- augeas
-
- add augeas-sysctl_parsing.patch (bsc#1197443)
* backport original patch
- bash
-
- Add bsc1197674.patch to fix memory leak in array asignment (bsc#1197674)
- bind
-
- When using forwarders, bogus NS records supplied by, or via, those
forwarders may be cached and used by named if it needs to recurse
for any reason, causing it to obtain and pass on potentially
incorrect answers.
[CVE-2021-25220, bsc#1197135, bind-9.11.37-0001-CVE-2021-25220.patch]
- cifs-utils
-
- CVE-2022-27239: mount.cifs: fix length check for ip option
parsing; (bsc#1197216) (bso#15025); CVE-2022-27239.
* add 0016-CVE-2022-27239-mount.cifs-fix-length-check-for-ip-op.patch
- cloud-regionsrv-client
-
- Update to version 10.0.3 (bsc#1198389)
- Descend into the extension tree even if top level module is recommended
- Cache license state for AHB support to detect type switch
- Properly clean suse.com credentials when switching from SCC to update
infrastructure
- New log message to indicate base product registration success
- Update to version 10.0.2
+ Fix name of logfile in error message
+ Fix variable scoping to properly detect registration error
+ Cleanup any artifacts on registration failure
+ Fix latent bug with /etc/hosts population
+ Do not throw error when attemting to unregister a system that is not
registered
+ Skip extension registration if the extension is recommended by the
baseproduct as it gets automatically installed
- Update to version 10.0.1 (bsc#1197113)
+ Provide status feedback on registration, success or failure
+ Log warning message if data provider is configured but no data
can be retrieved
- Update -addon-azure to 1.0.3 follow up fix for (bsc#1195414, bsc#1195564)
+ The repo enablement timer cannot depend on guestregister.service
- Update -addon-azure to 1.0.2 (bsc#1196305)
+ The is-registered() function expects a string of the update server FQDN.
The regionsrv-enabler-azure passed an Object of type SMT. Fix the call
in regionsrv-enabler-azure.
- Update -plugin-azure to 2.0.0 (bsc#1196146)
+ Lower case the region hint to reduce issues with Azure region name
case inconsistencies
- Update to version 10.0.0 (bsc#1195414, bsc#1195564)
+ Refactor removes check_registration() function in utils implementation
+ Only start the registration service for PAYG images
- addon-azure sub-package to version 1.0.1
- Follow up changes to (jsc#PCT-130, bsc#1182026)
+ Fix executable name for AHB service/timer
+ Update manpage for BYOS instance registration
- coreutils
-
- Add coreutils-du-fts-xfs-noleaf.patch to remove problematic
special leaf optimization cases for XFS that can lead to du
crashes. (bsc#1190354)
- cyrus-sasl
-
- CVE-2022-24407: cyrus-sasl: SQL injection in sql_auxprop_store
in plugins/sql.c (bsc#1196036)
o add upstream patch:
0001-CVE-2022-24407-Escape-password-for-SQL-insert-update.patch
- cyrus-sasl-saslauthd
-
- CVE-2022-24407: cyrus-sasl: SQL injection in sql_auxprop_store
in plugins/sql.c (bsc#1196036)
o add upstream patch:
0001-CVE-2022-24407-Escape-password-for-SQL-insert-update.patch
- e2fsprogs
-
- libext2fs-add-sanity-check-to-extent-manipulation.patch: libext2fs: add
sanity check to extent manipulation (bsc#1198446 CVE-2022-1304)
- expat
-
- Security fixes:
* (CVE-2022-25236, bsc#1196784) [>=2.4.5] Fix to CVE-2022-25236
breaks biboumi, ClairMeta, jxmlease, libwbxml,
openleadr-python, rnv, xmltodict
- Added expat-CVE-2022-25236-relax-fix.patch
- Security fixes:
* (CVE-2022-25236, bsc#1196025) Expat before 2.4.5 allows
attackers to insert namespace-separator characters into
namespace URIs
- Added expat-CVE-2022-25236.patch
* (CVE-2022-25235, bsc#1196026) xmltok_impl.c in Expat before
2.4.5 does not check whether a UTF-8 character is valid in a
certain context.
- Added expat-CVE-2022-25235.patch
* (CVE-2022-25313, bsc#1196168) Stack exhaustion in
build_model() via uncontrolled recursion
- Added expat-CVE-2022-25313.patch
- The fix upstream introduced a regression that was later
amended in 2.4.6 version
+ Added expat-CVE-2022-25313-fix-regression.patch
* (CVE-2022-25314, bsc#1196169) Integer overflow in copyString
- Added expat-CVE-2022-25314-before.patch
- Added expat-CVE-2022-25314.patch
* (CVE-2022-25315, bsc#1196171) Integer overflow in storeRawNames
- Added expat-CVE-2022-25315.patch
- Security fix (CVE-2022-23852, bsc#1195054)
* Expat (aka libexpat) before 2.4.4 has a signed integer overflow
in XML_GetBuffer, for configurations with a nonzero
XML_CONTEXT_BYTES
* Add tests for CVE-2022-23852.
* Added expat-CVE-2022-23852.patch
- Security fix (CVE-2022-23990, bsc#1195217)
* Fix unsigned integer overflow in function doProlog triggered
by large content in element type declarations when there is
an element declaration handler present (from a prior call to
XML_SetElementDeclHandler).
* Add expat-CVE-2022-23990.patch
* Added expat-CVE-2022-22827.patch
- gcc11
-
- Add a list of Obsoletes to libstdc++6-pp-gcc11 so updates from
packages provided by older GCC work. Add a requires from that
package to the corresponding libstc++6 package to keep those
at the same version. [bsc#1196107]
- Add gcc11-D-dependence-fix.patch to fix memory corruption when
creating dependences with the D language frontend.
- Sync cross.spec.in to avoid trying to build cross-aarch64-gcc1-bootstrap
on aarch64 which is unresolvable.
- Add gcc11-PIE, similar to gcc-PIE but affecting gcc11 [bsc#1195628]
- Put libstdc++6-pp Requires on the shared library and drop
to Recommends.
- glib2
-
- Add glib2-CVE-2021-3800.patch: Fix a flaw due to random charset
alias, pkexec can leak content from files owned by privileged
users to unprivileged ones under the right condition (bsc#1191489,
glgo#GNOME/glib!1369)
- glibc
-
- clnt-create-unix-overflow.patch: Buffer overflow in sunrpc clnt_create
for "/unix"/ (CVE-2022-23219, bsc#1194768, BZ #22542)
- svcunix-create-overflow.patch: Buffer overflow in sunrpc svcunix_create
(CVE-2022-23218, bsc#1194770, BZ #28768)
- getcwd-erange.patch: getcwd: Set errno to ERANGE for size == 1
(CVE-2021-3999, bsc#1194640, BZ #28769)
- hton-identity.patch: Make endian-conversion macros always return correct
types (bsc#1193478, BZ #16458)
- dl-sort-maps.patch, dlopen-filter-object.patch: Allow dlopen of filter
object to work (bsc#1192620, BZ #16272)
- cancelable-syscall-stack-align.patch: x86: fix stack alignment in
cancelable syscall stub (bsc#1191835)
- gzip
-
- Add hardening for zgrep (CVE-2022-1271, bsc#1198062)
* bsc1198062-2.patch
- Fix escaping of malicious filenames (CVE-2022-1271 bsc#1198062)
* bsc1198062.patch
- kdump
-
- Update kdump-add-watchdog-modules.patch
Fix return code when no watchdog sysfs entry is found (bsc#1197069)
- kernel-default
-
- Update
patches.suse/llc-fix-netdevice-reference-leaks-in-llc_ui_bind.patch
references (add CVE-2022-28356 bsc#1197391).
- commit 658b50e
- netfilter: nf_tables: initialize registers in nft_do_chain()
(CVE-2022-1016 bsc#1197227).
- commit 4726ea9
- llc: fix netdevice reference leaks in llc_ui_bind() (git-fixes).
- commit caaa7d4
- can: mcba_usb: mcba_usb_start_xmit(): fix double dev_kfree_skb
in error path (CVE-2022-28389 bsc#1198033).
- can: usb_8dev: usb_8dev_start_xmit(): fix double dev_kfree_skb()
in error path (CVE-2022-28388 bsc#1198032).
- can: ems_usb: ems_usb_start_xmit(): fix double dev_kfree_skb()
in error path (CVE-2022-28390 bsc#1198031).
- commit 2396928
- tcp: add some entropy in __inet_hash_connect() (bsc#1180153).
- tcp: change source port randomizarion at connect() time
(bsc#1180153).
- commit c5e24fe
- xprtrdma: fix incorrect header size calculations (CVE-2022-0812
bsc#1196639).
- commit 19d5b1d
- ALSA: pcm: Fix potential AB/BA lock with buffer_mutex and
mmap_lock (CVE-2022-1048 bsc#1197331).
- Refresh
patches.kabi/ALSA-kABI-workaround-for-snd_pcm_runtime-changes.patch.
- commit 62bc950
- series sort
- commit 6f57f5d
- ext4: fix kernel infoleak via ext4_extent_header (bsc#1189562
bsc#1196761 CVE-2022-0850).
- commit 91866e7
- Update patches.suse/sr9700-sanity-check-for-packet-length.patch
(bsc#1196836 CVE-2022-26966).
fixed typo in References
- commit e04f4f1
- x86/tsc: Make calibration refinement more robust (bsc#1196573).
- commit cbea5b9
- esp: Fix possible buffer overflow in ESP transformation
(bsc#1197131 CVE-2022-0886).
- commit d9e58bc
- Refresh patches.suse/xfrm-fix-mtu-regression.patch.
- commit 0ee241b
- quota: check block number when reading the block in quota file
(bsc#1197366 CVE-2021-45868).
- commit b7d9616
- ALSA: kABI workaround for snd_pcm_runtime changes (CVE-2022-1048
bsc#1197331).
- Refresh patches.kabi/ALSA-pcm-oss-rw_ref-kabi-fix.patch.
- commit f284bec
- Fixing a series_sort.py issue for a patch
The patch: blk-mq-move-_blk_mq_update_nr_hw_queues-synchronize_rcu-call
was placed at the end of the sorted section by series_insert.py at
one time, but now series_sort.py is complaining. So move this patch
to later in series.conf, outside of the sorted section, making
series_sort.py happy.
- commit a65cae5
- ALSA: pcm: Fix races among concurrent prealloc proc writes
(CVE-2022-1048 bsc#1197331).
- ALSA: pcm: Fix races among concurrent prepare and
hw_params/hw_free calls (CVE-2022-1048 bsc#1197331).
- ALSA: pcm: Fix races among concurrent read/write and buffer
changes (CVE-2022-1048 bsc#1197331).
- ALSA: pcm: Fix races among concurrent hw_params and hw_free
calls (CVE-2022-1048 bsc#1197331).
- commit 0f72275
- macros.kernel-source: Fix conditional expansion.
Fixes: bb95fef3cf19 ("/rpm: Use bash for %() expansion (jsc#SLE-18234)."/)
- commit 7e857f7
- rpm: Use bash for %() expansion (jsc#SLE-18234).
Since 15.4 alternatives for /bin/sh are provided by packages
<something>-sh. While the interpreter for the build script can be
selected the interpreter for %() cannot.
The kernel spec files use bashisms in %().
While this could technically be fixed there is more serious underlying
problem: neither bash nor any of the alternatives are 100% POSIX
compliant nor bug-free.
It is not my intent to maintain bug compatibility with any number of
shells for shell scripts embedded in the kernel spec file. The spec file
syntax is not documented so embedding the shell script in it causes some
unspecified transformation to be applied to it. That means that
ultimately any changes must be tested by building the kernel, n times if
n shells are supported.
To reduce maintenance effort require that bash is used for kernel build
always.
- commit bb95fef
- net: usb: ax88179_178a: Fix out-of-bounds accesses in RX fixup
(bsc#1196018).
- commit 95d7e2c
- net: usb: ax88179_178a: fix packet alignment padding
(bsc#1196018).
- commit 065384f
- ax88179_178a: Merge memcpy + le32_to_cpus to get_unaligned_le32
(bsc#1196018).
- commit f59903f
- Update patches.suse/sr9700-sanity-check-for-packet-length.patch
(bac#1196836 CVE-2022-26966).
added CVE number
- commit 7e940d6
- rpm: Run external scriptlets on uninstall only when available
(bsc#1196514 bsc#1196114 bsc#1196942).
When dependency cycles are encountered package dependencies may not be
fulfilled during zypper transaction at the time scriptlets are run.
This is a problem for kernel scriptlets provided by suse-module-tools
when migrating to a SLE release that provides these scriptlets only as
part of LTSS. The suse-module-tools that provides kernel scriptlets may
be removed early causing migration to fail.
- commit ab8dd2d
- rpm: SC2006: Use $(...) notation instead of legacy backticked `...`.
- commit f0d0e90
- rpm/kernel-source.spec.in: call fdupes per subpackage
It is a waste of time to do a global fdupes when we have
subpackages.
- commit 1da8439
- net: sched: use Qdisc rcu API instead of relying on rtnl lock
(bsc#1196973 CVE-2021-39713).
- net: sched: add helper function to take reference to Qdisc
(bsc#1196973 CVE-2021-39713).
- net: sched: extend Qdisc with rcu (bsc#1196973 CVE-2021-39713).
- net: sched: rename qdisc_destroy() to qdisc_put() (bsc#1196973
CVE-2021-39713).
- net: core: netlink: add helper refcount dec and lock function
(bsc#1196973 CVE-2021-39713).
- commit a22ecb0
- xen/netfront: react properly to failing
gnttab_end_foreign_access_ref() (bsc#1196488, XSA-396,
CVE-2022-23042).
- commit 2b38f30
- xen/gnttab: fix gnttab_end_foreign_access() without page
specified (bsc#1196488, XSA-396, CVE-2022-23041).
- commit 7149843
- xen/9p: use alloc/free_pages_exact() (bsc#1196488, XSA-396,
CVE-2022-23041).
- commit a920e1c
- xen/usb: don't use gnttab_end_foreign_access() in
xenhcd_gnttab_done() (bsc#1196488, XSA-396).
- commit e8ca175
- xen/gntalloc: don't use gnttab_query_foreign_access()
(bsc#1196488, XSA-396, CVE-2022-23039).
- commit 02e08de
- xen/scsifront: don't use gnttab_query_foreign_access() for
mapped status (bsc#1196488, XSA-396, CVE-2022-23038).
- commit 78fd62a
- xen/netfront: don't use gnttab_query_foreign_access() for
mapped status (bsc#1196488, XSA-396, CVE-2022-23037).
- commit 335a138
- xen/blkfront: don't use gnttab_query_foreign_access() for
mapped status (bsc#1196488, XSA-396, CVE-2022-23036).
- commit 69cc608
- xen/grant-table: add gnttab_try_end_foreign_access()
(bsc#1196488, XSA-396, CVE-2022-23036, CVE-2022-23038).
- commit d8d4a06
- xen/xenbus: don't let xenbus_grant_ring() remove grants in
error case (bsc#1196488, XSA-396, CVE-2022-23040).
- commit 9eb0e70
- genirq: Use rcu in kstat_irqs_usr() (bsc#1193738).
- commit b6e9db8
- rpm/arch-symbols,guards,*driver: Replace Novell with SUSE.
- commit 174a64f
- usb: host: xen-hcd: add missing unlock in error path
(git-fixes).
- commit af60176
- Refresh
patches.suse/0002-usb-Introduce-Xen-pvUSB-frontend-xen-hcd.patch.
- commit ee8e3fd
- Refresh
patches.suse/0001-usb-Add-Xen-pvUSB-protocol-description.patch.
- commit 29bb7f5
- rpm/kernel-docs.spec.in: use %%license for license declarations
Limited to SLE15+ to avoid compatibility nightmares.
- commit 73d560e
- rpm/*.spec.in: Use https:// urls
- commit 77b5f8e
- sr9700: sanity check for packet length (bsc#1196836).
- commit 7ac3395
- nfc: st21nfca: Fix potential buffer overflows in EVT_TRANSACTION
(CVE-2022-26490 bsc#1196830).
- commit 47ae8c5
- Update patch reference for iov security fix (CVE-2022-0847 bsc#1196584)
- commit 43f0d0b
- net/mlx5e: Fix page DMA map/unmap attributes (bsc#1196468).
- commit 4fdd4d6
- kernel-binary.spec: Also exclude the kernel signing key from devel package.
There is a check in OBS that fails when it is included. Also the key is
not reproducible.
Fixes: bb988d4625a3 ("/kernel-binary: Do not include sourcedir in certificate path."/)
- commit 68fa069
- rpm/check-for-config-changes: Ignore PAHOLE_VERSION.
- commit 88ba5ec
- lib/iov_iter: initialize "/flags"/ in new pipe_buffer
(bsc#1196584).
- commit 589ad87
- x86/speculation: Use generic retpoline by default on AMD
(bsc#1191580 CVE-2022-0001 CVE-2022-0002).
- commit 48c6ffe
- x86/speculation: Include unprivileged eBPF status in Spectre v2
mitigation reporting (bsc#1191580 CVE-2022-0001 CVE-2022-0002).
- Refresh
patches.suse/x86-speculation-add-special-register-buffer-data-sampling-srbds-mitigation.patch.
- commit 433d042
- x86/speculation: Add eIBRS + Retpoline options (bsc#1191580
CVE-2022-0001 CVE-2022-0002).
- Refresh
patches.suse/0001-x86-speculation-Add-basic-IBRS-support-infrastructur.patch.
- Refresh patches.suse/IBRS-forbid-shooting-in-foot.patch.
- commit 1e409f9
- crypto: af_alg - get_page upon reassignment to TX SGL
(bsc#1195840).
- commit f9977fb
- hv_netvsc: move VF to same namespace as netvsc device
(bsc#1107207).
- Refresh
patches.suse/hv_netvsc-ignore-devices-that-are-not-PCI.patch.
- commit 4149931
- hv_netvsc: fix network namespace issues with VF support
(bsc#1107207).
- Refresh
patches.suse/msft-hv-1755-hv_netvsc-fix-schedule-in-RCU-context.patch.
- commit 0206296
- x86/speculation: Rename RETPOLINE_AMD to RETPOLINE_LFENCE
(bsc#1191580 CVE-2022-0001 CVE-2022-0002).
- Refresh
patches.suse/0001-x86-speculation-Add-basic-IBRS-support-infrastructur.patch.
- commit 7560138
- Refresh
patches.suse/0001-x86-speculation-Add-basic-IBRS-support-infrastructur.patch.
- Delete patches.suse/do-not-default-to-ibrs-on-skl.patch.
Remove a statement which cancels itself out with the following patch
which removes it anyway.
- commit d8913d1
- x86,bugs: Unconditionally allow spectre_v2=retpoline,amd
(bsc#1191580 CVE-2022-0001 CVE-2022-0002).
- commit ffe3214
- udf: Restore i_lenAlloc when inode expansion fails (bsc#1196079
CVE-2022-0617).
- commit 2533a5b
- udf: Fix NULL ptr deref when converting from inline format
(bsc#1196079 CVE-2022-0617).
- commit 87d491f
- x86/speculation: Merge one test in
spectre_v2_user_select_mitigation() (bsc#1191580 CVE-2022-0001
CVE-2022-0002).
- commit 2dadfe9
- cpu/SMT: create and export cpu_smt_possible() (bsc#1191580
CVE-2022-0001 CVE-2022-0002).
- commit 0a4181d
- Update patch reference for vfs fix (CVE-2022-0644 bsc#1196155)
- commit 4656612
- NFSv4.x: by default serialize open/close operations (bsc#1114893 bsc#1195934).
Make this work-around for a server bug optional.
- commit 6204513
- f2fs: fix to do sanity check on inode type during garbage
collection (CVE-2021-44879 bsc#1195987).
- commit e8b60dc
- Update
patches.suse/0001-PCI-hv-Use-expected-affinity-when-unmasking-IRQ.patch
(bsc#1185973, bsc#1195536).
- commit 82f717d
- tipc: improve size validations for received domain records
(bsc#1195254, CVE-2022-0435).
- commit daaae48
- yam: fix a memory leak in yam_siocdevprivate() (CVE-2022-24959
bsc#1195897).
- commit 2b51111
- Update patches.suse/0001-mmc-moxart_remove-Fix-UAF.patch
(bsc#1194516 CVE-2022-0487).
- commit b3ff0d9
- kernel-binary: Do not include sourcedir in certificate path.
The certs macro runs before build directory is set up so it creates the
aggregate of supplied certificates in the source directory.
Using this file directly as the certificate in kernel config works but
embeds the source directory path in the kernel config.
To avoid this symlink the certificate to the build directory and use
relative path to refer to it.
Also fabricate a certificate in the same location in build directory
when none is provided.
- commit bb988d4
- constraints: Also adjust disk requirement for x86 and s390.
- commit 9719db0
- constraints: Increase disk space for aarch64
- commit 09c2882
- cgroup-v1: Require capabilities to set release_agent
(bsc#1195543 CVE-2022-0492).
- commit 25a96a7
- NFSv4: Handle case where the lookup of a directory fails
(bsc#1195612 CVE-2022-24448).
- commit fe40712
- Add Thomas Abraham as additional maintainer.
- commit df758e8
- Update
patches.suse/net-tipc-validate-domain-record-count-on-input.patch
(bsc#1195254 CVE-2022-0435).
- commit dfe5976
- kernel-obs-build: include 9p (boo#1195353)
To be able to share files between host and the qemu vm of the build
script, the 9p and 9p_virtio kernel modules need to be included in
the initrd of kernel-obs-build.
- commit 0cfe67a
- Update patch reference for BT fix (CVE-2021-3564 bsc#1186207)
- commit ea7857c
- Bluetooth: fix the erroneous flush_work() order (git-fixes).
- commit 9b1f0b0
- net: tipc: validate domain record count on input (bsc#1195254).
- commit eff4836
- phonet: refcount leak in pep_sock_accep (bsc#1193867,
CVE-2021-45095).
- commit 413134f
- xfrm: fix MTU regression (bsc#1185377, bsc#1194048).
- Delete
patches.suse/xfrm-xfrm_state_mtu-should-return-at-least-1280-for-.patch.
which caused a regression (bsc#1194048).
- Replace with an alternative fix for bsc#1185377
- commit 3800186
- net: mana: Add RX fencing (bsc#1193507).
- commit 6543648
- net: mana: Add XDP support (bsc#1193507).
- commit 0e16cf6
- net: mana: Fix spelling mistake "/calledd"/ -> "/called"/
(bsc#1193507).
- commit fb3ef5f
- net: mana: Support hibernation and kexec (bsc#1193507).
- commit 90dd5e6
- net: mana: Improve the HWC error handling (bsc#1193507).
- commit a5366c4
- net: mana: Fix the netdev_err()'s vPort argument in
mana_init_port() (bsc#1193507).
- commit 1269099
- net: mana: Allow setting the number of queues while the NIC
is down (bsc#1193507).
- commit 3e7cce9
- net: mana: Use kcalloc() instead of kzalloc() (bsc#1193507).
- commit 3d82622
- hv_netvsc: Set needed_headroom according to VF (bsc#1193507).
- commit 0c2b6fb
- hv_netvsc: Fix the queue_mapping in netvsc_vf_xmit()
(bsc#1193507).
- commit 1d9afac
- bpf: Verifer, adjust_scalar_min_max_vals to always call
update_reg_bounds() (bsc#1194227).
- commit c098fc7
- scsi: ufs: Correct the LUN used in eh_device_reset_handler()
callback (bsc#1193864 CVE-2021-39657).
- commit 39c5f8e
- usb: gadget: configfs: Fix use-after-free issue with udc_name
(bsc#1193861 CVE-2021-39648).
- commit 9ec119b
- fget: clarify and improve __fget_files() implementation
(bsc#1193727).
- commit 3ce5a50
- tee: handle lookup of shm with reference count 0 (bsc#1193767
CVE-2021-44733).
- commit 10b0db6
- kernel-binary.spec.in: Move 20-kernel-default-extra.conf to the correctr
directory (bsc#1195051).
- commit c80b5de
- drm/i915: Flush TLBs before releasing backing store
(CVE-2022-0330 bsc#1194880).
- commit bd11976
- kabi/severities: Add a kabi exception for drivers/tee/tee
According to the partner modules database, the structs of this driver
are not used by anything external so make a kABI exception for them.
Do that on purpose so that any external module using this fails to load
instead of causing a potential memory corruption due to a kabi
workaround which would use the same offset but for a different thing:
- struct dma_buf *dmabuf;
+ refcount_t refcount;
See upstream commit
dfd0743f1d9e ("/tee: handle lookup of shm with reference count 0"/)
- commit ac7feb6
- sctp: account stream padding length for reconf chunk
(bsc#1194985 CVE-2022-0322).
- commit f5ee3ee
- vfs: check fd has read access in kernel_read_file_from_fd() (bsc#1194888).
- commit b248150
- kernel-binary.spec: Do not use the default certificate path (bsc#1194943).
Using the the default path is broken since Linux 5.17
- commit 68b36f0
- moxart: fix potential use-after-free on remove path
(bsc#1194516).
- commit 5a3dfcb
- memstick: rtsx_usb_ms: fix UAF (bsc#1194516).
- commit 9692e25
- livepatch: Avoid CPU hogging with cond_resched (bsc#1071995).
- commit 0b7dd97
- watchdog: iTCO_wdt: Make ICH_RES_IO_SMI optional (bsc#1177101).
- commit 1d4ba2c
- watchdog: iTCO_wdt: Export vendorsupport (bsc#1177101).
- commit 22a54d0
- cgroup: Use open-time credentials for process migraton perm
checks (bsc#1194302 CVE-2021-4197).
- commit b76ad03
- NFC: add NCI_UNREG flag to eliminate the race (CVE-2021-4202
bsc#1194529).
- NFC: reorder the logic in nfc_{un,}register_device
(CVE-2021-4202 bsc#1194529).
- NFC: reorganize the functions in nci_request (CVE-2021-4202
bsc#1194529).
- commit 68b4b42
- Update patches.suse/tcp-fix-a-race-in-inet_diag_dump_icsk.patch
(networking-stable-19_01_04 bsc#1186222).
Fix bsc#1186222 by using proper atomic helper.
- commit bd29e90
- fget: check that the fd still exists after getting a ref to it
(bsc#1193727 CVE-2021-4083).
- commit 5441599
- kprobes: Limit max data_size of the kretprobe instances
(bsc#1193669).
- commit 3600b27
- btrfs: unlock newly allocated extent buffer after error (bsc#1194001, CVE-2021-4149).
- commit 0a8af05
- inet: use bigger hash table for IP ID generation (CVE-2021-45486
bsc#1194087).
- commit 0387442
- fix rpm build warning
tumbleweed rpm is adding these warnings to the log:
It's not recommended to have unversioned Obsoletes: Obsoletes: microcode_ctl
- commit 3ba8941
- recordmcount.pl: fix typo in s390 mcount regex (bsc#1192267).
- commit b8b1ef9
- recordmcount.pl: look for jgnop instruction as well as bcrl
on s390 (bsc#1192267).
- Delete patches.suse/ftrace-recordmcount-binutils.patch.
- commit 9b6815f
- Update config files.
- commit f87a32f
- af_unix: fix garbage collect vs MSG_PEEK (CVE-2021-0920
bsc#1193731).
- commit 167f0fb
- net: split out functions related to registering inflight socket
files (CVE-2021-0920 bsc#1193731).
- commit 8ec3ad8
- build initrd without systemd
This reduces the size of the initrd by over 25%, which
improves startup time of the virtual machine by 0.5-0.6s on
very fast machines, more on slower ones.
- commit ef4c569
- xen/netback: don't queue unlimited number of packages
(CVE-2021-28715 XSA-392 bsc#1193442).
- commit a67e40b
- xen/netback: fix rx queue stall detection (CVE-2021-28714
XSA-392 bsc#1193442).
- commit aa10f67
- xen/console: harden hvc_xen against event channel storms
(CVE-2021-28713 XSA-391 bsc#1193440).
- commit f9f6563
- xen/netfront: harden netfront against event channel storms
(CVE-2021-28712 XSA-391 bsc#1193440).
- commit 785c1f2
- xen/blkfront: harden blkfront against event channel storms
(CVE-2021-28711 XSA-391 bsc#1193440).
- commit adb747c
- tty: hvc: replace BUG_ON() with negative return value
(git-fixes).
- commit 24773f9
- xen/netfront: don't trust the backend response data blindly
(git-fixes).
- commit 61f473d
- xen/netfront: disentangle tx_skb_freelist (git-fixes).
- commit a27eb85
- xen/netfront: don't read data from request on the ring page
(git-fixes).
- commit d843191
- xen/netfront: read response from backend only once (git-fixes).
- commit 10c97f1
- xen/blkfront: don't trust the backend response data blindly
(git-fixes).
- commit 8238939
- xen/blkfront: don't take local copy of a request from the ring
page (git-fixes).
- commit 0c42763
- xen/blkfront: read response from backend only once (git-fixes).
- commit 7b30def
- xen: sync include/xen/interface/io/ring.h with Xen's newest
version (git-fixes).
- commit 0df7133
- kernel-obs-build: remove duplicated/unused parameters
lbs=0 - this parameters is just giving "/unused parameter"/ and it looks
like I can not find any version that implemented this.
rd.driver.pre=binfmt_misc is not needed when setup_obs is used, it
alread loads the kernel module.
quiet and panic=1 will now be also always added by OBS, so we don't have
to set it here anymore.
- commit 972c692
- ring-buffer: Protect ring_buffer_reset() from reentrancy
(CVE-2020-27825 bsc#1179960).
- commit 432ad3d
- bpf: fix truncated jump targets on heavy expansions (bsc#1193575
CVE-2018-25020).
- commit bf19161
- Revert "/- rpm/*build: use buildroot macro instead of env variable"/
buildroot macro is not being expanded inside a shell script. go
back to the environment variable usage. This reverts parts of
commit e2f60269b9330d7225b2547e057ef0859ccec155.
- commit fe85f96
- kernel-obs-build: include the preferred kernel parameters
Currently the Open Build Service hardcodes the kernel boot parameters
globally. Recently functionality was added to control the parameters
by the kernel-obs-build package, so make use of that. parameters here
will overwrite what is used by OBS otherwise.
- commit a631240
- kABI compatibility for struct l2tp_tunnel (bsc#1192032
CVE-2021-0935).
- commit 237dc6f
- l2tp: fix races with ipv4-mapped ipv6 addresses (bsc#1192032
CVE-2021-0935).
- commit 3f8483b
- kernel-obs-build: inform build service about virtio-serial
Inform the build worker code that this kernel supports virtio-serial,
which improves performance and relability of logging.
- commit 301a3a7
- rpm/*.spec.in: use buildroot macro instead of env variable
The RPM_BUILD_ROOT variable is considered deprecated over
a buildroot macro. future proof the spec files.
- commit e2f6026
- kernel-binary.spec: Fix kernel-default-base scriptlets after packaging
merge.
- commit 275c61a
- nouveau: Suppress sysfs bind (CVE-2020-27820 bsc#1179599).
- commit c2489c9
- hugetlbfs: flush TLBs correctly after huge_pmd_unshare
(bsc#1192946 (CVE-2021-4002)).
- commit c355959
- atlantic: Fix OOB read and write in hw_atl_utils_fw_rpc_wait
(bsc#1192845 CVE-2021-43975).
- commit c3c1eae
- rpm/kernel-binary.spec.in: don't strip vmlinux again (bsc#1193306)
After usrmerge, vmlinux file is not named vmlinux-<version>, but simply
vmlinux. And this is not reflected in STRIP_KEEP_SYMTAB we set.
So fix this by removing the dash...
- commit 83af88d
- ixgbe: fix large MTU request from VF (bsc#1192877
CVE-2021-33098).
- commit 56240b9
- Move upstreamed BT patch into sorted section
- commit a0f930a
- mwifiex: Fix skb_over_panic in mwifiex_usb_recv()
(CVE-2021-43976 bsc#1192847).
- commit c14a908
- brcmfmac: add CLM download support (bsc#1167162 CVE-2019-15126).
- commit 7737eec
- constraints: Build aarch64 on recent ARMv8.1 builders.
Request asimdrdm feature which is available only on recent ARMv8.1 CPUs.
This should prevent scheduling the kernel on an older slower builder.
- commit 60fc53f
- objtool: Support Clang non-section symbols in ORC generation
(bsc#1169514).
- commit 5ab2439
- elfcore: fix building with clang (bsc#1169514).
- commit b91821c
- x86/xen: Mark cpu_bringup_and_idle() as dead_end_function
(bsc#1169514).
- commit cf74b00
- kernel-source.spec: install-kernel-tools also required on 15.4
- commit 6cefb55
- kernel-*-subpackage: Add dependency on kernel scriptlets (bsc#1192740).
- commit a133bf4
- Fix problem with missing installkernel on Tumbleweed.
- commit 2ed6686
- rpm/kernel-obs-build.spec.in: move to zstd for the initrd
Newer distros have capability to decompress zstd, which
provides a 2-5% better compression ratio at very similar
cpu overhead. Plus this tests the zstd codepaths now as well.
- commit 3d53a5b
- rpm/kernel-obs-build.spec.in: reduce initrd functionality
For building in OBS, we always build inside a virtual machine
that gets a new, freshly created scratch filesystem image. So
we do not need to handle fscks because that ain't gonna happen,
as well as not we do not need to handle microcode update in the
initrd as these only can be run on the host system anyway. We
can also strip and hardlink as an additional optimisation that
should not significantly hurt.
- commit c72c6fc
- kernel-spec-macros: Since rpm 4.17 %verbose is unusable (bsc#1191229).
The semantic changed in an incompatible way so invoking the macro now
causes a build failure.
- commit 3e55f55
- rpm: use _rpmmacrodir (boo#1191384)
- commit e350c14
- kernel-binary.spec: Do not sign kernel when no key provided
(bsc#1187167).
- commit 6c24533
- kernel-binary.spec: suse-kernel-rpm-scriptlets required for uninstall as
well.
Fixes: e98096d5cf85 ("/rpm: Abolish scritplet templating (bsc#1189841)."/)
- commit e082fbf
- kernel-binary.spec: Check for no kernel signing certificates.
Also remove unused variable.
- commit bdc323e
- Revert "/rpm/kernel-binary.spec: Use only non-empty certificates."/
This reverts commit 30360abfb58aec2c9ee7b6a27edebe875c90029d.
- commit 413e05b
- rpm/kernel-binary.spec: Use only non-empty certificates.
- commit 30360ab
- fixup "/rpm: support gz and zst compression methods"/ once more
(bsc#1190428, bsc#1190358)
Fixes: 3b8c4d9bcc24 ("/rpm: support gz and zst compression methods"/)
Fixes: 23510fce36ec ("/fixup "/rpm: support gz and zst compression methods"/"/)
- commit 165378a
- fixup "/rpm: support gz and zst compression methods"/ once more
Fixes: 3b8c4d9bcc24 ("/rpm: support gz and zst compression methods"/)
Fixes: 23510fce36ec ("/fixup "/rpm: support gz and zst compression methods"/"/)
- commit 34e68f4
- fixup "/rpm: support gz and zst compression methods"/
Fixes: 3b8c4d9bcc24 ("/rpm: support gz and zst compression methods"/)
- commit 23510fc
- kernel-cert-subpackage: Fix certificate location in scriptlets
(bsc#1189841).
Fixes: d9a1357edd73 ("/rpm: Define $certs as rpm macro (bsc#1189841)."/)
- commit 8684de8
- kernel-binary.spec.in Stop templating the scriptlets for subpackages
(bsc#1190358).
The script part for base package case is completely separate from the
part for subpackages. Remove the part for subpackages from the base
package script and use the KMP scripts for subpackages instead.
- commit 5d1f677
- kernel-binary.spec: Do not fail silently when KMP is empty
(bsc#1190358).
Copy the code from kernel-module-subpackage that deals with empty KMPs.
- commit d7d2e6e
- rpm/kernel-source.spec.in: do some more for vanilla_only
Make sure:
* sources are NOT executable
* env is not used as interpreter
* timestamps are correct
We do all this for normal kernel builds, but not for vanilla_only
kernels (linux-next and vanilla).
- commit b41e4fd
- rpm: Fold kernel-devel and kernel-source scriptlets into spec files
(bsc#1189841).
These are unchanged since 2011 when they were introduced. No need to
track them separately.
- commit 692d38b
- rpm: Abolish image suffix (bsc#1189841).
This is used only with vanilla kernel which is not supported in any way.
The only effect is has is that the image and initrd symlinks are created
with this suffix.
These symlinks are not used except on s390 where the unsuffixed symlinks
are used by zipl.
There is no reason why a vanilla kernel could not be used with zipl as
well as it's quite unexpected to not be able to boot when only a vanilla
kernel is installed.
Finally we now have a backup zipl kernel so if the vanilla kernel is
indeed unsuitable the backup kernel can be used.
- commit e2f37db
- kernel-binary.spec: Define $image as rpm macro (bsc#1189841).
- commit e602b0f
- rpm: Define $certs as rpm macro (bsc#1189841).
Also pass around only the shortened hash rather than full filename.
As has been discussed in bsc#1124431 comment 51
https://bugzilla.suse.com/show_bug.cgi?id=1124431#c51 the placement of
the certificates is an API which cannot be changed unless we can ensure
that no two kernels that use different certificate location can be built
with the same certificate.
- commit d9a1357
- rpm: Abolish scritplet templating (bsc#1189841).
Outsource kernel-binary and KMP scriptlets to suse-module-tools.
This allows fixing bugs in the scriptlets as well as defining initrd
regeneration policy independent of the kernel packages.
- commit e98096d
- rpm/kernel-binary.spec.in: Use kmod-zstd provide.
This makes it possible to use kmod with ZSTD support on non-Tumbleweed.
- commit 357f09a
- rpm/kernel-binary.spec.in: avoid conflicting suse-release
suse-release has arbitrary values in staging, we can't use it for
dependencies. The filesystem one has to be enough (boo#1184804).
- commit 56f2cba
- rpm: fix kmp install path
- commit 22ec560
- post.sh: detect /usr mountpoint too
- commit c7b3d74
- kernel-binary.spec.in: make sure zstd is supported by kmod if used
- commit f36412b
- kernel-binary.spec.in: add zstd to BuildRequires if used
- commit aa61dba
- rpm: support gz and zst compression methods
Extend commit 18fcdff43a00 ("/rpm: support compressed modules"/) for
compression methods other than xz.
- commit 3b8c4d9
- kernel-binary.spec: Require dwarves for kernel-binary-devel when BTF is
enabled (jsc#SLE-17288).
About the pahole version: v1.18 should be bare mnimum, v1.22 should be
fully functional, for now we ship git snapshot with fixes on top of
v1.21.
- commit 8ba3382
- README: Modernize build instructions.
- commit 8cc5c28
- rpm/kernel-obs-build.spec.in: make builds reproducible (bsc#1189305)
- commit 7f9ade7
- Fix filesystem requirement and suse-release requires
Reduce filesystem conflict to anything less than 16 to allow pulling the
change into the next major stable version.
Don't require suse-release as that's not technically required. Conflict
with a too old one instead.
- commit 913f755
- rpm/kernel-source.rpmlintrc: ignore new include/config files
In 5.13, since 0e0345b77ac4, config files have no longer .h suffix.
Adapt the zero-length check.
Based on Martin Liska's change.
- commit b6f021b
- Add obsolete_rebuilds_subpackage (boo#1172073 bsc#1191731).
- commit f037781
- libsolv
-
- fix memory leaks in SWIG generated code
- fix misparsing of '&' in attributes with libxml2
- try to keep packages from a cycle close togther in the
transaction order [bsc#1189622]
- fix split provides not working if the update includes a
forbidden vendor change [bsc#1195485]
- fix segfault on conflict resolution when using bindings
- do not replace noarch problem rules with arch dependent ones
in problem reporting
- fix and simplify pool_vendor2mask implementation
- bump version to 0.6.39
- libtirpc
-
- fix memory leak in client protocol version 2 code (bsc#1193805)
- update: 0001-rpcb_clnt.c-config-to-try-protocolversion-2-first.patch
- libxml2
-
- Security fix: [bsc#1196490, CVE-2022-23308]
* Use-after-free of ID and IDREF attributes.
- Add libxml2-CVE-2022-23308.patch
- libzypp
-
- Hint on ptf resolver conflicts (bsc#1194848)
- Fix package signature check (bsc#184501)
Pay attention that header and payload are secured by a valid
signature and report more detailed which signature is missing.
- Set ZYPP_RPM_DEBUG=1 to capture verbose rpm command output.
- version 16.22.4 (0)
- mozilla-nss
-
- Mozilla NSS 3.68.3 (bsc#1197903)
This release improves the stability of NSS when used in a multi-threaded
environment. In particular, it fixes memory safety violations that
can occur when PKCS#11 tokens are removed while in use (CVE-2022-1097).
We presume that with enough effort these memory safety violations are exploitable.
* Remove token member from NSSSlot struct (bmo#1756271).
* Hold tokensLock through nssToken_GetSlot calls in nssTrustDomain_GetActiveSlots
(bmo#1755555).
* Check return value of PK11Slot_GetNSSToken (bmo#1370866).
- nfs-utils
-
- Add 0200-mountd-Initialize-logging-early.patch
If an error or warning message is produced before
closeall() is called, mountd gets confused and doesn't work.
(bsc#1194661)
- 0191-mount-don-t-bind-a-socket-needlessly.patch
Don't bind() a non-priv socket immediately before connecting,
as this wastes port numbers.
(bsc#1187922)
- openldap2
-
- bsc#1193296 - Resolve double free in sssvlv overlay
* 0223-ITS-8592-Fix-double-free-in-sssvlv-overlay.patch
- openssl-1_0_0
-
- Security Fix: [bsc#1196249]
* Allow CRYPTO_THREADID_set_callback to be called with NULL parameter
* Add openssl-CRYPTO_THREADID_set_callback.patch
- Security Fix: [bsc#1196877, CVE-2022-0778]
* Infinite loop in BN_mod_sqrt() reachable when parsing certificates
* Add openssl-CVE-2022-0778.patch
- polkit
-
- CVE-2021-4115: fixed a denial of service via file descriptor leak (bsc#1195542)
added CVE-2021-4115.patch
- psmisc
-
* Add a fallback if the system call name_to_handle_at() is
not supported by the used file system.
- Add patch psmisc-22.21-semaphores.patch
* Replace the synchronizing over pipes of the sub process for the
stat(2) system call with mutex and conditions from pthreads(7)
(bsc#1194172)
- Add patch psmisc-22.21-statx.patch
* Use statx(2) or SYS_statx system call to replace the stat(2)
system call and avoid the sub process at all (bsc#1194172)
- Change patch 0001-Use-mountinfo-to-be-able-to-use-the-mount-identity.patch
* Determine the namespace of a process only once to speed
up the parsing of fdinfo (bsc#1194172).
- Change patch 0001-Use-mountinfo-to-be-able-to-use-the-mount-identity.patch
- python
-
- python-2.7.9-sles-disable-verification-by-default.patch: removed,
was no longer been used (default was "/enabled"/ since a while).
- Update bundled pip wheel to the latest SLE version patched
against bsc#1186819 (CVE-2021-3572).
- Recover again proper value of %python2_package_prefix
(bsc#1175619).
- BuildRequire rpm-build-python: The provider to inject python(abi)
has been moved there. rpm-build pulls rpm-build-python
automatically in when building anything against python3-base, but
this implies that the initial build of python3-base does not
trigger the automatic installation.
- Older SLE versions should use old OpenSSL.
- Add CVE-2022-0391-urllib_parse-newline-parsing.patch
(bsc#1195396, CVE-2022-0391, bpo#43882) sanitizing URLs
containing ASCII newline and tabs in urlparse.
- Add CVE-2021-4189-ftplib-trust-PASV-resp.patch (bsc#1194146,
bpo#43285, CVE-2021-4189, gh#python/cpython#24838) make ftplib
not trust the PASV response.
- build against openssl 1.1.x (incompatible with openssl 3.0x)
for now.
- on sle12, python2 modules will still be called python-xxxx until EOL,
for newer SLE versions they will be python2-xxxx
- BuildRequire rpm-build-python: The provider to inject python(abi)
has been moved there. rpm-build pulls rpm-build-python
automatically in when building anything against python3-base, but
this implies that the initial build of python3-base does not
trigger the automatic installation.
- python-base
-
- python-2.7.9-sles-disable-verification-by-default.patch: removed,
was no longer been used (default was "/enabled"/ since a while).
- Update bundled pip wheel to the latest SLE version patched
against bsc#1186819 (CVE-2021-3572).
- Recover again proper value of %python2_package_prefix
(bsc#1175619).
- BuildRequire rpm-build-python: The provider to inject python(abi)
has been moved there. rpm-build pulls rpm-build-python
automatically in when building anything against python3-base, but
this implies that the initial build of python3-base does not
trigger the automatic installation.
- Older SLE versions should use old OpenSSL.
- Add CVE-2022-0391-urllib_parse-newline-parsing.patch
(bsc#1195396, CVE-2022-0391, bpo#43882) sanitizing URLs
containing ASCII newline and tabs in urlparse.
- Add CVE-2021-4189-ftplib-trust-PASV-resp.patch (bsc#1194146,
bpo#43285, CVE-2021-4189, gh#python/cpython#24838) make ftplib
not trust the PASV response.
- build against openssl 1.1.x (incompatible with openssl 3.0x)
for now.
- on sle12, python2 modules will still be called python-xxxx until EOL,
for newer SLE versions they will be python2-xxxx
- BuildRequire rpm-build-python: The provider to inject python(abi)
has been moved there. rpm-build pulls rpm-build-python
automatically in when building anything against python3-base, but
this implies that the initial build of python3-base does not
trigger the automatic installation.
- python3
-
- Update bundled pip wheel to the latest SLE version patched
against bsc#1186819 (CVE-2021-3572).
- Add CVE-2022-0391-urllib_parse-newline-parsing.patch
(bsc#1195396, CVE-2022-0391, bpo#43882) sanitizing URLs
containing ASCII newline and tabs in urlparse.
- Add CVE-2021-4189-ftplib-trust-PASV-resp.patch (bsc#1194146,
bpo#43285, CVE-2021-4189, gh#python/cpython#24838) make ftplib
not trust the PASV response.
- python3-base
-
- Update bundled pip wheel to the latest SLE version patched
against bsc#1186819 (CVE-2021-3572).
- Add CVE-2022-0391-urllib_parse-newline-parsing.patch
(bsc#1195396, CVE-2022-0391, bpo#43882) sanitizing URLs
containing ASCII newline and tabs in urlparse.
- Add CVE-2021-4189-ftplib-trust-PASV-resp.patch (bsc#1194146,
bpo#43285, CVE-2021-4189, gh#python/cpython#24838) make ftplib
not trust the PASV response.
- salt
-
- Clear network interfaces cache on grains request (bsc#1196050)
- Handle old qemu-img not supporting -U parameter (bsc#1195221)
- Added:
* clear-network-interface-cache-when-grains-are-reques.patch
* handle-old-qemu-img-not-supporting-u-parameter-bsc-1.patch
- Renamed:
* patch_for_cve_bsc1197417.patch -> fix-multiple-security-issues-bsc-1197417.patch
- Restrict "/state.orchestrate_single"/ to pass a pillar value if it exists (bsc#1194632)
- Added:
* fix-state.orchestrate_single-to-not-pass-pillar-none.patch
- Fix sparse disk errors on Python 2 (virt module)
- Added:
* python2-adjustments-for-virt-module.patch
- Fix multiple security fixes (bsc#1197417)
* Sign authentication replies to prevent MiTM (CVE-2020-22935)
* Sign pillar data to prevent MiTM attacks. (CVE-2022-22934)
* Prevent job and fileserver replays (CVE-2022-22936)
* Fixed targeting bug, especially visible when using syndic and user auth. (CVE-2022-22941)
- Added:
* patch_for_cve_bsc1197417.patch
- Fix inspector module export function (bsc#1097531)
- Wipe NOTIFY_SOCKET from env in cmdmod (bsc#1193357)
- Fix possible traceback on ip6_interface grain (bsc#1193565)
- Don't check for cached pillar errors on state.apply (bsc#1190781)
- Added:
* vendor-stateresult.patch
* fix-possible-traceback-on-ip6_interface-grain-bsc-11.patch
* state.apply-don-t-check-for-cached-pillar-errors.patch
* wipe-notify_socket-from-env-in-cmdmod-bsc-1193357-30.patch
* fix-inspector-module-export-function-bsc-1097531-478.patch
- Simplify "/transactional_update"/ module to not use SSH wrapper and allow more flexible execution
- Add "/--no-return-event"/ option to salt-call to prevent sending return event back to master.
- Make "/state.highstate"/ to acts on concurrent flag.
- Added:
* refactor-and-improvements-for-transactional-updates-.patch
- samba
-
- CVE-2021-44142: Out-of-Bound Read/Write on Samba vfs_fruit
module; (bsc#1194859); (bso#14914).
- supportutils-plugin-suse-public-cloud
-
- Update to version 1.0.6 (bsc#1195095, bsc#1195096)
+ Include cloud-init logs whenever they are present
+ Update the packages we track in AWS, Azure, and Google
+ Include the ecs logs for AWS ECS instances
- suse-build-key
-
- extended expiry of SUSE PTF key, move it to suse_ptf_key_old.asc
- added new SUSE PTF key with RSA2048 bit as suse_ptf_key.asc (bsc#1196494)
- extended expiry of SUSE SLES11 key (bsc#1194845)
- added SUSE Contaner signing key in PEM format for use e.g. by cosign.
- SUSE security key replaced with 2022 edition (E-Mail usage only). (bsc#1196495)
- removed old security key.
- systemd
-
- Import commit 81e1235110a58f78e4e7514b45a2897ceddadf88
8348b7f7ea systemd-coredump: allow setting external core size to infinity (bsc#1195899 jsc#SLE-23869 jsc#SLE-23871)
d827639164 systemctl: exit with 1 if no unit files found (bsc#1193841)
99d0949499 umount: show correct error message
16f9b8a5fa core/umount: fix unitialized fields in MountPoint in dm_list_get()
8f7b39e250 umount: Add more asserts and remove some unused arguments
6858714b68 umount: Fix memory leak
4a83c21fb1 mount-util: fix fd_is_mount_point() when both the parent and directory are network fs (bsc#1190984)
- Import commit 3fad90a5e2a1d0099ba2925793df42e0084cad35
dbf8419fdb busctl: add a timestamp to the output of the busctl monitor command (bsc#1180225 jsc#SLE-21861)
7a9abad886 sysctl: configure kernel parameters in the order they occur in each sysctl configuration files (#4205) (bsc#1191399)
7dd902bfa6 manager: reexecute on SIGRTMIN+25, user instances only
fb9e399bca basic/unit-name: do not use strdupa() on a path (bsc#1188063 CVE-2021-33910)
e0fde642ec logind: terminate cleanly on SIGTERM/SIGINT (bsc#1188018)
fe106cccdd units: make fsck/grows/makefs/makeswap units conflict against shutdown.target
- Make sure the versions of both udev and systemd packages are always the same (bsc#1189480)
- Avoid the error message when udev is updated due to udev being
already active when the sockets are started again (bsc#1188291)
- Drop 1001-basic-unit-name-do-not-use-strdupa-on-a-path.patch
It's been merged in branch SUSE/v228.
- Allow systemd sysusers config files to be overriden during system
installation (bsc#1171962).
- While at it, add a comment to explain why we don't use
%sysusers_create in %pre and why it should be safe in %post.
- tcpdump
-
- Security fix: [bsc#1195825, CVE-2018-16301]
* Fix segfault when handling large files
* Add tcpdump-CVE-2018-16301.patch
- timezone
-
- timezone update 2022a (bsc#1177460):
* Palestine will spring forward on 2022-03-27, not -03-26*
* zdump -v now outputs better failure indications
* Bug fixes for code that reads corrupted TZif data
- util-linux
-
- Apply a simple work-around for root owning of
/var/lib/libuuid/clock.txt (bsc#1194642#c66).
- Extend cache in uuid_generate_time_generic() (bsc#1194642#c51,
util-linux-libuuid-extend-cache.patch).
- Warn if uuidd lock state is not usable (bsc#1194642,
util-linux-uuidd-check-lock-state.patch).
- Fix "/su -s"/ bash completion
(bsc#1172427, util-linux-bash-completion-su-chsh-l.patch).
- ipcutils: Avoid potential memory allocation overflow
(bsc#1188921, CVE-2021-37600,
util-linux-ipcutils-overflow-CVE-2021-37600.patch).
- Fix ipcs testsuite (bsc#1178236#c19,
util-linux-ipcs-shmall-overflow-ts.patch).
- ipcs: Avoid overflows (bsc#1178236,
util-linux-ipcs-shmall-overflow-1.patch,
util-linux-ipcs-shmall-overflow-2.patch).
- libblkid: Do not trigger CDROM autoclose (bsc#1084671,
util-linux-libblkid-cdrom-autoclose-1.patch,
util-linux-libblkid-cdrom-autoclose-2.patch,
util-linux-libblkid-cdrom-autoclose-3.patch).
- Modernize patch util-linux-sulogin4bsc1175514.patch
* Try to autoconfigure broken serial lines
- Add patch util-linux-sulogin4bsc1175514.patch
Avoid sulogin failing on not existing or not functional console
devices (bsc#1175514)
- Build with libudev support to support non-root users
(boo#1169006).
- lscpu: avoid segfault on PowerPC systems with valid hardware
configurations
(bsc#1175623, bsc#1178554, bsc#1178825,
lscpu-avoid-segfault-on-PowerPC-systems-with-valid-h.patch)
- Fix for SG#57988, bsc#1174942:
libmount-fix-mount-a-EBUSY-for-cifs.patch: Fix warning on mounts
to CIFS with mount –a.
- blockdev: Do not fail --report on kpartx-style partitions on
multipath (bsc#1168235, util-linux-blockdev-report-dm.patch).
- nologin: Add support for -c to prevent error from su -c
(bsc#1151708, util-linux-nologin-su-c.patch).
- Add libmount-Avoid-triggering-autofs-in-lookup_umount_fs.patch:
Avoid triggering autofs in lookup_umount_fs_by_statfs
(boo#1168389)
- Issue a warning for outdated pam files
(bsc#1082293, boo#1081947#c68).
- Do not skip trim of file systems with bind mounts
(boo1089529, util-linux-fstrim-a-bindmount.patch).
- Do not trim read-only volumes
(boo#1106214, util-linux-fstrim-RO.patch).
- libmount: To prevent incorrect behavior, recognize more pseudofs
and netfs (bsc#1122417, util-linux-libmount-pseudofs.patch).
- Fix license of libraries: LGPL-2.1-or-later and BSD-3-Clause for
libuuid (bsc#1135708).
- raw.service: Add RemainAfterExit=yes (bsc#1135534).
- agetty: Reload issue only if it is really needed (bsc#1085196,
util-linux-agetty-smart-reload-01.patch,
util-linux-agetty-smart-reload-02.patch,
util-linux-agetty-smart-reload-03.patch,
util-linux-agetty-smart-reload-04.patch,
util-linux-agetty-smart-reload-05.patch,
util-linux-agetty-smart-reload-06.patch,
util-linux-agetty-smart-reload-07.patch,
util-linux-agetty-smart-reload-08.patch,
util-linux-agetty-smart-reload-09.patch,
util-linux-agetty-smart-reload-10.patch,
util-linux-agetty-smart-reload-11.patch,
util-linux-agetty-smart-reload-12.patch).
- agetty: Return previous response of agetty for special characters
(bsc#1085196, bsc#1125886,
util-linux-agetty-smart-reload-13.patch,
util-linux-agetty-smart-reload-14.patch).
- agetty BEHAVIOR CHANGE: Terminal switches to character mode when
entering logname; echo is generated by the agetty itself.
(In past, logname echo was generated locally by the terminal,
using the canonical line editing mode.)
- util-linux-systemd
-
- Apply a simple work-around for root owning of
/var/lib/libuuid/clock.txt (bsc#1194642#c66).
- Extend cache in uuid_generate_time_generic() (bsc#1194642#c51,
util-linux-libuuid-extend-cache.patch).
- Warn if uuidd lock state is not usable (bsc#1194642,
util-linux-uuidd-check-lock-state.patch).
- Fix "/su -s"/ bash completion
(bsc#1172427, util-linux-bash-completion-su-chsh-l.patch).
- ipcutils: Avoid potential memory allocation overflow
(bsc#1188921, CVE-2021-37600,
util-linux-ipcutils-overflow-CVE-2021-37600.patch).
- Fix ipcs testsuite (bsc#1178236#c19,
util-linux-ipcs-shmall-overflow-ts.patch).
- ipcs: Avoid overflows (bsc#1178236,
util-linux-ipcs-shmall-overflow-1.patch,
util-linux-ipcs-shmall-overflow-2.patch).
- libblkid: Do not trigger CDROM autoclose (bsc#1084671,
util-linux-libblkid-cdrom-autoclose-1.patch,
util-linux-libblkid-cdrom-autoclose-2.patch,
util-linux-libblkid-cdrom-autoclose-3.patch).
- Modernize patch util-linux-sulogin4bsc1175514.patch
* Try to autoconfigure broken serial lines
- Add patch util-linux-sulogin4bsc1175514.patch
Avoid sulogin failing on not existing or not functional console
devices (bsc#1175514)
- Build with libudev support to support non-root users
(boo#1169006).
- lscpu: avoid segfault on PowerPC systems with valid hardware
configurations
(bsc#1175623, bsc#1178554, bsc#1178825,
lscpu-avoid-segfault-on-PowerPC-systems-with-valid-h.patch)
- Fix for SG#57988, bsc#1174942:
libmount-fix-mount-a-EBUSY-for-cifs.patch: Fix warning on mounts
to CIFS with mount –a.
- blockdev: Do not fail --report on kpartx-style partitions on
multipath (bsc#1168235, util-linux-blockdev-report-dm.patch).
- nologin: Add support for -c to prevent error from su -c
(bsc#1151708, util-linux-nologin-su-c.patch).
- Add libmount-Avoid-triggering-autofs-in-lookup_umount_fs.patch:
Avoid triggering autofs in lookup_umount_fs_by_statfs
(boo#1168389)
- Issue a warning for outdated pam files
(bsc#1082293, boo#1081947#c68).
- Do not skip trim of file systems with bind mounts
(boo1089529, util-linux-fstrim-a-bindmount.patch).
- Do not trim read-only volumes
(boo#1106214, util-linux-fstrim-RO.patch).
- libmount: To prevent incorrect behavior, recognize more pseudofs
and netfs (bsc#1122417, util-linux-libmount-pseudofs.patch).
- Fix license of libraries: LGPL-2.1-or-later and BSD-3-Clause for
libuuid (bsc#1135708).
- raw.service: Add RemainAfterExit=yes (bsc#1135534).
- agetty: Reload issue only if it is really needed (bsc#1085196,
util-linux-agetty-smart-reload-01.patch,
util-linux-agetty-smart-reload-02.patch,
util-linux-agetty-smart-reload-03.patch,
util-linux-agetty-smart-reload-04.patch,
util-linux-agetty-smart-reload-05.patch,
util-linux-agetty-smart-reload-06.patch,
util-linux-agetty-smart-reload-07.patch,
util-linux-agetty-smart-reload-08.patch,
util-linux-agetty-smart-reload-09.patch,
util-linux-agetty-smart-reload-10.patch,
util-linux-agetty-smart-reload-11.patch,
util-linux-agetty-smart-reload-12.patch).
- agetty: Return previous response of agetty for special characters
(bsc#1085196, bsc#1125886,
util-linux-agetty-smart-reload-13.patch,
util-linux-agetty-smart-reload-14.patch).
- agetty BEHAVIOR CHANGE: Terminal switches to character mode when
entering logname; echo is generated by the agetty itself.
(In past, logname echo was generated locally by the terminal,
using the canonical line editing mode.)
- xen
-
- bsc#1197426 - VUL-0: CVE-2022-26358,CVE-2022-26359,
CVE-2022-26360,CVE-2022-26361: xen: IOMMU: RMRR (VT-d) and unity
map (AMD-Vi) handling issues (XSA-400)
624ebcef-VT-d-dont-needlessly-look-up-DID.patch
624ebd3b-VT-d-avoid-NULL-deref-on-dcmo-error-paths.patch
624ebd74-VT-d-avoid-infinite-recursion-on-dcmo-error-path.patch
- bsc#1197423 - VUL-0: CVE-2022-26356: xen: Racy interactions
between dirty vram tracking and paging log dirty hypercalls
(XSA-397)
xsa397.patch
- bsc#1197425 - VUL-0: CVE-2022-26357: xen: race in VT-d domain ID
cleanup (XSA-399)
xsa399.patch
- bsc#1197426 - VUL-0: CVE-2022-26358,CVE-2022-26359,
CVE-2022-26360,CVE-2022-26361: xen: IOMMU: RMRR (VT-d) and unity
map (AMD-Vi) handling issues (XSA-400)
xsa400-00a.patch
xsa400-00b.patch
xsa400-01.patch
xsa400-02.patch
xsa400-03.patch
xsa400-04.patch
xsa400-05.patch
xsa400-06.patch
xsa400-07.patch
xsa400-08.patch
xsa400-09.patch
xsa400-10.patch
xsa400-11.patch
- bsc#1196915 - VUL-0: CVE-2022-0001, CVE-2022-0002,CVE-2021-26401:
xen: BHB speculation issues (XSA-398)
xsa398.patch
- bsc#1194581 - VUL-0: CVE-2022-23034: xen: a PV guest could DoS
Xen while unmapping a grant (XSA-394)
xsa394.patch
- bsc#1194588 - VUL-0: CVE-2022-23035: xen: insufficient cleanup of
passed-through device IRQs (XSA-395)
xsa395.patch
- xz
-
- Fix ZDI-CAN-16587 Fix escaping of malicious filenames
(ZDI-CAN-16587 bsc#1198062 CVE-2022-1271)
* bsc1198062.patch
- zlib
-
- CVE-2018-25032: Fix memory corruption on deflate, bsc#1197459
* zlib-bsc1197459.patch
- zsh
-
- Added CVE-2019-20044.patch: fixes insecure dropping of privileges when
unsetting PRIVILEGED option (CVE-2019-20044 bsc#1163882)
- Add CVE-2018-1100.patch: it fixes buffer overflow in utils.c:checkmailpath()
can lead to local arbitrary code execution (CVE-2018-1100 bsc#1089030)
- Added CVE-2021-45444.patch: fixes a vulnerability in prompt expansion which
could be exploited through e.g. VCS_Info to execute arbitrary shell
commands (CVE-2021-45444 bsc#1196435)