pam
- Prevent cursor escape from the login prompt [bsc#1194818]
  * Added: pam-bsc1194818-cursor-escape.patch
suseconnect-ng
- Update version to 1.11
  - Added uname as collector
  - Added SAP workload detection
  - Added detection of container runtimes
  - Multiple fixes on ARM64 detection
  - Use `read_values` for the CPU collector on Z
  - Fixed data collection for ppc64le
  - Grab the home directory from /etc/passwd if needed (bsc#1226128)

- Update version to 1.10.0
  * Build zypper-migration and zypper-packages-search as standalone
    binaries rather than one single binary
  * Add --gpg-auto-import-keys flag before action in zypper command (bsc#1219004)
  * Include /etc/products.d in directories whose contents are backed
    up and restored if a zypper-migration rollback happens. (bsc#1219004)
  * Add the ability to upload the system uptime logs, produced by the
    suse-uptime-tracker daemon, to SCC/RMT as part of keepalive report.
    (jsc#PED-7982) (jsc#PED-8018)
  * Add support for third party packages in SUSEConnect
  * Refactor existing system information collection implementation
systemd
- Add 6001-udev_monitor_receive_device-dynamically-allocate-rec.patch (bsc#1226095)
regionServiceClientConfigEC2
- Update to version 4.3.0 (bsc#1228363)
  + The IPv6 cert was switched up for the region server running in us-west-2
    and as such the SSL handshake was failing. Drop the incorrect cert
    and add the correct cert.

- Switch the patch syntax away from the deprecated shorthand macro
util-linux-systemd
- agetty: Prevent login cursor escape (bsc#1194818,
  util-linux-agetty-prevent-cursor-escape.patch).

- Don't delete binaries not common for all architectures. Create an
  util-linux-extra subpackage instead, so users of third party
  tools can use them. (bsc#1222285)

- fix Xen virtualization type misidentification bsc#1215918
  lscpu-fix-parameter-order-for-ul_prefix_fopen.patch
ca-certificates-mozilla
- Updated to 2.68 state of Mozilla SSL root CAs (bsc#1227525)
  - Added: FIRMAPROFESIONAL CA ROOT-A WEB
  - Distrust: GLOBALTRUST 2020

- Updated to 2.66 state of Mozilla SSL root CAs (bsc#1220356)
  Added:
  - CommScope Public Trust ECC Root-01
  - CommScope Public Trust ECC Root-02
  - CommScope Public Trust RSA Root-01
  - CommScope Public Trust RSA Root-02
  - D-Trust SBR Root CA 1 2022
  - D-Trust SBR Root CA 2 2022
  - Telekom Security SMIME ECC Root 2021
  - Telekom Security SMIME RSA Root 2023
  - Telekom Security TLS ECC Root 2020
  - Telekom Security TLS RSA Root 2023
  - TrustAsia Global Root CA G3
  - TrustAsia Global Root CA G4
  Removed:
  - Autoridad de Certificacion Firmaprofesional CIF A62634068
  - Chambers of Commerce Root - 2008
  - Global Chambersign Root - 2008
  - Security Communication Root CA
  - Symantec Class 1 Public Primary Certification Authority - G6
  - Symantec Class 2 Public Primary Certification Authority - G6
  - TrustCor ECA-1
  - TrustCor RootCert CA-1
  - TrustCor RootCert CA-2
  - VeriSign Class 1 Public Primary Certification Authority - G3
  - VeriSign Class 2 Public Primary Certification Authority - G3
- remove-trustcor.patch: removed, now upstream
- do a versioned obsoletes of "openssl-certs".
ksh
- do not use posix_spawn as it lacks proper job handling [bsc#1224057]
  new patch: ksh93-no-posix_spawn.dif
- fix segfault in variable substitution [bsc#1129288]
  new patch: ksh93-putval.dif
- fix untrusted environment execution [bsc#1160796] [CVE-2019-14868]
  new patch: ksh93-untrustedenv.dif
wget
- Fix mishandled semicolons in the userinfo subcomponent could lead to an
  insecure behavior in which data that was supposed to be in the userinfo
  subcomponent is misinterpreted to be part of the host subcomponent.
  [bsc#1226419, CVE-2024-38428, properly-re-implement-userinfo-parsing.patch]
expat
- Security fix (bsc#1229932, CVE-2024-45492): detect integer
  overflow in function nextScaffoldPart
  * Added expat-CVE-2024-45492.patch
- Security fix (bsc#1229931, CVE-2024-45491): detect integer
  overflow in dtdCopy
  * Added expat-CVE-2024-45491.patch
- Security fix (bsc#1229930, CVE-2024-45490): reject negative
  len for XML_ParseBuffer
  * Added expat-CVE-2024-45490.patch

- Security fix (bsc#1221563, bsc#1219559, CVE-2023-52425):
  * expat-CVE-2023-52425-1.patch: [PATCH] Grow buffer based on
    current size
  * expat-CVE-2023-52425-2.patch:
  * expat-CVE-2023-52425-backport-parser-changes.patch:
    CVE-2023-52425 Additional parser fixes
  * expat-CVE-2023-52425-fix-tests.patch: CVE-2023-52425 Tests and
    Test suite fixes
libxml2
- Security fix (CVE-2024-34459, bsc#1224282) buffer over-read in
  xmlHTMLPrintFileContext in xmllint.c
  * Added libxml2-CVE-2024-34459.patch
glib2
- Add glib2-gdbusmessage-cache-arg0.patch: cache the arg0 value in
  a dbus message. Fixes a possible use after free (boo#1224044).
release-notes-sles
- 12.5.20240614 (tracked in bsc#933411)
- Added note about openSSH 8.4 (bsc#1222298)
- Added note about unsupported hibernate/suspend on Xen (bsc#1214405)
- Added note about chrony 4.1 (jsc#SLE-22248)
- Added note about adcli --dont-expire-password (jsc#SLE-21223)
- Added note about sudo -U -l restriction (jsc#SLE-22569)
- Added note about nodejs16 addition (jsc#SLE-21234)
- Added note about rsyslog 8.2106 (jsc#SLE-21522)
- Added note about tcl 8.6.12 (jsc#SLE-21015)
- Added note about sudo 1.8.27 update (jsc#SLE-17083)
python-setuptools
- Add patch CVE-2024-6345-code-execution-via-download-funcs.patch:
  * Sanitize any VCS URL we download. (CVE-2024-6345, bsc#1228105)
openssl-1_0_0
- Pull libopenssl-1_0_0 when updating openssl-1_0_0 with the same
  version. [bsc#1228291]

- Security fix: [bsc#1227138, bsc#1227227, CVE-2024-5535]
  * SSL_select_next_proto buffer overread
  * Add openssl-CVE-2024-5535.patch
xfsprogs
- libfrog: fix missing error checking in workqueue code (bsc#1227232)
  - add xfsprogs-libfrog-fix-missing-error-checking-in-workqueue-code.patch

- xfs_repair: ignore empty xattr leaf blocks (bsc#1227911)
  - add xfsprogs-xfs_repair-ignore-empty-xattr-leaf-blocks.patch

- mkfs: terminate getsubopt arrays properly (bsc#1228270)
  - add xfsprogs-mkfs-terminate-getsubopt-arrays-properly.patch

- xfs_copy: bail out early when superblock cannot be verified
  (bsc#1227150)
  - fix return value of error code, which is expected to be negative

- xfs_copy: bail out early when superblock cannot be verified
  (bsc#1227150)
  - add xfs_copy-bail-out-early-when-superblock-cannot-be-ve.patch
gcc13
- Update to GCC 13.3 release

- Update to gcc-13 branch head, b7a2697733d19a093cbdd0e200, git8761
- Removed gcc13-pr111731.patch now included upstream

- Add gcc13-amdgcn-remove-fiji.patch removing Fiji support from
  the GCN offload compiler as that is requiring Code Object version 3
  which is no longer supported by llvm18.

- Add gcc13-pr101523.patch to avoid combine spending too much
  compile-time and memory doing nothing on s390x.  [boo#1188441]

- Make requirement to lld version specific to avoid requiring the
  meta-package.

- Add gcc13-pr111731.patch to fix unwinding for JIT code.
  [bsc#1221239]

- Revert libgccjit dependency change.  [boo#1220724]

- Fix libgccjit-devel dependency, a newer shared library is OK.
- Fix libgccjit dependency, the corresponding compiler isn't required.

- Use %patch -P N instead of %patchN.

- Add gcc13-sanitizer-remove-crypt-interception.patch to remove
  crypt and crypt_r interceptors.  The crypt API change in SLE15 SP3
  breaks them.  [bsc#1219520]

- Update to gcc-13 branch head, 67ac78caf31f7cb3202177e642, git8285
- Add gcc13-pr88345-min-func-alignment.diff to add support for
  -fmin-function-alignment.  [bsc#1214934]

- Use %{_target_cpu} to determine host and build.

- Update to gcc-13 branch head, fc7d87e0ffadca49bec29b2107, git8250
  * Includes fix for building TVM.  [boo#1218492]

- Add cross-X-newlib-devel requires to newlib cross compilers.
  [boo#1219031]

- Package m2rte.so plugin in the gcc13-m2 sub-package rather than
  in gcc13-devel.  [boo#1210959]
- Require libstdc++6-devel-gcc13 from gcc13-m2 as m2 programs
  are linked against libstdc++6.

- Update to gcc-13 branch head, 36ddb5230f56a30317630a928, git8205

- Update to gcc-13 branch head, 741743c028dc00f27b9c8b1d5, git8109
  * Includes fix for building mariadb on i686.  [bsc#1217667]
  * Remove pr111411.patch contained in the update.

- Avoid update-alternatives dependency for accelerator crosses.
- Package tool links to llvm in cross-amdgcn-gcc13 rather than in
  cross-amdgcn-newlib13-devel since that also has the dependence.
- Depend on llvmVER instead of llvm with VER equal to
  %product_libs_llvm_ver where available and adjust tool discovery
  accordingly.  This should also properly trigger re-builds when
  the patchlevel version of llvmVER changes, possibly changing
  the binary names we link to.  [bsc#1217450]
python36
- Add CVE-2024-4032-private-IP-addrs.patch to fix bsc#1226448
  (CVE-2024-4032) rearranging definition of private v global IP
  addresses.

- Add CVE-2024-0397-memrace_ssl.SSLContext_cert_store.patch
  fixing bsc#1226447 (CVE-2024-0397) by removing memory race
  condition in ssl.SSLContext certificate store methods.
util-linux
- agetty: Prevent login cursor escape (bsc#1194818,
  util-linux-agetty-prevent-cursor-escape.patch).

- Don't delete binaries not common for all architectures. Create an
  util-linux-extra subpackage instead, so users of third party
  tools can use them. (bsc#1222285)

- fix Xen virtualization type misidentification bsc#1215918
  lscpu-fix-parameter-order-for-ul_prefix_fopen.patch
grub2
- Fix btrfs subvolume for platform modules not mounting at runtime when the
  default subvolume is the topmost root tree (bsc#1228124)
  * grub2-btrfs-06-subvol-mount.patch
- Rediff
  * 0001-Unify-the-check-to-enable-btrfs-relative-path.patch

- Fix error in grub-install when linux root device is on lvm thin volume
  (bsc#1192622) (bsc#1191974)
- Fix error in grub-install when root is on tmpfs (bsc#1226100)
  * 0001-grub-install-bailout-root-device-probing.patch
bind
- Security Fixes:
  * It is possible to craft excessively large numbers of resource
    record types for a given owner name, which has the effect of
    slowing down database processing. This has been addressed by
    only allowing a maximum of 100 records to be stored per name
    and type in a cache or zone database.
    (CVE-2024-1737)
    [bsc#1228256, bind-9.11-CVE-2024-1737.patch]
  * Validating DNS messages signed using the SIG(0) protocol (RFC
    2931) could cause excessive CPU load, leading to a
    denial-of-service condition. Support for SIG(0) message
    validation was removed from this version of named.
    (CVE-2024-1975)
    [bsc#1228257, bind-9.11-CVE-2024-1975.patch]
shadow
- bsc#916845 (CVE-2013-4235): Fix TOCTOU race condition
  Update shadow-CVE-2013-4235.patch to be more complete

- bsc#916845 (CVE-2013-4235): Fix TOCTOU race condition
  Add shadow-CVE-2013-4235.patch
libzypp
- Url: Hide known password entries when writing the query part
  (bsc#1050625 bsc#1177583, CVE-2017-9271)
- version 16.22.13 (0)
suse-build-key
- extended 2048 bit SUSE SLE 12, 15 GA-SP5 key until 2028. (bsc#1229339)
  - gpg-pubkey-39db7c82-5f68629b.asc
  + gpg-pubkey-39db7c82-66c5d91a.asc
krb5
- Fix vulnerabilities in GSS message token handling, add patch
  0016-Fix-vulnerabilities-in-GSS-message-token-handling.patch
  * CVE-2024-37370, bsc#1227186
  * CVE-2024-37371, bsc#1227187
zypper
- Show rpm install size before installing (bsc#1224771)
  If filesystem snapshots are taken before the installation (e.g.
  by snapper) no disk space is freed by removing old packages. In
  this case the install size of all packages is a hint how much
  additional disk space is needed by the new packages static
  content.
- version 1.13.67

- clean: Do not report an error if no repos are defined at all
  (bsc#1223971)
- version 1.13.66
python3
- Add CVE-2024-4032-private-IP-addrs.patch to fix bsc#1226448
  (CVE-2024-4032) rearranging definition of private v global IP
  addresses.

- Stop using %%defattr, it seems to be breaking proper executable
  attributes on /usr/bin/ scripts (bsc#1227378).
cups
- cups-1.7.5-CVE-2024-35235.patch for CUPS 1.7.5 in SLE12
  is derived from our cups-2.2.7-CVE-2024-35235.patch for SLE15
  which was derived from the upstream patch for CUPS 2.5
  to behave backward compatible for CUPS 1.7.5 in SLE12
  to fix CVE-2024-35235
  "cupsd Listen port arbitrary chmod 0140777"
  without the more secure but backward-incompatible behaviour
  of the upstream patch for CUPS 2.5
  that ignores domain sockets specified in 'Listen' entries
  in /etc/cups/cupsd.conf when cupsd is launched via systemd
  (in particular when launched on-demand by systemd)
  https://github.com/OpenPrinting/cups/security/advisories/GHSA-vvwp-mv6j-hw6f
  bsc#1225365
mozilla-nss
- Updated nss-fips-approved-crypto-non-ec.patch to enforce
  approved curves with the CKK_EC_MONTGOMERY key type (bsc#1224113).

- Require `sed` for mozilla-nss-sysinit, as setup-nsssysinit.sh
  depends on it and will create a broken, empty config, if sed is
  missing (bsc#1227918)

- update to NSS 3.101.2
  * bmo#1905691 - ChaChaXor to return after the function

- Added nss-fips-safe-memset.patch, fixing bsc#1222811.
- Removed some dead code from nss-fips-constructor-self-tests.patch.
- Rebased nss-fips-approved-crypto-non-ec.patch on above changes.
- Added nss-fips-aes-gcm-restrict.patch, fixing bsc#1222830.
- Updated nss-fips-approved-crypto-non-ec.patch, fixing bsc#1222813,
  bsc#1222814, bsc#1222821, bsc#1222822, bsc#1224118.
- Updated nss-fips-approved-crypto-non-ec.patch and
  nss-fips-constructor-self-tests.patch, fixing bsc#1222807,
  bsc#1222828, bsc#1222834.
- Updated nss-fips-approved-crypto-non-ec.patch, fixing bsc#1222804,
  bsc#1222826, bsc#1222833, bsc#1224113, bsc#1224115, bsc#1224116.

- update to NSS 3.101.1
  * bmo#1901932 - missing sqlite header.
  * bmo#1901080 - GLOBALTRUST 2020: Set Distrust After for TLS and S/MIME.
- update to NSS 3.101
  * bmo#1900413 - add diagnostic assertions for SFTKObject refcount.
  * bmo#1899759 - freeing the slot in DeleteCertAndKey if authentication failed
  * bmo#1899883 - fix formatting issues.
  * bmo#1889671 - Add Firmaprofesional CA Root-A Web to NSS.
  * bmo#1899593 - remove invalid acvp fuzz test vectors.
  * bmo#1898830 - pad short P-384 and P-521 signatures gtests.
  * bmo#1898627 - remove unused FreeBL ECC code.
  * bmo#1898830 - pad short P-384 and P-521 signatures.
  * bmo#1898825 - be less strict about ECDSA private key length.
  * bmo#1854439 - Integrate HACL* P-521.
  * bmo#1854438 - Integrate HACL* P-384.
  * bmo#1898074 - memory leak in create_objects_from_handles.
  * bmo#1898858 - ensure all input is consumed in a few places in mozilla::pkix
  * bmo#1884444 - SMIME/CMS and PKCS #12 do not integrate with modern NSS policy
  * bmo#1748105 - clean up escape handling
  * bmo#1896353 - Use lib::pkix as default validator instead of the old-one
  * bmo#1827444 - Need to add high level support for PQ signing.
  * bmo#1548723 - Certificate Compression: changing the allocation/freeing of buffer + Improving the documentation
  * bmo#1884444 - SMIME/CMS and PKCS #12 do not integrate with modern NSS policy
  * bmo#1893404 - Allow for non-full length ecdsa signature when using softoken
  * bmo#1830415 - Modification of .taskcluster.yml due to mozlint indent defects
  * bmo#1793811 - Implement support for PBMAC1 in PKCS#12
  * bmo#1897487 - disable VLA warnings for fuzz builds.
  * bmo#1895032 - remove redundant AllocItem implementation.
  * bmo#1893334 - add PK11_ReadDistrustAfterAttribute.
  * bmo#215997  - Clang-formatting of SEC_GetMgfTypeByOidTag update
  * bmo#1895012 - Set SEC_ERROR_LIBRARY_FAILURE on self-test failure
  * bmo#1894572 - sftk_getParameters(): Fix fallback to default variable after error with configfile.
  * bmo#1830415 - Switch to the mozillareleases/image_builder image
- Follow upstream changes in nss-fips-constructor-self-tests.patch (switch from ec_field_GFp to ec_field_plain)
- Remove part of nss-fips-zeroization.patch that got removed upstream
- update to NSS 3.100
  - bmo#1893029 - merge pk11_kyberSlotList into pk11_ecSlotList for
    faster Xyber operations.
  - bmo#1893752 - remove ckcapi.
  - bmo#1893162 - avoid a potential PK11GenericObject memory leak.
  - bmo#671060  - Remove incomplete ESDH code.
  - bmo#215997  - Decrypt RSA OAEP encrypted messages.
  - bmo#1887996 - Fix certutil CRLDP URI code.
  - bmo#1890069 - Don't set CKA_DERIVE for CKK_EC_EDWARDS private keys.
  - bmo#676118  - Add ability to encrypt and decrypt CMS messages using ECDH.
  - bmo#676100  - Correct Templates for key agreement in smime/cmsasn.c.
  - bmo#1548723 - Moving the decodedCert allocation to NSS.
  - bmo#1885404 - Allow developers to speed up repeated local execution
    of NSS tests that depend on certificates.
- update to NSS 3.99
  * Removing check for message len in ed25519 (bmo#1325335)
  * add ed25519 to SECU_ecName2params. (bmo#1884276)
  * add EdDSA wycheproof tests. (bmo#1325335)
  * nss/lib layer code for EDDSA. (bmo#1325335)
  * Adding EdDSA implementation. (bmo#1325335)
  * Exporting Certificate Compression types (bmo#1881027)
  * Updating ACVP docker to rust 1.74 (bmo#1880857)
  * Updating HACL* to 0f136f28935822579c244f287e1d2a1908a7e552 (bmo#1325335)
  * Add NSS_CMSRecipient_IsSupported. (bmo#1877730)
- update to NSS 3.98
  * bmo#1780432 - (CVE-2023-5388) Timing attack against RSA decryption
    in TLS
  * bmo#1879513 - Certificate Compression: enabling the check that
    the compression was advertised
  * bmo#1831552 - Move Windows workers to nss-1/b-win2022-alpha
  * bmo#1879945 - Remove Email trust bit from OISTE WISeKey
    Global Root GC CA
  * bmo#1877344 - Replace `distutils.spawn.find_executable` with
    `shutil.which` within `mach` in `nss`
  * bmo#1548723 - Certificate Compression: Updating nss_bogo_shim to
    support Certificate compression
  * bmo#1548723 - TLS Certificate Compression (RFC 8879) Implementation
  * bmo#1875356 - Add valgrind annotations to freebl kyber operations
    for constant-time execution tests
  * bmo#1870673 - Set nssckbi version number to 2.66
  * bmo#1874017 - Add Telekom Security roots
  * bmo#1873095 - Add D-Trust 2022 S/MIME roots
  * bmo#1865450 - Remove expired Security Communication RootCA1 root
  * bmo#1876179 - move keys to a slot that supports concatenation in
    PK11_ConcatSymKeys
  * bmo#1876800 - remove unmaintained tls-interop tests
  * bmo#1874937 - bogo: add support for the -ipv6 and -shim-id shim
    flags
  * bmo#1874937 - bogo: add support for the -curves shim flag and
    update Kyber expectations
  * bmo#1874937 - bogo: adjust expectation for a key usage bit test
  * bmo#1757758 - mozpkix: add option to ignore invalid subject
    alternative names
  * bmo#1841029 - Fix selfserv not stripping `publicname:` from -X value
  * bmo#1876390 - take ownership of ecckilla shims
  * bmo#1874458 - add valgrind annotations to freebl/ec.c
  * bmo#864039  - PR_INADDR_ANY needs PR_htonl before assignment to inet.ip
  * bmo#1875965 - Update zlib to 1.3.1
- Use %patch -P N instead of deprecated %patchN.
- update to NSS 3.97
  * bmo#1875506 - make Xyber768d00 opt-in by policy
  * bmo#1871631 - add libssl support for xyber768d00
  * bmo#1871630 - add PK11_ConcatSymKeys
  * bmo#1775046 - add Kyber and a PKCS#11 KEM interface to softoken
  * bmo#1871152 - add a FreeBL API for Kyber
  * bmo#1826451 - part 2: vendor github.com/pq-crystals/kyber/commit/e0d1c6ff
  * bmo#1826451 - part 1: add a script for vendoring kyber from pq-crystals repo
  * bmo#1835828 - Removing the calls to RSA Blind from loader.*
  * bmo#1874111 - fix worker type for level3 mac tasks
  * bmo#1835828 - RSA Blind implementation
  * bmo#1869642 - Remove DSA selftests
  * bmo#1873296 - read KWP testvectors from JSON
  * bmo#1822450 - Backed out changeset dcb174139e4f
  * bmo#1822450 - Fix CKM_PBE_SHA1_DES2_EDE_CBC derivation
  * bmo#1871219 - Wrap CC shell commands in gyp expansions
- update to NSS 3.96.1
  * bmo#1869408 - Use pypi dependencies for MacOS worker in ./build_gyp.sh
  * bmo#1830978 - p7sign: add -a hash and -u certusage (also p7verify cleanups)
  * bmo#1867408 - add a defensive check for large ssl_DefSend return values
  * bmo#1869378 - Add dependency to the taskcluster script for Darwin
  * bmo#1869378 - Upgrade version of the MacOS worker for the CI
- add nss-allow-slow-tests-s390x.patch: "certutil dump keys with
  explicit default trust flags" test needs longer than the allowed
  6 seconds on s390x
- update to NSS 3.95
  * bmo#1842932 - Bump builtins version number.
  * bmo#1851044 - Remove Email trust bit from Autoridad de Certificacion
    Firmaprofesional CIF A62634068 root cert.
  * bmo#1855318 - Remove 4 DigiCert (Symantec/Verisign) Root Certificates
  * bmo#1851049 - Remove 3 TrustCor Root Certificates from NSS.
  * bmo#1850982 - Remove Camerfirma root certificates from NSS.
  * bmo#1842935 - Remove old Autoridad de Certificacion Firmaprofesional
    Certificate.
  * bmo#1860670 - Add four Commscope root certificates to NSS.
  * bmo#1850598 - Add TrustAsia Global Root CA G3 and G4 root certificates.
  * bmo#1863605 - Include P-384 and P-521 Scalar Validation from HACL*
  * bmo#1861728 - Include P-256 Scalar Validation from HACL*.
  * bmo#1861265 - After the HACL 256 ECC patch, NSS incorrectly encodes
    256 ECC without DER wrapping at the softoken level
  * bmo#1837987 - Add means to provide library parameters to C_Initialize
  * bmo#1573097 - clang format
  * bmo#1854795 - add OSXSAVE and XCR0 tests to AVX2 detection.
  * bmo#1858241 - Typo in ssl3_AppendHandshakeNumber
  * bmo#1858241 - Introducing input check of ssl3_AppendHandshakeNumber
  * bmo#1573097 - Fix Invalid casts in instance.c
- update to NSS 3.94
  * bmo#1853737 - Updated code and commit ID for HACL*
  * bmo#1840510 - update ACVP fuzzed test vector: refuzzed with
    current NSS
  * bmo#1827303 - Softoken C_ calls should use system FIPS setting
    to select NSC_ or FC_ variants
  * bmo#1774659 - NSS needs a database tool that can dump the low level
    representation of the database
  * bmo#1852179 - declare string literals using char in pkixnames_tests.cpp
  * bmo#1852179 - avoid implicit conversion for ByteString
  * bmo#1818766 - update rust version for acvp docker
  * bmo#1852011 - Moving the init function of the mpi_ints before
    clean-up in ec.c
  * bmo#1615555 - P-256 ECDH and ECDSA from HACL*
  * bmo#1840510 - Add ACVP test vectors to the repository
  * bmo#1849077 - Stop relying on std::basic_string<uint8_t>
  * bmo#1847845 - Transpose the PPC_ABI check from Makefile to gyp
- rebased patches
- added nss-fips-test.patch to fix broken test
- Update to NSS 3.93:
  * bmo#1849471 - Update zlib in NSS to 1.3.
  * bmo#1848183 - softoken: iterate hashUpdate calls for long inputs.
  * bmo#1813401 - regenerate NameConstraints test certificates (boo#1214980).
- Rebase nss-fips-pct-pubkeys.patch.
- update to NSS 3.92
  * bmo#1822935 - Set nssckbi version number to 2.62
  * bmo#1833270 - Add 4 Atos TrustedRoot Root CA certificates to NSS
  * bmo#1839992 - Add 4 SSL.com Root CA certificates
  * bmo#1840429 - Add Sectigo E46 and R46 Root CA certificates
  * bmo#1840437 - Add LAWtrust Root CA2 (4096)
  * bmo#1822936 - Remove E-Tugra Certification Authority root
  * bmo#1827224 - Remove Camerfirma Chambers of Commerce Root.
  * bmo#1840505 - Remove Hongkong Post Root CA 1
  * bmo#1842928 - Remove E-Tugra Global Root CA ECC v3 and RSA v3
  * bmo#1842937 - Avoid redefining BYTE_ORDER on hppa Linux
- update to NSS 3.91
  * bmo#1837431 - Implementation of the HW support check for ADX instruction
  * bmo#1836925 - Removing the support of Curve25519
  * bmo#1839795 - Fix comment about the addition of ticketSupportsEarlyData
  * bmo#1839327 - Adding args to enable-legacy-db build
  * bmo#1835357 - dbtests.sh failure in "certutil dump keys with explicit
    default trust flags"
  * bmo#1837617 - Initialize flags in slot structures
  * bmo#1835425 - Improve the length check of RSA input to avoid heap overflow
  * bmo#1829112 - Followup Fixes
  * bmo#1784253 - avoid processing unexpected inputs by checking for
    m_exptmod base sign
  * bmo#1826652 - add a limit check on order_k to avoid infinite loop
  * bmo#1834851 - Update HACL* to commit 5f6051d2
  * bmo#1753026 - add SHA3 to cryptohi and softoken
  * bmo#1753026 - HACL SHA3
  * bmo#1836781 - Disabling ASM C25519 for A but X86_64
- removed upstreamed patch nss-fix-bmo1836925.patch

- update to NSS 3.90.3
  * bmo#1901080 - GLOBALTRUST 2020: Set Distrust After for TLS and S/MIME.
  * bmo#1748105 - clean up escape handling.
  * bmo#1895032 - remove redundant AllocItem implementation.
  * bmo#1836925 - Disable ASM support for Curve25519.
  * bmo#1836781 - Disable ASM support for Curve25519 for all but X86_64.
- remove upstreamed nss-fix-bmo1836925.patch

- Adding nss-fips-bsc1223724.patch to fix startup crash of Firefox
  when using FIPS-mode (bsc#1223724).

- Added "Provides: nss" so other RPMs that require 'nss' can
  be installed (jira PED-6358).
python3-base
- Add CVE-2024-4032-private-IP-addrs.patch to fix bsc#1226448
  (CVE-2024-4032) rearranging definition of private v global IP
  addresses.

- Stop using %%defattr, it seems to be breaking proper executable
  attributes on /usr/bin/ scripts (bsc#1227378).
python-requests
- Add CVE-2024-35195.patch (CVE-2024-35195, bsc#1224788)
- Add httpbin.patch to fix a test failure caused by the previous patch.
_product:SLES-release
n/a
kernel-default
- btrfs: send: fix send failure of a subcase of orphan inodes
  (bsc#1228030).
- btrfs: send: fix failures when processing inodes with no links
  (bsc#1228030).
- commit 9fd4ec5

- btrfs: send: use boolean types for current inode status
  (bsc#1228030).
- commit 2ab676b

- btrfs: send: refactor arguments of get_inode_info()
  (bsc#1228030).
- commit 3731717

- btrfs: send: always use the rbtree based inode ref management
  infrastructure (bsc#1228030).
- commit 252130e

- btrfs: fix 64bit compat send ioctl arguments not initializing
  version member (bsc#1228030).
- btrfs: fix send ioctl on 32bit with 64bit kernel (bsc#1228030).
- btrfs: send: add new command FILEATTR for file attributes
  (bsc#1228030).
- btrfs: send: add stream v2 definitions (bsc#1228030).
- btrfs: send: avoid copying file data (bsc#1228030).
- btrfs: send: explicitly number commands and attributes
  (bsc#1228030).
- btrfs: send: get rid of i_size logic in send_write()
  (bsc#1228030).
- btrfs: send: prepare for v2 protocol (bsc#1228030).
- btrfs: send: remove unused send_ctx::{total,cmd}_send_size
  (bsc#1228030).
- Refresh
  patches.suse/Btrfs-fix-race-between-send-and-deduplication-that-l.patch.
- Refresh
  patches.suse/btrfs-send-ensure-send_fd-is-writable.patch.
- Refresh
  patches.suse/btrfs-send-fix-sending-link-commands-for-existing-fi.patch.
- commit 956ca27

- x86/bhi: Avoid warning in #DB handler due to BHI mitigation (git-fixes).
- commit f899605

- Refresh patches.suse/IB-hfi1-Fix-bugs-with-non-PAGE_SIZE-end-multi-iovec-.patch
  Alt-commit added
  Blacklist the follow-up fix of the Alt-commit
- commit c3542b0

- ima: Fix use-after-free on a dentry's dname.name (bsc#1227716
  CVE-2024-39494).
- commit 2e3d558

- x86/bugs: Replace CONFIG_SPECTRE_BHI_{ON,OFF} with CONFIG_MITIGATION_SPECTRE_BHI (git-fixes).
- Update config files.
- commit 4549b89

- x86/bugs: Remove CONFIG_BHI_MITIGATION_AUTO and spectre_bhi=auto (git-fixes).
  This commit was missing for SLE12-SP5 which made the performance profile
  of SLE12-SP5 and SLE15-SP[56] differ. Our decision was to follow
  upstream w.r.t how BHI is going to be mitigated and the decision was to
  do away with 'auto' mode.
- Update config files.
- commit 02bfc90

- Sort BHI mitigation patches
- Refresh patches.suse/x86-bhi-Add-BHI-mitigation-knob.patch.
- Refresh
  patches.suse/x86-bhi-Add-support-for-clearing-branch-history-at-syscall.patch.
- Refresh patches.suse/x86-bhi-Define-SPEC_CTRL_BHI_DIS_S.patch.
- Refresh
  patches.suse/x86-bhi-Enumerate-Branch-History-Injection-BHI-bug.patch.
- Refresh patches.suse/x86-bhi-Mitigate-KVM-by-default.patch.
- Refresh
  patches.suse/x86-cpufeature-Add-missing-leaf-enumeration.patch.
- commit f2f0729

- PCI: hv: Return zero, not garbage, when reading
  PCI_INTERRUPT_PIN (git-fixes).
- commit 08ef890

- KVM: PPC: Book3S HV: remove extraneous asterisk from
  rm_host_ipi_action() comment (bsc#1065729).
- KVM: PPC: Book3S HV: Don't take kvm->lock around
  kvm_for_each_vcpu (bsc#1065729).
- KVM: PPC: Book3S: Use new mutex to synchronize access to rtas
  token list (bsc#1065729).
- Refresh patches.suse/KVM-PPC-Book3S-Fix-H_RTAS-rets-buffer-overflow.patch
- KVM: PPC: Book3S: Only report KVM_CAP_SPAPR_TCE_VFIO on powernv
  machines (bsc#1065729).
- KVM: PPC: Move and undef TRACE_INCLUDE_PATH/FILE (bsc#1065729).
- KVM: PPC: Inform the userspace about TCE update failures
  (bsc#1065729).
- KVM: PPC: Book3S PR: Exiting split hack mode needs to fixup
  both PC and LR (bsc#1065729).
- commit ad6fee4

- x86: stop playing stack games in profile_pc() (bsc#1228633
  CVE-2024-42096).
- commit 0bc3d2d

- btrfs: send: remove stale code when checking for shared extents
  (bsc#1228030).
- btrfs: silence maybe-uninitialized warning in clone_range
  (bsc#1228030).
- commit 095e644

- Btrfs: incremental send, fix emission of invalid clone
  operations (bsc#1228030).
- commit 88a98fe

- Btrfs: send, improve clone range (bsc#1228030).
- commit 8a72517

- btrfs: remove unused members dir_path from recorded_ref
  (bsc#1228030).
- Refresh
  patches.suse/btrfs-incremental-send-fix-invalid-path-for-unlink-commands.patch.
- Refresh
  patches.suse/btrfs-send-fix-sending-link-commands-for-existing-fi.patch.
- commit 980e08a

- liquidio: Adjust a NULL pointer handling path in
  lio_vf_rep_copy_packet (CVE-2024-39506 bsc#1227729).
- i40e: Fix queues reservation for XDP (CVE-2021-47619
  bsc#1226645).
- commit 37ce537

- btrfs: send: remove unused found_type parameter to
  lookup_dir_item_inode() (bsc#1228030).
- commit bc238fe

- scsi: qla2xxx: Convert comma to semicolon (bsc#1228850).
- scsi: qla2xxx: Update version to 10.02.09.300-k (bsc#1228850).
- scsi: qla2xxx: Use QP lock to search for bsg (bsc#1228850).
- scsi: qla2xxx: Reduce fabric scan duplicate code (bsc#1228850).
- scsi: qla2xxx: Fix optrom version displayed in FDMI
  (bsc#1228850).
- scsi: qla2xxx: During vport delete send async logout explicitly
  (bsc#1228850).
- scsi: qla2xxx: Complete command early within lock (bsc#1228850).
- scsi: qla2xxx: Fix flash read failure (bsc#1228850).
- scsi: qla2xxx: Return ENOBUFS if sg_cnt is more than one for
  ELS cmds (bsc#1228850).
- scsi: qla2xxx: Fix for possible memory corruption (bsc#1228850).
- scsi: qla2xxx: validate nvme_local_port correctly (bsc#1228850).
- scsi: qla2xxx: Unable to act on RSCN for port online
  (bsc#1228850).
- scsi: qla2xxx: Remove unused struct 'scsi_dif_tuple'
  (bsc#1228850).
- scsi: qla2xxx: Fix debugfs output for fw_resource_count
  (bsc#1228850).
- scsi: qla2xxx: Drop driver owner assignment (bsc#1228850).
- scsi: qla2xxx: Avoid possible run-time warning with long
  model_num (bsc#1228850).
- string.h: Introduce memtostr() and memtostr_pad() (bsc#1228850).
- commit 2402124

- nvme: fixup comment for nvme RDMA Provider Type (git-fixes).
- commit 67b36fc

- IB/core: Implement a limit on UMAD receive List (bsc#1228743 CVE-2024-42145)
- commit 9aa0d29

- Update
  patches.suse/Bluetooth-SCO-Fix-not-validating-setsockopt-user-inp.patch
  (bsc#1224576 CVE-2024-35966 CVE-2024-35967 bsc#1224587).
- Update
  patches.suse/RDMA-mlx5-Add-check-for-srq-max_sge-attribute.patch
  (git-fixes CVE-2024-40990 bsc#1227824).
- Update
  patches.suse/USB-class-cdc-wdm-Fix-CPU-lockup-caused-by-excessive.patch
  (git-fixes CVE-2024-40904 bsc#1227772).
- Update
  patches.suse/ocfs2-fix-races-between-hole-punching-and-AIO-DIO.patch
  (bsc#1227849 CVE-2024-40943).
- Update
  patches.suse/tracing-trigger-Fix-to-return-error-if-failed-to-alloc-snapshot.patch
  (git-fixes CVE-2024-26920 bsc#1228237).
- commit 71c68bc

- Update
  patches.suse/SUNRPC-Fix-UAF-in-svc_tcp_listen_data_ready.patch
  (git-fixes CVE-2023-52885 bsc#1227750).
- commit 4594a5d

- Update
  patches.suse/Input-aiptek-properly-check-endpoint-type.patch
  (git-fixes CVE-2022-48836 bsc#1227989).
- Update
  patches.suse/net-ieee802154-at86rf230-Stop-leaking-skb-s.patch
  (git-fixes CVE-2022-48794 bsc#1228025).
- Update
  patches.suse/net-packet-fix-slab-out-of-bounds-access-in-packet_r.patch
  (CVE-2022-20368 bsc#1202346 CVE-2022-48839 bsc#1227985).
- Update
  patches.suse/net-usb-ax88179_178a-Fix-out-of-bounds-accesses-in-R.patch
  (bsc#1196018 CVE-2022-28748 CVE-2022-2964 CVE-2022-48805
  bsc#1227969).
- commit 55fdbd1

- scsi: qedf: Make qedf_execute_tmf() non-preemptible (CVE-2024-42124 bsc#1228705)
- commit 7bd7589

- media: dvb-frontends: tda10048: Fix integer overflow (CVE-2024-42223 bsc#1228726)
- commit 4d685fd

- drm/amd/display: Skip finding free audio for unknown engine_id (CVE-2024-42119 bsc#1228584)
- commit f0a5549

- drm/amd/display: Check pipe offset before setting vblank (CVE-2024-42120 bsc#1228588)
- commit d85398e

- drm/nouveau/dispnv04: fix null pointer dereference in nv17_tv_get_ld_modes (CVE-2024-41095 bsc#1228662)
- commit bb0cd8f

- btrfs: send: fix sending link commands for existing file paths
  (bsc#1228030).
- commit 5a1f564

- net: dsa: mv88e6xxx: Correct check for empty list (CVE-2024-42224 bsc#1228723)
- commit f7ea584

- wifi: cfg80211: wext: add extra SIOCSIWSCAN data check (CVE-2024-41072 bsc#1228626)
- commit c131ba5

- bpf, sockmap: Fix partial copy_page_to_iter so progress can still be made (CVE-2024-41048 bsc#1228565)
- commit 79dff63

- skmsg: Skip zero length skb in sk_msg_recvmsg (CVE-2024-41048 bsc#1228565)
  Based on c9c89dcd872e ("bpf, sockmap: Fix partial copy_page_to_iter so
  progress can still be made"), previous commit.
  Upstream commit 2bc793e3272a13 ("skmsg: Extract __tcp_bpf_recvmsg() and
  tcp_bpf_wait_data()") moved the code from net/ipv4/tcp_bpf.c to
  net/core/skmsg.c.
- commit 80be5ae

- net/sched: act_api: fix possible infinite loop in tcf_idr_check_alloc()
  (CVE-2024-40995 bsc#1227830).
- commit ee1ce8a

- btrfs: send: introduce recorded_ref_alloc and recorded_ref_free
  (bsc#1228030).
- commit 2f5e245

- ppp: reject claimed-as-LCP but actually malformed packets
  (CVE-2024-41044 bsc#1228530).
- ibmvnic: Add tx check to prevent skb leak (CVE-2024-41066
  bsc#1228640).
- commit 0bdb098

- net/dpaa2: Avoid explicit cpumask var allocation on stack
  (CVE-2024-42093 bsc#1228680).
- dpaa2-eth: Refactor xps code (CVE-2024-42093 bsc#1228680).
- commit caf72f9

- drm/nouveau/dispnv04: fix null pointer dereference in (bsc#1228658 CVE-2024-41089)
- commit aec5d0e

- drm/radeon: check bo_va->bo is non-NULL before using it (bsc#1228567 CVE-2024-41060)
- commit 7a28cea

- NFSD: Fix NFSv3 SETATTR/CREATE's handling of large file sizes
  (CVE-2022-48829 bsc#1228055).
- NFSD: Fix ia_size underflow (CVE-2022-48828 bsc#1228054).
- NFSD: Fix the behavior of READ near OFFSET_MAX (CVE-2022-48827
  bsc#1228037).
- commit 1c127f3

- btrfs: qgroup: fix quota root leak after quota disable failure
  (bsc#1228655 CVE-2024-41078).
- commit 263e74a

- wifi: mac80211: Avoid address calculations via out of bounds
  array indexing (CVE-2024-41071 bsc#1228625).
- commit be2129f

- powerpc/eeh: avoid possible crash when edev->pdev changes
  (CVE-2024-41064 bsc#1228599).
- commit 145d8ea

- btrfs: make sure that WRITTEN is set on all metadata blocks (CVE-2024-35949 bsc#1224700)
  Changes: adjust returned error codes to -EUCLEAN and drop definition of
  the enum error.
- commit 6dc890d

- ila: block BH in ila_output() (CVE-2024-41081 bsc#1228617)
- commit 9ec349b

- scsi: qedi: Fix crash while reading debugfs attribute
  (bsc#1227929 CVE-2024-40978).
- scsi: pm8001: Fix use-after-free for aborted SSP/STP sas_task
  (bsc#1228013 CVE-2022-48792).
- scsi: qedf: Fix refcount issue when LOGO is received during TMF
  (bsc#1228045 CVE-2022-48823).
- commit 2a5c419

- blacklist.conf: CVE-2024-41076 bsc#1228649: not applicable
  Different code using a local variable, switch to dynamic allocation done
  in 1b00ad657997c8 ("NFS: Remove the nfs4_label from the nfs_setattrres")
  in 5.16.
- commit ff35317

- ext4: fix uninitialized ratelimit_state->lock access in
  __ext4_fill_super() (bsc#1227866 CVE-2024-40998).
- commit 5fe487a

- hfsplus: fix uninit-value in copy_name (bsc#1228561
  CVE-2024-41059).
- commit 8d75c30

- usb: musb: da8xx: fix a resource leak in probe() (git-fixes).
- commit bc4c361

- usb: atm: cxacru: fix endpoint checking in cxacru_bind()
  (git-fixes).
- commit c9a5140

- USB: class: cdc-wdm: Fix CPU lockup caused by excessive log
  messages (git-fixes).
- commit 7c21caa

- blacklist.conf: misattributed
- commit 3e3428a

- drm/amdgpu: fix UBSAN warning in kv_dpm.c (bsc#1228235 CVE-2024-40987)
- commit 60606a5

- drm/vc4: Fix deadlock on DSI device attach error (bsc#1227975 CVE-2022-48826)
- commit bcda77c

- drm/vc4: dsi: Only register our component once a DSI device is (bsc#1227975)
- commit 0a73252

- genirq: Add IRQF_NO_AUTOEN for request_irq/nmi() (bsc#1222625
  CVE-2024-27437).
- commit 351bbe3

- ocfs2: add bounds checking to ocfs2_check_dir_entry()
  (bsc#1228409 CVE-2024-41015).
- ocfs2: strict bound check before memcmp in
  ocfs2_xattr_find_entry() (bsc#1228410).
- ocfs2: add bounds checking to ocfs2_xattr_find_entry()
  (bsc#1228410 CVE-2024-41016).
- ocfs2: remove redundant assignment to variable free_space
  (bsc#1228409).
- commit 2a658bc

- vfio/pci: Disable auto-enable of exclusive INTx IRQ (bsc#1222625
  CVE-2024-27437).
- commit 9829ce8

- Fix reference in patches.suse/ixgbe-Fix-NULL-pointer-dereference-in-ixgbe_xdp_setu.patch (CVE-2021-47399 bsc#1225328)
- commit 7933225

- ocfs2: fix DIO failure due to insufficient transaction credits
  (bsc#1216834).
- commit e4fdc60

- Bluetooth: hci_core: cancel all works upon hci_unregister_dev() (CVE-2024-41063 bsc#1228580)
- commit 95070bc

- netfilter: nf_tables: fully validate NFT_DATA_VALUE on store to data registers (CVE-2024-42070 bsc#1228470)
- commit d9e81e6

- KVM: PPC: Book3S: Fix some RCU-list locks (git-fixes).
- commit e20a5cb

- KVM: PPC: Book3S HV: Prevent UAF in
  kvm_spapr_tce_attach_iommu_group() (bsc#1228581 CVE-2024-41070).
- commit 1cd5894

- HID: usbhid: free raw_report buffers in usbhid_stop (bsc#1225238
  CVE-2021-47405).
- commit 67ff2bd

- drm/radeon: fix UBSAN warning in kv_dpm.c (bsc#1227957 CVE-2024-40988)
- commit 4f641c6

- drm/exynos/vidi: fix memory leak in .get_modes() (bsc#1227828 CVE-2024-40932)
- commit d694b72

- ipack: ipoctal: fix module reference leak (bsc#1225241
  CVE-2021-47403).
- commit 3f2bac7

- mac80211: fix use-after-free in CCMP/GCMP RX (bsc#1225214
  CVE-2021-47388).
- commit 180ca41

- xfs: refactor xfs_verifier_error and xfs_buf_ioerror
  (git-fixes).
- Refresh
  patches.suse/xfs-don-t-ever-return-a-stale-pointer-from-__xfs_dir.patch.
- commit ac4dc1f

- xfs: remove XFS_WANT_CORRUPTED_RETURN from dir3 data verifiers
  (git-fixes).
- commit 5d31a73

- xfs: check that dir block entries don't off the end of the
  buffer (git-fixes).
- commit 46f96de

- xfs: add bounds checking to xlog_recover_process_data
  (bsc#1228408 CVE-2024-41014).
- commit b3db770

- tun: add missing verification for short frame (CVE-2024-41091
  bsc#1228327).
- tap: add missing verification for short frame (CVE-2024-41090
  bsc#1228328).
- net: ena: Add validation for completion descriptors consistency
  (CVE-2024-40999 bsc#1227913).
- net: mvpp2: clear BM pool before initialization (CVE-2024-35837
  bsc#1224500).
- commit 69b68ee

- Update
  patches.suse/xhci-Fix-incorrect-tracking-of-free-space-on-transfe.patch.
  Fix a backporting mistake which was causing the following warning:
  drivers/usb/host/xhci-ring.c: In function 'xhci_queue_intr_tx':
  drivers/usb/host/xhci-ring.c:3255:6: warning: unused variable 'trbs_freed' [-Wunused-variable]
- commit 787d888

- xhci: Poll for U0 after disabling USB2 LPM (git-fixes).
- commit c66374c

- blacklist.conf: changes semantics
- commit eaf3cb6

- sit: do not call ipip6_dev_free() from sit_init_net()
  (CVE-2021-47588 bsc#1226568).
- commit 9afcbd9

- ipv6: sr: fix incorrect unregister order (git-fixes).
- commit 9f9395f

- Refresh
  patches.suse/powerpc-rtas-Prevent-Spectre-v1-gadget-construction-.patch.
- commit af33133

- vt_ioctl: fix array_index_nospec in vt_setactivate
  (CVE-2022-48804 bsc#1227968).
- commit ee44df4

- serial: imx: Introduce timeout when waiting on transmitter empty
  (CVE-2024-40967 bsc#1227891).
- commit 9b7db88

- kABI: tty: add the option to have a tty reject a new ldisc
  (kabi CVE-2024-40966 bsc#1227886).
- tty: add the option to have a tty reject a new ldisc
  (CVE-2024-40966 bsc#1227886).
- commit 16b4088

- net-sysfs: add check for netdevice being present to speed_show (CVE-2022-48850 bsc#1228071)
- commit 9fdf37b

- Update
  patches.suse/scsi-scsi_debug-Fix-out-of-bound-read-in-resp_report_tgtpgs.patch
  (bsc#1222824 CVE-2021-47219).
  Fix incorrect Bug number and incorrect CVE number.
- commit b4dbf5c

- blacklist.conf: kABI
- commit 6f08f5c

- Update
  patches.suse/scsi-lpfc-Release-hbalock-before-calling-lpfc_worker_wake_up.patch
  (bsc#1225820 CVE-2024-36924).
  Fix incorrect CVE number.
- commit cb94423

- Update
  patches.suse/nvme-rdma-remove-redundant-reference-between-ib_devi.patch
  (bsc#1149446).
  Fix bug reference (missing digit).
- commit 4f5320f

- Update patches.suse/ovl-fix-failure-to-fsync-lower-dir.patch
  (bsc#1088701).
  Fix bug reference (missing digit).
- commit 718aec5

- usb: core: Don't hold the device lock while sleeping in
  do_proc_control() (CVE-2021-47582 bsc#1226559).
- commit ff00ceb

- USB: usbfs: fix mmap dma mismatch (CVE-2021-47582 bsc#1226559).
- commit 6c5305a

- usb: add a hcd_uses_dma helper (git-fixes).
- commit f8aa53d

- ssb: Fix potential NULL pointer dereference in
  ssb_device_uevent() (CVE-2024-40982 bsc#1227865).
- commit 9fbb468

- isdn: mISDN: Fix sleeping function called from invalid context
  (bsc#1225346 CVE-2021-47468).
- commit 34167c4

- mac80211: limit injected vht mcs/nss in
  ieee80211_parse_tx_radiotap (bsc#1225326 CVE-2021-47395).
- commit 2fdeaab

- tools lib: Fix builds when glibc contains strlcpy() (git-fixes).
- blacklist.conf: unblacklist it
  This commit allows for local builds with newer glibc.
- commit 480e775

- PCI: Fix resource double counting on remove & rescan
  (git-fixes).
- commit 68ca613

- ipmr,ip6mr: acquire RTNL before calling ip[6]mr_free_table()
  on failure path (CVE-2022-48810 bsc#1227936).
- commit 7af1a4f

- blacklist.conf: add one pci entry
- commit 0f5e70f

- wifi: ath9k: Fix potential array-index-out-of-bounds read in
  ath9k_htc_txstatus() (CVE-2023-52594 bsc#1221045).
- commit d04a718

- sctp: fix kernel-infoleak for SCTP sockets (CVE-2022-48855
  bsc#1228003).
- commit 5317e78

- scsi: scsi_debug: Fix out-of-bound read in resp_report_tgtpgs()
  (bsc#1226550 CVE-2021-47580).
- commit 72ff240

- ipv6: sr: fix possible use-after-free and null-ptr-deref
  (bsc#1222372 CVE-2024-26735).
- commit 5258c5a

- signal: Introduce clear_siginfo (git-fixes).
- commit 276fe89

- Update
  patches.suse/scsi-scsi_debug-Fix-type-in-min_t-to-avoid-stack-OOB.patch
  (bsc#1226550 CVE-2021-47580).
  Fix incorrect bug#
- commit a8e747b

- scsi: bfa: Ensure the copied buf is NUL terminated (bsc#1226786
  CVE-2024-38560).
- commit 2623515

- ibmvnic: don't release napi in __ibmvnic_open() (bsc#1227928
  CVE-2022-48811).
- commit b1dc7a1

- Update References
  patches.suse/Bluetooth-SMP-Fail-if-remote-and-local-public-keys-a.patch
  (bsc#1186463, CVE-2021-0129, CVE-2020-26558, bsc#1179610,
  CVE-2020-26558).
- commit ef3041a

- gve: Clear napi->skb before dev_kfree_skb_any() (CVE-2024-40937
  bsc#1227836).
- net: hns3: fix kernel crash problem in concurrent scenario
  (CVE-2024-39507 bsc#1227730).
- ibmvnic: don't release napi in __ibmvnic_open() (CVE-2022-48811
  bsc#1227928).
- commit 753a87a

- Refresh
  patches.suse/ipv6-sr-fix-missing-sk_buff-release-in-seg6_input_co.patch.
  Fix broken patch, which only applies with rapidquilt but not with normal
  patch.
- commit 9ba3403

- vmxnet3: disable rx data ring on dma allocation failure
  (CVE-2024-40923 bsc#1227786).
- commit 4f3a9e9

- wifi: iwlwifi: mvm: don't read past the mfuart notifcation
  (git-fixes CVE-2024-40941 bsc#1227771).
- commit e4b5384

- ethernet: Fix error handling in xemaclite_of_probe (CVE-2022-48860 bsc#1228008)
- commit f50353a

- Bluetooth: RFCOMM: Fix not validating setsockopt user input
  (bsc#1224576 CVE-2024-35966).
- commit 68cb9dc

- mISDN: Fix memory leak in dsp_pipeline_build() (CVE-2022-48863
  bsc#1228063).
- commit 98e043d

- KVM: Fix a data race on last_boosted_vcpu in kvm_vcpu_on_spin()
  (CVE-2024-40953, bsc#1227806).
- commit b18a093

- vmci: prevent speculation leaks by sanitizing event in event_deliver() (CVE-2024-39499 bsc#1227725)
- commit d42ba53

- HID: core: remove unnecessary WARN_ON() in implement() (CVE-2024-39509 bsc#1227733)
- commit fe2364e

- bonding: Fix out-of-bounds read in bond_option_arp_ip_targets_set() (CVE-2024-39487 bsc#1227573)
- commit b775587

- blacklist.conf: CVE-2024-35934 bsc#1224641: not applicable
  Patch fixing code that does not exist in SLE12-SP5 and there's no
  equivalent either. Added by e888a2e8337c96 ("net/smc: introduce list of
  pnetids for Ethernet devices").
- commit 4b9f331

- Update
  patches.suse/scsi-scsi_debug-Fix-out-of-bound-read-in-resp_readcap16.patch.
  Fix a build warning about using min() vs min_t().
- commit a4b6164

- xfrm6: check ip6_dst_idev() return value in xfrm6_get_saddr()
  (CVE-2024-40959 bsc#1227884).
- commit 38ba090

- ocfs2: fix races between hole punching and AIO+DIO (CVE-2024-40943 bsc#1227849).
- commit a8b4b50

- net/sched: act_skbmod: prevent kernel-infoleak (CVE-2024-35893 bsc#1224512)
- commit 3a867bb

- ixgbe: Fix NULL pointer dereference in ixgbe_xdp_setup (CVE-2021-47399 1225328)
- commit f559799

- mlxsw: thermal: Fix out-of-bounds memory accesses (CVE-2021-47441 bsc#1225224)
  Simplified backport. Upstream patch removes code that does not exist in
  SLE12-SP5, the only relevant fix is the bounds checking.
- commit 0b8797d

- cfg80211: call cfg80211_stop_ap when switch from P2P_GO type (CVE-2021-47194 bsc#1222829)
- commit 6cc8bdc

- netfilter: nf_tables: Fix potential data-race in __nft_expr_type_get() (CVE-2024-27020 bsc#1223815)
- commit cfe8cf0

- net: mana: Fix the extra HZ in mana_hwc_send_request (git-fixes).
- net: mana: select PAGE_POOL (git-fixes).
- hv_netvsc: rndis_filter needs to select NLS (git-fixes).
- Drivers: hv: vmbus: Fix memory leak in vmbus_add_channel_kobj (git-fixes, bsc#1227924, CVE-2022-48775).
- Tools: hv: kvp: eliminate 'may be used uninitialized' warning (git-fixes).
- tools: hv: fix KVP and VSS daemons exit code (git-fixes).
- commit 51c2361

- netfilter: nf_tables: Fix potential data-race in __nft_obj_type_get() (CVE-2024-27019 bsc#1223813)
- commit 2fcd5af

- wifi: iwlwifi: mvm: check n_ssids before accessing the ssids
  (CVE-2024-40929 bsc#1227774).
- wifi: mac80211: Fix deadlock in
  ieee80211_sta_ps_deliver_wakeup() (CVE-2024-40912 bsc#1227790).
- wifi: mac80211: mesh: Fix leak of mesh_preq_queue objects
  (CVE-2024-40942 bsc#1227770).
- NFC: port100: fix use-after-free in port100_send_complete
  (CVE-2022-48857 bsc#1228005).
- commit 1f497da

- ipv6: fib6_rules: avoid possible NULL dereference in
  fib6_rule_action() (CVE-2024-36902 bsc#1225719).
- commit 4cdf9a2

- USB: core: Make do_proc_control() and do_proc_bulk() killable
  (CVE-2021-47582 bsc#1226559).
- commit 6d322e2

- net: netlink: af_netlink: Prevent empty skb by adding a check
  on len (CVE-2021-47606 bsc#1226555).
- commit 314dfef

- usb: get rid of pointless access_ok() calls (CVE-2021-47582
  bsc#1226559).
- commit 6b48efc

- usb: usbfs: correct kernel->user page attribute mismatch
  (CVE-2021-47582 bsc#1226559).
- commit d089a07

- USB: usbfs: Always unlink URBs in reverse order (CVE-2021-47582
  bsc#1226559).
- commit 2364ecb

- usb: core: devio.c: Fix assignment of 0/1 to bool variables
  (CVE-2021-47582 bsc#1226559).
- commit 202a764

- usb: usbfs: only account once for mmap()'ed usb memory usage
  (CVE-2021-47582 bsc#1226559).
- commit a282a95

- USB: core: Fix compiler warnings in devio.c (CVE-2021-47582
  bsc#1226559).
- commit d3c8045

- usb: core: Replace hardcoded check with inline function from
  usb.h (CVE-2021-47582 bsc#1226559).
- commit a0c8b54

- usb: usbfs: use irqsave() in USB's complete callback
  (CVE-2021-47582 bsc#1226559).
- commit 89f4a73

- signal: Replace memset(info,...) with clear_siginfo for clarity
  (CVE-2021-47582 bsc#1226559).
- commit 10e5b53

- usbdevfs: get rid of field-by-field copyin (CVE-2021-47582
  bsc#1226559).
- commit 9053160

- scsi: mpt3sas: Avoid test/set_bit() operating in non-allocated
  memory (bsc#1227762 CVE-2024-40901).
- scsi: lpfc: Release hbalock before calling lpfc_worker_wake_up()
  (bsc#1225820 CVE-2024-26924).
- scsi: scsi_debug: Fix type in min_t to avoid stack OOB
  (bsc#1226560 CVE-2021-47580).
- commit 4de5c4e

- i40e: Fix VF MAC filter removal (CVE-2024-26830 bsc#1223012).
- commit 55935e5

- i40e: Do not allow untrusted VF to remove administratively
  set MAC (CVE-2024-26830 bsc#1223012).
- nfp: Fix memory leak in nfp_cpp_area_cache_add() (CVE-2021-47516
  bsc#1225427).
- i40e: Fix NULL pointer dereference in i40e_dbg_dump_desc
  (CVE-2021-47501 bsc#1225361).
- commit e2ee4f5

- drivers: core: synchronize really_probe() and dev_uevent()
  (CVE-2024-39501 bsc#1227754).
- commit 1b7df5b

- ice: Do not use WQ_MEM_RECLAIM flag for workqueue (CVE-2023-52743 bsc#1225003)
- commit 0b6d94a

- net: qlogic: qlcnic: Fix a NULL pointer dereference in qlcnic_83xx_add_rings() (CVE-2021-47542 bsc#1225455)
- commit ce2e7bb

- ipv6: prevent NULL dereference in ip6_output() (CVE-2024-36901 bsc#1225711)
- commit ab46189

- i40e: Do not use WQ_MEM_RECLAIM flag for workqueue (CVE-2024-36004 bsc#1224545)
- commit de141a1

- nbd: null check for nla_nest_start (CVE-2024-27025 bsc#1223778)
- commit b887966

- btrfs: use latest_dev in btrfs_show_devname (CVE-2021-47599 bsc#1226571)
  Simplified backport, keep mutex protection and only remove WARN_ON.
- commit 2ee6fb6

- net: prevent mss overflow in skb_segment() (CVE-2023-52435
  bsc#1220138).
- commit 63a8256

- tipc: Check the bearer type before calling
  tipc_udp_nl_bearer_add() (CVE-2024-26663 bsc#1222326).
- commit 91299f0

- inet_diag: fix kernel-infoleak for UDP sockets
  (CVE-2021-47597 bsc#1226553).
- commit 5ef7515

- ipv6: sr: fix missing sk_buff release in seg6_input_core
  (bsc#1227626 CVE-2024-39490).
- net: openvswitch: fix overwriting ct original tuple for ICMPv6
  (bsc#1226783 CVE-2024-38558).
- net/smc: fix illegal rmb_desc access in SMC-D connection dump
  (bsc#1220942 CVE-2024-26615).
- commit ee46311

- Bluetooth: SCO: Fix not validating setsockopt user input
  (bsc#1224576 CVE-2024-35966).
- commit d80abbf

- Update
  patches.suse/SUNRPC-Fix-loop-termination-condition-in-gss_free_in.patch
  (git-fixes CVE-2024-36288 bsc#1226834).
- Update
  patches.suse/arm64-asm-bug-Add-.align-2-to-the-end-of-__BUG_ENTRY.patch
  (git-fixes CVE-2024-39488 bsc#1227618).
- Update
  patches.suse/ax25-fix-use-after-free-bugs-caused-by-ax25_ds_del_t.patch
  (CVE-2024-35887 bzg#1224663 bsc#1224663).
- Update
  patches.suse/net-mlx5e-nullify-cq-dbg-pointer-in-mlx5_debug_cq_re.patch
  (bsc#1225229 CVE-2021-47438 CVE-2021-47197 bsc#1222776).
- Update
  patches.suse/nfs-Handle-error-of-rpc_proc_register-in-nfs_net_ini.patch
  (git-fixes CVE-2024-36939 bsc#1225838).
- Update
  patches.suse/scsi-lpfc-Move-NPIV-s-transport-unregistration-to-after-resource-clean-up.patch
  (bsc#1225898 CVE-2024-36592 CVE-2024-36952).
- Update
  patches.suse/scsi-scsi_debug-Fix-out-of-bound-read-in-resp_readcap16.patch
  (bsc#122286 CVE-2021-47191 bsc#1222866).
- Update
  patches.suse/soc-fsl-qbman-Always-disable-interrupts-when-taking-.patch
  (bsc#1224683 CVE-2024-35819 CVE-2024-35806 bsc#1224699).
- commit 81c691f

- pstore/ram: Fix crash when setting number of cpus to an odd number (bsc#1221618, CVE-2023-52619).
- commit 03ca866

- Fix build warning
  Refresh
  patches.suse/PM-hibernate-x86-Use-crc32-instead-of-md5-for-hibernation-.patch.
- commit 33d6e41

- xhci: Fix incorrect tracking of free space on transfer rings
  (CVE-2024-26659 bsc#1222317).
- commit 985549c

- xhci: process isoc TD properly when there was a transaction
  error mid TD (CVE-2024-26659 bsc#1222317).
- commit 1966e44

- xhci: store TD status in the td struct instead of passing it
  along (CVE-2024-26659 bsc#1222317).
- commit dba92cd

- xhci: Add a separate debug message for split transaction errors
  (CVE-2024-26659 bsc#1222317).
- commit 93897b0

- usb: xhci: Remove ep_trb from finish_td() (CVE-2024-26659
  bsc#1222317).
- commit 75b9c07

- usb: xhci: Remove ep_trb from xhci_cleanup_halted_endpoint()
  (CVE-2024-26659 bsc#1222317).
- Refresh
  patches.suse/xhci-remove-extra-loop-in-interrupt-context.patch.
- commit 93f2e51

- usb: xhci: remove unused variable ep_ring (CVE-2024-26659
  bsc#1222317).
- commit 25ab80d

- xhci: remove extra loop in interrupt context (CVE-2024-26659
  bsc#1222317).
- commit 58c6482

- Bluetooth: Fix memory leak in hci_req_sync_complete()
  (bsc#1224571 CVE-2024-35978).
- commit 0071ef8

- xhci: get isochronous ring directly from endpoint structure
  (CVE-2024-26659 bsc#1222317).
- commit 1c8c540

- crypto: s390/aes - Fix buffer overread in CTR mode
  (CVE-2023-52669 bsc#1224637).
- commit bc65b53

- hwrng: core - Fix page fault dead lock on mmap-ed hwrng
  (CVE-2023-52615 bsc#1221614).
- commit c3d2ac9

- blacklist.conf: 55e78c933d74 mm: zswap: increase reject_compress_poor but not reject_compress_fail if compression returns ENOSPC
  bsc#1221616, CVE-2023-52612 required backport of
  commit 744e1885922a ("crypto: scomp - fix req->dst buffer overflow"),
  for which there is the subsequent commit 55e78c933d74 ("mm: zswap:
  increase reject_compress_poor but not reject_compress_fail if
  compression returns ENOSPC") referencing it from the Fixes tag.
  That latter commit fixes a debugfs counter stat (reject_compress_fail),
  which got introduced only with commit cb61dad80fdc ("zswap: export
  compression failure stats"). Thus, it's not needed, blacklist it.
- commit 6bbc535

- ACPI: CPPC: Fix access width used for PCC registers (bsc#1224557
  CVE-2024-35995).
- commit 33ff733

- ACPI: CPPC: Fix bit_offset shift in MASK_VAL() macro
  (bsc#1224557 CVE-2024-35995).
- commit ae6202b

- SUNRPC: Fix a suspicious RCU usage warning (CVE-2023-52623
  bsc#1222060).
- commit ffa9576

- ACPI: CPPC: Use access_width over bit_width for system memory
  accesses (bsc#1224557 CVE-2024-35995).
- commit ef057c5

- ACPI: CPPC: Drop redundant local variable from cpc_read()
  (bsc#1224557 CVE-2024-35995).
- commit 73812cd

- Update
  patches.suse/scsi-bnx2fc-Remove-spin_lock_bh-while-releasing-resources-after-upload.patch
  (bsc#1225767 CVE-2024-36919).
  fix incorrect bug number
- commit d503d18

- crypto: scomp - fix req->dst buffer overflow (CVE-2023-52612
  bsc#1221616).
- commit 3b5d943

- xhci: handle isoc Babble and Buffer Overrun events properly
  (CVE-2024-26659 bsc#1222317).
- commit 98fde6e

- net_sched: fix a missing refcnt in tcindex_init() (bsc#1224975).
- commit 45da465

- net_sched: add a temporary refcnt for struct tcindex_data
  (bsc#1224975).
- Refresh
  patches.suse/net-sched-tcindex-update-imperfect-hash-filters-resp.patch.
- commit b3f881b

- net_sched: fix a memory leak in cls_tcindex (bsc#1224975).
- Refresh
  patches.suse/net_sched-fix-an-OOB-access-in-cls_tcindex.patch.
- Refresh
  patches.suse/net_sched-keep-alloc_hash-updated-after-hash-allocat.patch.
- commit 98c1fbb

- net: sched: fix memory leak in tcindex_partial_destroy_work (CVE-2021-47295 bsc#1224975)
- commit 280e278

- net_sched: hold rtnl lock in tcindex_partial_destroy_work() (bsc#1224975)
- commit 6f5da00

- blacklist.conf: convert entry to Alt-commit:
  Refresh patches.suse/net_sched-fix-a-race-condition-in-tcindex_destroy.patch.
- commit 4a1ea17

- Fix spurious WARNING caused by a qxl driver patch (bsc#1227213,bsc#1227191)
  Refresh patches.suse/drm-qxl-fix-UAF-on-handle-creation.patch
- commit 55a7bf6

- ACPI: video: check for error while searching for backlight
  device parent (bsc#1224686 CVE-2023-52693).
- commit aafdad5

- ACPI: LPIT: Avoid u32 multiplication overflow (bsc#1224627
  CVE-2023-52683).
- commit 57dc5ae

- x86/kprobes: Fix optprobe optimization check with CONFIG_RETHUNK (git-fixes).
- commit 90918cd

- netfilter: nft_set: preserve kabi (bsc#1215420 CVE-2023-4244).
- commit 4994a14

- netfilter: take a reference when looking up nft_sets
  (bsc#1215420 CVE-2023-4244).
- commit 3f2e165

- netfilter: Implement reference counting for nft_sets
  (bsc#1215420 CVE-2023-4244).
- commit b5c850d

- Fix the warning:
  * return makes pointer from integer without a cast [enabled by default] in ../drivers/infiniband/hw/mlx5/srq.c in mlx5_ib_create_srq
  ../drivers/infiniband/hw/mlx5/srq.c: In function 'mlx5_ib_create_srq':
  ../drivers/infiniband/hw/mlx5/srq.c:259:3: warning: return makes pointer from integer without a cast [enabled by default]
- commit d292fa8

- x86/kprobes: Fix kprobes instruction boudary check with CONFIG_RETHUNK (git-fixes).
- commit 29d18ef

- fbdev: savage: Handle err return when savagefb_check_var failed (bsc#1227435 CVE-2024-39475)
- commit 3cf493f

- kgdb: Move the extern declaration kgdb_has_hit_break() to generic kgdb.h (git-fixes).
- commit 4c96601

- kgdb: Add kgdb_has_hit_break function (git-fixes).
- commit 096e8f7

- x86/ioremap: Fix page aligned size calculation in __ioremap_caller() (git-fixes).
- commit 51d4d78

- blacklist.conf: Blacklist inapplicable commit
- commit 8985317

- x86/numa: Use cpumask_available instead of hardcoded NULL check (git-fixes).
- commit 53fc2d1

- x86/msr: Fix wr/rdmsr_safe_regs_on_cpu() prototypes (git-fixes).
- commit 4cbd29b

- x86/fpu: Return proper error codes from user access functions (git-fixes).
- commit 16cc345

- x86/cpu: Fix AMD erratum #1485 on Zen4-based CPUs (git-fixes).
- commit 530272a

- blacklist.conf: We don't support clang, so blacklist the related commit
- commit 0b88169

- x86/boot/e820: Fix typo in e820.c comment (git-fixes).
- commit 3e224a7

- x86/apic: Fix kernel panic when booting with intremap=off and x2apic_phys (git-fixes).
- commit f7c83aa

- x86: __memcpy_flushcache: fix wrong alignment if size > 2^32 (git-fixes).
- commit fe70714

- PM: hibernate: x86: Use crc32 instead of md5 for hibernation e820 integrity check (git-fixes).
- commit 63895f5

- can: pch_can: pch_can_rx_normal: fix use after free (bsc#1225431
  CVE-2021-47520).
- commit 0efd10b

- wifi: nl80211: don't free NULL coalescing rule (bsc#1225835 CVE-2024-36941).
- commit 6927c00

- powerpc/rtas: Prevent Spectre v1 gadget construction in
  sys_rtas() (bsc#1227487).
- commit 564651d

- SUNRPC: Fix loop termination condition in
  gss_free_in_token_pages() (git-fixes).
- sunrpc: fix NFSACL RPC retry on soft mount (git-fixes).
- SUNRPC: Fix gss_free_in_token_pages() (git-fixes).
- nfs: Handle error of rpc_proc_register() in nfs_net_init()
  (git-fixes).
- commit 823e515

- btrfs: do not BUG_ON in link_to_fixup_dir (bsc#1222005
  CVE-2021-47145).
- commit fb0f08c

- soc: fsl: qbman: Use raw spinlock for cgr_lock (bsc#1224683
  CVE-2024-35819).
- commit 4f6a315

- soc: fsl: qbman: Add CGR update function (bsc#1224683
  CVE-2024-35819).
- commit 3b2ce3f

- soc: fsl: qbman: Add helper for sanity checking cgr ops
  (bsc#1224683 CVE-2024-35819).
- commit b33b9fc

- soc: fsl: qbman: Always disable interrupts when taking cgr_lock
  (bsc#1224683 CVE-2024-35819).
- commit 99e6ba5

- drm/amdgpu/debugfs: fix error code when smc register accessors are NULL (git-fixes).
- commit a2420fb

- blacklist.conf: Add c7fcb99877f9 sched/rt: Fix sysctl_sched_rr_timeslice intial value
- commit 71427f6

- blacklist.conf: Add a57415f5d1e4 sched/deadline: Fix sched_dl_global_validate()
- commit b39262b

- sched/deadline: Fix BUG_ON condition for deboosted tasks
  (bsc#1227407).
- commit 58fafac

- dyndbg: fix old BUG_ON in >control parser (bsc#1224647
  CVE-2024-35947).
- commit 52ffbf7

- net: tulip: de4x5: fix the problem that the array 'lp->phy'
  may be out of bound (bsc#1225505 CVE-2021-47547).
- commit 605a3ba

- drm/amdgpu: Fix a null pointer access when the smc_rreg pointer is NULL (CVE-2023-52817 bsc#1225569).
- commit d2e5a64

- blacklist.conf: cd90511557fd drm/amdgpu/vkms: fix a possible null pointer dereference
- commit d0def0c

- blacklist.conf: 80285ae1ec87 drm/amdgpu: Fix potential null pointer derefernce
- commit 95c5571

- blacklist.conf: 406e8845356d drm/amd: check num of link levels when update pcie param
- commit f93c72c

- drm/amd: Fix UBSAN array-index-out-of-bounds for Polaris and Tonga (CVE-2023-52819 bsc#1225532).
- commit d196cd8

- drm/amd: Fix UBSAN array-index-out-of-bounds for SMU7 (CVE-2023-52818 bsc#1225530).
- commit d67dcd9

- blacklist.conf: 282c1d793076 drm/amdkfd: Fix shift out-of-bounds issue
- commit cc813e8

- drm/amd/display: Avoid NULL dereference of timing generator (CVE-2023-52753 bsc#1225478).
- commit f316fd9

- blacklist.conf: 31729e8c21ec drm/amd/pm: fixes a random hang in S4 for SMU v13.0.4/11
- commit 785f136

- blacklist.conf: add 2a19b28f7929866e1cec92a3619f4de9f2d20005.
- commit a4c7fa2

- drm/arm/malidp: fix a possible null pointer dereference (CVE-2024-36014 bsc#1225593).
- commit 3f35223

- llc: make llc_ui_sendmsg() more robust against bonding changes
  (CVE-2024-26636 bsc#1221659).
- commit 727fec1

- llc: Drop support for ETH_P_TR_802_2 (CVE-2024-26635
  bsc#1221656).
- commit 4792924

- wifi: libertas: fix some memleaks in lbs_allocate_cmd_buffer()
  (bsc#1224622 CVE-2024-35828).
- commit 9f39e76

- nfc: nci: assert requested protocol is valid (bsc#1220833, CVE-2023-52507).
- commit 78bd01e

- md: fix resync softlockup when bitmap size is less than array
  size (CVE-2024-38598, bsc#1226757).
- commit e578184

- dm snapshot: fix lockup in dm_exception_table_exit (bsc#1224743,
  CVE-2024-35805).
- dm: call the resume method on internal suspend (bsc#1223188,
  CVE-2024-26880).
- dm rq: don't queue request to blk-mq during DM suspend
  (bsc#1225357, CVE-2021-47498).
- bcache: avoid oversized read request in cache missing code path
  (bsc#1224965, CVE-2021-47275).
- bcache: remove bcache device self-defined readahead
  (bsc#1224965, CVE-2021-47275).
- commit 0df91b9

- net/mlx5e: nullify cq->dbg pointer in mlx5_debug_cq_remove() (bsc#1225229 CVE-2021-47438)
- commit dd90392

- net/mlx5e: Fix memory leak in mlx5_core_destroy_cq() error path (bsc#1225229 CVE-2021-47438)
- commit eebb92a

- usb-storage: alauda: Check whether the media is initialized
  (CVE-2024-38619 bsc#1226861).
- commit 8f69e1a

- iavf: free q_vectors before queues in iavf_disable_vf
  (CVE-2021-47201 bsc#1222792).
- commit 5fa75c2

- blacklist.conf: 9cb46b31f3d0 drm/xe/xe_migrate: Cast to output precision before multiplying operands
- commit 6d5246f

- ip6_tunnel: make sure to pull inner header in __ip6_tnl_rcv()
  (CVE-2024-26641 bsc#1221654).
- commit 785d6bf

- hsr: Fix uninit-value access in hsr_get_node() (bsc#1223021
  CVE-2024-26863).
- net: hsr: fix placement of logical operator in a multi-line
  statement (bsc#1223021).
- commit bea7af4

- ip6_tunnel: fix NEXTHDR_FRAGMENT handling in
  ip6_tnl_parse_tlv_enc_lim() (CVE-2024-26633 bsc#1221647).
- commit 6bed746

- blacklist.conf: ecedd99a9369 drm/amd/display: Skip on writeback when it's not applicable
- commit 7f9ee16

- net: sock: preserve kabi for sock (bsc#1221010 CVE-2021-47103).
- commit 00f2734

- inet: fully convert sk->sk_rx_dst to RCU rules (bsc#1221010
  CVE-2021-47103).
- commit 955aaf2

- watchdog: cpu5wdt.c: Fix use-after-free bug caused by
  cpu5wdt_trigger (bsc#1226908 CVE-2024-38630).
- commit 4e6b95e

- Bluetooth: l2cap: fix null-ptr-deref in l2cap_chan_timeout
  (bsc#1224177 CVE-2024-27399).
- commit f1f5272

- ACPI: processor_idle: Fix memory leak in
  acpi_processor_power_exit() (bsc#1223043 CVE-2024-26894).
- commit 69014d4

- scsi: bnx2fc: Remove spin_lock_bh while releasing resources
  after upload (bsc#1224767 CVE-2024-36919).
- scsi: lpfc: Move NPIV's transport unregistration to after
  resource clean up (bsc#1225898 CVE-2024-36592).
- commit 011e140

- selinux: fix double free of cond_list on error paths
  (bsc#1226699 CVE-2022-48740).
- commit c27761a

- fs/9p: fix uninitialized values during inode evict (bsc#1225815
  CVE-2024-36923).
- commit fccda1c

- btrfs: fix crash on racing fsync and size-extending write into
  prealloc (bsc#1227101 CVE-2024-37354).
- btrfs: add helper to truncate inode items when logging inode
  (bsc#1227101 CVE-2024-37354).
- btrfs: don't set the full sync flag when truncation does not
  touch extents (bsc#1227101 CVE-2024-37354).
- btrfs: fix misleading and incomplete comment of btrfs_truncate()
  (bsc#1227101 CVE-2024-37354).
- btrfs: make btrfs_truncate_inode_items take btrfs_inode
  (bsc#1227101 CVE-2024-37354).
- commit 25e24a4

- blacklist.conf: kABI
- commit 2c68edf

- usb: typec: tcpm: Skip hard reset when in error recovery
  (git-fixes).
- commit 74f41bf

- blacklist.conf: false positive
- commit b55e7fd

- bpf, scripts: Correct GPL license name (git-fixes).
- commit d41908e

- Update
  patches.suse/0006-dm-btree-remove-fix-use-after-free-in-rebalance_chil.patch
  (git-fixes CVE-2021-47600 bsc#1226575).
- Update
  patches.suse/PCI-pciehp-Fix-infinite-loop-in-IRQ-handler-upon-pow.patch
  (git-fixes CVE-2021-47617 bsc#1226614).
- Update
  patches.suse/USB-core-Fix-hang-in-usb_kill_urb-by-adding-memory-b.patch
  (git-fixes CVE-2022-48760 bsc#1226712).
- Update
  patches.suse/audit-improve-robustness-of-the-audit-queue-handling.patch
  (bsc#1204514 CVE-2021-47603 bsc#1226577).
- Update
  patches.suse/drm-vmwgfx-Fix-stale-file-descriptors-on-failed-user.patch
  (CVE-2022-22942 bsc#1195065 CVE-2022-48771 bsc#1226732).
- Update patches.suse/igbvf-fix-double-free-in-igbvf_probe.patch
  (git-fixes CVE-2021-47589 bsc#1226557).
- Update
  patches.suse/isdn-cpai-check-ctr-cnr-to-avoid-array-index-out-of-bound.patch
  (bsc#1191958 CVE-2021-43389 CVE-2021-4439 bsc#1226670).
- Update
  patches.suse/net-ieee802154-ca8210-Stop-leaking-skb-s.patch
  (git-fixes CVE-2022-48722 bsc#1226619).
- Update
  patches.suse/netfilter-complete-validation-of-user-input.patch
  (git-fixes CVE-2024-35896 bsc#1224662 CVE-2024-35962
  bsc#1224583).
- Update patches.suse/phylib-fix-potential-use-after-free.patch
  (bsc#1119113 FATE#326472 CVE-2022-48754 bsc#1226692).
- Update
  patches.suse/ring-buffer-Fix-a-race-between-readers-and-resize-checks.patch
  (bsc#1222893 CVE-2024-38601 bsc#1226876).
- Update
  patches.suse/scsi-bnx2fc-Flush-destroy_work-queue-before-calling-bnx2fc_interface_put
  (git-fixes CVE-2022-48758 bsc#1226708).
- Update patches.suse/scsi-bnx2fc-Make-bnx2fc_recv_frame-mp-safe
  (git-fixes CVE-2022-48715 bsc#1226621).
- Update
  patches.suse/scsi-libfc-Fix-potential-NULL-pointer-dereference-in-fc_lport_ptp_setup.patch
  (git-fixes CVE-2023-52809 bsc#1225556).
- Update
  patches.suse/scsi-qla2xxx-Fix-off-by-one-in-qla_edif_app_getstats.patch
  (git-fixes CVE-2024-36025 bsc#1225704).
- Update
  patches.suse/scsi-scsi_debug-Sanity-check-block-descriptor-length-in-resp_mode_select
  (git-fixes CVE-2021-47576 bsc#1226537).
- Update
  patches.suse/scsi-target-core-Add-TMF-to-tmr_list-handling.patch
  (bsc#1223018 CVE-26845 CVE-2024-26845).
- Update
  patches.suse/tipc-improve-size-validations-for-received-domain-re.patch
  (bsc#1195254 CVE-2022-0435 CVE-2022-48711 bsc#1226672).
- commit c2edf0b

- tcp: do not accept ACK of bytes we never sent (CVE-2023-52881
  bsc#1225611).
- commit d93d95b

- usb: port: Don't try to peer unused USB ports based on location
  (git-fixes).
- commit c96b5c5

- blacklist.conf: logging only
- commit b17cfa5

- x86/tsc: Trust initial offset in architectural TSC-adjust MSRs
  (bsc#1222015 bsc#1226962).
- commit c9f769c

- iommu/vt-d: Allocate local memory for page request queue
  (git-fixes).
- commit 541ce64

- iommu/amd: Fix sysfs leak in iommu init (git-fixes).
- commit cdae1dd

- KVM: x86: Handle SRCU initialization failure during page track
  init (CVE-2021-47407, bsc#1225306).
- commit 61b3e37

- xen/events: close evtchn after mapping cleanup (CVE-2024-26687,
  bsc#1222435).
- commit c56fe01

- net/9p: fix uninit-value in p9_client_rpc() (CVE-2024-39301 bsc#1226994).
- commit 1a033be

- media: lgdt3306a: Add a check against null-pointer-def
  (CVE-2022-48772 bsc#1226976).
- commit 79e986b

- fpga: manager: add owner module and take its refcount
  (CVE-2024-37021 bsc#1226950).
- commit 580ed12

- fpga: region: add owner module and take its refcount
  (CVE-2024-35247 bsc#1226948).
- commit 75fbd8f

- fpga: bridge: add owner module and take its refcount
  (CVE-2024-36479 bsc#1226949).
- commit 410068f

- enic: Validate length of nl attributes in enic_set_vf_port
  (CVE-2024-38659 bsc#1226883).
- net: fec: remove .ndo_poll_controller to avoid deadlocks
  (CVE-2024-38553 bsc#1226744).
- net/mlx5e: Fix netif state handling (CVE-2024-38608
  bsc#1226746).
- eth: sungem: remove .ndo_poll_controller to avoid deadlocks
  (CVE-2024-38597 bsc#1226749).
- net: amd-xgbe: Fix skb data length underflow (CVE-2022-48743
  bsc#1226705).
- net: systemport: Add global locking for descriptor lifecycle
  (CVE-2021-47587 bsc#1226567).
- commit 6fa5a1e

- usb: xhci-plat: fix crash when suspend if remote wake enable
  (CVE-2022-48761 bsc#1226701).
- commit 6918857

- virtio-blk: fix implicit overflow on virtio_max_dma_size
  (bsc#1225573 CVE-2023-52762).
- commit 630807b

- btrfs: fix use-after-free after failure to create a snapshot
  (bsc#1226718 CVE-2022-48733).
- commit bc8f6e2

- vfio/platform: Create persistent IRQ handlers (bsc#1222809
  CVE-2024-26813).
- commit a912042

- Update to fix a compiling error,
  patches.suse/raid1-fix-use-after-free-for-original-bio-in-raid1_-fcf3.patch.
- commit 4738bf0

- s390/ap: Fix crash in AP internal function modify_bitmap()
  (CVE-2024-38661 bsc#1226996 git-fixes).
- commit 642fe77

- block: fix overflow in blk_ioctl_discard() (bsc#1225770
  CVE-2024-36917).
- commit fb1867c

- epoll: be better about file lifetimes (bsc#1226610
  CVE-2024-38580).
- commit da86de7

- KVM: allow KVM_BUG/KVM_BUG_ON to handle 64-bit cond (git-fixes).
- commit 63ce06d

- drm/nouveau: fix off by one in BIOS boundary checking (bsc#1226716 CVE-2022-48732)
- commit bed5212

- Update references tag
  patches.suse/Bluetooth-Disconnect-if-E0-is-used-for-Level-4.patch
  (bsc#1171988 CVE-2020-10135 bsc#1218148 CVE-2023-24023).
- commit b41c397

- mm: Avoid overflows in dirty throttling logic (bsc#1222364
  CVE-2024-26720).
- commit 6f98632

- media: stk1160: fix bounds checking in stk1160_copy_video()
  (CVE-2024-38621 bsc#1226895).
- commit 617f122

- dma-buf/sw-sync: don't enable IRQ from sync_print_obj()
  (CVE-2024-38780 bsc#1226886).
- commit 0a1e3b6

- nvmet: fix ns enable/disable possible hang (git-fixes).
- commit 128ca3f

- ecryptfs: Fix buffer size for tag 66 packet (bsc#1226634, CVE-2024-38578).
- commit 41891c0

- stm class: Fix a double free in stm_register_device()
  (CVE-2024-38627 bsc#1226857).
- commit b4ea481

- blacklist.conf: kABI
- commit 516146e

- crypto: bcm - Fix pointer arithmetic (bsc#1226637
  CVE-2024-38579).
- commit be1545d

- drm/amd/display: Fix potential index out of bounds in color (bsc#1226767 CVE-2024-38552)
- commit fdaaa54

- drm/mediatek: Add 0 size check to mtk_drm_gem_obj (bsc#1226735 CVE-2024-38549)
- commit b67d29d

- drm/msm/dsi: invalid parameter check in msm_dsi_phy_enable (bsc#1226698 CVE-2022-48756)
- commit bd95a05

- net: usb: rtl8150 fix unintiatilzed variables in
  rtl8150_get_link_ksettings (git-fixes).
- commit 996e5c4

- RDMA/hns: Fix UAF for cq async event (bsc#1226595 CVE-2024-38545)
- commit 68cd4b9

- RDMA/rxe: Fix seg fault in rxe_comp_queue_pkt (bsc#1226597 CVE-2024-38544)
- commit da8c605

- RDMA/mlx5: Add check for srq max_sge attribute (git-fixes)
- commit 6ee55be

- drm: vc4: Fix possible null pointer dereference (CVE-2024-38546
  bsc#1226593).
- commit f5c6e94

- wifi: carl9170: add a proper sanity check for endpoints
  (CVE-2024-38567 bsc#1226769).
- rpmsg: char: Fix race between the release of rpmsg_ctrldev
  and cdev (CVE-2022-48759 bsc#1226711).
- commit 1d933f6

- wifi: ar5523: enable proper endpoint verification
  (CVE-2024-38565 bsc#1226747).
- commit 7f113b6

- mac80211: track only QoS data frames for admission control
  (CVE-2021-47602 bsc#1226554).
- commit 6d84852

- ALSA: timer: Set lower bound of start tick time (CVE-2024-38618
  bsc#1226754).
- commit ea3c02c

- blacklist.conf: Add 7af443ee16976 sched/core: Require cpu_active() in select_task_rq(), for user tasks
- commit 35a10db

- bsc#1225894: Fix build warning
  Fix the following build warning.
  * unused-variable (i) in ../drivers/gpu/drm/amd/amdkfd/kfd_device.c in kgd2kfd_resume
  ../drivers/gpu/drm/amd/amdkfd/kfd_device.c: In function 'kgd2kfd_resume':
  ../drivers/gpu/drm/amd/amdkfd/kfd_device.c:621:11: warning: unused variable 'i' [-Wunused-variable]
- commit e16e5ba

- bsc#1225894: Fix patch references
- commit 7b4670a

- net/mlx5: Properly link new fs rules into the tree (bsc#1224588
  CVE-2024-35960).
- commit 14f14ea

- net/mlx5e: fix a double-free in arfs_create_groups (bsc#1224605
  CVE-2024-35835).
- commit 2cc5781

- firmware: arm_scpi: Fix string overflow in SCPI genpd driver (bsc#1226562 CVE-2021-47609)
- commit 4642449

- Fix compilation
- commit 3f5119e

- net: ena: Fix incorrect descriptor free behavior (bsc#1224677
  CVE-2024-35958).
- commit 8f4768d

- bonding: stop the device in bond_setup_by_slave() (bsc#1224946
  CVE-2023-52784).
- commit da74b6f

- blacklist.conf: bsc#1225555 CVE-2023-52808
  patches code not present
- commit 35c5de8

- blacklist.conf: bsc#1223013 CVE-2024-26482
  does not apply
- commit c785e5a

- blacklist.conf: bsc#1222879 CVE-2021-47193
  breaks kABI
- commit 5ac2f95

- blacklist.conf: bsc#1225559 CVE-2023-5281
  Does not apply cleanly at all, and addresses
  a corner case that it knows is rare.
- commit 66930cf

- scsi: lpfc: Fix possible memory leak in lpfc_rcv_padisc()
  (bsc#1224651 CVE-2024-35930).
- scsi: target: core: Add TMF to tmr_list handling (bsc#1223018
  CVE-26845).
- scsi: scsi_debug: Fix out-of-bound read in resp_readcap16()
  (bsc#122286 CVE-2021-47191).
- commit 3100b52

- usb: fix various gadget panics on 10gbps cabling (CVE-2021-47267
  bsc#1224993).
- commit 3336e4a

- amd/amdkfd: sync all devices to wait all processes being evicted (bsc#1225872 CVE-2024-36949)
- commit aa91737

- drm/amdkfd: Rework kfd_locked handling (bsc#1225872)
- commit 030a69d

- drm/vmwgfx: Fix invalid reads in fence signaled events (bsc#1225872 CVE-2024-36960)
- commit fe8da4d

- nfsd: optimise recalculate_deny_mode() for a common case
  (bsc#1217912).
- commit 90c611c

- NFSv4: Always clear the pNFS layout when handling ESTALE
  (bsc#1221791).
- NFSv4: nfs_set_open_stateid must not trigger state recovery
  for closed state (bsc#1221791).
- PNFS for stateid errors retry against MDS first (bsc#1221791).
- commit fcd364d

- block: prevent division by zero in blk_rq_stat_sum()
  (bsc#1224661 CVE-2024-35925).
- commit 7fd346a

- ext4: fix corruption during on-line resize (bsc#1224735
  CVE-2024-35807).
- commit 8431549

- fat: fix uninitialized field in nostale filehandles (git-fixes
  CVE-2024-26973 bsc#1223641).
- commit 8b4f3fd

- ext4: avoid online resizing failures due to oversized flex bg
  (bsc#1222080 CVE-2023-52622).
- commit a81bee5

- net/smc: Fix NULL pointer dereferencing in smc_vlan_by_tcpsk()
  (CVE-2021-47559 bsc#1225396).
- commit ca251c9

- nfc: fix potential NULL pointer deref in nfc_genl_dump_ses_done
  (CVE-2021-47518 bsc#1225372).
- commit d0fabf7

- net_sched: fix NULL deref in fifo_set_limit()
  (CVE-2021-47418 bsc#1225337).
- commit 54048d4

- net: validate lwtstate->data before returning from skb_tunnel_info()
  (CVE-2021-47309 bsc#1224967).
- commit 2b76537

- net: fix uninit-value in caif_seqpkt_sendmsg
  (CVE-2021-47297 bsc#1224976).
- commit 39164d4

- net/sched: act_skbmod: Skip non-Ethernet packets
  (CVE-2021-47293 bsc#1224978).
- commit aedefe0

- netrom: Decrease sock refcount when sock timers expire
  (CVE-2021-47294 bsc#1224977).
- commit 44bce11

- ipv6: Fix infinite recursion in fib6_dump_done() (CVE-2024-35886
  bsc#1224670).
- commit 5d20998

- tty: n_gsm: fix possible out-of-bounds in gsm0_receive()
  (CVE-2024-36016 bsc#1225642).
- commit f5c4f31

- net: macb: fix use after free on rmmod (CVE-2021-47372
  bsc#1225184).
- commit 5bb5ee7

- btrfs: use correct compare function of dirty_metadata_bytes (git-fixes)
- commit d51a7ff

- Btrfs: fix memory and mount leak in btrfs_ioctl_rm_dev_v2() (git-fixes)
- commit 4b455f0

- btrfs: fix describe_relocation when printing unknown flags (git-fixes)
- commit a147519

- btrfs: add barriers to btrfs_sync_log before log_commit_wait wakeups (git-fixes)
- commit 0487247

- btrfs: fix crash when trying to resume balance without the resume flag (git-fixes)
- commit f0fa7bc

- Btrfs: clean up resources during umount after trans is aborted (git-fixes)
- commit c78d131

- Btrfs: bail out on error during replay_dir_deletes (git-fixes)
- commit 7a8f6ce

- Btrfs: fix NULL pointer dereference in log_dir_items (git-fixes)
- commit 02cab92

- Btrfs: send, fix issuing write op when processing hole in no data mode (git-fixes)
- Refresh
  patches.suse/btrfs-send-fix-incorrect-file-layout-after-hole-punching-beyond-eof.patch.
- commit f710800

- Btrfs: fix unexpected EEXIST from btrfs_get_extent (git-fixes)
- commit 82c1e6b

- btrfs: tree-check: reduce stack consumption in check_dir_item (git-fixes)
- commit 36aca35

- btrfs: fix false EIO for missing device (git-fixes)
- Refresh
  patches.suse/btrfs-ensure-that-a-dup-or-raid1-block-group-has-exactly-two-stripes.patch
- commit 01544ea

- USB: serial: option: add Quectel EG912Y module support
  (git-fixes).
- commit a8d3e25

- blacklist.conf: pure cleanup
- commit c59c78d

- USB: serial: option: add Quectel RM500Q R13 firmware support
  (git-fixes).
- commit b3dedc2

- USB: serial: option: add Foxconn T99W265 with new baseline
  (git-fixes).
- commit 51f747d

- net: usb: smsc95xx: fix changing LED_SEL bit value updated
  from EEPROM (git-fixes).
- commit d6ed297

- ocfs2: fix sparse warnings (bsc#1219224).
- ocfs2: speed up chain-list searching (bsc#1219224).
- ocfs2: adjust enabling place for la window (bsc#1219224).
- ocfs2: improve write IO performance when fragmentation is high
  (bsc#1219224).
- commit d862a97

- smb: client: fix use-after-free bug in
  cifs_debug_data_proc_show() (bsc#1225487, CVE-2023-52752).
- commit b2bff17

- blkcg: Fix multiple bugs in blkcg_activate_policy()
  (CVE-2021-47379 bsc#1225203).
- blkcg: blkcg_activate_policy() should initialize ancestors first
  (CVE-2021-47379 bsc#1225203).
- commit 5e6941f

- blacklist.conf: bsc#1225047 CVE-2021-47328: breaks kABI
  Also, does not apply.
- commit 55744fb

- blk-cgroup: fix UAF by grabbing blkcg lock before destroying
  blkg pd (CVE-2021-47379 bsc#1225203).
- commit 26f8206

- blacklist.conf: Blacklist 618f003199c61
- commit f552be9

- atl1c: Work around the DMA RX overflow issue (CVE-2023-52834
  bsc#1225599).
- commit c880bf0

- btrfs: lock the inode in shared mode before starting fiemap
  (bsc#1225484 CVE-2023-52737).
- commit e4a79d3

- ext4: correct offset of gdb backup in non meta_bg group to
  update_backups (bsc#1224735 CVE-2024-35807).
- commit 57ba8ce

- raid1: fix use-after-free for original bio in raid1_write_request()
  (bsc#1221097, bsc#1224572, CVE-2024-35979).
- commit daf8372

- fs/9p: only translate RWX permissions for plain 9P2000
  (bsc#1225866 CVE-2024-36964).
- commit 7cf061b

- media: imon: fix access to invalid resource for the second
  interface (CVE-2023-52754 bsc#1225490).
- commit 0f818a4

- firewire: ohci: mask bus reset interrupts between ISR and
  bottom half (CVE-2024-36950 bsc#1225895).
- commit 342de59

- pinctrl: core: delete incorrect free in pinctrl_enable()
  (CVE-2024-36940 bsc#1225840).
- commit 6103cd4

- staging: rtl8192e: Fix use after free in
  _rtl92e_pci_disconnect() (CVE-2021-47571 bsc#1225518).
- commit 9243acc

- media: gspca: cpia1: shift-out-of-bounds in set_flicker
  (CVE-2023-52764 bsc#1225571).
- wifi: mac80211: don't return unset power in
  ieee80211_get_tx_power() (CVE-2023-52832 bsc#1225577).
- commit 74cf739

- Bluetooth: qca: add missing firmware sanity checks
  (CVE-2024-36880 bsc#1225722).
- commit 1f313de

- drm/msm: Fix null pointer dereference on pointer edp (bsc#1225261 CVE-2021-47445)
- commit 7365fdb

- rpm/kernel-obs-build.spec.in: Add iso9660 (bsc#1226212)
  Some builds don't just create an iso9660 image, but also mount it during
  build.
- commit aaee141

- llc: verify mac len before reading mac header
  (CVE-2023-52843 bsc#1224951).
- commit 048fdd1

- drm/sched: Avoid data corruptions (bsc#1225140 CVE-2021-47354)
- commit 735d57e

- nfc: llcp: fix nfc_llcp_setsockopt() unsafe copies
  (CVE-2024-36915 bsc#1225758).
- commit d2aa3fc

- rpm/kernel-obs-build.spec.in: Add networking modules for docker
  (bsc#1226211)
  docker needs more networking modules, even legacy iptable_nat and _filter.
- commit 415e132

- Bluetooth: Add more enc key size check (bsc#1218148
  CVE-2023-24023).
- commit 8b7d4c7

- rtnetlink: Correct nested IFLA_VF_VLAN_LIST attribute validation
  (CVE-2024-36017 bsc#1225681).
- commit eee2828

- netfilter: complete validation of user input
  (git-fixes CVE-2024-35896 bsc#1224662).
- commit bd2bc6c

- tcp: fix page frag corruption on page fault
  (CVE-2021-47544 bsc#1225463).
- commit 0c69f93

- netfilter: validate user input for expected length
  (CVE-2024-35896 bsc#1224662).
- commit d09d89a

- Bluetooth: Normalize HCI_OP_READ_ENC_KEY_SIZE cmdcmplt
  (bsc#1218148 CVE-2023-24023).
- commit be61b35

- arm64: asm-bug: Add .align 2 to the end of __BUG_ENTRY
  (git-fixes).
- commit a33c0aa

- fbmon: prevent division by zero in fb_videomode_from_videomode() (bsc#1224660 CVE-2024-35922)
- commit 9990cdc

- bna: ensure the copied buf is NUL terminated (CVE-2024-36934
  bsc#1225760).
- commit 5e5c793

- tipc: Change nla_policy for bearer-related names to NLA_NUL_STRING
  (CVE-2023-52845 bsc#1225585).
- commit 28beea5

- blacklist.conf: Add 1971d13ffa84a "af_unix: Suppress false-positive lockdep splat for spin_lock() in __unix_gc()."
- commit 9ab8e4f

- HID: i2c-hid: remove I2C_HID_READ_PENDING flag to prevent
  lock-up (bsc#1224552 CVE-2024-35997).
- commit 31522d3

- wifi: nl80211: reject iftype change with mesh ID change
  (CVE-2024-27410 bsc#1224432).
- commit 18882c6

- fix compat handling of FICLONERANGE, FIDEDUPERANGE and
  FS_IOC_FIEMAP (bsc#1225848).
- blacklist.conf:
- fs: make fiemap work from compat_ioctl (bsc#1225848).
- commit e6c580c

- perf/core: Bail out early if the request AUX area is out of
  bound (bsc#1225602 CVE-2023-52835).
- commit 0b197bf

- powerpc/imc-pmu: Add a null pointer check in
  update_events_in_group() (bsc#1224504 CVE-2023-52675).
- commit 5ed0541

- blacklist.conf: CVE-2024-35956 bsc#1224674: not applicable bsc#1225945
  Quoting bsc#1225945#c11:
  "So the upstream 6.5 kernel commit (1b53e51a4a8f ("btrfs: don't commit
  transaction for every subvol create")
  ) was never backported to SLE, so that fix eb96e221937a ("btrfs: fix
  unwritten extent buffer after snapshotting a new subvolume") was never
  backported."
- commit 13b6119

- usb: gadget: f_fs: Fix race between aio_cancel() and AIO
  request complete (CVE-2024-36894 bsc#1225749).
- commit 66229f2

- proc/vmcore: fix clearing user buffer by properly using
  clear_user() (CVE-2021-47566 bsc#1225514).
- commit 4f35255

- usb: dwc2: fix possible NULL pointer dereference caused by
  driver concurrency (CVE-2023-52855 bsc#1225583).
- commit 304ea43

- Refresh patches.kabi/net-preserve-kabi-for-sk_buff.patch.
- commit fa7929b

- net: preserve kabi for sk_buff (CVE-2024-26921 bsc#1223138).
- commit 726f363

- inet: inet_defrag: prevent sk release while still in use
  (CVE-2024-26921 bsc#1223138).
- commit 7846939

- xhci: Fix commad ring abort, write all 64 bits to CRCR register
  (CVE-2021-47434 bsc#1225232).
- commit d92fac3

- xhci: Fix command ring pointer corruption while aborting a
  command (CVE-2021-47434 bsc#1225232).
- blacklist.conf: taken so that the correct fix applies
- commit ea90837

- xsk: validate user input for XDP_{UMEM|COMPLETION}_FILL_RING
  (bsc#1224575 CVE-2024-35976).
- commit 641c7c4

- usb: fix various gadgets null ptr deref on 10gbps cabling
  (CVE-2021-47270 bsc#1224997).
- commit 00c58e2

- usb: udc: remove warning when queue disabled ep (CVE-2024-35822
  bsc#1224739).
- commit dcaf30a

- blacklist.conf: add cleanup fix that breaks kABI
- commit cae1961

- bpf, skmsg: Fix NULL pointer dereference in
  sk_psock_skb_ingress_enqueue (bsc#1225761 CVE-2024-36938).
- commit 24fab08

- drm/client: Fully protect modes with dev->mode_config.mutex (CVE-2024-35950 bsc#1224703).
- commit f0cb811

- smb: client: fix potential deadlock when releasing mids
  (bsc#1225548, CVE-2023-52757).
- commit 00dc86e

- smb: client: fix potential UAF in is_valid_oplock_break()
  (bsc#1224763, CVE-2024-35863).
- commit be79366

- smb: client: fix potential UAF in cifs_stats_proc_write()
  (bsc#1224678, CVE-2024-35868).
- commit 7c5946d

- smb: client: fix potential UAF in cifs_stats_proc_show()
  (bsc#1224664, CVE-2024-35867).
- commit adb391f

- smb: client: fix potential UAF in cifs_debug_files_proc_show()
  (bsc#1223532, CVE-2024-26928).
- commit 92bb153

- smb: client: fix UAF in smb2_reconnect_server() (bsc#1224672,
  CVE-2024-35870).
- commit 4eabe16

- smb: client: fix potential UAF in smb2_is_valid_lease_break()
  (bsc#1224765, CVE-2024-35864).
- commit 688ad5f

- smb: client: fix potential UAF in smb2_is_network_name_deleted()
  (bsc#1224764, CVE-2024-35862).
- commit 6bbd54b

- smb3: fix lock ordering potential deadlock in
  cifs_sync_mid_result (bsc#1224549, CVE-2024-35998).
- commit fbe7cb6

- smb: client: fix potential UAF in smb2_is_valid_oplock_break()
  (bsc#1224668, CVE-2024-35865).
- commit 77a46ab

- nvme-tcp: fix UAF when detecting digest errors (CVE-2022-48686 bsc#1223948).
  Update blacklist.conf: remove entry
- commit f159215

- nvme-loop: fix memory leak in nvme_loop_create_ctrl() (CVE-2021-47074 bsc#1220854).
  Update blacklist.conf: remove entry
- commit 5f6a5df

- nvme-rdma: destroy cm id before destroy qp to avoid use after
  free (CVE-2021-47378 bsc#1225201).
- commit 599a36a

- nvmet: fix a use-after-free (CVE-2022-48697 bsc#1223922).
  Update blacklist.conf: drop entry from it
- commit 5e496a4

- nvme-fc: do not wait in vain when unloading module
  (CVE-2024-26846 bsc#1223023).
- commit 365a6dd

- blacklist.conf: add d380ce70058a4ccddc3e5f5c2063165dc07672c6
  netrom: Fix data-races around sysctl_net_busy_read
  (CVE-2024-27419 bsc#1224759)
- commit 9b21914

- net/tls: Fix flipped sign in tls_err_abort() calls
  (CVE-2021-47496 bsc#1225354)
- commit af28ae7

- Update
  patches.suse/0004-dm-fix-mempool-NULL-pointer-race-when-completing-IO.patch
  (git-fixes bsc#1225247 CVE-2021-47435).
- Update
  patches.suse/0022-dm-btree-remove-assign-new_root-only-when-removal-su.patch
  (git-fixes bsc#1225155 CVE-2021-47343).
- Update
  patches.suse/0066-virtio-blk-Fix-memory-leak-among-suspend-resume-procedure.patch
  (git-fixes bsc#1225054 CVE-2021-47319).
- Update
  patches.suse/HID-betop-fix-slab-out-of-bounds-Write-in-betop_prob.patch
  (git-fixes bsc#1207186 bsc#1225303 CVE-2021-47404).
- Update
  patches.suse/IB-hfi1-Fix-leak-of-rcvhdrtail_dummy_kvaddr.patch
  (git-fixes bsc#1225438 CVE-2021-47523).
- Update
  patches.suse/IB-mlx5-Fix-initializing-CQ-fragments-buffer.patch
  (git-fixes bsc#1224954 CVE-2021-47261).
- Update
  patches.suse/IB-qib-Protect-from-buffer-overflow-in-struct-qib_us.patch
  (git-fixes bsc#1224904 CVE-2021-47485).
- Update
  patches.suse/RDMA-cma-Ensure-rdma_addr_cancel-happens-before-issu.patch
  (git-fixes bsc#1225318 CVE-2021-47391).
- Update
  patches.suse/RDMA-cma-Fix-rdma_resolve_route-memory-leak.patch
  (git-fixes bsc#1225157 CVE-2021-47345).
- Update
  patches.suse/SUNRPC-Fix-RPC-client-cleaned-up-the-freed-pipefs-de.patch
  (git-fixes bsc#1225008 CVE-2023-52803).
- Update
  patches.suse/blktrace-Fix-uaf-in-blk_trace-access-after-removing-.patch
  (bsc#1191452 bsc#1225193 CVE-2021-47375).
- Update patches.suse/can-peak_pci-peak_pci_remove-fix-UAF.patch
  (git-fixes bsc#1225256 CVE-2021-47456).
- Update
  patches.suse/cifs-Fix-use-after-free-in-rdata-read_into_pages-.patch
  (bsc#1190317 bsc#1225479 CVE-2023-52741).
- Update
  patches.suse/cifs-prevent-NULL-deref-in-cifs_compose_mount_options-.patch
  (bsc#1185902 bsc#1224961 CVE-2021-47307).
- Update
  patches.suse/dma-buf-sync_file-Don-t-leak-fences-on-merge-failure.patch
  (git-fixes bsc#1224968 CVE-2021-47305).
- Update
  patches.suse/drm-Fix-use-after-free-read-in-drm_getunique.patch
  (git-fixes bsc#1224982 CVE-2021-47280).
- Update
  patches.suse/ftrace-Do-not-blindly-read-the-ip-address-in-ftrace_bug.patch
  (git-fixes bsc#1224966 CVE-2021-47276).
- Update patches.suse/gfs2-ignore-negated-quota-changes.patch
  (git-fixes bsc#1225560 CVE-2023-52759).
- Update
  patches.suse/i40e-Fix-freeing-of-uninitialized-misc-IRQ-vector.patch
  (bsc#1101816 FATE#325147 FATE#325149 bsc#1225367
  CVE-2021-47424).
- Update
  patches.suse/igb-Fix-use-after-free-error-during-reset.patch
  (git-fixes bsc#1224916 CVE-2021-47301).
- Update
  patches.suse/igc-Fix-use-after-free-error-during-reset.patch
  (git-fixes bsc#1224917 CVE-2021-47302).
- Update
  patches.suse/ipv4-ipv6-Fix-handling-of-transhdrlen-in-__ip-6-_app.patch
  (git-fixes bsc#1220928 CVE-2023-52527).
- Update
  patches.suse/isdn-mISDN-netjet-Fix-crash-in-nj_probe.patch
  (git-fixes bsc#1224987 CVE-2021-47284).
- Update
  patches.suse/isofs-Fix-out-of-bound-access-for-corrupted-isofs-im.patch
  (bsc#1194591 bsc#1225198 CVE-2021-47478).
- Update
  patches.suse/kprobes-Fix-possible-use-after-free-issue-on-kprobe-registration.patch
  (git-fixes bsc#1224676 CVE-2024-35955).
- Update
  patches.suse/l2tp-pass-correct-message-length-to-ip6_append_data.patch
  (git-fixes bsc#1222667 CVE-2024-26752).
- Update
  patches.suse/mISDN-fix-possible-use-after-free-in-HFC_cleanup.patch
  (git-fixes bsc#1225143 CVE-2021-47356).
- Update
  patches.suse/media-zr364xx-fix-memory-leak-in-zr364xx_start_readp.patch
  (git-fixes bsc#1224922 CVE-2021-47344).
- Update
  patches.suse/net-USB-Fix-wrong-direction-WARNING-in-plusb.c.patch
  (git-fixes bsc#1225482 CVE-2023-52742).
- Update
  patches.suse/net-hns3-do-not-allow-call-hns3_nic_net_open-repeate.patch
  (git-fixes bsc#1225329 CVE-2021-47400).
- Update
  patches.suse/net-mdiobus-Fix-memory-leak-in-__mdiobus_register.patch
  (git-fixes bsc#1225189 CVE-2021-47472).
- Update
  patches.suse/net-mlx4_en-Fix-an-use-after-free-bug-in-mlx4_en_try.patch
  (git-fixes bsc#1225453 CVE-2021-47541).
- Update
  patches.suse/net-nfc-rawsock.c-fix-a-permission-check-bug.patch
  (git-fixes bsc#1224981 CVE-2021-47285).
- Update patches.suse/net-qcom-emac-fix-UAF-in-emac_remove.patch
  (git-fixes bsc#1225010 CVE-2021-47311).
- Update patches.suse/net-ti-fix-UAF-in-tlan_remove_one.patch
  (git-fixes bsc#1224959 CVE-2021-47310).
- Update
  patches.suse/net-usb-kalmia-Don-t-pass-act_len-in-usb_bulk_msg-er.patch
  (git-fixes bsc#1225549 CVE-2023-52703).
- Update
  patches.suse/nfs-fix-acl-memory-leak-of-posix_acl_create.patch
  (git-fixes bsc#1225058 CVE-2021-47320).
- Update
  patches.suse/nfsd-fix-use-after-free-due-to-delegation-race.patch
  (git-fixes bsc#1225404 CVE-2021-47506).
- Update
  patches.suse/ocfs2-fix-data-corruption-after-conversion-from-inli.patch
  (bsc#1190795 bsc#1225251 CVE-2021-47460).
- Update
  patches.suse/ocfs2-mount-fails-with-buffer-overflow-in-strlen.patch
  (bsc#1197760 bsc#1225252 CVE-2021-47458).
- Update patches.suse/phy-mdio-fix-memory-leak.patch (git-fixes
  bsc#1225336 CVE-2021-47416).
- Update
  patches.suse/ppdev-Add-an-error-check-in-register_device.patch
  (git-fixes bsc#1225640 CVE-2024-36015).
- Update
  patches.suse/s390-dasd-protect-device-queue-against-concurrent-access.patch
  (git-fixes bsc#1217519 bsc#1225572 CVE-2023-52774).
- Update
  patches.suse/s390-qeth-fix-NULL-deref-in-qeth_clear_working_pool_list
  (git-fixes bsc#1225164 CVE-2021-47369).
- Update
  patches.suse/s390-qeth-fix-deadlock-during-failing-recovery
  (bsc#1206213 LTC#200742 bsc#1225207 CVE-2021-47382).
- Update
  patches.suse/scsi-core-Fix-bad-pointer-dereference-when-ehandler-kthread-is-invalid
  (git-fixes bsc#1224926 CVE-2021-47337).
- Update
  patches.suse/scsi-core-Put-LLD-module-refcnt-after-SCSI-device-is-released
  (git-fixes bsc#1225322 CVE-2021-47480).
- Update
  patches.suse/scsi-libfc-Fix-array-index-out-of-bound-exception.patch
  (bsc#1188616 bsc#1224963 CVE-2021-47308).
- Update
  patches.suse/scsi-mpt3sas-Fix-kernel-panic-during-drive-powercycle-test
  (git-fixes bsc#1225384 CVE-2021-47565).
- Update
  patches.suse/scsi-qla2xxx-Fix-a-memory-leak-in-an-error-path-of-qla2x00_process_els
  (git-fixes bsc#1225192 CVE-2021-47473).
- Update
  patches.suse/tipc-fix-a-possible-memleak-in-tipc_buf_append.patch
  (bsc#1221977 CVE-2021-47162 bsc#1225764 CVE-2024-36954).
- Update
  patches.suse/tracing-Correct-the-length-check-which-causes-memory-corruption.patch
  (git-fixes bsc#1224990 CVE-2021-47274).
- Update
  patches.suse/tracing-trigger-Fix-to-return-error-if-failed-to-alloc-snapshot.patch
  (git-fixes CVE-2024-26920).
- Update
  patches.suse/tty-n_gsm-require-CAP_NET_ADMIN-to-attach-N_GSM0710-.patch
  (bsc#1222619 CVE-2023-52880).
- Update
  patches.suse/tty-serial-8250-serial_cs-Fix-a-memory-leak-in-error.patch
  (git-fixes bsc#1225084 CVE-2021-47330).
- Update
  patches.suse/udf-Fix-NULL-pointer-dereference-in-udf_symlink-func.patch
  (bsc#1206646 bsc#1225128 CVE-2021-47353).
- Update
  patches.suse/usb-config-fix-iteration-issue-in-usb_get_bos_descri.patch
  (git-fixes bsc#1225092 CVE-2023-52781).
- Update
  patches.suse/usb-dwc2-check-return-value-after-calling-platform_g.patch
  (git-fixes bsc#1225330 CVE-2021-47409).
- Update
  patches.suse/usb-dwc3-ep0-fix-NULL-pointer-exception.patch
  (git-fixes bsc#1224996 CVE-2021-47269).
- Update patches.suse/usb-musb-dsps-Fix-the-probe-error-path.patch
  (git-fixes bsc#1225244 CVE-2021-47436).
- Update patches.suse/usbnet-sanity-check-for-maxpacket.patch
  (git-fixes bsc#1225351 CVE-2021-47495).
- Update
  patches.suse/watchdog-Fix-possible-use-after-free-by-calling-del_.patch
  (git-fixes bsc#1225060 CVE-2021-47321).
- Update
  patches.suse/watchdog-Fix-possible-use-after-free-in-wdt_startup.patch
  (git-fixes bsc#1225030 CVE-2021-47324).
- Update
  patches.suse/watchdog-sc520_wdt-Fix-possible-use-after-free-in-wd.patch
  (git-fixes bsc#1225026 CVE-2021-47323).
- Update
  patches.suse/wl1251-Fix-possible-buffer-overflow-in-wl1251_cmd_sc.patch
  (git-fixes bsc#1225177 CVE-2021-47347).
- commit 8975a47

- powerpc/pseries/lparcfg: drop error message from guest name
  lookup (bsc#1187716 ltc#193451 git-fixes).
- commit 62b0891

- blacklist.conf: PPC fsl_msi is not used
- commit bbad33b

- netfilter: nft_compat: explicitly reject ERROR and standard
  target (git-fixes).
- commit 46fdab6

- netfilter: x_tables: set module owner for icmp(6) matches
  (git-fixes).
- commit 8835e2a

- netfilter: nf_queue: augment nfqa_cfg_policy (git-fixes).
- commit d5734cd

- rds: avoid unenecessary cong_update in loop transport
  (git-fixes).
- commit 758da4a

- cls_rsvp: check user supplied offsets (CVE-2023-42755
  bsc#1215702).
- commit b722f7c

- l2tp: pass correct message length to ip6_append_data
  (git-fixes).
- commit 5edafdb

- net: 9p: avoid freeing uninit memory in p9pdu_vreadf
  (git-fixes).
- commit fdb6a12

- wifi: cfg80211: avoid leaking stack data into trace (git-fixes).
- commit 58724e2

- ipv4, ipv6: Fix handling of transhdrlen in
  __ip{,6}_append_data() (git-fixes).
- commit 7f0cb3d

- rxrpc: Fix a memory leak in rxkad_verify_response() (git-fixes).
- commit 301026e

- wifi: radiotap: fix kernel-doc notation warnings (git-fixes).
- commit a96badd

- net: tcp: fix unexcepted socket die when snd_wnd is 0
  (git-fixes).
- commit 66b602a

- tcp: tcp_make_synack() can be called from process context
  (git-fixes).
- commit 1171bb0

- net/smc: fix fallback failed while sendmsg with fastopen
  (git-fixes).
- commit 85612f4

- nfc: change order inside nfc_se_io error path (git-fixes).
- commit 92d40f5

- ila: do not generate empty messages in
  ila_xlat_nl_cmd_get_mapping() (git-fixes).
- commit bd4b08a

- rds: ib: Fix missing call to rds_ib_dev_put in rds_ib_setup_qp
  (git-fixes).
- commit 30e8bf8

- rxrpc: Work around usercopy check (git-fixes).
- commit f1a8d7a

- rxrpc: Don't put crypto buffers on the stack (git-fixes).
- commit d4118f5

- rxrpc: Provide a different lockdep key for call->user_mutex
  for kernel calls (git-fixes).
- commit 256d44f

- rxrpc: The mutex lock returned by rxrpc_accept_call() needs
  releasing (git-fixes).
- commit 56d0a26

- net: atlantic: eliminate double free in error handling logic
  (CVE-2023-52664 bsc#1224747).
- ipvlan: add ipvlan_route_v6_outbound() helper (CVE-2023-52796
  bsc#1224930).
- net/mlx5e: Fix page reclaim for dead peer hairpin
  (CVE-2021-47246 bsc#1224831).
- commit e8481e2

- ceph: blocklist the kclient when receiving corrupted snap trace
  (bsc#1225222 CVE-2023-52732).
- commit afa0bf6

- btrfs: add missing mutex_unlock in btrfs_relocate_sys_chunks() (CVE-2024-35936 bsc#1224644)
- commit 7904756

- btrfs: handle chunk tree lookup error in btrfs_relocate_sys_chunks() (CVE-2024-35936 bsc#1224644)
- commit 64d6920

- ethernet: hisilicon: hns: hns_dsaf_misc: fix a possible array (bsc#1225506 CVE-2021-47548)
- commit e4002ca

- mmc: sdhci-msm: pervent access to suspended controller (bsc#1225708 CVE-2024-36029)
- commit 0915583

- llc: call sock_orphan() at release time
  (CVE-2024-26625 bsc#1221086)
- commit 1715209

- blacklist.conf: not affected by CVE-2024-35984
- commit 19bc954

- virtio-net: Add validation for used length (CVE-2021-47352
  bsc#1225124).
- commit 91c03a8

- calipso: fix memory leak in netlbl_calipso_add_pass()
  (CVE-2023-52698 bsc#1224621)
- commit 008f52c

- blacklist.conf: Add c5b0a7eefc70 sched/fair: Remove sysctl_sched_migration_cost condition
- commit dbc3425

- ppdev: Add an error check in register_device (git-fixes).
- commit d524561

- drm/amdgpu: fix gart.bo pin_count leak (CVE-2021-47431 bsc#1225390).
- commit 1e38f4d

- btrfs: send: handle path ref underflow in header iterate_inode_ref() (CVE-2024-35935 bsc#1224645)
- commit 0b2d17e

- cifs: fix underflow in parse_server_interfaces() (bsc#1223084,
  CVE-2024-26828).
- commit 7164147

- drm/nouveau/debugfs: fix file release memory leak (CVE-2021-47423 bsc#1225366).
- commit 5f7b5c9

- drm/radeon: fix a possible null pointer dereference (CVE-2022-48710 bsc#1225230).
- commit ee59a3e

- nvmem: Fix shift-out-of-bound (UBSAN) with byte size cells
  (bsc#1225355 CVE-2021-47497).
- commit 30121bc

- drm/vc4: don't check if plane->state->fb == state->fb (CVE-2024-35932 bsc#1224650).
- commit 4fdcf5e

- iio: mma8452: Fix trigger reference couting (bsc#1225360
  CVE-2021-47500).
- commit a0d87d5

- PCI/PM: Drain runtime-idle callbacks before driver removal
  (CVE-2024-35809 bsc#1224738).
- commit 9f4d35b

- tty: Fix out-of-bound vmalloc access in imageblit
  (CVE-2021-47383 bsc#1225208).
- commit a21c750

- ALSA: pcm: oss: Fix negative period/buffer sizes (CVE-2021-47511
  bsc#1225411).
- commit 748d8c1

- ALSA: pcm: oss: Limit the period size to 16MB (CVE-2021-47509
  bsc#1225409).
- commit 8f92260

- x86/mm/pat: fix VM_PAT handling in COW mappings (bsc#1224525
  CVE-2024-35877).
- commit d228bf6

- batman-adv: Avoid infinite loop trying to resize local TT
  (CVE-2024-35982 bsc#1224566)
- commit 4f15041

- ipv6: fix race condition between ipv6_get_ifaddr and ipv6_del_addr
  (CVE-2024-35969 bsc#1224580)
- commit bcaf17a
cloud-regionsrv-client
- Update to 10.3.4
  + Modify the message when network access over a specific IP version does
    not work. This is an informational message and should not look like
    an error
  + Inform the user that LTSS registration takes a little longer
  + Add fix-for-sles12-no-trans_update.patch
    + SLE 12 family has no products with transactional-update, so we do not
    need to look for this condition
- From 10.3.3 (bsc#1229472)
  + Handle changes in process structure to properly identify the running
    zypper parent process and only check for 1 PID
- From 10.3.2
  + Remove rgnsrv-clnt-fix-docker-setup.patch included upstream
- From 10.3.1 (jsc#PCT-400)
  + Add support for LTSS registration
  + Add fix-for-sles12-disable-registry.patch
    ~ No container support in SLE 12

- Add rgnsrv-clnt-fix-docker-setup.patch (bsc#1229137)
  + The entry for the update infrastructure registry mirror was written
    incorrectly causing docker daemon startup to fail.

- Update to version 10.3.0 (bsc#1227308, bsc#1222985)
  + Add support for sidecar registry
    Podman and rootless Docker support to set up the necessary
    configuration for the container engines to run as defined
  + Add running command as root through sudoers file

- Update to version 10.2.0 (bsc#1223571, bsc#1224014, bsc#1224016)
  + In addition to logging, write message to stderr when registration fails
  + Detect transactional-update system with read only setup and use
    the transactional-update command to register
  + Handle operation in a different target root directory for credentials
    checking
wicked
- Update to version 0.6.76
  - compat-suse: warn user and create missing parent config of
    infiniband children (gh#openSUSE/wicked#1027)
  - client: fix origin in loaded xml-config with obsolete port
    references but missing port interface config, causing a
    no-carrier of master (bsc#1226125)
  - ipv6: fix setup on ipv6.disable=1 kernel cmdline (bsc#1225976)
  - wireless: add frequency-list in station mode (jsc#PED-8715)
  - client: fix crash while hierarchy traversing due to loop in
    e.g. systemd-nspawn containers (bsc#1226664)
  - man: add supported bonding options to ifcfg-bonding(5) man page
    (gh#openSUSE/wicked#1021)
  - arputil: Document minimal interval for getopts (gh#openSUSE/wicked#1019)
  - man: (re)generate man pages from md sources (gh#openSUSE/wicked#1018)
  - client: warn on interface wait time reached (gh#openSUSE/wicked#1017)
  - compat-suse: fix dummy type detection from ifname to not cause
    conflicts with e.g. correct vlan config on dummy0.42 interfaces
    (gh#openSUSE/wicked#1016)
  - compat-suse: fix infiniband and infiniband child type detection
    from ifname (gh#openSUSE/wicked#1015)
- Removed patches included in the source archive:
  [- 0001-ifreload-pull-UP-again-on-master-lower-changes-bsc1224100.patch]
  [- 0002-increase-arp-retry-attempts-on-sending-bsc1218668.patch]

- arp: increase arp-send retry value to avoid address configuration
  failure due to ENOBUF reported by kernel while duplicate address
  detection with underlying bonding in 802.3ad mode reporting link
  "up & running" too early (bsc#1218668, gh#openSUSE/wicked#1020,
  gh#openSUSE/wicked#1022).
  [+ 0002-increase-arp-retry-attempts-on-sending-bsc1218668.patch]
openssl-1_1
- Security fix: [bsc#1227138, CVE-2024-5535]
  * SSL_select_next_proto buffer overread
  * Add openssl-CVE-2024-5535.patch

- Apply "openssl-CVE-2024-4741.patch" to fix a use-after-free
  security vulnerability. Calling the function SSL_free_buffers()
  potentially caused memory to be accessed that was previously
  freed in some situations and a malicious attacker could attempt
  to engineer a situation where this occurs to facilitate a
  denial-of-service attack. [CVE-2024-4741, bsc#1225551]

- Security fix: [bsc#1222548, CVE-2024-2511]
  * Fix unconstrained session cache growth in TLSv1.3
  * Add openssl-CVE-2024-2511.patch
xen
- bsc#1228574 - VUL-0: CVE-2024-31145: xen: error handling in x86
  IOMMU identity mapping (XSA-460)
  xsa460.patch
- bsc#1228575 - VUL-0: CVE-2024-31146: xen: PCI device pass-through
  with shared resources (XSA-461)
  xsa461.patch
- Drop xsa458.patch in favor of upstream version (bsc#1227355)
  669662ea-x86-IRQ-avoid-double-unlock-in-map_domain_pirq.patch
- Upstream bug fixes (bsc#1027519)
  6672c847-x86-CPUID-XSAVE-dynamic-leaves.patch
  66a8b8ac-bunzip2-rare-failure.patch

- bsc#1227355 - VUL-0: CVE-2024-31143: xen: double unlock in x86
  guest IRQ handling (XSA-458)
  xsa458.patch

- Upstream bug fixes (bsc#1027519)
  6627a4ee-vRTC-UIP-set-for-longer-than-expected.patch
  663a383c-libxs-open-xenbus-fds-as-O_CLOEXEC.patch
  663eaa27-libxl-XenStore-error-handling-in-device-creation.patch
  66450627-x86-respect-mapcache_domain_init-failing.patch

- bsc#1222453 - VUL-0: CVE-2024-2201: xen: x86: Native Branch
  History Injection (XSA-456)
  Corrections to the following patches
  661560bd-x86-spec-ctrl-BHB-clearing-sequences.patch
  661560be-x86-spec-ctrl-wire-up-native-BHI-sequences.patch
curl
- Security fix: [bsc#1230093, CVE-2024-8096]
  * curl: OCSP stapling bypass with GnuTLS
  * Add curl-CVE-2024-8096.patch

- Security fix: [bsc#1228535, CVE-2024-7264]
  * curl: ASN.1 date parser overread
  * Add curl-CVE-2024-7264.patch
python-urllib3
- Add CVE-2024-37891.patch (bsc#1226469, CVE-2024-37891)