_en_dev.nb to netdev_nb (bsc#1187236). * mlx4: Replace the mlx4_interface.event callback with a notifier (bsc#1187236). * mlx4: Use 'void *' as the event param of mlx4_dispatch_event() (bsc#1187236). * module: Expose module_init_layout_section() (git-fixes) * net: do not allow gso_size to be set to GSO_BY_FRAGS (git-fixes). * net: mana: Add page pool for RX buffers (bsc#1214040). * net: mana: Configure hwc timeout from hardware (bsc#1214037). * net: phy: micrel: Correct bit assignments for phy_device flags (git-fixes). * net: usb: qmi_wwan: add Quectel EM05GV2 (git-fixes). * net/mlx4: Remove many unnecessary NULL values (bsc#1187236). * NFS: Guard against READDIR loop when entry names exceed MAXNAMELEN (git-fixes). * nfs/blocklayout: Use the passed in gfp flags (git-fixes). * NFS/pNFS: Fix assignment of xprtdata.cred (git-fixes). * NFS/pNFS: Report EINVAL errors from connect() to the server (git-fixes). * NFSD: da_addr_body field missing in some GETDEVICEINFO replies (git-fixes). * NFSD: fix change_info in NFSv4 RENAME replies (git-fixes). * NFSD: Fix race to FREE_STATEID and cl_revoked (git-fixes). * NFSv4: Fix dropped lock for racing OPEN and delegation return (git-fixes). 
* NFSv4: fix out path in __nfs4_get_acl_uncached (git-fixes). * NFSv4.2: fix error handling in nfs42_proc_getxattr (git-fixes). * NFSv4.2: fix handling of COPY ERR_OFFLOAD_NO_REQ (git-fixes). * NFSv4/pnfs: minor fix for cleanup path in nfs4_get_device_info (git-fixes). * ntb: Clean up tx tail index on link down (git-fixes). * ntb: Drop packets when qp link is down (git-fixes). * ntb: Fix calculation ntb_transport_tx_free_entry() (git-fixes). * nvme-auth: use chap->s2 to indicate bidirectional authentication (bsc#1214543). * nvme-tcp: add recovery_delay to sysfs (bsc#1201284). * nvme-tcp: delay error recovery until the next KATO interval (bsc#1201284). * nvme-tcp: Do not terminate commands when in RESETTING (bsc#1201284). * nvme-tcp: make 'err_work' a delayed work (bsc#1201284). * PCI: Free released resource after coalescing (git-fixes). * platform/mellanox: mlxbf-pmc: Fix potential buffer overflows (git-fixes). * platform/mellanox: mlxbf-pmc: Fix reading of unprogrammed events (git-fixes). * platform/mellanox: mlxbf-tmfifo: Drop jumbo frames (git-fixes). * platform/mellanox: mlxbf-tmfifo: Drop the Rx packet if no more descriptors (git-fixes). * platform/x86: intel_scu_ipc: Check status after timeout in busy_loop() (git-fixes). * platform/x86: intel_scu_ipc: Check status upon timeout in ipc_wait_for_interrupt() (git-fixes). * platform/x86: intel_scu_ipc: Do not override scu in intel_scu_ipc_dev_simple_command() (git-fixes). * platform/x86: intel_scu_ipc: Fail IPC send if still busy (git-fixes). * powerpc/fadump: make is_kdump_kernel() return false when fadump is active (bsc#1212639 ltc#202582). * powerpc/iommu: Fix notifiers being shared by PCI and VIO buses (bsc#1065729). * powerpc/rtas: mandate RTAS syscall filtering (bsc#1023051). * powerpc/xics: Remove unnecessary endian conversion (bsc#1065729). * printk: ringbuffer: Fix truncating buffer size min_t cast (bsc#1215875). * pwm: lpc32xx: Remove handling of PWM channels (git-fixes). 
* quota: add new helper dquot_active() (bsc#1214998). * quota: factor out dquot_write_dquot() (bsc#1214995). * quota: fix dqput() to follow the guarantees dquot_srcu should provide (bsc#1214963). * quota: fix warning in dqgrab() (bsc#1214962). * quota: Properly disable quotas when add_dquot_ref() fails (bsc#1214961). * quota: rename dquot_active() to inode_quota_active() (bsc#1214997). * s390: add z16 elf platform (git-fixes LTC#203789 bsc#1215956 LTC#203788 bsc#1215957). * s390/qeth: Do not call dev_close/dev_open (DOWN/UP) (bsc#1214873 git-fixes). * s390/zcrypt: do not leak memory if dev_set_name() fails (git-fixes bsc#1215148). * scsi: 3w-xxxx: Add error handling for initialization failure in tw_probe() (git-fixes). * scsi: 53c700: Check that command slot is not NULL (git-fixes). * scsi: core: Fix legacy /proc parsing buffer overflow (git-fixes). * scsi: core: Fix possible memory leak if device_add() fails (git-fixes). * scsi: fnic: Replace return codes in fnic_clean_pending_aborts() (git-fixes). * scsi: lpfc: Do not abuse UUID APIs and LPFC_COMPRESS_VMID_SIZE (git-fixes). * scsi: lpfc: Early return after marking final NLP_DROPPED flag in dev_loss_tmo (git-fixes). * scsi: lpfc: Fix the NULL vs IS_ERR() bug for debugfs_create_file() (git-fixes). * scsi: lpfc: Modify when a node should be put in device recovery mode during RSCN (git-fixes). * scsi: lpfc: Prevent use-after-free during rmmod with mapped NVMe rports (git-fixes). * scsi: lpfc: Remove reftag check in DIF paths (git-fixes). * scsi: qedf: Add synchronization between I/O completions and abort (bsc#1210658). * scsi: qedf: Fix firmware halt over suspend and resume (git-fixes). * scsi: qedf: Fix NULL dereference in error handling (git-fixes). * scsi: qedi: Fix firmware halt over suspend and resume (git-fixes). * scsi: qla2xxx: Add logs for SFP temperature monitoring (bsc#1214928). * scsi: qla2xxx: Allow 32-byte CDBs (bsc#1214928). * scsi: qla2xxx: Error code did not return to upper layer (bsc#1214928). 
* scsi: qla2xxx: Fix firmware resource tracking (bsc#1214928). * scsi: qla2xxx: Fix NULL vs IS_ERR() bug for debugfs_create_dir() (git-fixes). * scsi: qla2xxx: Fix smatch warn for qla_init_iocb_limit() (bsc#1214928). * scsi: qla2xxx: Flush mailbox commands on chip reset (bsc#1214928). * scsi: qla2xxx: Move resource to allow code reuse (bsc#1214928). * scsi: qla2xxx: Remove unsupported ql2xenabledif option (bsc#1214928). * scsi: qla2xxx: Remove unused declarations (bsc#1214928). * scsi: qla2xxx: Remove unused variables in qla24xx_build_scsi_type_6_iocbs() (bsc#1214928). * scsi: qla2xxx: Update version to 10.02.09.100-k (bsc#1214928). * scsi: qla2xxx: Use raw_smp_processor_id() instead of smp_processor_id() (git-fixes). * scsi: scsi_debug: Remove dead code (git-fixes). * scsi: snic: Fix double free in snic_tgt_create() (git-fixes). * scsi: snic: Fix possible memory leak if device_add() fails (git-fixes). * scsi: storvsc: Handle additional SRB status values (git-fixes). * scsi: zfcp: Fix a double put in zfcp_port_enqueue() (git-fixes bsc#1215941). * selftests: tracing: Fix to unmount tracefs for recovering environment (git-fixes). * SUNRPC: Mark the cred for revalidation if the server rejects it (git-fixes). * tcpm: Avoid soft reset when partner does not support get_status (git-fixes). * tracing: Fix race issue between cpu buffer write and swap (git-fixes). * tracing: Remove extra space at the end of hwlat_detector/mode (git-fixes). * tracing: Remove unnecessary copying of tr->current_trace (git-fixes). * uapi: stddef.h: Fix __DECLARE_FLEX_ARRAY for C++ (git-fixes). * udf: Fix extension of the last extent in the file (bsc#1214964). * udf: Fix file corruption when appending just after end of preallocated extent (bsc#1214965). * udf: Fix off-by-one error when discarding preallocation (bsc#1214966). * udf: Fix uninitialized array access for some pathnames (bsc#1214967). * uprobes/x86: Allow to probe a NOP instruction with 0x66 prefix (git-fixes). 
* usb: ehci: add workaround for chipidea PORTSC.PEC bug (git-fixes). * usb: ehci: move new member has_ci_pec_bug into hole (git-fixes). * usb: serial: option: add FOXCONN T99W368/T99W373 product (git-fixes). * usb: serial: option: add Quectel EM05G variant (0x030e) (git-fixes). * usb: typec: tcpci: clear the fault status bit (git-fixes). * usb: typec: tcpci: move tcpci.h to include/linux/usb/ (git-fixes). * vhost_vdpa: fix the crash in unmap a large memory (git-fixes). * vhost-scsi: unbreak any layout for response (git-fixes). * vhost: allow batching hint without size (git-fixes). * vhost: fix hung thread due to erroneous iotlb entries (git-fixes). * vhost: handle error while adding split ranges to iotlb (git-fixes). * virtio_net: add checking sq is full inside xdp xmit (git-fixes). * virtio_net: Fix probe failed when modprobe virtio_net (git-fixes). * virtio_net: reorder some funcs (git-fixes). * virtio_net: separate the logic of checking whether sq is full (git-fixes). * virtio_ring: fix avail_wrap_counter in virtqueue_add_packed (git-fixes). * virtio-mmio: do not break lifecycle of vm_dev (git-fixes). * virtio-net: fix race between set queues and probe (git-fixes). * virtio-net: set queues after driver_ok (git-fixes). * virtio-rng: make device ready before making request (git-fixes). * virtio: acknowledge all features before access (git-fixes). * vmcore: remove dependency with is_kdump_kernel() for exporting vmcore (bsc#1212639 ltc#202582). * watchdog: intel-mid_wdt: add MODULE_ALIAS() to allow auto-load (git-fixes). * word-at-a-time: use the same return type for has_zero regardless of endianness (bsc#1065729). * x86/alternative: Fix race in try_get_desc() (git-fixes). * x86/boot/e820: Fix typo in e820.c comment (git-fixes). * x86/bugs: Reset speculation control settings on init (git-fixes). * x86/cpu, kvm: Add the NO_NESTED_DATA_BP feature (bsc#1213772). * x86/cpu, kvm: Add the Null Selector Clears Base feature (bsc#1213772). 
* x86/cpu, kvm: Add the SMM_CTL MSR not present feature (bsc#1213772). * x86/cpu, kvm: Move X86_FEATURE_LFENCE_RDTSC to its native leaf (bsc#1213772). * x86/cpu: Add Lunar Lake M (git-fixes). * x86/cpu: Add model number for Intel Arrow Lake processor (git-fixes). * x86/cpu: Enable STIBP on AMD if Automatic IBRS is enabled (bsc#1213772). * x86/cpu: Support AMD Automatic IBRS (bsc#1213772). * x86/fpu: Take task_struct* in copy_sigframe_from_user_to_xstate() (git-fixes). * x86/head/64: Switch to KERNEL_CS as soon as new GDT is installed (git-fixes). * x86/i8259: Mark legacy PIC interrupts with IRQ_LEVEL (git-fixes). * x86/ioapic: Do not return 0 from arch_dynirq_lower_bound() (git-fixes). * x86/ioremap: Fix page aligned size calculation in __ioremap_caller() (git-fixes). * x86/mce: Retrieve poison range from hardware (git-fixes). * x86/mem_encrypt: Unbreak the AMD_MEM_ENCRYPT=n build (git-fixes). * x86/mm: Avoid incomplete Global INVLPG flushes (git-fixes). * x86/mm: Do not shuffle CPU entry areas without KASLR (git-fixes). * x86/purgatory: remove PGO flags (git-fixes). * x86/PVH: avoid 32-bit build warning when obtaining VGA console info (git-fixes). * x86/reboot: Disable virtualization in an emergency if SVM is supported (git-fixes). * x86/resctl: fix scheduler confusion with 'current' (git-fixes). * x86/resctrl: Fix task CLOSID/RMID update race (git-fixes). * x86/resctrl: Fix to restore to original value when re-enabling hardware prefetch register (git-fixes). * x86/rtc: Remove __init for runtime functions (git-fixes). * x86/sev: Make enc_dec_hypercall() accept a size instead of npages (bsc#1214635). * x86/sgx: Reduce delay and interference of enclave release (git-fixes). * x86/srso: Do not probe microcode in a guest (git-fixes). * x86/srso: Fix SBPB enablement for spec_rstack_overflow=off (git-fixes). * x86/srso: Fix srso_show_state() side effect (git-fixes). * x86/srso: Set CPUID feature bits independently of bug or mitigation status (git-fixes). 
* x86/virt: Force GIF=1 prior to disabling SVM (for reboot flows) (git-fixes). * xen: remove a confusing comment on auto-translated guest I/O (git-fixes). * xprtrdma: Remap Receive buffers after a reconnect (git-fixes). ## Special Instructions and Notes: * Please reboot the system after installing this update. ## Patch Instructions: To install this SUSE update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: * openSUSE Leap 15.4 zypper in -t patch SUSE-2023-4057=1 openSUSE-SLE-15.4-2023-4057=1 * Public Cloud Module 15-SP4 zypper in -t patch SUSE-SLE-Module-Public-Cloud-15-SP4-2023-4057=1 ## Package List: * openSUSE Leap 15.4 (aarch64 x86_64) * kernel-azure-optional-debuginfo-5.14.21-150400.14.69.1 * kernel-syms-azure-5.14.21-150400.14.69.1 * kernel-azure-debugsource-5.14.21-150400.14.69.1 * kernel-azure-optional-5.14.21-150400.14.69.1 * ocfs2-kmp-azure-5.14.21-150400.14.69.1 * cluster-md-kmp-azure-debuginfo-5.14.21-150400.14.69.1 * ocfs2-kmp-azure-debuginfo-5.14.21-150400.14.69.1 * dlm-kmp-azure-debuginfo-5.14.21-150400.14.69.1 * kernel-azure-debuginfo-5.14.21-150400.14.69.1 * cluster-md-kmp-azure-5.14.21-150400.14.69.1 * kernel-azure-devel-debuginfo-5.14.21-150400.14.69.1 * kernel-azure-extra-debuginfo-5.14.21-150400.14.69.1 * gfs2-kmp-azure-debuginfo-5.14.21-150400.14.69.1 * kselftests-kmp-azure-5.14.21-150400.14.69.1 * reiserfs-kmp-azure-5.14.21-150400.14.69.1 * kernel-azure-livepatch-devel-5.14.21-150400.14.69.1 * kernel-azure-extra-5.14.21-150400.14.69.1 * dlm-kmp-azure-5.14.21-150400.14.69.1 * kernel-azure-devel-5.14.21-150400.14.69.1 * gfs2-kmp-azure-5.14.21-150400.14.69.1 * kselftests-kmp-azure-debuginfo-5.14.21-150400.14.69.1 * reiserfs-kmp-azure-debuginfo-5.14.21-150400.14.69.1 * openSUSE Leap 15.4 (aarch64 nosrc x86_64) * kernel-azure-5.14.21-150400.14.69.1 * openSUSE Leap 15.4 (noarch) * kernel-devel-azure-5.14.21-150400.14.69.1 * 
kernel-source-azure-5.14.21-150400.14.69.1 * Public Cloud Module 15-SP4 (aarch64 nosrc x86_64) * kernel-azure-5.14.21-150400.14.69.1 * Public Cloud Module 15-SP4 (aarch64 x86_64) * kernel-azure-debugsource-5.14.21-150400.14.69.1 * kernel-azure-devel-debuginfo-5.14.21-150400.14.69.1 * kernel-azure-devel-5.14.21-150400.14.69.1 * kernel-syms-azure-5.14.21-150400.14.69.1 * kernel-azure-debuginfo-5.14.21-150400.14.69.1 * Public Cloud Module 15-SP4 (noarch) * kernel-devel-azure-5.14.21-150400.14.69.1 * kernel-source-azure-5.14.21-150400.14.69.1 ## References: * https://www.suse.com/security/cve/CVE-2023-1192.html * https://www.suse.com/security/cve/CVE-2023-1206.html * https://www.suse.com/security/cve/CVE-2023-1859.html * https://www.suse.com/security/cve/CVE-2023-2177.html * https://www.suse.com/security/cve/CVE-2023-37453.html * https://www.suse.com/security/cve/CVE-2023-39192.html * https://www.suse.com/security/cve/CVE-2023-39193.html * https://www.suse.com/security/cve/CVE-2023-39194.html * https://www.suse.com/security/cve/CVE-2023-4155.html * https://www.suse.com/security/cve/CVE-2023-42753.html * https://www.suse.com/security/cve/CVE-2023-42754.html * https://www.suse.com/security/cve/CVE-2023-4389.html * https://www.suse.com/security/cve/CVE-2023-4563.html * https://www.suse.com/security/cve/CVE-2023-4622.html * https://www.suse.com/security/cve/CVE-2023-4623.html * https://www.suse.com/security/cve/CVE-2023-4881.html * https://www.suse.com/security/cve/CVE-2023-4921.html * https://www.suse.com/security/cve/CVE-2023-5345.html * https://bugzilla.suse.com/show_bug.cgi?id=1202845 * https://bugzilla.suse.com/show_bug.cgi?id=1213772 * https://bugzilla.suse.com/show_bug.cgi?id=1213808 * https://bugzilla.suse.com/show_bug.cgi?id=1214928 *https://bugzilla.suse.com/show_bug.cgi?id=1214943 * https://bugzilla.suse.com/show_bug.cgi?id=1214944 * https://bugzilla.suse.com/show_bug.cgi?id=1214950 * https://bugzilla.suse.com/show_bug.cgi?id=1214951 * 
https://bugzilla.suse.com/show_bug.cgi?id=1214954 * https://bugzilla.suse.com/show_bug.cgi?id=1214957 * https://bugzilla.suse.com/show_bug.cgi?id=1214986 * https://bugzilla.suse.com/show_bug.cgi?id=1214988 * https://bugzilla.suse.com/show_bug.cgi?id=1214992 * https://bugzilla.suse.com/show_bug.cgi?id=1214993 * https://bugzilla.suse.com/show_bug.cgi?id=1215322 * https://bugzilla.suse.com/show_bug.cgi?id=1215523 * https://bugzilla.suse.com/show_bug.cgi?id=1215877 * https://bugzilla.suse.com/show_bug.cgi?id=1215894 * https://bugzilla.suse.com/show_bug.cgi?id=1215895 * https://bugzilla.suse.com/show_bug.cgi?id=1215896 * https://bugzilla.suse.com/show_bug.cgi?id=1215911 * https://bugzilla.suse.com/show_bug.cgi?id=1215915 * https://bugzilla.suse.com/show_bug.cgi?id=1215916 . SUSE reveals critical kernel patch addressing 18 vulnerabilities, safeguarding system stability. Update immediately!. SUSE Linux Update, Kernel Security, System Integrity, Local Privilege Escalation, DoS Fixes. . Severity: Important. LinuxSecurity.com Team