- cloud-regionsrv-client
-
- Update to version 10.1.7 (bsc#1220164, bsc#1220165)
+ Fix the failover path to a new target update server. At present a new
server is not found since credential validation fails. We targeted
the server detected in down condition to verify the credentials instead
of the replacement server.
- avahi
-
- Add avahi-CVE-2023-38472.patch: Fix reachable assertion in
avahi_rdata_parse (bsc#1216853, CVE-2023-38472).
- Add avahi-CVE-2023-38470.patch: Ensure each label is at least one
byte long (bsc#1215947, CVE-2023-38470).
- Add avahi-CVE-2023-38471.patch: Extract host name usin
avahi_unescape_label (bsc#1216594, CVE-2023-38471).
- Add avahi-CVE-2023-38469.patch: Reject overly long TXT resource
records (bsc#1216598, CVE-2023-38469).
- vim
-
- Updated to version 9.1 with patch level 0330, fixes the following problems
* Fixing bsc#1220763 - vim gets Segmentation fault after updating to version 9.1.0111-150500.20.9.1
- refreshed vim-7.3-filetype_spec.patch
- refreshed vim-7.3-filetype_ftl.patch
- Update spec.skeleton to use autosetup in place of setup macro.
- for the complete list of changes see
https://github.com/vim/vim/compare/v9.1.0111...v9.1.0330
- Updated to version 9.1 with patch level 0111, fixes the following security problems
* Fixing bsc#1217316 (CVE-2023-48231) - VUL-0: CVE-2023-48231: vim: Use-After-Free in win_close()
* Fixing bsc#1217320 (CVE-2023-48232) - VUL-0: CVE-2023-48232: vim: Floating point Exception in adjust_plines_for_skipcol()
* Fixing bsc#1217321 (CVE-2023-48233) - VUL-0: CVE-2023-48233: vim: overflow with count for :s command
* Fixing bsc#1217324 (CVE-2023-48234) - VUL-0: CVE-2023-48234: vim: overflow in nv_z_get_count
* Fixing bsc#1217326 (CVE-2023-48235) - VUL-0: CVE-2023-48235: vim: overflow in ex address parsing
* Fixing bsc#1217329 (CVE-2023-48236) - VUL-0: CVE-2023-48236: vim: overflow in get_number
* Fixing bsc#1217330 (CVE-2023-48237) - VUL-0: CVE-2023-48237: vim: overflow in shift_line
* Fixing bsc#1217432 (CVE-2023-48706) - VUL-0: CVE-2023-48706: vim: heap-use-after-free in ex_substitute
* Fixing bsc#1219581 (CVE-2024-22667) - VUL-0: CVE-2024-22667: vim: stack-based buffer overflow in did_set_langmap function in map.c
* Fixing bsc#1215005 (CVE-2023-4750) - VUL-0: CVE-2023-4750: vim: Heap use-after-free in function bt_quickfix
- Revert the patch which caused GTK incompatibility problem
* Add: vim-9.1-revert-v9.1.86.patch
* This reverts commit 725c7c31a4c7603e688511d769b0addaab442d07
- for the complete list of changes see
https://github.com/vim/vim/compare/v9.0.2103...v9.1.0111
- krb5
-
- Fix warning executing %postun scriptlet; (bsc#1223122);
- Fix memory leaks, add patch 0015-Fix-two-unlikely-memory-leaks.patch
* CVE-2024-26458, bsc#1220770
* CVE-2024-26461, bsc#1220771
- Update to krb5 1.16.3 (jsc#PED-7884). Most relevant changes:
* Remove the triple-DES and RC4 encryption types from the default
value of supported_enctypes, which determines the default key
and salt types for new password-derived keys. By default, keys
will only created only for AES128 and AES256. This mitigates
some types of password guessing attacks.
* Add support for the AES-SHA2 enctypes, which allows sites to
conform to Suite B crypto requirements.
- Removed patches, useless or upstreamed
* krb5-1.10-kpasswd_tcp.patch
* krb5-1.7-doublelog.patch
* krb5-1.9-kprop-mktemp.patch
* krb5-1.10-ksu-access.patch
* krb5-kvno-230379.patch
* krb5-1.12-doxygen.patch
* bnc#897874-CVE-2014-5351.diff
* krb5-1.13-work-around-replay-cache-creation-race.patch
* 0104-Verify-decoded-kadmin-C-strings-CVE-2015-8629.patch
* 0105-Fix-leaks-in-kadmin-server-stubs-CVE-2015-8631.patch
* 0106-Check-for-null-kadm5-policy-name-CVE-2015-8630.patch
* 0109-Preserve-GSS-context-on-init-accept-failure.patch
* 0115-Remove-incorrect-KDC-assertion.patch
* 0116-Implement-GSS_KRB5_CRED_NO_CI_FLAGS_X-cred-option.patch
* 0117-Add-tests-for-GSS_KRB5_CRED_NO_CI_FLAGS_X.patch
* 0118-Implement-GSS_KRB5_CRED_NO_CI_FLAGS_X-for-SPNEGO.patch
* 0119-Load-mechglue-config-files-from-etc-gss-mech.d.patch
* 0120-Document-etc-gss-mech.d-.conf.patch
* 0121-Fix-impersonate_name-to-work-with-interposers.patch
* 0122-Use-preauth-options-when-changing-password.patch
* 0123-Improve-extended-gic-option-support.patch
* 0124-Use-responder-for-non-preauth-AS-requests.patch
- New patches:
* 0011-Fix-KDC-null-deref-on-bad-encrypted-challenge.patch
* 0012-Fix-KDC-null-deref-on-TGS-inner-body-null-server.patch
- Renamed patches:
* Patch krb5-1.12-pam.patch -> 0001-krb5-1.12-pam.patch
* Patch krb5-1.9-manpaths.dif -> 0002-krb5-1.9-manpaths.patch
* Patch krb5-1.12-buildconf.patch -> 0003-krb5-1.12-buildconf.patch
* Patch krb5-1.6.3-gssapi_improve_errormessages.dif ->
0004-krb5-1.6.3-gssapi_improve_errormessages.patch
* Patch krb5-1.6.3-ktutil-manpage.dif ->
0005-krb5-1.6.3-ktutil-manpage.patch
* Patch krb5-1.12-api.patch -> 0006-krb5-1.12-api.patch
* Patch krb5-1.12-ksu-path.patch -> 0007-krb5-1.12-ksu-path.patch
* Patch krb5-1.12-selinux-label.patch -> 0008-krb5-1.12-selinux-label.patch
* Patch krb5-1.9-debuginfo.patch -> 0009-krb5-1.9-debuginfo.patch
* Patch 0125-Add-recursion-limit-for-ASN.1-indefinite-lengths.patch ->
0010-Add-recursion-limit-for-ASN.1-indefinite-lengths.patch
* Patch 0126-Fix-integer-overflows-in-PAC-parsing.patch ->
0013-Fix-integer-overflows-in-PAC-parsing.patch
* Patch 0127-Ensure-array-count-consistency-in-kadm5-RPC.patch ->
0014-Ensure-array-count-consistency-in-kadm5-RPC.patch
- libssh
-
- Update to 0.9.8: [jsc#PED-7719, bsc#1218126, CVE-2023-48795]
* Rebase 0001-disable-timeout-test-on-slow-buildsystems.patch
* Remove patches fixed in the update:
- CVE-2019-14889.patch
- 0001-CVE-2020-1730-Fix-a-possible-segfault-when-zeroing-A.patch
- Update to version 0.9.8
* Fix CVE-2023-6004: Command injection using proxycommand (bsc#1218209)
* Fix CVE-2023-48795: Potential downgrade attack using strict kex (bsc#1218126)
* Fix CVE-2023-6918: Missing checks for return values of MD functions (bsc#1218186)
* Allow @ in usernames when parsing from URI composes
- Update to version 0.9.7
* Fix CVE-2023-1667: a NULL dereference during rekeying with algorithm
guessing (bsc#1211188)
* Fix CVE-2023-2283: a possible authorization bypass in
pki_verify_data_signature under low-memory conditions (bsc#1211190)
* Fix several memory leaks in GSSAPI handling code
- Update to version 0.9.6 (bsc#1189608, CVE-2021-3634)
* https://git.libssh.org/projects/libssh.git/tag/?h=libssh-0.9.6
- Add missing BR for openssh needed for tests
- update to 0.9.5 (bsc#1174713, CVE-2020-16135):
* CVE-2020-16135: Avoid null pointer dereference in sftpserver (T232)
* Improve handling of library initialization (T222)
* Fix parsing of subsecond times in SFTP (T219)
* Make the documentation reproducible
* Remove deprecated API usage in OpenSSL
* Fix regression of ssh_channel_poll_timeout() returning SSH_AGAIN
* Define version in one place (T226)
* Prevent invalid free when using different C runtimes than OpenSSL (T229)
* Compatibility improvements to testsuite
- Update to version 0.9.4
* https://www.libssh.org/2020/04/09/libssh-0-9-4-and-libssh-0-8-9-security-release/
* Fix possible Denial of Service attack when using AES-CTR-ciphers
CVE-2020-1730 (bsc#1168699)
- libxml2
-
- Security fix (CVE-2024-25062, bsc#1219576) use-after-free in XMLReader
* Added libxml2-CVE-2024-25062.patch
- suseconnect-ng
-
- Allow "--rollback" flag to run on readonly filesystem (bsc#1220679)
- Update to version 1.7.0
* Allow SUSEConnect on read write transactional systems (bsc#1219425)
- util-linux-systemd
-
- Properly neutralize escape sequences in wall
(util-linux-CVE-2024-28085.patch, bsc#1221831, CVE-2024-28085,
and its prerequisites: util-linux-fputs_careful1.patch,
util-linux-wall-migrate-to-memstream.patch
util-linux-fputs_careful2.patch).
- ncurses
-
- Add patch ncurses-5.9-bsc1220061.patch (bsc#1220061, CVE-2023-45918)
* Backport from ncurses-6.4-20230615.patch
improve checks in convert_string() for corrupt terminfo entry
- shim
-
- Update shim to 15.8-150300.4.20.2 from SLE15-SP3
+ Version: 15.8, "Thu Apr 18 2024"
+ Update the SLE signatures
+ Include the fixes for (bsc#1215099,CVE-2023-40546),
(bsc#1215098,CVE-2023-40547), (bsc#1215103,CVE-2023-40551),
(bsc#1215102,CVE-2023-40550), (bsc#1215101,CVE-2023-40549),
(bsc#1215100,CVE-2023-40548), bsc#1205588, bsc#1202120, bsc#1201066,
(bsc#1198458, CVE-2022-28737), bsc#1198101, bsc#1193315, bsc#1193282
- sudo
-
- Fix NOPASSWD issue introduced by patches for CVE-2023-42465
[bsc#1221151, bsc#1221134]
* Update sudo-CVE-2023-42465-1of2.patch sudo-CVE-2023-42465-2of2.patch
* Enable running regression selftests during build time.
- Security fix: [bsc#1219026, bsc#1220389, CVE-2023-42465]
* Try to make sudo less vulnerable to ROWHAMMER attacks.
* Add sudo-CVE-2023-42465-1of2.patch sudo-CVE-2023-42465-2of2.patch
- cpio
-
- Fix cpio not working after the fix in bsc#1218571, fixes bsc#1219238
* fix-bsc1219238.patch
- wicked
-
- client: do not convert sec to msec twice (bsc#1222105)
[+ 0005-client-do-to-not-convert-sec-to-msec-twice-bsc-1222105.patch]
- addrconf: fix fallback-lease drop (bsc#1220996)
[+ 0001-addrconf-fix-fallback-lease-drop-bsc-1220996.patch]
- extensions/nbft: use upstream `nvme nbft show` (bsc#1221358)
[+ 0002-extensions-nbft-replace-nvme-show-nbft-with-nvme-nbf.patch]
- hide secrets in debug log (bsc#1221194)
[+ 0003-move-all-attribute-definitions-to-compiler-h.patch]
[+ 0004-hide-secrets-in-debug-log-bsc-1221194.patch]
- update to version 0.6.74
+ team: add new options like link_watch_policy (jsc#PED-7183)
+ Fix memory leaks in dbus variant destroy and fsm free (gh#openSUSE/wicked#1001)
+ xpath: allow underscore in node identifier (gh#openSUSE/wicked#999)
+ vxlan: don't format unknown rtnl attrs (bsc#1219751)
- removed patches included in the source archive:
[- 0009-ifreload-VLAN-changes-require-device-deletion-bsc-12.patch]
[- 0008-ifcheck-fix-config-changed-check-bsc-1218926.patch]
[- 0007-Fix-ifstatus-exit-code-for-NI_WICKED_ST_NO_CARRIER-s.patch]
[- 0006-dhcp6-omit-the-SO_REUSEPORT-option-bsc-1215692.patch]
[- 0005-duid-fix-comment-for-v6time.patch]
[- 0004-rtnl-parse-peer-address-on-non-ptp-interfaces.patch]
[- 0003-rtnl-pass-ifname-in-newaddr-parsing-and-logging.patch]
[- 0002-system-updater-Parse-updater-format-from-XML-configu.patch]
[- 0001-fix_arp_notify_loop_and_burst_sending.patch]
- ifreload: VLAN changes require device deletion (bsc#1218927)
[+ 0009-ifreload-VLAN-changes-require-device-deletion-bsc-12.patch]
- ifcheck: fix config changed check (bsc#1218926)
[+ 0008-ifcheck-fix-config-changed-check-bsc-1218926.patch]
- client: fix exit code for no-carrier status (bsc#1219265)
[+ 0007-Fix-ifstatus-exit-code-for-NI_WICKED_ST_NO_CARRIER-s.patch]
- dhcp6: omit the SO_REUSEPORT option (bsc#1215692)
[+ 0006-dhcp6-omit-the-SO_REUSEPORT-option-bsc-1215692.patch]
- duid: fix comment for v6time
(https://github.com/openSUSE/wicked/pull/989)
[+ 0005-duid-fix-comment-for-v6time.patch]
- rtnl: fix peer address parsing for non ptp-interfaces
(https://github.com/openSUSE/wicked/pull/987,
https://github.com/openSUSE/wicked/pull/988)
[+ 0003-rtnl-pass-ifname-in-newaddr-parsing-and-logging.patch]
[+ 0004-rtnl-parse-peer-address-on-non-ptp-interfaces.patch]
- system-updater: Parse updater format from XML configuration to
ensure install calls can run.
(https://github.com/openSUSE/wicked/pull/985)
[+ 0002-system-updater-Parse-updater-format-from-XML-configu.patch]
- grub2
-
- Make consistent check to enable relative path on btrfs (bsc#1174567) (bsc#1216912)
* 0001-Unify-the-check-to-enable-btrfs-relative-path.patch
- openssh
-
- also remember the active state of the service, so openssh8.4
can pick it up. bsc#1220110
- handle these when we do go from openssh8.4-server back to openssh
- remember the enabled state of sshd state, so openssh8,4 can pick it
up. bsc#1220110
- Added openssh-cve-2023-51385.patch (bsc#1218215, CVE-2023-51385).
This limits the use of shell metacharacters in host- and
user names.
- _product:SLES-release
-
n/a
- python3-base
-
- Add CVE-2023-40217-avoid-ssl-pre-close.patch fixing
gh#python/cpython#108310, backport from upstream patch
gh#python/cpython#108315
(bsc#1214692, CVE-2023-40217)
- (bsc#1219666, CVE-2023-6597) Add
CVE-2023-6597-TempDir-cleaning-symlink.patch (patch from
gh#python/cpython!99930) fixing symlink bug in cleanup of
tempfile.TemporaryDirectory.
- Repurpose skip-failing-tests.patch to increase timeout for
test.test_asyncio.test_tasks.TimeoutTests.test_timeout_time,
which fails on slow machines in IBS (s390x).
- perl-Bootloader
-
- merge gh#openSUSE/perl-bootloader#166
- log grub2-install errors correctly (bsc#1221470)
- 0.947
- merge gh#openSUSE/perl-bootloader#161
- support old grub versions (<= 2.02) that used /usr/lib
(bsc#1218842)
- create EFI boot fallback directory if necessary
- 0.946
- merge gh#openSUSE/perl-bootloader#157
- bootloader_entry script can have an optional 'force-default'
argument (bsc#1215064)
- skip warning about unsupported options when in compat mode
- 0.945
- supportutils-plugin-suse-public-cloud
-
- Update to version 1.0.9 (bsc#1218762, bsc#1218763)
+ Remove duplicate data collection for the plugin itself
+ Collect archive metering data when available
+ Query billing flavor status
- openssl-1_0_0
-
- Security fix: [bsc#1219243, CVE-2024-0727]
* Add NULL checks where ContentInfo data can be NULL
* Add openssl-CVE-2024-0727.patch
- libzypp
-
- applydeltaprm: Create target directory if it does not exist
(bsc#1219442)
- version 16.22.12 (0)
- less
-
- Fix CVE-2024-32487, mishandling of \n character in paths when
LESSOPEN is set leads to OS command execution
(CVE-2024-32487, bsc#1222849)
* CVE-2024-32487.patch
- Fix CVE-2022-48624, LESSCLOSE handling in less does not quote shell
metacharacters, bsc#1219901
* CVE-2022-48624.patch
- shadow
-
- bsc#1188307: Fix passwd segfault
Add shadow-bsc1188307-passwd-segfault.patch
- nghttp2
-
- security update
- added patches
fix CVE-2024-28182 [bsc#1221399], HTTP/2 CONTINUATION frames can be utilized for DoS attacks
+ nghttp2-CVE-2024-28182-1.patch
fix CVE-2024-28182-2 [bsc#1221399], HTTP/2 CONTINUATION frames can be utilized for DoS attacks
+ nghttp2-CVE-2024-28182-2.patch
- systemd
-
- Import commit 15ca9f01c18a8037bf26b1a85fee344c65944268
eedf77456d util: improve comments why we ignore EACCES and EPERM
2018a0d492 util: bind_remount_recursive_with_mountinfo(): ignore submounts which cannot be accessed
4c98cb57e2 namespace: don't fail on masked mounts (#3794) (bsc#1220285)
7dd5e84ab6 man: Document ranges for distributions config files and local config files
7282534592 Recommend drop-ins over modifications to the main config file
29e632c34a man: reword the description of "main conf file"
e903f529e8 man: rework section about configuration file precedence
4438e1be12 man: document paths under /usr/local in standard-conf.xml
- mozilla-nss
-
- update to NSS 3.90.2
* bmo#1780432 - (CVE-2023-5388) Timing attack against RSA
decryption in TLS. (bsc#1216198)
* bmo#1867408 - add a defensive check for large ssl_DefSend
return values.
- cloud-netconfig
-
- Update to version 1.14
+ Use '-s' instead of '--no-progress-meter' for curl (bsc#1221757)
- Add version settings to Provides/Obsoletes
- Update to version 1.12 (bsc#1221202)
+ If token access succeeds using IPv4 do not use the IPv6 endpoint
only use the IPv6 IMDS endpoint if IPv4 access fails.
- Add Provides/Obsoletes for dropped cloud-netconfig-nm
- Install dispatcher script into /etc/NetworkManager/dispatcher.d
on older distributions
- Add BuildReqires: NetworkManager to avoid owning dispatcher.d
parent directory
- Update to version 1.11:
+ Revert address metadata lookup in GCE to local lookup (bsc#1219454)
+ Fix hang on warning log messages
+ Check whether getting IPv4 addresses from metadata failed and abort
if true
+ Only delete policy rules if they exist
+ Skip adding/removing IPv4 ranges if metdata lookup failed
+ Improve error handling and logging in Azure
+ Set SCRIPTDIR when installing netconfig wrapper
- Update to version 1.10:
+ Drop cloud-netconfig-nm sub package and include NM dispatcher
script in main packages (bsc#1219007)
+ Spec file cleanup
- Update to version 1.9:
+ Drop package dependency on sysconfig-netconfig
+ Improve log level handling
+ Support IPv6 IMDS endpoint in EC2 (bsc#1218069)
- kernel-default
-
- Refresh patches.kabi/cpufeatures-kabi-fix.patch. (bsc#1221287)
X86_FEATURE_LFENCE_RDTSC became an extended bit and was set via
cpu_set_cap as opposed to setup_force_cpu_cap. So extend the
infrastructure to also cover cpu_set_cap.
- commit 3fcb500
- blacklist.conf: update blacklist
The entries added in the commit are temporary ones so once
MU is done I'll revert the commit
- commit 874c87d
- gve: Fix skb truesize underestimation (git-fixes).
- commit 983edc4
- Revert "md/raid5: Wait for MD_SB_CHANGE_PENDING in raid5d"
(git-fixes).
- commit 3ea2575
- phy: ti: phy-omap-usb2: Fix NULL pointer dereference for SRP (bsc#1220340,CVE-2024-26600)
- commit 20e2c08
- RDMA/rxe: Clear all QP fields if creation failed (bsc#1220863 CVE-2021-47078)
- commit f8dcd39
- RDMA/rxe: Return CQE error if invalid lkey was supplied (bsc#1220860 CVE-2021-47076)
- commit 3f60a4e
- ACPI: extlog: fix NULL pointer dereference check (bsc#1221039
CVE-2023-52605).
- commit b0968bd
- blacklist.conf: Add d4ccd54d28d3 exit: Put an upper limit on how often we can oops
and its dependant.
- commit 64ce341
- KVM: s390: fix setting of fpc register (bsc#1221040
CVE-2023-52597).
- commit 0f89ca1
- net: usb: dm9601: fix wrong return value in dm9601_mdio_read
(git-fixes).
- commit d69a5b8
- net: nfc: llcp: Add lock when modifying device list (git-fixes).
- commit b462198
- igb: clean up in all error paths when enabling SR-IOV
(git-fixes).
- commit 0f0e6a7
- net/sched: tcindex: search key must be 16 bits (git-fixes).
- commit 190e0f5
- stmmac: fix potential division by 0 (git-fixes).
- commit 40876e6
- kcm: fix strp_init() order and cleanup (git-fixes).
- commit b31a598
- ipv6: fix typos in __ip6_finish_output() (git-fixes).
- commit 54553b6
- kabi: team: Hide new member header_ops (bsc#1220870
CVE-2023-52574).
- commit 9fab77a
- blacklist.conf: update blacklist
- commit 9263a68
- wcn36xx: fix RX BD rate mapping for 5GHz legacy rates
(git-fixes).
- commit c4e8a82
- wcn36xx: Fix discarded frames due to wrong sequence number
(git-fixes).
- commit 8553436
- x86/srso: Add SRSO mitigation for Hygon processors (bsc#1220735
CVE-2023-52482).
- commit c7d3dd8
- Revert "wcn36xx: Disable bmps when encryption is disabled"
(git-fixes).
- commit e5924b8
- vt: fix memory overlapping when deleting chars in the buffer
(bsc#1220845 CVE-2022-48627).
- commit 6d7d615
- wcn36xx: Fix (QoS) null data frame bitrate/modulation
(git-fixes).
- commit 405ced7
- ipv6: Fix handling of LLA with VRF and sockets bound to VRF
(git-fixes).
- commit 519a8b2
- kcm: Call strp_stop before strp_done in kcm_attach (git-fixes).
- commit b01e9bb
- blacklist.conf: update blacklist
- commit 347e348
- KVM: x86: Export RFDS_NO and RFDS_CLEAR to guests (bsc#1213456 CVE-2023-28746).
- commit 789616b
- x86/rfds: Mitigate Register File Data Sampling (RFDS) (bsc#1213456 CVE-2023-28746).
- Update config files.
- Refresh patches.kabi/cpufeatures-kabi-fix.patch.
- commit 47b68f4
- Documentation/hw-vuln: Add documentation for RFDS (bsc#1213456 CVE-2023-28746).
- commit 959a93f
- scsi: qedf: Add pointer checks in qedf_update_link_speed()
(bsc#1220861 CVE-2021-47077).
- commit 499d19e
- Refresh patches.suse/0001-powerpc-pseries-memhp-Fix-access-beyond-end-of-drmem.patch.
Refresh patch metadata and sort.
- commit 15cb428
- ravb: Fix use-after-free issue in ravb_tx_timeout_work()
(bsc#1212514 CVE-2023-35827).
- team: fix null-ptr-deref when team device type is changed
(bsc#1220870 CVE-2023-52574).
- commit 36ef587
- net: mana: Fix TX CQE error handling (bsc#1220932
CVE-2023-52532).
- commit d388327
- Update reference of bpf-Fix-masking-negation-logic-upon-negative-dst-reg.patch
(bsc#1186484,CVE-2021-33200,bsc#1220700,CVE-2021-46974).
- commit d334f65
- nfsd: Do not refuse to serve out of cache (bsc#1220957).
- commit 828470f
- wifi: mac80211: fix potential key use-after-free (CVE-2023-52530
bsc#1220930).
- wifi: iwlwifi: mvm: Fix a memory corruption issue
(CVE-2023-52531 bsc#1220931).
- commit 4749167
- net: nfc: fix races in nfc_llcp_sock_get() and
nfc_llcp_sock_get_sn() (CVE-2023-52502 bsc#1220831).
- commit d0dd97d
- tls: fix race between tx work scheduling and socket close
(CVE-2024-26585 bsc#1220187).
- commit 2d824be
- kabi: restore return type of dst_ops::gc() callback
(CVE-2023-52340 bsc#1219295).
- ipv6: remove max_size check inline with ipv4 (CVE-2023-52340
bsc#1219295).
- commit dd00c24
- netfilter: nf_tables: fix 64-bit load issue in
nft_byteorder_eval() (CVE-2024-0607 bsc#1218915).
- netfilter: nf_tables: fix pointer math issue in
nft_byteorder_eval() (CVE-2024-0607 bsc#1218915).
- commit b635ad7
- Update patches.suse/sctp-use-call_rcu-to-free-endpoint.patch
(CVE-2022-20154 CVE-2021-46929 bsc#1200599 bsc#1220482).
- commit 23c3231
- tomoyo: fix UAF write bug in tomoyo_write_control() (bsc#1220825
CVE-2024-26622).
- commit e934259
- Bluetooth: hci_ll: don't call kfree_skb() under
spin_lock_irqsave() (git-fixes).
- commit 8e9750e
- Bluetooth: hci_h5: don't call kfree_skb() under
spin_lock_irqsave() (git-fixes).
- commit e3ec875
- locking/qrwlock: Fix ordering in queued_write_lock_slowpath()
(CVE-2021-46921 bsc#1220468 bsc#1185041).
- commit 9f2e845
- locking/barriers: Introduce smp_cond_load_relaxed() and
atomic_cond_read_relaxed() (bsc#1220468 bsc#1050549).
- commit 76b2073
- Bluetooth: hci_bcsp: don't call kfree_skb() under
spin_lock_irqsave() (git-fixes).
- commit 3114978
- Bluetooth: hci_qca: don't call kfree_skb() under
spin_lock_irqsave() (git-fixes).
- commit 40c2728
- Input: appletouch - initialize work before device registration
(CVE-2021-46932 bsc#1220444).
- commit 02010d5
- powerpc/pseries/memhp: Fix access beyond end of drmem array
(bsc#1220250,CVE-2023-52451).
- commit 22d7587
- ACPI: GTDT: Don't corrupt interrupt mappings on watchdow probe
failure (bsc#1220599 CVE-2021-46953).
- commit 69d8de2
- mtd: Fix gluebi NULL pointer dereference caused by ftl notifier
(bsc#1220238 CVE-2023-52449).
- commit a845e8b
- Input: powermate - fix use-after-free in
powermate_config_complete (CVE-2023-52475 bsc#1220649).
- HID: logitech-hidpp: Fix kernel crash on receiver USB disconnect
(CVE-2023-52478 bsc#1220796).
- commit 6daf909
- i2c: Fix a potential use after free (bsc#1220409
CVE-2019-25162).
- commit 0be34df
- i2c: cadence: fix reference leak when pm_runtime_get_sync fails
(bsc#1220570 CVE-2020-36784).
- commit 8727379
- bus: qcom: Put child node before return (CVE-2021-47054
bsc#1220767).
- commit 0c0fa8d
- NFC: st21nfca: Fix memory leak in device probe and remove
(CVE-2021-46924 bsc#1220459).
- commit 01b7814
- netfilter: nft_limit: avoid possible divide error in
nft_limit_init (CVE-2021-46915 bsc#1220436).
- commit 9130a3d
- HID: usbhid: fix info leak in hid_submit_ctrl (CVE-2021-46906
bsc#1220421).
- commit 1d243b9
- media: pvrusb2: fix use after free on context disconnection
(CVE-2023-52445 bsc#1220241).
- commit f8f3542
- media: dvbdev: Fix memory leak in dvb_media_device_free()
(CVE-2020-36777 bsc#1220526).
- commit cd311ab
- apparmor: avoid crash when parsed profile name is empty
(CVE-2023-52443 bsc#1220240).
- commit 8387a56
- nfc: nci: fix possible NULL pointer dereference in
send_acknowledge() (bsc#1219125 CVE-2023-46343).
- commit 7ff1724
- md: bypass block throttle for superblock update (git-fixes).
- commit e6ba7c9
- blacklist.conf: add non-backport md git-fixes commits.
- commit d3c59de
- tcp: fix tcp_mtup_probe_success vs wrong snd_cwnd (bsc#1218450).
- commit 4a3997c
- netfilter: nftables: avoid overflows in nft_hash_buckets()
(CVE-2021-46992 bsc#1220638).
- commit c79b980
- netfilter: nft_set_hash: add nft_hash_buckets() (CVE-2021-46992
bsc#1220638).
- commit 5542c1b
- net:emac/emac-mac: Fix a use after free in emac_mac_tx_buf_send
(CVE-2021-47013 bsc#1220641).
- commit a848ac2
- net: fec: Better handle pm_runtime_get() failing in .remove()
(git-fixes).
- commit 60e6dbc
- net: fec: fix use-after-free in fec_drv_remove (git-fixes).
- commit 192ab42
- i40e: Fix use-after-free in i40e_client_subtask()
(CVE-2021-46991 bsc#1220575).
- commit 27d6f39
- KVM: s390: vsie: fix race during shadow creation (git-fixes
bsc#1220613).
- commit a2a5381
- s390: use the correct count for __iowrite64_copy() (git-fixes
bsc#1220607).
- commit 0823e37
- mlxsw: spectrum_acl_tcam: Fix NULL pointer dereference in
error path (bsc#1220344 CVE-2024-26595).
- commit 71c942e
- net: fec: fix clock count mis-match (git-fixes).
- commit 90008dd
- net: hns3: add compatible handling for MAC VLAN switch parameter
configuration (git-fixes).
- commit 9cbe2e0
- net: phy: initialise phydev speed and duplex sanely (git-fixes).
- commit 5fc404a
- bnx2x: Fix PF-VF communication over multi-cos queues
(git-fixes).
- commit 58f28c6
- ixgbe: protect TX timestamping from API misuse (git-fixes).
- commit c740900
- net: phy: dp83867: enable robust auto-mdix (git-fixes).
- commit 51f918b
- net: fec: add missed clk_disable_unprepare in remove
(git-fixes).
- commit 26193da
- e1000: fix memory leaks (git-fixes).
- commit 63cea05
- igb: Fix constant media auto sense switching when no cable is
connected (git-fixes).
- commit ecbd46c
- net: hisilicon: Fix usage of uninitialized variable in function
mdio_sc_cfg_reg_write() (git-fixes).
- commit 467a700
- net: hns3: not allow SSU loopback while execute ethtool -t dev
(git-fixes).
- commit feac716
- net/mlx5e: ethtool, Avoid setting speed to 56GBASE when autoneg
off (git-fixes).
- commit 38e0f13
- blacklist.conf: update blacklist
- commit 803afb1
- blacklist.conf: add ep93xx_eth
the config option is not enabled
- commit aed74c8
- blacklist.conf: add emac_rockchip
the config option is not enabled
- commit 27c4413
- Update metadata
- commit fca1f53
- net: openvswitch: limit the number of recursions from action
sets (bsc#1219835 CVE-2024-1151).
- commit 9353f4f
- EDAC/thunderx: Fix possible out-of-bounds string access (bsc#1220330, CVE-2023-52464)
- commit a228c17
- KVM: x86: work around QEMU issue with synthetic CPUID leaves (git-fixes).
- commit 7dad6e2
- blacklist.conf: Blacklist a clang fix
- commit e954d52
- net: lpc-enet: fix printk format strings (git-fixes).
- commit dcd5e66
- net: tundra: tsi108: use spin_lock_irqsave instead of
spin_lock_irq in IRQ context (git-fixes).
- commit 3fddc2a
- net: hisilicon: Fix dma_map_single failed on arm64 (git-fixes).
- commit 65f9c53
- net: hisilicon: fix hip04-xmit never return TX_BUSY (git-fixes).
- commit b56984b
- net: hisilicon: make hip04_tx_reclaim non-reentrant (git-fixes).
- Refresh
patches.suse/net-hisilicon-Fix-ping-latency-when-deal-with-high-t.patch.
- commit 1de9297
- net: sfp: add mutex to prevent concurrent state checks
(git-fixes).
- commit 4badb38
- blacklist.conf: update blacklist
- commit eb0a485
- media: usb: dvd-usb: fix uninit-value bug in
dibusb_read_eeprom_byte() (git-fixes).
- commit 4772961
- media: uvcvideo: Set capability in s_param (git-fixes).
- commit df9234c
- media: dw2102: Fix use after free (git-fixes).
- commit 6909f5e
- media: dw2102: make dvb_usb_device_description structures const
(git-fixes).
- Refresh
patches.suse/media-dw2102-Fix-memleak-on-sequence-of-probes.patch.
- commit cfe8bf2
- media: dvb-usb: Add memory free on error path in dw2102_probe()
(git-fixes).
- Refresh
patches.suse/media-dw2102-Fix-memleak-on-sequence-of-probes.patch.
- commit 60bfc4d
- [media] media drivers: annotate fall-through (git-fixes).
- commit 550adce
- rpm/check-for-config-changes: add GCC_ASM_GOTO_OUTPUT_WORKAROUND to IGNORED_CONFIGS_RE
Introduced by commit 68fb3ca0e408 ("update workarounds for gcc "asm
goto" issue").
- commit be1bdab
- media: rc: ir-rc6-decoder: enable toggle bit for Kathrein
RCU-676 remote (git-fixes).
- commit 40a7cdd
- media: rc: do not remove first bit if leader pulse is present
(git-fixes).
- commit 055036d
- blacklist.conf: feature fixed hasn't been backported
- commit 299071b
- media: coda: reuse coda_s_fmt_vid_cap to propagate format in
coda_s_fmt_vid_out (git-fixes).
- commit 346be28
- media: coda: set min_buffers_needed (git-fixes).
- commit 9e4f67c
- media: coda: constify platform_device_id (git-fixes).
- commit da6a628
- media: coda: reduce iram size to leave space for suspend to ram
(git-fixes).
- commit 015f50d
- media: coda: explicitly request exclusive reset control
(git-fixes).
- commit 19dcce2
- media: coda: wake up capture queue on encoder stop after output
streamoff (git-fixes).
- Refresh
patches.suse/media-coda-fix-last-buffer-handling-in-V4L2_ENC_CMD_.patch.
- commit 4fba70d
- [media] coda: simplify optional reset handling (git-fixes).
- commit bc3f552
- [media] media: platform: coda: remove variable self assignment
(git-fixes).
- commit 6d6901a
- blacklist.conf: driver not backported
- commit c5ae253
- media: dvb-usb: dw2102: fix uninit-value in
su3000_read_mac_address (git-fixes).
- commit abccca4
- media: dvb-usb: m920x: Fix a potential memory leak in
m920x_i2c_xfer() (git-fixes).
- commit 4716702
- media: m920x: don't use stack on USB reads (git-fixes).
- commit 45368d1
- media: dw2102: Fix memleak on sequence of probes (git-fixes).
- commit d5c69b6
- blacklist.conf: false positive
- commit 7722626
- blacklist.conf: renames a module. direct breakage of user space
- commit bf0df5d
- usb: musb: dsps: Fix the probe error path (git-fixes).
- commit 2f6dfb0
- usb: musb: tusb6010: check return value after calling
platform_get_resource() (git-fixes).
- commit 3b8e34e
- usb: musb: musb_dsps: request_irq() after initializing musb
(git-fixes).
- commit 9ef2688
- usb: host: fotg210: fix the actual_length of an iso packet
(git-fixes).
- commit bcd63df
- usb: host: fotg210: fix the endpoint's transactional
opportunities calculation (git-fixes).
- commit f16fc26
- compute-PATCHVERSION: Do not produce output when awk fails
compute-PATCHVERSION uses awk to produce a shell script that is
subsequently executed to update shell variables which are then printed
as the patchversion.
Some versions of awk, most notably bysybox-gawk do not understand the
awk program and fail to run. This results in no script generated as
output, and printing the initial values of the shell variables as
the patchversion.
When the awk program fails to run produce 'exit 1' as the shell script
to run instead. That prevents printing the stale values, generates no
output, and generates invalid rpm spec file down the line. Then the
problem is flagged early and should be easier to diagnose.
- commit 8ef8383
- x86/cpu, kvm: Move X86_FEATURE_LFENCE_RDTSC to its native leaf (git-fixes).
- commit 55e0925
- KVM: x86: Move open-coded CPUID leaf 0x80000021 EAX bit propagation code (git-fixes).
- commit aebeb2d
- KVM: x86: synthesize CPUID leaf 0x80000021h if useful (git-fixes).
- commit 9c96097
- KVM: x86: add support for CPUID leaf 0x80000021 (git-fixes).
- commit 5a997a6
- x86/asm: Add _ASM_RIP() macro for x86-64 (%rip) suffix (git-fixes).
- commit 54b16df
- KVM: VMX: Move VERW closer to VMentry for MDS mitigation (git-fixes).
- KVM: VMX: Use BT+JNC, i.e. EFLAGS.CF to select VMRESUME vs. VMLAUNCH (git-fixes).
- x86/bugs: Use ALTERNATIVE() instead of mds_user_clear static key (git-fixes).
Also add mds_user_clear to kABI severity as it's used purely for
mitigation so it's low risk.
- x86/entry_32: Add VERW just before userspace transition (git-fixes).
- x86/entry_64: Add VERW just before userspace transition (git-fixes).
- x86/bugs: Add asm helpers for executing VERW (bsc#1213456).
- commit 7cd11ce
- net/rds: Fix UBSAN: array-index-out-of-bounds in rds_cmsg_recv
(bsc#1219127 CVE-2024-23849).
- commit e941df3
- USB: hub: check for alternate port before enabling
A_ALT_HNP_SUPPORT (bsc#1218527).
- commit aaefb30
- blacklist.conf: add macsonic ethernet driver
- commit 1c0cfbf
- blacklist.conf: update blacklist
- commit b541c7e
- net: bonding: debug: avoid printing debug logs when bond is
not notifying peers (git-fixes).
- commit f58ad69
- usb: typec: tcpci: clear the fault status bit (git-fixes).
- commit fbeda7b
- PCI: Prevent xHCI driver from claiming AMD VanGogh USB3 DRD
device (git-fixes).
- commit 2012056
- Update to add CVE-2024-23851 tag,
patches.suse/dm-limit-the-number-of-targets-and-parameter-size-ar.patch
(bsc#1219827, bsc#1219146, CVE-2023-52429, CVE-2024-23851).
- commit 7dd5c42
- blacklist.conf: cleanup of comments
- commit d4049bd
- blacklist.conf: documentation only
- commit 3d84250
- audit: fix possible soft lockup in __audit_inode_child()
(git-fixes).
- commit a347e97
- blacklist.conf: not a fix but a cleanup
- commit a5da3c1
- blacklist.conf: only comments cleanup
- commit 2e15690
- blacklist.conf: at this time kerneldocs no longer matter
- commit ed23d03
- ASN.1: Fix check for strdup() success (git-fixes).
- commit 26b2327
- blacklist.conf: attributed to wrong commit id in fixes tag
- commit 652fa5d
- dm: limit the number of targets and parameter size area
(bsc#1219827, bsc#1219146, CVE-2023-52429).
- commit 3ddaf98
- scripts/PMU: Add option to skip livepatch submission
Kernel resubmissions that don't involve livepatches can be done without
kgraft package(s) and channel updates.
- commit 8373df8
- Update
patches.suse/nvmet-tcp-fix-a-crash-in-nvmet_req_complete.patch
(bsc#1217987 bsc#1217988 bsc#1217989 CVE-2023-6535 CVE-2023-6536
CVE-2023-6356).
- commit 1a6bd68
- nvmet-tcp: Fix the H2C expected PDU len calculation
(bsc#1217987 bsc#1217988 bsc#1217989 CVE-2023-6535 CVE-2023-6536
CVE-2023-6356).
- nvmet-tcp: remove boilerplate code (bsc#1217987 bsc#1217988
bsc#1217989 CVE-2023-6535 CVE-2023-6536 CVE-2023-6356).
- nvmet-tcp: Fix a kernel panic when host sends an invalid H2C
PDU length (bsc#1217987 bsc#1217988 bsc#1217989 CVE-2023-6535
CVE-2023-6536 CVE-2023-6356).
- commit 3e8a84f
- Refresh patches.kabi/cpufeatures-kabi-fix.patch.
Simple arithmetic fix.
- commit df1ea97
- vhost: use kzalloc() instead of kmalloc() followed by memset()
(CVE-2024-0340, bsc#1218689).
- commit 265772f
- blacklist.conf: add Korina ethernet controleer
- commit 754d7b6
- blacklist.conf: update blacklist
- commit 65ec0f0
- mlx4: handle non-napi callers to napi_poll (git-fixes).
- commit 13aca9d
- bnxt_en: Log unknown link speed appropriately (git-fixes).
- commit cab91f3
- net/mlx5: Don't call timecounter cyc2time directly from 1PPS flow (git-fixes).
- commit 30b8d5c
- net: mvneta: fix double free of txq->buf (git-fixes).
- commit abfb85a
- r8169: fix data corruption issue on RTL8402 (git-fixes).
- commit a389731
- rpm/kernel-binary.spec.in: install scripts/gdb when enabled in config
(bsc#1219653)
They are put into -devel subpackage. And a proper link to
/usr/share/gdb/auto-load/ is created.
- commit 1dccf2a
- net: stmmac: dwmac1000: fix out-of-bounds mac address reg
setting (git-fixes).
- commit 51f13e8
- net: fec: Do not use netdev messages too early (git-fixes).
- commit 24b07f8
- net: stmmac: dwmac4/5: Clear unused address entries (git-fixes).
- commit 156e8fc
- net: stmmac: dwmac1000: Clear unused address entries
(git-fixed).
- commit b89c3f6
- blacklist.conf: add mediatek ethernet
- commit ed969c9
- net: dsa: mv88e6xxx: avoid error message on remove from VLAN 0
(git-fixed).
- commit 63f7ed7
- blacklist.conf: update blacklist
- commit ba8fcb7
- net: xilinx: fix possible object reference leak (git-fixed).
- commit 0884dff
- net: macb: Add null check for PCLK and HCLK (git-fixed).
- Refresh
patches.suse/0006-net-macb-fix-error-format-in-dev_err.patch.
- commit 1fdfc75
- netfilter: nf_tables: reject QUEUE/DROP verdict parameters
(CVE-2024-1086 bsc#1219434).
- commit 1f42903
- configfs: fix a use-after-free in __configfs_open_file
(git-fixes).
- commit 839bbef
- chardev: fix error handling in cdev_device_add() (git-fixes).
- commit 76071ad
- fs: don't audit the capability check in simple_xattr_list()
(git-fixes).
- commit 32c621d
- pstore: Avoid kcore oops by vmap()ing with VM_IOREMAP
(git-fixes).
- commit 165619a
- pstore/ram: Fix error return code in ramoops_probe()
(git-fixes).
- commit 6c26e9c
- kernfs: fix use-after-free in __kernfs_remove (git-fixes).
- commit 1e4394d
- kernfs: Separate kernfs_pr_cont_buf and rename_lock (git-fixes).
- commit 302cbf3
- configfs: fix a race in configfs_{,un}register_subsystem()
(git-fixes).
- commit ff1ac8a
- vfs: make freeze_super abort when sync_filesystem returns error
(git-fixes).
- commit a0e15ea
- fs: orangefs: fix error return code of
orangefs_revalidate_lookup() (git-fixes).
- commit 05692b2
- fs: warn about impending deprecation of mandatory locks
(git-fixes).
- commit d313c61
- configfs: fix memleak in configfs_release_bin_file (git-fixes).
- commit e182771
- 9p: missing chunk of "fs/9p: Don't update file type when
updating file attributes" (git-fixes).
- commit d7f7957
- kernfs: bring names in comments in line with code (git-fixes).
- commit b2412a4
- configfs: fix config_item refcnt leak in configfs_rmdir()
(git-fixes).
- commit a4e6173
- help_next should increase position index (git-fixes).
- commit a734d52
- configfs: fix a deadlock in configfs_symlink() (git-fixes).
- commit 31f30f9
- locks: print a warning when mount fails due to lack of "mand"
support (git-fixes).
- commit 4a54942
- configfs: provide exclusion between IO and removals (git-fixes).
- commit be9e3af
- configfs: new object reprsenting tree fragments (git-fixes).
- commit 727fecd
- configfs: stash the data we need into configfs_buffer at open
time (git-fixes).
- commit 57d5998
- pstore/ram: Run without kernel crash dump region (git-fixes).
- Refresh patches.suse/pstore-backend-autoaction.
- commit 27a20a7
- fs/file.c: initialize init_files.resize_wait (git-fixes).
- commit 4e99111
- fs: ratelimit __find_get_block_slow() failure message
(git-fixes).
- commit 066abb3
- iomap: sub-block dio needs to zeroout beyond EOF (git-fixes).
- commit c176969
- fs/fat/fatent.c: add cond_resched() to fat_count_free_clusters()
(git-fixes).
- commit 97bf06c
- proc: fix /proc/*/map_files lookup (git-fixes).
- commit 66524a9
- pstore: ram_core: fix possible overflow in
persistent_ram_init_ecc() (git-fixes).
- commit 3b8a874
- pstore/ram: Check start of empty przs during init (git-fixes).
- commit 86b8610
- statfs: enforce statfs[64] structure initialization (git-fixes).
- commit e9ab62b
- aio: fix mremap after fork null-deref (git-fixes).
- commit f633071
- drm/amdgpu: Fix potential fence use-after-free v2 (bsc#1219128
CVE-2023-51042).
- commit 78c123f
- rpm/mkspec: sort entries in _multibuild
Otherwise it creates unnecessary diffs when tar-up-ing. It's of course
due to readdir() using "random" order as served by the underlying
filesystem.
See for example:
https://build.opensuse.org/request/show/1144457/changes
- commit d1155de
- nvmet-tcp: fix a crash in nvmet_req_complete() (git-fixes).
- commit 45b3590
- scsi: qla0xxx: Fix system crash due to bad pointer access
(git-fixes).
- commit 9c33792
- atm: Fix Use-After-Free in do_vcc_ioctl (CVE-2023-51780
bsc#1218730).
- commit 42f1cd3
- mm,mremap: bail out earlier in mremap_to under map pressure
(bsc#1123986).
- commit d63623c
- scripts/PMU: Rework option parsing, support user branches
This converts optional arguments into more traditional option arguments
and parses them with popular getopt.
Drop explicit product specification and use the derived default because
the 'prod' variable is rather an internal implementation detail.
Additionally, prepare prompts for a possible (embargoed) submission from
a user branch.
- commit c3590b1
- xen-netback: don't produce zero-size SKB frags (CVE-2023-46838,
XSA-448, bsc#1218836).
- commit 6d25bad
- USB: serial: option: fix FM101R-GL defines (git-fixes).
- commit c34221c
- blacklist.conf: Add baa9be4ffb55 sched/fair: Fix throttle_list starvation with low CFS quota
- commit f2444c0
- libceph: use kernel_connect() (bsc#1219446).
- ceph: fix incorrect revoked caps assert in ceph_fill_file_size()
(bsc#1219445).
- commit 92ba85d
- USB: serial: option: add Fibocom to DELL custom modem FM101R-GL
(git-fixes).
- commit 9c63fba
- USB: serial: option: add entry for Sierra EM9191 with new
firmware (git-fixes).
- commit e18b083
- USB: serial: option: add Telit LE910C4-WWX 0x1035 composition
(git-fixes).
- commit 3c25206
- ext4: fix kernel BUG in 'ext4_write_inline_data_end()'
(CVE-2021-33631 bsc#1219412).
- commit 019d3a9
- kernel-source: Fix description typo
- commit 8abff35
- blacklist.conf: remove a merge relic
Remove a merge relic introduced in 44aaf966aab ("Merge remote-tracking
branch 'origin/SLE12-SP4' into SLE12-SP5-UPDATE").
- commit 78c957f
- blacklist.conf: add a not-relevant jump_label commit
- commit 7bff5db
- tracing/trigger: Fix to return error if failed to alloc snapshot
(git-fixes).
- commit 57e8982
- blacklist.conf: Blacklist 447ae316670230d7d29430e2cbf1f5db4f49d14c
It reworks header inclusion to no real benefit for out kernel and
results in massive kABI breakage. Just blacklist it.
- commit 879fd91
- wifi: brcmfmac: Fix use-after-free bug in brcmf_cfg80211_detach
(CVE-2023-47233 bsc#1216702).
- commit d2e0155
- net: stmmac: don't overwrite discard_frame status (git-fixes).
- commit af86f48
- net: ethernet: ti: fix possible object reference leak
(git-fixes).
- commit 8292c78
- blacklist.conf: update blacklist
- commit 3ec6d28
- blacklist.conf: update blacklist
- commit b305f8c
- rpm/constraints.in: set jobs for riscv to 8
The same workers are used for x86 and riscv and the riscv builds take
ages. So align the riscv jobs count to x86.
- commit b2c82b9
- net: ks8851: Set initial carrier state to down (git-fixes).
- commit 667be0a
- net: ks8851: Delay requesting IRQ until opened (git-fixes).
- commit 605f94a
- net: ks8851: Reassert reset pin if chip ID check fails
(git-fixes).
- commit 93e9e83
- net: dsa: qca8k: Enable delay for RGMII_ID mode (git-fixes).
- commit 94c1dc4
- net: dsa: mv88e6xxx: Work around mv886e6161 SERDES missing
MII_PHYSID2 (git-fixes).
- commit d97991c
- blacklist.conf: update blacklist
- commit 23ba946
- blacklist.conf: Black unapplicable patch
This one requires 45b575c00d8e72d69d75dd8c112f044b7b01b069 which is
blacklisted. So black list this one as well.
- commit 8ad7e95
- x86/unwind/orc: Fix unreliable stack dump with gcov (git-fixes).
- commit db29225
- x86/pm: Add enumeration check before spec MSRs save/restore setup (git-fixes).
- commit 0b71917
- x86/kvm/lapic: always disable MMIO interface in x2APIC mode (git-fixes).
- commit 42aa4b1
- x86/purgatory: Don't generate debug info for purgatory.ro (git-fixes).
- commit ad7d236
- x86/cpu: Add another Alder Lake CPU to the Intel family (git-fixes).
- commit 5e43536
- x86/build: Turn off -fcf-protection for realmode targets (git-fixes).
- commit 06f5589
- x86/build: Treat R_386_PLT32 relocation as R_386_PC32 (git-fixes).
- commit c5cf689
- x86/lib: Fix overflow when counting digits (git-fixes).
- commit 0070bad
- x86/asm: Ensure asm/proto.h can be included stand-alone (git-fixes).
- commit b6c5df9
- x86: __always_inline __{rd,wr}msr() (git-fixes).
- commit 8507f62
- x86: Mark stop_this_cpu() __noreturn (git-fixes).
- commit 47a8413
- x86: Clear .brk area at early boot (git-fixes).
- commit 63c0fc3
- mkspec: Use variant in constraints template
Constraints are not applied consistently with kernel package variants.
Add variant to the constraints template as appropriate, and expand it
in mkspec.
- commit cc68ab9
- rpm/constraints.in: add static multibuild packages
Commit 841012b049a5 (rpm/mkspec: use kernel-source: prefix for
constraints on multibuild) added "kernel-source:" prefix to the
dynamically generated kernels. But there are also static ones like
kernel-docs. Those fail to build as the constraints are still not
applied.
So add the prefix also to the static ones.
Note kernel-docs-rt is given kernel-source-rt prefix. I am not sure it
will ever be multibuilt...
- commit c2e0681
- bs-check-kernel-results: Handle multibuild packages correctly
The package prefix was stripped too early leading to errors while
getting logfiles in bs-check-kernel-results. Strip it just before
passing the data to handle-kernel-result.
Fixes: #61
- commit 4422573
- MyBS.pm: Do not use the 'ports' repository for ALP
The ALP project has 'ports' repository that does not have useful
content, skip it when searching for repository to build against.
- commit 761463e
- drm/atomic: Fix potential use-after-free in nonblocking commits
(bsc#1219120 CVE-2023-51043).
- commit a69e3d8
- Refresh patches.kabi/cpufeatures-kabi-fix.patch.
Adjust the cpuid check when applying alternatives. Fixes false BUG_ON
in the presence of extra bugints/capints.
- commit 48af78f
- Revert "Limit kernel-source build to architectures for which the kernel binary"
This reverts commit 08a9e44c00758b5f3f3b641830ab6affff041132.
The fix for bsc#1108281 directly causes bsc#1218768, revert.
- commit 2943b8a
- mkspec: Include constraints for both multibuild and plain package always
There is no need to check for multibuild flag, the constraints can be
always generated for both cases.
- commit 308ea09
- rpm/mkspec: use kernel-source: prefix for constraints on multibuild
Otherwise the constraints are not applied with multibuild enabled.
- commit 841012b
- wd-functions.sh: Use pixz for xz compresion when available.
This makes xz compression highly non-deterministic but deterministic
results were not provided by xz in the first place.
- commit 1524b56
- rpm/kernel-source.rpmlintrc: add action-ebpf
Upstream commit a79d8ba734bd (selftests: tc-testing: remove buildebpf
plugin) added this precompiled binary blob. Adapt rpmlintrc for
kernel-source.
- commit b5ccb33
- Refresh patches.suse/mce-fix-set_mce_nospec-to-always-unmap-the-whole-page.patch.
- commit 97df026
- usb: xhci: xhci-ring: Use sysdev for mapping bounce buffer
(git-fixes).
- commit f9ab50f
- blacklist.conf: not a bug fix
- commit 89a46f3
- blacklist.conf: driver not compiled
- commit e4d38bb
- blacklist.conf: false positive
- commit be0a82f
- blacklist.conf: not a bug fix
- commit 3adfd09
- blacklist.conf: false positive
- commit 9076062
- scsi: qedf: fc_rport_priv reference counting fixes
(bsc#1212152).
Refresh:
- patches.suse/scsi-qedf-correctly-handle-refcounting-of-rdata
- patches.suse/scsi-qedf-print-message-during-bailout-conditions
- patches.suse/scsi-qedf-print-scsi_cmd-backpointer-in-good-completion-path-if-the-command-is-still-being-used
- commit e171158
- ext4: silence the warning when evicting inode with
dioread_nolock (bsc#1206889).
- commit 3433e7a
- writeback: Export inode_io_list_del() (bsc#1216989).
patches/patches.suse/writeback-Protect-inode-i_io_list-with-inode-i_lock.patch:
Refresh
- commit c969261
- ext4: improve error recovery code paths in __ext4_remount()
(bsc#1213017 bsc#1219053 CVE-2024-0775).
- commit 3bb0d48
- Update
patches.suse/ext4-improve-error-recovery-code-paths-in-__ext4_rem.patch
(bsc#1213017 bsc#1219053 CVE-2024-0775).
- commit a5b396b
- scripts/tar-up.sh: don't add spurious entry from kernel-sources.changes.old
The previous change added the manual entry from kernel-sources.change.old
to old_changelog.txt unnecessarily. Let's fix it.
- commit fb033e8
- Refresh
patches.suse/ipmi-Cleanup-oops-on-initialization-failure.patch.
Alt-commit added
- commit 5093b56
- x86: Pin task-stack in __get_wchan() (git-fixes).
- commit 96f1d7b
- rpm/kernel-docs.spec.in: fix build with 6.8
Since upstream commit f061c9f7d058 (Documentation: Document each netlink
family), the build needs python yaml.
- commit 6a7ece3
- x86: Fix __get_wchan() for !STACKTRACE (git-fixes).
- commit 23a1a0e
- asix: Add check for usbnet_get_endpoints (git-fixes).
- commit d1fcea8
- x86/mce: relocate set{clear}_mce_nospec() functions (git-fixes).
- commit d9f49bd
- x86/CPU/AMD: Check vendor in the AMD microcode callback (git-fixes).
- commit 79b1f36
- mce: fix set_mce_nospec to always unmap the whole page (git-fixes).
- commit 2dcf8c9
- x86/alternatives: Sync core before enabling interrupts (git-fixes).
- commit d500914
- x86/cpu/hygon: Fix the CPU topology evaluation for real (git-fixes).
- commit 01e7093
- x86/kvm: Do not try to disable kvmclock if it was not enabled (git-fixes).
- commit 293b127
- x86: Fix get_wchan() to support the ORC unwinder (git-fixes).
- commit 1693c4c
- x86/pat: Pass valid address to sanitize_phys() (git-fixes).
- commit 9776480
- x86/pat: Fix x86_has_pat_wp() (git-fixes).
- blacklist.conf:
- commit 0a8ce61
- x86/mm: Add a x86_has_pat_wp() helper (git-fixes).
- commit 794f377
- veth: Fixing transmit return status for dropped packets
(git-fixes).
- commit c39655b
- preserve KABI for struct sfp_socket_ops (git-fixes).
- commit 58a9bc4
- blacklist.conf:
- Delete
patches.suse/NFSD-Fix-possible-sleep-during-nfsd4_release_lockown.patch.
This patch is harmful on all kernels, and irrelevant on kernels before
v5.4
bsc#1218968
- commit 5365a0a
- KVM: s390: vsie: Fix STFLE interpretive execution identification
(git-fixes bsc#1219022).
- commit 16098a4
- net: phylink: avoid resolving link state too early (git-fixes).
- commit 67b00b5
- gtp: change NET_UDP_TUNNEL dependency to select (git-fixes).
- commit dd6be0d
- mlxsw: spectrum: Avoid -Wformat-truncation warnings (git-fixes).
- commit bd062d1
- mlxsw: spectrum: Set LAG port collector only when active (git-fixes).
- commit 42cb04e
- net: mv643xx_eth: disable clk on error path in mv643xx_eth_shared_probe() (git-fixes).
- commit 5db0cbe
- net: systemport: Fix reception of BPDUs (git-fixes).
- commit 54f0189
- sfc: initialise found bitmap in efx_ef10_mtd_probe (git-fixes).
- commit 36c912f
- net: sfp: do not probe SFP module before we're attached (git-fixes).
- commit b335b5c
- net: phy: sfp: warn the user when no tx_disable pin is available (git-fixes).
- commit 921c51c
- blacklist.conf: update blacklist
- commit 0fefc1a
- net: stmmac: Disable EEE mode earlier in XMIT callback
(git-fixes).
- commit 42ea2f4
- blacklist.conf: update blacklist
- commit 16074da
- preserve KABI for struct plat_stmmacenet_data (git-fixes).
- commit be0b5cc
- net: stmmac: Fallback to Platform Data clock in Watchdog
conversion (git-fixes).
- commit c0e8ae4
- net: stmmac: dwmac-rk: fix error handling in rk_gmac_powerup()
(git-fixes).
- commit 1f97aba
- blacklist.conf: update blacklist
- commit 160c442
- net: dsa: bcm_sf2: Propagate error value from mdio_write
(git-fixes).
- commit 042ff8c
- net: (cpts) fix a missing check of clk_prepare (git-fixes).
- commit a0511a4
- blacklist.conf: update blacklist
- commit 778d638
- mlxsw: spectrum: Properly cleanup LAG uppers when removing
port from LAG (git-fixes).
- commit 65b3a7e
- blacklist.conf: update blacklist
- commit 72f91b3
- nfsd: drop st_mutex and rp_mutex before calling
move_to_close_lru() (bsc#1217525).
- commit d08e536
- blacklist.conf: add wont-backport commit
- commit 65861c5
- libnvdimm/of_pmem: Use devm_kstrdup instead of kstrdup and
check its return value (git-fixes).
- nvdimm: Fix badblocks clear off-by-one error (git-fixes).
- nvdimm: Allow overwrite in the presence of disabled dimms
(git-fixes).
- nvdimm/btt: do not call del_gendisk() if not needed (git-fixes).
- libnvdimm/region: Fix label activation vs errors (git-fixes).
- commit dc5bee2
- libnvdimm: cover up changes in struct nvdimm_bus_descriptor
(git-fixes).
- libnvdimm: Validate command family indices (git-fixes).
- commit 27f581b
- libnvdimm: Out of bounds read in __nd_ioctl() (git-fixes).
- acpi/nfit: improve bounds checking for 'func' (git-fixes).
- libnvdimm/btt: fix variable 'rc' set but not used (git-fixes).
- libnvdimm/pmem: Delete include of nd-core.h (git-fixes).
- =?UTF-8?q?libnvdimm:=20Fix=20endian=20conversion=20issues?=
=?UTF-8?q?=C2=A0?= (git-fixes).
- libnvdimm: Fix compilation warnings with W=1 (git-fixes).
- libnvdimm/pmem: fix a possible OOB access when read and write
pmem (git-fixes).
- libnvdimm/btt: Fix a kmemdup failure check (git-fixes).
- libnvdimm/namespace: Fix a potential NULL pointer dereference
(git-fixes).
- libnvdimm/btt: Fix LBA masking during 'free list' population
(git-fixes).
- libnvdimm/btt: Remove unnecessary code in btt_freelist_init
(git-fixes).
- acpi/nfit: Require opt-in for read-only label configurations
(git-fixes).
- UAPI: ndctl: Fix g++-unsupported initialisation in headers
(git-fixes).
- commit e6b26fa
- blacklist.conf: false positive
- commit de6f57b
- blacklist.conf: blacklist Huawei HiNIC
- commit d68e629
- s390/dasd: fix double module refcount decrement (bsc#1141539).
- commit 1d573b9
- scripts: Add commit-msg check for patch references
References in the commit message are important when generating the RPM
changelog.
Although scripts/log takes into account References: header, a reference
may possibly be missed out when the script is skipped or the message
misedited.
Add a new hook that validates that the commit message contains all newly
added references.
- commit 500dd98
- scripts/install-git-hooks: Simplify relative path detection
- commit 0415010
- scripts/git_sort/git_sort.py: Add 'perf-tools' branch
- commit 7ef21eb
- netfilter: nf_tables: Reject tables of unsupported family
(CVE-2023-6040 bsc#1218752).
- commit 9e6d9d4
- net/rose: Fix Use-After-Free in rose_ioctl (CVE-2023-51782
bsc#1218757).
- commit 5e6770d
- powerpc/pseries/memhotplug: Quieten some DLPAR operations
(bsc#1065729).
- commit 4d451a9
- powerpc/powernv: Add a null pointer check in
opal_powercap_init() (bsc#1181674 ltc#189159 git-fixes).
- powerpc/powernv: Add a null pointer check in opal_event_init()
(bsc#1065729).
- powerpc/pseries/memhp: Fix access beyond end of drmem array
(bsc#1065729).
- powerpc: Don't clobber f0/vs0 during fp|altivec register save
(bsc#1065729).
- commit d5de04b
- Store the old kernel changelog entries in kernel-docs package (bsc#1218713)
The old entries are found in kernel-docs/old_changelog.txt in docdir.
rpm/old_changelog.txt can be an optional file that stores the similar
info like rpm/kernel-sources.changes.old. It can specify the commit
range that have been truncated. scripts/tar-up.sh expands from the
git log accordingly.
- commit c9a2566
- fs: ocfs2: namei: check return value of ocfs2_add_entry()
(git-fixes).
- commit 37053b5
- orangefs: Fix kmemleak in orangefs_prepare_debugfs_help_string()
(git-fixes).
- commit 22c7474
- orangefs: Fix sysfs not cleanup when dev init failed
(git-fixes).
- commit 3dc6f72
- fat: add ratelimit to fat*_ent_bread() (git-fixes).
- commit 2e4dd8d
- orangefs: fix orangefs df output (git-fixes).
- commit 14af1e9
- fs/fat/file.c: issue flush after the writeback of FAT
(git-fixes).
- commit 4b5cf8c
- fs/exofs: fix potential memory leak in mount option parsing
(git-fixes).
- commit c3e2f19
- orangefs: rate limit the client not running info message
(git-fixes).
- commit 9ffd7ce
- gfs2: ignore negated quota changes (git-fixes).
- commit 65c2047
- gfs2: Fix possible data races in gfs2_show_options()
(git-fixes).
- commit 57d66df
- gfs2: Fix inode height consistency check (git-fixes).
- commit d7ee5ae
- gfs2: Check sb_bsize_shift after reading superblock (git-fixes).
- commit 381ce29
- gfs2: Make sure FITRIM minlen is rounded up to fs block size
(git-fixes).
- commit 59f59dc
- gfs2: assign rgrp glock before compute_bitstructs (git-fixes).
- commit 8e79a5c
- gfs2: Don't call dlm after protocol is unmounted (git-fixes).
- commit 0e0a651
- gfs2: Fix use-after-free in gfs2_glock_shrink_scan (git-fixes).
- commit 4dff329
- gfs2: report "already frozen/thawed" errors (git-fixes).
- commit e5108bb
- gfs2: Don't skip dlm unlock if glock has an lvb (git-fixes).
- commit 38230f9
- gfs2: check for empty rgrp tree in gfs2_ri_update (git-fixes).
- commit 3484422
- gfs2: Wake up when sd_glock_disposal becomes zero (git-fixes).
- commit 6e96bc8
- gfs2: check for live vs. read-only file system in gfs2_fitrim
(git-fixes).
- commit dece8b9
- gfs2: Free rd_bits later in gfs2_clear_rgrpd to fix
use-after-free (git-fixes).
- commit 5f11647
- gfs2: add validation checks for size of superblock (git-fixes).
- commit 4bfdec0
- gfs2: fix use-after-free on transaction ail lists (git-fixes).
- commit 3c0934a
- gfs2: initialize transaction tr_ailX_lists earlier (git-fixes).
- commit a3dcb8b
- gfs2: Allow lock_nolock mount to specify jid=X (git-fixes).
- commit c3d10eb
- gfs2_atomic_open(): fix O_EXCL|O_CREAT handling on cold dcache
(git-fixes).
- commit 50b2782
- gfs2: clear buf_in_tr when ending a transaction in
sweep_bh_for_rgrps (git-fixes).
- commit 0638ce6
- gfs2: Fix sign extension bug in gfs2_update_stats (git-fixes).
- commit 6905d0e
- gfs2: Fix lru_count going negative (git-fixes).
- commit 22c6d6f
- gfs2: take jdata unstuff into account in do_grow (git-fixes).
- commit f6cafad
- gfs2: Fix marking bitmaps non-full (git-fixes).
- commit 27f21b4
- GFS2: Flush the GFS2 delete workqueue before stopping the
kernel threads (git-fixes).
- commit c0d61c2
- gfs2: Don't set GFS2_RDF_UPTODATE when the lvb is updated
(git-fixes).
- commit ca05c1f
- gfs2: Special-case rindex for gfs2_grow (git-fixes).
- commit 77ffe3d
- reiserfs: Replace 1-element array with C99 style flex-array
(git-fixes).
- commit ed361ae
- reiserfs: Check the return value from __getblk() (git-fixes).
- commit c984c17
- affs: fix basic permission bits to actually work (git-fixes).
- commit 6abe668
- timezone
-
- update to 2024a:
* Kazakhstan unifies on UTC+5. This affects Asia/Almaty and
Asia/Qostanay which together represent the eastern portion of the
country that will transition from UTC+6 on 2024-03-01 at 00:00 to
join the western portion. (Thanks to Zhanbolat Raimbekov.)
* Palestine springs forward a week later than previously predicted
in 2024 and 2025. (Thanks to Heba Hamad.) Change spring-forward
predictions to the second Saturday after Ramadan, not the first;
this also affects other predictions starting in 2039.
* Asia/Ho_Chi_Minh's 1955-07-01 transition occurred at 01:00
not 00:00. (Thanks to Đoàn Trần Công Danh.)
* From 1947 through 1949, Toronto's transitions occurred at 02:00
not 00:00. (Thanks to Chris Walton.)
* In 1911 Miquelon adopted standard time on June 15, not May 15.
* The FROM and TO columns of Rule lines can no longer be "minimum"
or an abbreviation of "minimum", because TZif files do not support
DST rules that extend into the indefinite past - although these
rules were supported when TZif files had only 32-bit data, this
stopped working when 64-bit TZif files were introduced in 1995.
This should not be a problem for realistic data, since DST was
first used in the 20th century. As a transition aid, FROM columns
like "minimum" are now diagnosed and then treated as if they were
the year 1900; this should suffice for TZif files on old systems
with only 32-bit time_t, and it is more compatible with bugs in
2023c-and-earlier localtime.c. (Problem reported by Yoshito
Umaoka.)
* localtime and related functions no longer mishandle some
timestamps that occur about 400 years after a switch to a time
zone with a DST schedule. In 2023d data this problem was visible
for some timestamps in November 2422, November 2822, etc. in
America/Ciudad_Juarez. (Problem reported by Gilmore Davidson.)
* strftime %s now uses tm_gmtoff if available. (Problem and draft
patch reported by Dag-Erling Smørgrav.)
* The strftime man page documents which struct tm members affect
which conversion specs, and that tzset is called. (Problems
reported by Robert Elz and Steve Summit.)
- update to 2023d:
* Ittoqqortoormiit, Greenland changes time zones on
2024-03-31.
* Vostok, Antarctica changed time zones on 2023-12-18.
* Casey, Antarctica changed time zones five times since
2020.
* Code and data fixes for Palestine timestamps starting in
2072.
* A new data file zonenow.tab for timestamps starting now.
* Fix predictions for DST transitions in Palestine in
2072-2075, correcting a typo introduced in 2023a.
* Vostok, Antarctica changed to +05 on 2023-12-18. It had
been at +07 (not +06) for years.
* Change data for Casey, Antarctica to agree with
timeanddate.com, by adding five time zone changes since 2020.
Casey is now at +08 instead of +11.
* Much of Greenland, represented by America/Nuuk, changed
its standard time from -03 to -02 on 2023-03-25, not on
2023-10-28.
* localtime.c no longer mishandles TZif files that contain
a single transition into a DST regime. Previously,
it incorrectly assumed DST was in effect before the transition
too.
* tzselect no longer creates temporary files.
* tzselect no longer mishandles the following:
* Spaces and most other special characters in BUGEMAIL,
PACKAGE, TZDIR, and VERSION.
* TZ strings when using mawk 1.4.3, which mishandles
regular expressions of the form /X{2,}/.
* ISO 6709 coordinates when using an awk that lacks the
GNU extension of newlines in -v option-arguments.
* Non UTF-8 locales when using an iconv command that
lacks the GNU //TRANSLIT extension.
* zic no longer mishandles data for Palestine after the
year 2075.
- Refresh tzdata-china.diff
- openssl-1_1
-
- Security fix: [bsc#1219243, CVE-2024-0727]
* Add NULL checks where ContentInfo data can be NULL
* Add openssl-CVE-2024-0727.patch
- python3
-
- Add CVE-2023-40217-avoid-ssl-pre-close.patch fixing
gh#python/cpython#108310, backport from upstream patch
gh#python/cpython#108315
(bsc#1214692, CVE-2023-40217)
- (bsc#1219666, CVE-2023-6597) Add
CVE-2023-6597-TempDir-cleaning-symlink.patch (patch from
gh#python/cpython!99930) fixing symlink bug in cleanup of
tempfile.TemporaryDirectory.
- Repurpose skip-failing-tests.patch to increase timeout for
test.test_asyncio.test_tasks.TimeoutTests.test_timeout_time,
which fails on slow machines in IBS (s390x).
- xen
-
- bsc#1222453 - VUL-0: CVE-2024-2201: xen: x86: Native Branch
History Injection (XSA-456)
661560b9-x86-use-indirect-calls-in-reset-stack.patch
661560ba-x86-drop-INDIRECT_JMP.patch
661560bb-x86-TSX-expose-RTM_ALWAYS_ABORT.patch
661560bc-x86-spec-ctrl-support-BHI_DIS_S.patch
661560bd-x86-spec-ctrl-BHB-clearing-sequences.patch
661560be-x86-spec-ctrl-wire-up-native-BHI-sequences.patch
661560bf-x86-spec-ctrl-long-BHB-loop-sequence.patch
- Upstream bug fixes and renamed patches (bsc#1027519)
61a4db41-wait-remove-indirect-jump.patch
65bbf68a-x86-spec-ctrl-expose-IPRED_CTRL.patch
65bbf68b-x86-spec-ctrl-expose-RRSBA_CTRL.patch
65bbf68c-x86-spec-ctrl-expose-BHI_CTRL.patch
65c37b93-VMX-tertiary-exec-control.patch
66100277-x86-TSX-cope-with-ALWAYS_ABORT-vs-RTM-mismatch.patch
66155013-x86-dont-expose-IPRED-RRSBA-BHI-ctrl-to-PV.patch
661560b1-x86-rename-spec_ctrl_flags.patch
661560b2-x86-spec-ctrl-rework-cond-safety-for-ENTRY.patch
661560b3-x86-entry-arrange-for-r14-to-be-STACK_END-across.patch
661560b4-x86-spec_ctrl-hold-SCF-in-ebx-across-ENTRY-PV-INTR.patch
661560b5-x86-spec-ctrl-simplify-DO_COND_IBPB.patch
661560b6-x86-spec-ctrl-detail-the-safety-in-ENTRY.patch
661560b7-VMX-support-virtualize-SPEC_CTRL.patch
661560b8-x86-spec-ctrl-widen-fields.patch
xsa455.patch -> 661560b0-x86-spec-ctrl-Fix-BTC-SRSO-mitigations.patch
xsa454-1.patch -> 66152b54-hypercall_xlat_continuation-replace-BUG_ON.patch
xsa454-2.patch -> 66152b54-x86-HVM-clear-upper-halves-of-GPRs-upon.patch
- Correction to the following patch
646e51b7-x86-TSX-remove-opencoded-MSR_ARCH_CAPS-check.patch
- Upstream bug fixes (bsc#1027519)
65cb29fe-x86-HVM-tidy-state-on-hvmemul_map_linear_addr.patch
65ddea7c-x86-spec-set-INDIRECT_THUNK-only-when-enabled.patch
65ddea90-x86-spec-dont-log-thunk-option-if-not.patch
- bsc#1222302 - VUL-0: CVE-2024-31142: xen: x86: Incorrect logic
for BTC/SRSO mitigations (XSA-455)
xsa455.patch
- Upstream bug fixes (bsc#1027519)
652fef4f-x86-AMD-erratum-1485.patch
6532858d-x86-DOITM.patch
6566fef3-x86-vLAPIC-x2APIC-derive-LDR-from-APIC-ID.patch
6569ad03-libxg-mem-leak-in-cpu-policy-get-set.patch
656ee5e1-x86emul-avoid-triggering-event-assertions.patch
656ee6c3-domain_create-error-path.patch
65842d5c-x86-AMD-extend-CPU-erratum-1474-fix.patch
659d44da-x86-HVM-hide-SVM-VMX-when.patch
65a7a0a4-x86-Intel-GPCC-setup.patch
65b27990-x86-p2m-pt-off-by-1-in-entry-check.patch
- bsc#1221984 - VUL-0: CVE-2023-46842: xen: x86 HVM hypercalls may
trigger Xen bug check (XSA-454)
xsa454-1.patch
xsa454-2.patch
- Code and comment adjustments to previous fixes
62cd91d5-x86-cpuid-BTC_NO-enum.patch
636a9130-x86-spec-ctrl-Enumeration-for-IBPB_RET.patch
642d51ac-x86-remove-temporary-policy-defines.patch
64bea1b2-x86-AMD-Zenbleed.patch
64d24f05-x86-spec-ctrl-mitigate-SRSO.patch
65f079a3-x86-spec-ctrl-rename-VERW-related-options.patch
65f079aa-locking-wrappers-always-inline.patch
- Upstream bug fixes (bsc#1027519)
5dfce874-x86-APIC-force-phys-if-no-intremap.patch
5e5930f7-AMD-IOMMU-correct-handling-when-XT-prereqs.patch
5e67a376-AMD-IOMMU-no-XT-x2APIC-phys.patch
616e7cfe-x86-paging-restrict-paddr-width-reported.patch
61e0296a-x86-time-calibration-relative-counts.patch
61e029c8-x86-time-TSC-freq-calibration-accuracy.patch
61f7b2af-libxl-dont-touch-nr_vcpus_out-if-listing.patch
61f933a4-x86-cpuid-advertise-SSB_NO.patch
625fca42-VT-d-reserved-CAP-ND.patch
626f7ee8-x86-MSR-handle-P5-MC-reads.patch
627549d6-IO-shutdown-race.patch
62d65105-x86-spec-ctrl-MD_CLEAR-reporting.patch
62d807c1-x86-suppress-MMX.patch
62ecfc08-VMX-use-IST-RSB-protection.patch
62f5f479-PCI-simplify-and-thus-correct-pci_get_pdev-.patch
6346e404-VMX-correct-error-handling-in-vmx_create_vmcs.patch
635274c0-EFI-dont-convert-runtime-mem-to-RAM.patch
637b5f4f-efifb-ignore-invalid.patch
63a03e28-x86-high-freq-TSC-overflow.patch
6419697d-AMD-IOMMU-no-XT-x2APIC-phys.patch
6424a76c-xenstore-quota-check-in-acc_fix_domains.patch
646b782b-PCI-pci_get_pdev-respect-segment.patch
648863fc-AMD-IOMMU-Invalidate-All-check.patch
64c7b1ac-x86-Zen2-disable-C6-after-1000-days.patch
64e6459b-revert-VMX-sanitize-rIP-before-reentering.patch
64eef7e9-x86-reporting-spurious-i8259-interrupts.patch
- bsc#1221332 - VUL-0: CVE-2023-28746: xen: x86: Register File Data
Sampling (XSA-452)
65dcd66b-x86-entry-EFRAME_-constants.patch
65e2371b-x86-CP-allow-levelling-of-VERW-side-effects.patch
65f079a1-VMX-perform-VERW-flushing-later.patch
65f079a2-x86-spec-ctrl-perform-VERW-flushing-later.patch
65f079a3-x86-spec-ctrl-rename-VERW-related-options.patch
65f079a4-x86-spec-ctrl-VERW-handling-adjustments.patch
65f079a5-x86-spec-ctrl-mitigate-RFDS.patch
- bsc#1221334 - VUL-0: CVE-2024-2193: xen: GhostRace: Speculative
Race Conditions (XSA-453)
60700077-x86-vpt-avoid-pt_migrate-rwlock.patch
650dac01-x86-paging-drop-update_cr3-do_locking.patch
65f079a6-swap-order-of-actions-in-FREE-macros.patch
65f079a7-x86-spinlock-block-speculation-into.patch
65f079a8-rwlock-block-speculation-into.patch
65f079a9-percpu-rwlock-block-speculation-into.patch
65f079aa-locking-wrappers-always-inline.patch
65f079ab-x86-mm-speculation-barriers-in-open-coded.patch
65f079ac-x86-protect-conditional-locking-from-speculative.patch
- Upstream bug fixes and renamed patches (bsc#1027519)
xsa368.patch -> 60535c11-libxl-Fix-domain-soft-reset-state-handling.patch
xsa370.patch -> 60913ab0-non-shim-32bit-PV-doc-speculative-status.patch
xsa376.patch -> 61dd5f64-limit-support-statement-for-Linux-and-Windows-frontends.patch
xsa393.patch -> 61efec1d-Arm-P2M-always-clear-entry-on-mapping-removal.patch
xsa394.patch -> 61efec4d-gnttab-only-decrement-refcounter-on-final-unmap.patch
xsa395.patch -> 61efec96-IOMMU-x86-stop-pirq-iteration-immediately-on-error.patch
xsa397.patch -> 624c31f2-x86-HAP-dont-switch-on-log-dirty-for.patch
xsa398-1.patch -> 62278667-Arm-introduce-new-processors.patch
xsa398-2.patch -> 62278668-Arm-move-errata-CSV2-check-earlier.patch
xsa398-3.patch -> 62278669-Arm-add-ECBHB-and-CLEARBHB-ID-fields.patch
xsa398-4.patch -> 6227866a-Arm-Spectre-BHB-handling.patch
xsa398-5.patch -> 6227866b-Arm-allow-SMCCC_ARCH_WORKAROUND_3-use.patch
xsa398-6.patch -> 6227866c-x86-AMD-cease-using-thunk-lfence.patch
xsa399.patch -> 624c322b-VT-d-correct-order-in-cleanup_domid_map.patch
xsa400-00.patch -> 619e0e9c-VT-d-split-domid-map-cleanup-check.patch
xsa400-01.patch -> 624c32e5-VT-d-fix-de-assign-ordering-with-RMRRs.patch
xsa400-02.patch -> 624c330a-VT-d-fix-add-remove-ordering-with-RMRRs.patch
xsa400-03.patch -> 624c3351-VT-d-drop-ownership-checking-from-dcm1.patch
xsa400-04.patch -> 624c3366-VT-d-re-assign-devices-directly.patch
xsa400-05.patch -> 624c337c-AMD-IOMMU-re-assign-devices-directly.patch
xsa400-06.patch -> 624c3392-VT-d-prepare-per-dev-quarantine-pt-I.patch
xsa400-07.patch -> 624c33a8-VT-d-prepare-per-dev-quarantine-pt-II.patch
xsa400-08.patch -> 624c33be-IOMMU-x86-maintain-per-dev-pseudo-domID.patch
xsa400-09.patch -> 624c33de-IOMMU-x86-drop-TLB-flushes-from-qinit.patch
xsa400-10.patch -> 624c33f4-AMD-IOMMU-abstract-max-pt-levels.patch
xsa400-11.patch -> 624c34f2-IOMMU-x86-use-per-dev-pts-for-quarantine.patch
xsa401-1.patch -> 62a1e594-x86-clean-up-_get_page_type.patch
xsa401-2.patch -> 62a1e5b0-x86-ABAC-race-in-_get_page_type.patch
xsa402-0.patch -> 5d31ae8e-x86-Intel-clear-cache-self-snoop-when.patch
xsa402-1.patch -> 62a1e5d2-x86-introduce-_PAGE_-for-mem-types.patch
xsa402-2.patch -> 62a1e5f0-x86-dont-change-cacheability-of-directmap.patch
xsa402-3.patch -> 62a1e60e-x86-split-cache_flush-out-of-cache_writeback.patch
xsa402-4.patch -> 62a1e62b-x86-AMD-work-around-CLFLUSH-ordering.patch
xsa402-5.patch -> 62a1e649-x86-track-and-flush-non-coherent.patch
xsa404-1.patch -> 62ab0fab-x86-spec-ctrl-VERW-flushing-runtime-cond.patch
xsa404-2.patch -> 62ab0fac-x86-spec-ctrl-enum-for-MMIO-Stale-Data.patch
xsa404-3.patch -> 62ab0fad-x86-spec-ctrl-add-unpriv-mmio.patch
xsa407-0a.patch -> 61e98e8a-x86-spec-ctrl-drop-ENTRY-EXIT-HVM.patch
xsa407-0b.patch -> 61f933a5-x86-drop-use_spec_ctrl-boolean.patch
xsa407-0c.patch -> 61f933a6-x86-new-has_spec_ctrl-boolean.patch
xsa407-0d.patch -> 61f933a7-x86-dont-use-spec_ctrl-enter-exit-for-S3.patch
xsa407-0e.patch -> 61f933a9-x86-SPEC_CTRL-use-common-logic-for-AMD.patch
xsa407-0f.patch -> 62bdd840-x86-spec-ctrl-only-adjust-idle-with-legacy-IBRS.patch
xsa407-0g.patch -> 62bdd841-x86-spec-ctrl-knobs-for-STIBP-and-PSFD.patch
xsa407-0h.patch -> 62cc31ee-cmdline-extend-parse_boolean.patch
xsa407-0i.patch -> 62cc31ef-x86-spec-ctrl-fine-grained-cmdline-subopts.patch
xsa407-1.patch -> 62cd91d0-x86-spec-ctrl-rework-context-switching.patch
xsa407-2.patch -> 62cd91d1-x86-spec-ctrl-rename-SCF_ist_wrmsr.patch
xsa407-3.patch -> 62cd91d2-x86-spec-ctrl-rename-opt_ibpb.patch
xsa407-4.patch -> 62cd91d3-x86-spec-ctrl-rework-SPEC_CTRL_ENTRY_FROM_INTR_IST.patch
xsa407-5.patch -> 62cd91d4-x86-spec-ctrl-IBPB-on-entry.patch
xsa407-6.patch -> 62cd91d5-x86-cpuid-BTC_NO-enum.patch
xsa407-7.patch -> 62cd91d6-x86-spec-ctrl-enable-Zen2-chickenbit.patch
xsa407-8.patch -> 62cd91d7-x86-spec-ctrl-mitigate-Branch-Type-Confusion.patch
xsa408.patch -> 62dfe40a-x86-mm-gpt-TLB-flush-condition.patch
xsa410-01.patch -> 63455f82-Arm-P2M-prevent-adding-mapping-when-dying.patch
xsa410-02.patch -> 63455fa8-Arm-P2M-preempt-when-freeing-intermediate.patch
xsa410-03.patch -> 63455fc3-x86-p2m_teardown-allow-skip-root-pt-removal.patch
xsa410-04.patch -> 63455fe4-x86-HAP-monitor-table-error-handling.patch
xsa410-05.patch -> 63456000-x86-tolerate-sh_set_toplevel_shadow-failure.patch
xsa410-06.patch -> 6345601d-x86-tolerate-shadow_prealloc-failure.patch
xsa410-07.patch -> 6345603a-x86-P2M-refuse-new-alloc-for-dying.patch
xsa410-08.patch -> 63456057-x86-P2M-truly-free-paging-pool-for-dying.patch
xsa410-09.patch -> 63456075-x86-P2M-free-paging-pool-preemptively.patch
xsa410-10.patch -> 63456090-x86-p2m_teardown-preemption.patch
xsa411.patch -> 634561aa-gnttab-locking-on-transitive-copy-error-path.patch
xsa422-01.patch -> 636a9130-x86-spec-ctrl-Enumeration-for-IBPB_RET.patch
xsa422-02.patch -> 636a9130-x86-spec-ctrl-Mitigate-IBPB-not-flushing-the-RSB-RAS.patch
xsa427.patch -> 64199e0c-x86-shadow-account-for-log-dirty-mode.patch
xsa428-1.patch -> 64199e0d-x86-HVM-bound-number-of-pca-regions.patch
xsa428-2.patch -> 64199e0e-x86-HVM-serialize-pca-list-manipulation.patch
xsa429.patch -> 64199e0f-x86-spec-ctrl-defer-CR4_PV32_RESTORE-for-CSTAR.patch
xsa433.patch -> 64bea1b2-x86-AMD-Zenbleed.patch
xsa434-1.patch -> 64d24f03-x86-spec-ctrl-rework-ibpb_calculations.patch
xsa434-2.patch -> 64d24f04-x86-spec-ctrl-enumerations-for-SRSO.patch
xsa434-3.patch -> 64d24f05-x86-spec-ctrl-mitigate-SRSO.patch
xsa435-0-01.patch -> 5d728656-x86-extend-cpuid-option-to-support-all.patch
xsa435-0-02.patch -> 5e581082-x86-gen-cpuid-rework-logic-to-ease.patch
xsa435-0-03.patch -> 6081bae4-x86-cpuid-LFENCE-always-serialising.patch
xsa435-0-04.patch -> 60c90488-x86-MSR-expose-MSR_ARCH_CAPS-in-policies.patch
xsa435-0-05.patch -> 6202afa8-x86-spec-ctrl-clean-up-MSR_MCU_OPT_CTRL-handling.patch
xsa435-0-06.patch -> 60be3097-x86-cpuid-drop-special_features.patch
xsa435-0-07.patch -> 61bba121-x86-cpuid-split-dom0-handling-out-of-init_.patch
xsa435-0-08.patch -> 61bba121-x86-cpuid-factor-common-parsing-out-of.patch
xsa435-0-09.patch -> 61bba121-x86-dom0-cpuid-cmdline-option.patch
xsa435-0-10.patch -> 61f2dd76-x86-migration-compatibility-MSR_SPEC_CTRL.patch
xsa435-0-11.patch -> 62f27ebd-x86-expose-more-MSR_ARCH_CAPS-to-hwdom.patch
xsa435-0-12.patch -> 62f51e16-x86-spec-ctrl-enumerate-PBRSB_NO.patch
xsa435-0-13.patch -> 63e53ac9-x86-cpuid-infrastructure-leaves-7-1.patch
xsa435-0-14.patch -> 640f0862-x86-spec-ctrl-add-BHI-controls-to.patch
xsa435-0-15.patch -> 640f0862-x86-spec-ctrl-enumerate-DDP.patch
xsa435-0-16.patch -> 640f0861-tools-xen-cpuid-dash-as-separator.patch
xsa435-0-17.patch -> 640f0862-tools-xen-cpuid-rework-handling-of-dynamic.patch
xsa435-0-18.patch -> 640f0863-x86-sysctl-Retrofit-XEN_SYSCTL_cpu_featureset-max.patch
xsa435-0-19.patch -> 642d51a0-x86-rename-struct-cpu_policy-to-old.patch
xsa435-0-20.patch -> 642d51a1-x86-rename-domctl-sysctl-cpu_policy-msr-fields.patch
xsa435-0-21.patch -> 642d51a2-x86-rename-struct-cpuid_policy-to-cpu_policy.patch
xsa435-0-22.patch -> 642d51a3-x86-merge-struct-msr_policy-into-cpu_policy.patch
xsa435-0-23.patch -> 642d51a4-x86-merge-system-cpuid-msr-policies.patch
xsa435-0-24.patch -> 642d51a5-x86-merge-domain-cpuid-msr-policies.patch
xsa435-0-25.patch -> 642d51a6-x86-drop-struct-old_cpu_policy.patch
xsa435-0-26.patch -> 642d51a7-x86-out-of-inline-policy-featureset-convertors.patch
xsa435-0-27.patch -> 642d51a8-x86-boot-move-MSR-policy-init-logic-into.patch
xsa435-0-28.patch -> 642d51a9-x86-boot-merge-CPUID-policy-init-logic-into.patch
xsa435-0-29.patch -> 642d51aa-x86-emul-switch-x86_emulate_ctxt-to-cpu_policy.patch
xsa435-0-30.patch -> 642d51ab-libx86-update-library-API-for-cpu_policy.patch
xsa435-0-31.patch -> 642d51ac-x86-remove-temporary-policy-defines.patch
xsa435-0-32.patch -> 6462035f-x86-cpuid-Calculate-FEATURESET_NR_ENTRIES-more-helpfully.patch
xsa435-0-33.patch -> 646e51b0-x86-boot-rework-dom0-feature-configuration.patch
xsa435-0-34.patch -> 646e51b1-x86-boot-adjust-MSR_ARCH_CAPS-handling-for-Host.patch
xsa435-0-35.patch -> 646e51b2-x86-cpu-policy-infrastructure-for-MSR_ARCH_CAPS.patch
xsa435-0-36.patch -> 646e51b3-x86-cpu-policy-MSR_ARCH_CAPS-names.patch
xsa435-0-37.patch -> 646e51b4-x86-boot-record-MSR_ARCH_CAPS-for-Raw-and-Host.patch
xsa435-0-38.patch -> 646e51b5-x86-boot-expose-MSR_ARCH_CAPS-in-guest-max.patch
xsa435-0-39.patch -> 646e51b6-VT-x-remove-opencoded-MSR_ARCH_CAPS-check.patch
xsa435-0-40.patch -> 646e51b7-x86-TSX-remove-opencoded-MSR_ARCH_CAPS-check.patch
xsa435-0-41.patch -> 646e51b9-x86-spec-ctrl-remove-opencoded-MSR_ARCH_CAPS-check.patch
xsa435-0-42.patch -> 64763137-x86-spec-ctrl-update-hints.patch
xsa435-0-43.patch -> 648c6258-x86-spec-ctrl-rendering-of-FB_CLEAR.patch
xsa435-0-44.patch -> 648c6259-x86-spec-ctrl-rename-retpoline_safe-to.patch
xsa435-0-45.patch -> 648c625a-x86-spec-ctrl-fix-up-RSBA-RRSBA-bits.patch
xsa435-0-46.patch -> 648c625b-x86-cpu-policy-derive-RSBA-RRSBA-for-guest.patch
xsa435-0-47.patch -> 64c0edc7-x86-cpu-policy-advertise-MSR_ARCH_CAPS.patch
xsa435-0-48.patch -> 609185e7-libxl-dont-ignore-retval-from-xc_cpuid_apply_policy.patch
xsa435-0-49.patch -> 64c0edc8-libs-guest-introduce-support-for-setting-guest-MSRs.patch
xsa435-0-50.patch -> 64c0edc9-libxl-introduce-MSR-data-in-libxl_cpuid_policy.patch
xsa435-0-51.patch -> 64c0edca-libxl-split-logic-to-parse-user-provided-features.patch
xsa435-0-52.patch -> 64c0edcb-libxl-use-cpuid-feature-names-from.patch
xsa435-0-53.patch -> 64c0edcc-libxl-support-parsing-MSR-features.patch
xsa435-0-54.patch -> xsa435-0.patch
xsa435-1.patch -> 64d24f05-x86-cpu-policy-hide-CLWB-by-default-on.patch
xsa435-2.patch -> 64d24f05-x86-spec-ctrl-enumerate-GDS.patch
xsa435-3.patch -> 64d24f05-x86-spec-ctrl-mitigate-GDS.patch
xsa438.patch -> 650abbfe-x86-shadow-defer-PV-top-level-release.patch
xsa439-1.patch -> 65087000-x86-spec-ctrl-SPEC_CTRL_EXIT_TO_XEN-confusion.patch
xsa439-2.patch -> 65087001-x86-spec-ctrl-fold-DO_SPEC_CTRL_EXIT_TO_XEN.patch
xsa439-3.patch -> 65087002-x86-spec-ctrl-SPEC_CTRL-ENTRY-EXIT-asm-macros.patch
xsa439-4.patch -> 65087003-x86-spec-ctrl-SPEC_CTRL-ENTER-EXIT-comments.patch
xsa439-5.patch -> 65087004-x86-entry-restore_all_xen-stack_end.patch
xsa439-6.patch -> 65087005-x86-entry-track-IST-ness-of-entry.patch
xsa439-7.patch -> 65087006-x86-spec-ctrl-VERW-on-IST-exit-to-Xen.patch
xsa439-8.patch -> 65087007-x86-AMD-Zen-1-2-predicates.patch
xsa439-9.patch -> 65087008-x86-spec-ctrl-Zen1-DIV-leakage.patch
xsa442.patch -> 65263470-AMD-IOMMU-flush-TLB-when-flushing-DTE.patch
xsa443-01.patch -> 65263471-libfsimage-xfs-remove-dead-code.patch
xsa443-02.patch -> 65263472-libfsimage-xfs-amend-mask32lo.patch
xsa443-03.patch -> 65263473-libfsimage-xfs-sanity-check-superblock.patch
xsa443-04.patch -> 65263474-libfsimage-xfs-compile-time-check.patch
xsa443-05.patch -> 65263475-pygrub-remove-unnecessary-hypercall.patch
xsa443-06.patch -> 65263476-pygrub-small-refactors.patch
xsa443-07.patch -> 65263477-pygrub-open-output-files-earlier.patch
xsa443-08.patch -> 65263478-libfsimage-function-to-preload-plugins.patch
xsa443-09.patch -> 65263479-pygrub-deprivilege.patch
xsa443-10.patch -> 6526347a-libxl-allow-bootloader-restricted-mode.patch
xsa443-11.patch -> 6526347b-libxl-limit-bootloader-when-restricted.patch
xsa444-1.patch -> 6526347c-SVM-fix-AMD-DR-MASK-context-switch-asymmetry.patch
xsa444-2.patch -> 6526347d-x86-PV-auditing-of-guest-breakpoints.patch
xsa445.patch -> 65536847-AMD-IOMMU-correct-level-for-quarantine-pt.patch
xsa446.patch -> 65536848-x86-spec-ctrl-remove-conditional-IRQs-on-ness.patch
xsa449.patch -> 65b8f961-PCI-fail-dev-assign-if-phantom-functions.patch
- bsc#1220141 - Call trace of XSAVE consistency problem in sle15sp6
PV domU on XEN
6306185f-x86-XSTATE-CPUID-subleaf-1-EBX.patch
- python-idna
-
- Add CVE-2024-3651.patch, backported from upstream commit
gh#kjd/idna#172/commits/5beb28b9dd77912c0dd656d8b0fdba3eb80222e7
(bsc#1222842, CVE-2024-3651)
- util-linux
-
- Properly neutralize escape sequences in wall
(util-linux-CVE-2024-28085.patch, bsc#1221831, CVE-2024-28085,
and its prerequisites: util-linux-fputs_careful1.patch,
util-linux-wall-migrate-to-memstream.patch
util-linux-fputs_careful2.patch).
- curl
-
- Security fix: [bsc#1221665, CVE-2024-2004]
* Usage of disabled protocol
* Add curl-CVE-2024-2004.patch
- Security fix: [bsc#1221667, CVE-2024-2398]
* curl: HTTP/2 push headers memory-leak
* Add curl-CVE-2024-2398.patch