- augeas
-
- add augeas-sysctl_parsing.patch (bsc#1197443)
* backport original patch and rebase.
- binutils
-
- Add binutils-revert-rela.diff to revert back to old behaviour
of not ignoring the in-section content of to be relocated
fields on x86-64, even though that's a RELA architecture.
Compatibility with buggy object files generated by old tools.
[bsc#1198422]
- containerd
-
- Update to containerd v1.6.6 to fix CVE-2022-31030 and meet the requirements
of Docker v20.10.17-ce. bsc#1200145
- Remove upstreamed patches:
- bsc1200145-Limit-the-response-size-of-ExecSync.patch
[ This patch was only released in SLES and Leap. ]
- Backport patch to fix GHSA-5ffw-gxpp-mxpf CVE-2022-31030. bsc#1200145
+ bsc1200145-Limit-the-response-size-of-ExecSync.patch
- Update to containerd v1.5.12. Upstream release notes:
<https://github.com/containerd/containerd/releases/tag/v1.5.12>
- Update to containerd v1.5.11 to fix CVE-2022-24769. bsc#1197517
- Remove upstreamed patch:
- CVE-2022-23648.patch
[ This patch was only released in SLES and Leap. ]
- Add patch for CVE-2022-23648. bsc#1196441
+ CVE-2022-23648.patch
- Update to containerd v1.4.12 for Docker 20.10.11-ce. bsc#1192814
bsc#1193273 CVE-2021-41190
- curl
-
- Security fix: [bsc#1200735, CVE-2022-32206]
* HTTP compression denial of service
* Add curl-CVE-2022-32206.patch
- Security fix: [bsc#1200737, CVE-2022-32208]
* FTP-KRB bad message verification
* Add curl-CVE-2022-32208.patch
- Security fix: [bsc#1199223, CVE-2022-27781]
* CERTINFO never-ending busy-loop
* Add curl-CVE-2022-27781.patch
- Security fix: [bsc#1199224, CVE-2022-27782]
* TLS and SSH connection too eager reuse
* Add curl-CVE-2022-27782.patch
- Security fix: [bsc#1198766, CVE-2022-27776]
* Auth/cookie leak on redirect
* Add backported curl-CVE-2022-27776.patch
- Security fix: [bsc#1198614, CVE-2022-22576]
* OAUTH2 bearer bypass in connection re-use
* Add curl-CVE-2022-22576.patch
- dhcp
-
- bsc#1198657: properly handle DHCRELAY(6)_OPTIONS.
- docker
-
- Update to Docker 20.10.17-ce. See upstream changelog online at
<https://docs.docker.com/engine/release-notes/#201017>. bsc#1200145
- Rebase patches:
* 0001-SECRETS-daemon-allow-directory-creation-in-run-secre.patch
* 0002-SECRETS-SUSE-implement-SUSE-container-secrets.patch
* 0003-PRIVATE-REGISTRY-add-private-registry-mirror-support.patch
* 0004-bsc1073877-apparmor-clobber-docker-default-profile-o.patch
* 0005-bsc1183855-btrfs-Do-not-disable-quota-on-cleanup.patch
* 0006-bsc1193930-vendor-update-golang.org-x-crypto.patch
- Add patch to update golang.org/x/crypto for CVE-2021-43565 and CVE-2022-27191.
bsc#1193930 bsc#1197284
* 0006-bsc1193930-vendor-update-golang.org-x-crypto.patch
- Rebase patches:
* 0001-SECRETS-daemon-allow-directory-creation-in-run-secre.patch
* 0002-SECRETS-SUSE-implement-SUSE-container-secrets.patch
* 0003-PRIVATE-REGISTRY-add-private-registry-mirror-support.patch
* 0004-bsc1073877-apparmor-clobber-docker-default-profile-o.patch
* 0005-bsc1183855-btrfs-Do-not-disable-quota-on-cleanup.patch
- Update to Docker 20.10.14-ce. See upstream changelog online at
<https://docs.docker.com/engine/release-notes/#201014>. bsc#1197517
CVE-2022-24769
- dracut
-
- fix kernel name parsing in purge-kernels script (bsc#1199453)
- e2fsprogs
-
- libext2fs-add-sanity-check-to-extent-manipulation.patch: libext2fs: add
sanity check to extent manipulation (bsc#1198446 CVE-2022-1304)
- gcc11
-
- Update to the GCC 11.3.0 release.
* includes SLS hardening backport on x86_64. [bsc#1195283]
- Update to gcc-11 branch head (691af15031e00227ba6d5935c), git1635
* includes gcc11-pr104931.patch
* includes fix for Firefox ICE [gcc#105256]
- Add provides/conflicts to glibc crosses since only one GCC version
for the same target can be installed at the same time.
- Add provides/conflicts to libgccjit.
- Update to gcc-11 branch head (6a1150d1524aeda3381b21717), git1406
* includes change to adjust gnats idea of the target, fixing
the build of gprbuild. [bsc#1196861]
- Add gcc11-pr104931.patch to fix miscompile of embedded premake
in 0ad on i586. [bsc#1197065]
- drop armv5tel, merge arm and armv6hl
- use --with-cpu rather than specifying --with-arch/--with-tune
to Recommends.
- Remove sys/rseq.h from include-fixed
- Update to gcc-11 branch head (d4a1d3c4b377f1d4acb), git1173
* Fix D memory corruption in -M output.
* Fix ICE in is_this_parameter with coroutines. [boo#1193659]
- Enable the cross compilers also on i586
- Enable some cross compilers also in rings
- Remove cross compilers for i386 target
- Update to gcc-11 branch head (7510c23c1ec53aa4a62705f03), git1018
* fixes issue with debug dumping together with -o /dev/null
* fixes libgccjit issue showing up in emacs build [boo#1192951]
- Package mwaitintrin.h
- Remove spurious exit from change_spec.
- Enable the full cross compiler, cross-aarch64-gcc11 and
cross-riscv64-gcc11 now provide a fully hosted C (and C++)
cross compiler, not just a freestanding one. I.e. with a cross
glibc. They don't yet support the sanitizer libraries.
Part of [jsc#OBS-124].
- glib2
-
- Add glib2-CVE-2021-28153.patch: fix CREATE_REPLACE_DESTINATION
with symlinks (boo#1183533 glgo#GNOME/glib#2325 CVE-2021-28153).
- grub2
-
- Security fixes and hardenings for boothole 3 / boothole 2022 (bsc#1198581)
* 0001-video-Remove-trailing-whitespaces.patch
* 0002-video-readers-jpeg-Test-for-an-invalid-next-marker-r.patch
* 0003-video-readers-jpeg-Catch-files-with-unsupported-quan.patch
* 0004-video-readers-jpeg-Catch-OOB-reads-writes-in-grub_jp.patch
* 0005-video-readers-jpeg-Don-t-decode-data-before-start-of.patch
* 0006-misc-Format-string-for-grub_error-should-be-a-litera.patch
* 0007-loader-efi-chainloader-Simplify-the-loader-state.patch
* 0008-commands-boot-Add-API-to-pass-context-to-loader.patch
- Fix CVE-2022-28736 (bsc#1198496)
* 0009-loader-efi-chainloader-Use-grub_loader_set_ex.patch
* 0010-kern-file-Do-not-leak-device_name-on-error-in-grub_f.patch
* 0011-video-readers-png-Abort-sooner-if-a-read-operation-f.patch
* 0012-video-readers-png-Refuse-to-handle-multiple-image-he.patch
- Fix CVE-2021-3695 (bsc#1191184)
* 0013-video-readers-png-Drop-greyscale-support-to-fix-heap.patch
- Fix CVE-2021-3696 (bsc#1191185)
* 0014-video-readers-png-Avoid-heap-OOB-R-W-inserting-huff-.patch
* 0015-video-readers-png-Sanity-check-some-huffman-codes.patch
* 0016-video-readers-jpeg-Abort-sooner-if-a-read-operation-.patch
* 0017-video-readers-jpeg-Do-not-reallocate-a-given-huff-ta.patch
* 0018-video-readers-jpeg-Refuse-to-handle-multiple-start-o.patch
- Fix CVE-2021-3697 (bsc#1191186)
* 0019-video-readers-jpeg-Block-int-underflow-wild-pointer-.patch
* 0020-normal-charset-Fix-array-out-of-bounds-formatting-un.patch
- Fix CVE-2022-28733 (bsc#1198460)
* 0021-net-ip-Do-IP-fragment-maths-safely.patch
* 0022-net-netbuff-Block-overly-large-netbuff-allocs.patch
* 0023-net-dns-Fix-double-free-addresses-on-corrupt-DNS-res.patch
* 0024-net-dns-Don-t-read-past-the-end-of-the-string-we-re-.patch
* 0025-net-tftp-Prevent-a-UAF-and-double-free-from-a-failed.patch
* 0026-net-tftp-Avoid-a-trivial-UAF.patch
* 0027-net-http-Do-not-tear-down-socket-if-it-s-already-bee.patch
- Fix CVE-2022-28734 (bsc#1198493)
* 0028-net-http-Fix-OOB-write-for-split-http-headers.patch
- Fix CVE-2022-28734 (bsc#1198493)
* 0029-net-http-Error-out-on-headers-with-LF-without-CR.patch
* 0030-fs-btrfs-Fix-several-fuzz-issues-with-invalid-dir-it.patch
* 0031-fs-btrfs-Fix-more-ASAN-and-SEGV-issues-found-with-fu.patch
* 0032-fs-btrfs-Fix-more-fuzz-issues-related-to-chunks.patch
* 0033-Use-grub_loader_set_ex-for-secureboot-chainloader.patch
- Update SBAT security contact (boo#1193282)
- Bump grub's SBAT generation to 2
- Use boot disks in OpenFirmware, fixing regression caused by
0001-ieee1275-implement-FCP-methods-for-WWPN-and-LUNs.patch, when
the root LV is completely in the boot LUN (bsc#1197948)
* 0001-ofdisk-improve-boot-time-by-lookup-boot-disk-first.patch
- gzip
-
- Add hardening for zgrep (CVE-2022-1271, bsc#1198062)
* bsc1198062-2.patch
- kernel-default
-
- Revert "net/mlx5: Fix auto group size calculation (git-fixes)."
This reverts commit b079f3521c00edccd6945f2e30562a049f4e8875.
I have to be sure that it's safe to modify mlx5 (KABI breakage)
- commit 0f9878e
- Revert "net/mlx5e: Replace reciprocal_scale in TX select queue function"
This reverts commit d5b41e7c4ddab05e45b493d6b8ed03c1b40281a0.
I have to be sure that it's safe to modify mlx5
- commit 37c02b5
- x86/kexec: Disable RET on kexec (bsc#1199657 CVE-2022-29900
CVE-2022-29901).
- commit b5316fa
- CVE Mitigation for CVE-2022-29900 and CVE-2022-29901
(bsc#1199657 CVE-2022-29900 CVE-2022-29901).
- commit 594c7f1
- ibmvnic: Properly dispose of all skbs during a failover
(bsc#1200925).
- commit 0f02acf
- x86/bugs: Do not enable IBPB-on-entry when IBPB is not supported
(bsc#1199657 CVE-2022-29900 CVE-2022-29901).
- commit 8e56414
- KVM: x86: Trace the original requested CPUID function in
kvm_cpuid() (git-fixes).
- commit ca28b57
- x86/cpu/amd: Enumerate BTC_NO (bsc#1199657 CVE-2022-29900
CVE-2022-29901).
- commit 0f78721
- x86/common: Stamp out the stepping madness (bsc#1199657
CVE-2022-29900 CVE-2022-29901).
- commit ef0778a
- x86/speculation: Remove x86_spec_ctrl_mask (bsc#1199657
CVE-2022-29900 CVE-2022-29901).
- commit cce4286
- x86/speculation: Use cached host SPEC_CTRL value for guest
entry/exit (bsc#1199657 CVE-2022-29900 CVE-2022-29901).
- commit bd05ee9
- x86/speculation: Fix SPEC_CTRL write on SMT state change
(bsc#1199657 CVE-2022-29900 CVE-2022-29901).
- commit 6c7f2f9
- x86/speculation: Fix firmware entry SPEC_CTRL handling
(bsc#1199657 CVE-2022-29900 CVE-2022-29901).
- commit 3a4c15c
- x86/cpu/amd: Add Spectral Chicken (bsc#1199657 CVE-2022-29900
CVE-2022-29901).
- commit 739064a
- Input: bcm5974 - set missing URB_NO_TRANSFER_DMA_MAP urb flag
(git-fixes).
- commit 75c6284
- blacklist.conf: exclusive to an unsupported architecture
- commit 2b062b1
- Input: omap4-keypad - fix pm_runtime_get_sync() error checking
(git-fixes).
- commit 66d1de0
- Input: elan_i2c - fix regulator enable count imbalance after
suspend/resume (git-fixes).
- commit 8dddf8b
- Input: elan_i2c - move regulator_[en|dis]able() out of
elan_[en|dis]able_power() (git-fixes).
- commit bdb6893
- x86/bugs: Do IBPB fallback check only once (bsc#1199657
CVE-2022-29900 CVE-2022-29901).
- commit ce4a75d
- x86/bugs: Add retbleed=ibpb (bsc#1199657 CVE-2022-29900
CVE-2022-29901).
- commit b64e2f2
- intel_idle: Disable IBRS during long idle (bsc#1199657
CVE-2022-29900 CVE-2022-29901).
- commit 24132fd
- x86/bugs: Report Intel retbleed vulnerability (bsc#1199657
CVE-2022-29900 CVE-2022-29901).
- commit 98205eb
- x86/bugs: Split spectre_v2_select_mitigation() and
spectre_v2_user_select_mitigation() (bsc#1199657 CVE-2022-29900
CVE-2022-29901).
- commit 899b6e2
- x86/speculation: Add spectre_v2=ibrs option to support Kernel
IBRS (bsc#1199657 CVE-2022-29900 CVE-2022-29901).
- commit c97dcea
- x86/bugs: Optimize SPEC_CTRL MSR writes (bsc#1199657
CVE-2022-29900 CVE-2022-29901).
- commit 2807530
- x86/entry: Add kernel IBRS implementation (bsc#1199657
CVE-2022-29900 CVE-2022-29901).
- commit 6c366af
- x86/bugs: Keep a per-CPU IA32_SPEC_CTRL value (bsc#1199657
CVE-2022-29900 CVE-2022-29901).
- commit 5b948ee
- x86/bugs: Enable STIBP for JMP2RET (bsc#1199657 CVE-2022-29900
CVE-2022-29901).
- commit 4af828d
- x86/bugs: Add AMD retbleed= boot parameter (bsc#1199657
CVE-2022-29900 CVE-2022-29901).
- Update config files.
- commit d021246
- x86/bugs: Report AMD retbleed vulnerability (bsc#1199657
CVE-2022-29900 CVE-2022-29901).
- commit 25b1e2a
- x86: Add magic AMD return-thunk (bsc#1199657 CVE-2022-29900
CVE-2022-29901).
- commit c23e13d
- x86: Use return-thunk in asm code (bsc#1199657 CVE-2022-29900
CVE-2022-29901).
- commit 24e2d3e
- x86/sev: Avoid using __x86_return_thunk (bsc#1199657
CVE-2022-29900 CVE-2022-29901).
- commit a639386
- x86/vsyscall_emu/64: Don't use RET in vsyscall emulation
(bsc#1199657 CVE-2022-29900 CVE-2022-29901).
- commit a624aee
- x86/kvm: Fix SETcc emulation for return thunks (bsc#1199657
CVE-2022-29900 CVE-2022-29901).
- commit bfe5a3a
- x86: Undo return-thunk damage (bsc#1199657 CVE-2022-29900
CVE-2022-29901).
- commit 6905344
- x86/retpoline: Use -mfunction-return (bsc#1199657 CVE-2022-29900
CVE-2022-29901).
- commit 41db50f
- x86/cpufeatures: Move RETPOLINE flags to word 11 (bsc#1199657
CVE-2022-29900 CVE-2022-29901).
- commit f1df027
- x86: Add straight-line-speculation mitigation (bsc#1201050
CVE-2021-26341).
- Update config files.
- Refresh
patches.suse/x86-speculation-rename-retpoline_amd-to-retpoline_lfence.patch.
- commit b67585f
- x86: Prepare inline-asm for straight-line-speculation
(bsc#1201050 CVE-2021-26341).
- commit a53fbef
- x86: Prepare asm files for straight-line-speculation
(bsc#1201050 CVE-2021-26341).
- commit 3593ddf
- x86/lib/atomic64_386_32: Rename things (bsc#1201050
CVE-2021-26341).
- commit fa24b57
- net: Rename and export copy_skb_header (bsc#1200762,
CVE-2022-33741, XSA-403).
- commit 5e3ad99
- net: rose: fix UAF bugs caused by timer handler (CVE-2022-2318
bsc#1201251).
- commit 6ad5c1f
- xen/netfront: force data bouncing when backend is untrusted
(bsc#1200762, CVE-2022-33741, XSA-403).
- commit 459e62a
- xen/netfront: fix leaking data in shared pages (bsc#1200762,
CVE-2022-33740, XSA-403).
- commit b225a00
- xen/blkfront: force data bouncing when backend is untrusted
(bsc#1200762, CVE-2022-33742, XSA-403).
- commit 8bcc9cd
- xen/blkfront: fix leaking data in shared pages (bsc#1200762,
CVE-2022-26365, XSA-403).
- commit f3412de
- blacklist.conf: not relevant in the configs of SLE12
- commit 7a87c74
- USB: serial: option: add Quectel BG95 modem (git-fixes).
- commit c1672b3
- PCI/ACPI: Allow D3 only if Root Port can signal and wake from D3
(git-fixes).
- commit 4822675
- blacklist.conf: update
- commit 9b0cda8
- bnxt_en: Remove the setting of dev_port (git-fixes).
- commit b4944bb
- blacklist.conf: update
- commit b981815
- bonding: fix bond_neigh_init() (git-fixes).
- commit bd377d1
- net/mlx5: Fix auto group size calculation (git-fixes).
- commit b079f35
- net/mlx5e: Replace reciprocal_scale in TX select queue function
(git-fixes).
- commit d5b41e7
- net/mlx5: Avoid double free of root ns in the error flow path
(git-fixes).
- commit 847972f
- net: stmmac: update rx tail pointer register to fix rx dma
hang issue (git-fixes).
- commit d50f8cc
- blacklist.conf: update
- commit 6b42a65
- net/mlx5e: Switch to Toeplitz RSS hash by default (git-fixes).
- commit cc111a8
- blacklist.conf: update
- commit def294a
- audit: fix a race condition with the auditd tracking code
(bsc#1197170).
- commit fb844f5
- Update metadata references
- commit 9f48d7c
- md: bcache: check the return value of kzalloc() in
detached_dev_do_request() (git-fixes).
- raid5: introduce MD_BROKEN (git-fixes).
- block: bio-integrity: Advance seed correctly for larger interval
sizes (git-fixes).
- dm crypt: Avoid percpu_counter spinlock contention in
crypt_page_alloc() (git-fixes).
- commit 7b5f638
- sctp: handle kABI change in struct sctp_endpoint (CVE-2022-20154
bsc#1200599).
- commit c46afe6
- sctp: use call_rcu to free endpoint (CVE-2022-20154 bsc#1200599).
- commit 3cb182d
- ext4: make variable "count" signed (bsc#1200820).
- commit 0ad871f
- writeback: Fix inode->i_io_list not be protected by
inode->i_lock error (bsc#1200821).
- commit b9b0ac9
- inotify: show inotify mask flags in proc fdinfo (bsc#1200600).
patches.suse/vfs-add-super_operations-get_inode_dev: Refresh
- commit b58cf61
- blacklist.conf: Blacklist 623af4f538b5, 14362a254179, e730558adffb
- commit 2c2fce2
- blacklist.conf: Blacklist e583b5c472bd
- commit d532d93
- iomap: iomap_write_failed fix (bsc#1200829).
- commit fe41db9
- fs-writeback: writeback_sb_inodes Recalculate 'wrote' according skipped pages
(bsc#1200873).
- commit 32bf312
- ext4: fix bug_on ext4_mb_use_inode_pa (bsc#1200810).
- commit e785aa5
- ext4: fix bug_on in __es_tree_search (bsc#1200809).
- commit cd7168a
- ext4: fix bug_on in ext4_writepages (bsc#1200872).
- commit 6d17248
- blacklist.conf: Blacklist cb8435dc8ba3
- commit b518aff
- ext4: fix race condition between ext4_write and
ext4_convert_inline_data (bsc#1200807).
- commit 514183b
- ext4: fix use-after-free in ext4_rename_dir_prepare
(bsc#1200871).
- commit 895fa7d
- ext4: force overhead calculation if the s_overhead_cluster
makes no sense (bsc#1200870).
- commit 0291865
- ext4: fix overhead calculation to account for the reserved
gdt blocks (bsc#1200869).
- commit 5d9af1f
- ext4: limit length to bitmap_maxbytes - blocksize in punch_hole
(bsc#1200806).
- commit 490eab5
- ext4: fix symlink file size not match to file content
(bsc#1200868).
- commit c9b8c45
- init: Initialize noop_backing_dev_info early (bsc#1200822).
- commit 7ed9bdf
- writeback: Avoid skipping inode writeback (bsc#1200813).
- commit 0cccfea
- ath9k: fix use-after-free in ath9k_hif_usb_rx_cb (CVE-2022-1679
bsc#1199487).
- commit 2c5abda
- Update series.conf
- commit 3724c0a
- powerpc/perf: Fix the threshold compare group constraint for
power9 (bsc#1065729).
- powerpc/idle: Fix return value of __setup() handler
(bsc#1065729).
- commit 9f37a25
- md/raid0: Ignore RAID0 layout if the second zone has only one
device (git-fixes).
- commit 4cc9ba2
- tcp: drop the hash_32() part from the index calculation
(CVE-2022-1012 bsc#1199482).
- tcp: increase source port perturb table to 2^16 (CVE-2022-1012
bsc#1199482).
- tcp: dynamically allocate the perturb table used by source ports
(CVE-2022-1012 bsc#1199482).
Refresh patches.kabi/tcp-fix-race-condition-when-creating-child-sockets-from-syncookies-kABI-fix.patch
- tcp: add small random increments to the source port
(CVE-2022-1012 bsc#1199482).
- tcp: resalt the secret every 10 seconds (CVE-2022-1012
bsc#1199482).
Refresh patches.kabi/kabi-return-type-change-of-secure_ipv-46-_port_ephem.patch
- tcp: use different parts of the port_offset for index and offset
(CVE-2022-1012 bsc#1199482).
- kabi: return type change of secure_ipv_port_ephemeral()
(CVE-2022-1012 bsc#1199482).
- secure_seq: use the 64 bits of the siphash for port offset
calculation (CVE-2022-1012 bsc#1199482).
- commit 8d93613
- exec: Force single empty string when argv is empty
(bsc#1200571).
- commit 4ee3bdd
- powerpc/rtas: Allow ibm,platform-dump RTAS call with null
buffer address (bsc#1200343 ltc#198477).
- commit 1848f62
- KVM: s390: vsie/gmap: reduce gmap_rmap overhead (git-fixes).
- s390/mm: fix VMA and page table handling code in storage key
handling functions (git-fixes).
- s390/mm: validate VMA in PGSTE manipulation functions
(git-fixes).
- s390/gmap: don't unconditionally call pte_unmap_unlock()
in __gmap_zap() (git-fixes).
- s390/gmap: validate VMA in __gmap_zap() (git-fixes).
- s390: fix strrchr() implementation (git-fixes).
- s390/ftrace: fix ftrace_update_ftrace_func implementation
(git-fixes).
- mm: add vma_lookup(), update find_vma_intersection() comments
(git-fixes).
- s390: fix detection of vector enhancements facility 1 vs. vector
packed decimal facility (git-fixes).
- i915_vma: Rename vma_lookup to i915_vma_lookup (git-fixes).
- commit 29454c7
- HID: holtek: fix mouse probing (CVE-2022-20132 bsc#1200619).
- HID: add USB_HID dependancy to hid-prodikeys (CVE-2022-20132
bsc#1200619).
- HID: add USB_HID dependancy to hid-chicony (CVE-2022-20132
bsc#1200619).
- HID: add USB_HID dependancy on some USB HID drivers
(CVE-2022-20132 bsc#1200619).
- HID: check for valid USB device for many HID drivers
(CVE-2022-20132 bsc#1200619).
- HID: add hid_is_usb() function to make it simpler for USB
detection (CVE-2022-20132 bsc#1200619).
- HID: introduce hid_is_using_ll_driver (CVE-2022-20132
bsc#1200619).
- commit fb86cdd
- igmp: Add ip_mc_list lock in ip_check_mc_rcu (bsc#1200604
CVE-2022-20141).
- commit 5040a6d
- certs: Add EFI_CERT_X509_GUID support for dbx entries
(bsc#1177282 CVE-2020-26541).
- Update config files.
- commit 3cf594e
- net: qede: Disable aRFS for NPAR and 100G (git-fixes).
- commit 3550a36
- net: qed: Disable aRFS for NPAR and 100G (git-fixes).
- commit 5318f6c
- platform/chrome: cros_ec_proto: Send command again when timeout
occurs (git-fixes).
- commit 4cd9896
- blacklist.conf: optimization, not bugfix, polling mode works
- commit 9425795
- video: fbdev: clcdfb: Fix refcount leak in clcdfb_of_vram_setup (bsc#1129770)
- commit 2fedb7a
- SUNRPC: Fix the calculation of xdr->end in
xdr_get_next_encode_buffer() (git-fixes).
- NFS: Further fixes to the writeback error handling (git-fixes).
- NFSD: Fix possible sleep during nfsd4_release_lockowner()
(git-fixes).
- md: fix an incorrect NULL check in md_reload_sb (git-fixes).
- md: fix an incorrect NULL check in does_sb_need_changing
(git-fixes).
- commit ae718ea
- usb: musb: Fix missing of_node_put() in omap2430_probe
(git-fixes).
- commit 3a2cb6a
- USB: storage: karma: fix rio_karma_init return (git-fixes).
- commit 7629407
- usb: usbip: add missing device lock on tweak configuration cmd
(git-fixes).
- commit dc00497
- usb: usbip: fix a refcount leak in stub_probe() (git-fixes).
- commit 5dbe808
- blacklist.conf: cleanup with extensive prerequisites
- commit a84a222
- kvm: x86/cpuid: Only provide CPUID leaf 0xA if host has
architectural PMU (git-fixes).
- commit a1252d0
- KVM: x86/emulator: Defer not-present segment check in
__load_segment_descriptor() (git-fixes).
- commit 99b3a77
- KVM: x86: Fix emulation in writing cr8 (git-fixes).
- commit 8e75ed3
- kvm: fix wrong exception emulation in check_rdtsc (git-fixes).
- commit f2e7348
- KVM: x86: Update vCPU's hv_clock before back to guest when
tsc_offset is adjusted (git-fixes).
- commit 86ddc48
- KVM: x86: Don't force set BSP bit when local APIC is managed
by userspace (git-fixes).
- commit 57ed1a0
- KVM: x86: Migrate the PIT only if vcpu0 is migrated, not any
BSP (git-fixes).
- commit e73c808
- KVM: x86: clflushopt should be treated as a no-op by emulation
(git-fixes).
- commit c8ffffc
- KVM: LAPIC: Prevent setting the tscdeadline timer if the lapic
is hw disabled (git-fixes).
- commit 2e9d5c6
- KVM: x86: Inject #GP if guest attempts to toggle CR4.LA57 in
64-bit mode (git-fixes).
- commit 043f4fa
- kvm: i8254: remove redundant assignment to pointer s
(git-fixes).
- commit afdf86c
- KVM: x86: Fix off-by-one error in kvm_vcpu_ioctl_x86_setup_mce
(git-fixes).
- commit 7924673
- KVM: x86: Allocate new rmap and large page tracking when moving
memslot (git-fixes).
- commit af3a295
- KVM: x86: remove stale comment from struct x86_emulate_ctxt
(git-fixes).
- commit 4941176
- KVM: x86: clear stale x86_emulate_ctxt->intercept value
(git-fixes).
- commit eab5f4b
- KVM: x86: Refactor prefix decoding to prevent Spectre-v1/L1TF
attacks (git-fixes).
- commit 9438453
- KVM: x86: Remove spurious clearing of async #PF MSR (git-fixes).
- commit 7592a55
- KVM: x86: Remove spurious kvm_mmu_unload() from vcpu destruction
path (git-fixes).
- commit 52b7185
- KVM: x86: Free wbinvd_dirty_mask if vCPU creation fails
(git-fixes).
- commit c996e8b
- KVM: x86: Fix potential put_fpu() w/o load_fpu() on MPX platform
(git-fixes).
- commit 9a1420d
- KVM: x86: do not modify masked bits of shared MSRs (git-fixes).
- commit 95ee3f1
- kvm: x86: Improve emulation of CPUID leaves 0BH and 1FH
(git-fixes).
- commit 562c585
- KVM: x86/mmu: Treat invalid shadow pages as obsolete
(git-fixes).
- commit 73ee6fe
- KVM: x86: Manually flush collapsible SPTEs only when toggling
flags (git-fixes).
- commit b8ef0f8
- scsi: ufs: qcom: Add a readl() to make sure ref_clk gets enabled
(git-fixes).
- scsi: dc395x: Fix a missing check on list iterator (git-fixes).
- scsi: ufs: qcom: Fix ufs_qcom_resume() (git-fixes).
- drbd: fix duplicate array initializer (git-fixes).
- drbd: use bdev_alignment_offset instead of
queue_alignment_offset (git-fixes).
- drbd: use bdev based limit helpers in drbd_send_sizes
(git-fixes).
- drbd: remove assign_p_sizes_qlim (git-fixes).
- target: remove an incorrect unmap zeroes data deduction
(git-fixes).
- commit d98a418
- blacklist.conf: add commit not needed
This commit needs another commit not present,
and too large to add.
- commit 3afd40c
- blacklist.conf: add commit that breaks kABI
This commit just makes the compiler happy, but
breaks kABI.
- commit e382736
- floppy: disable FDRAWCMD by default (bsc#1198866 CVE-2022-1836).
- Update config files.
- commit 9af4e3a
- tracing: Fix return value of trace_pid_write() (git-fixes).
- commit 0e11fd3
- KVM: x86: set ctxt->have_exception in x86_decode_insn()
(git-fixes).
- commit dc27a5e
- KVM: x86: always stop emulation on page fault (git-fixes).
- commit e9cd420
- KVM: x86: Manually calculate reserved bits when loading PDPTRS
(git-fixes).
- commit b1a2cff
- KVM: x86: Unconditionally call x86 ops that are always
implemented (git-fixes).
update patches.suse/0005-kvm-x86-mmu-Recovery-of-shattered-NX-large-pages.patch
- commit d42160c
- KVM: x86: Fix x86_decode_insn() return when fetching insn
bytes fails (git-fixes).
- commit 3ff57f4
- kvm: x86: skip populating logical dest map if apic is not sw
enabled (git-fixes).
- commit 5dc0bda
- Remove unused variable in fbdev
Fixes the error shown below.
../drivers/video/fbdev/core/fbmem.c: In function 'fb_set_suspend':
../drivers/video/fbdev/core/fbmem.c:1904:6: warning: unused variable 'unused' [-Wunused-variable]
- commit e49f9c6
- KVM: nVMX: reset cache/shadows when switching loaded VMCS (git-fixes).
update patches.suse/kvm-nvmx-move-check_vmentry_postreqs-call-to-nested_vmx_enter_non_root_mode
update patches.suse/kvm-nvmx-don-t-reread-vmcs-agnostic-state-when-switching-vmcs.patch
update patches.suse/kvm-nvmx-skip-ibpb-when-switching-between-vmcs01-and-vmcs02.patch
- commit e121eab
- PCI: Tidy comments (git-fixes).
- Refresh
patches.suse/PCI-AER-Remove-HEST-FIRMWARE_FIRST-parsing-for-AER-o.patch.
- commit e6a6078
- add mainline tag for a pci-hyperv change
- commit 5039771
- netfilter: nf_tables: disallow non-stateful expression in sets
earlier (bsc#1200015).
- commit 1bb9b5b
- btrfs: tree-checker: fix incorrect printk format (bsc#1200249).
- commit 996513e
- Update metadata references
- commit e2a92b4
- powerpc/xive: Add some error handling code to
'xive_spapr_init()' (fate#322438 git-fixes).
- commit 4f26eea
- net: sched: fixed barrier to prevent skbuff sticking in qdisc
backlog (git-fixes).
- commit 1c252cc
- powerpc/numa: Prefer node id queried from vphn (bsc#1199237
bsc#1200173 ltc#198329).
- commit aa6b831
- powerpc/xive: Fix refcount leak in xive_spapr_init (fate#322438
git-fixes).
- commit e0a7e2f
- NFC: netlink: fix sleep in atomic bug when firmware download
timeout (CVE-2022-1975 bsc#1200143).
- commit a8211d8
- nfc: replace improper check device_is_registered() in netlink
related functions (CVE-2022-1974 bsc#1200144).
- commit d539b18
- scsi: qla2xxx: edif: Remove unneeded variable (bsc#1200045).
- scsi: qla2xxx: Remove unneeded flush_workqueue() (bsc#1200045).
- scsi: qla2xxx: Remove free_sg command flag (bsc#1200045).
- scsi: qla2xxx: Fix missed DMA unmap for aborted commands
(bsc#1200045).
- commit 11584e2
- revert scsi: qla2xxx: Changes to support FCP2 Target
(bsc#1198438).
- commit 6f4a9ff
- lpfc: Set default protocol support to FCP only (bsc#1194124
bsc#1198899).
- commit 712c9e0
- lpfc: drop driver update 14.2.0.x
The amount of backport changes necessary due to the refactoring is
introducing too much code churn and is likely to introduce regressions.
This ends the backport effort to keep the lpfc in sync with mainline.
- commit 38e014b
- powerpc/64s: Add CPU_FTRS_POWER9_DD2_2 to CPU_FTRS_ALWAYS mask (bsc#1061840 git-fixes).
- Refresh patches.suse/powerpc-64s-Remove-POWER9-DD1-support.patch.
- Refresh patches.suse/powerpc-Remove-Power8-DD1-from-cputable.patch.
- commit d40bf50
- usb: dwc3: gadget: Don't send unintended link state change
(git-fixes).
- commit 2385b45
- series: Resort and update meta data
Update meta data:
- patches.suse/powerpc-Enable-the-DAWR-on-POWER9-DD2.3-and-above.patch
- patches.suse/scsi-fnic-Replace-DMA-mask-of-64-bits-with-47-bits
- commit 27ea8c3
- usb: dwc3: core: Only handle soft-reset in DCTL (git-fixes).
- commit 415e104
- powerpc/powernv: Get STF barrier requirements from device-tree
(bsc#1188885 ltc#193722 git-fixes).
- powerpc/powernv: Get L1D flush requirements from device-tree
(bsc#1188885 ltc#193722 git-fixes).
- powerpc/powernv: Remove POWER9 PVR version check for entry
and uaccess flushes (bsc#1188885 ltc#193722 git-fixes).
- commit e5cd72e
- usb: mtu3: fix USB 3.0 dual-role-switch from device to host
(git-fixes).
- commit 0a0f653
- blacklist.conf: relevant only if CONFIG_REGULATOR is set
- commit b1bf5bb
- blacklist.conf: adding 40fdea0284bb20, as it requires 8480ed9c2bbd56
which is not in the SLE12-SP5 kernel
- commit de76d0c
- smp: Fix offline cpu check in flush_smp_call_function_queue()
(git-fixes).
- commit 9088d9f
- blacklist.conf: add cdb07bdea28e, which is not suitable. It is
supposed to be a cleanup patch removing a variable never read,
but this reasoning is wrong in the SLE12-SP5 kernel.
- commit fb2bee4
- mm, page_alloc: fix build_zonerefs_node() (git-fixes).
- commit ae78266
- PCI / ACPI: Mark expected switch fall-through (git-fixes).
- commit a34b722
- btrfs: extent-tree: kill the BUG_ON() in
insert_inline_extent_backref() (CVE-2019-19377 bsc#1158266).
- commit 7762823
- btrfs: extent-tree: kill BUG_ON() in __btrfs_free_extent()
(CVE-2019-19377 bsc#1158266).
- commit fa0dbe1
- KVM: x86/speculation: Disable Fill buffer clear within guests (bsc#1199650 CVE-2022-21166 CVE-2022-21127 CVE-2022-21123 CVE-2022-21125 CVE-2022-21180).
- commit 0f0e4c1
- x86/speculation/mmio: Reuse SRBDS mitigation for SBDS (bsc#1199650 CVE-2022-21166 CVE-2022-21127 CVE-2022-21123 CVE-2022-21125 CVE-2022-21180).
- commit 5415e79
- x86/speculation/srbds: Update SRBDS mitigation selection (bsc#1199650 CVE-2022-21166 CVE-2022-21127 CVE-2022-21123 CVE-2022-21125 CVE-2022-21180).
- commit 8723394
- x86/speculation/mmio: Add sysfs reporting for Processor MMIO Stale Data (bsc#1199650 CVE-2022-21166 CVE-2022-21127 CVE-2022-21123 CVE-2022-21125 CVE-2022-21180).
- commit 9f38802
- x86/speculation/mmio: Enable CPU Fill buffer clearing on idle (bsc#1199650 CVE-2022-21166 CVE-2022-21127 CVE-2022-21123 CVE-2022-21125 CVE-2022-21180).
- commit f7cab5d
- x86/bugs: Group MDS, TAA & Processor MMIO Stale Data mitigations (bsc#1199650 CVE-2022-21166 CVE-2022-21127 CVE-2022-21123 CVE-2022-21125 CVE-2022-21180).
- commit cc5a89b
- Blacklist some git-fixes for arm32 (stm32 and sun4i)
- commit 3b070b0
- x86/speculation/mmio: Add mitigation for Processor MMIO Stale Data (bsc#1199650 CVE-2022-21166 CVE-2022-21127 CVE-2022-21123 CVE-2022-21125 CVE-2022-21180).
- Refresh patches.suse/powerpc-64s-flush-L1D-after-user-accesses.patch.
- Refresh patches.suse/powerpc-64s-flush-L1D-on-kernel-entry.patch.
- commit bb2155d
- crypto: qat - don't cast parameter in bit operations
(git-fixes).
- crypto: ixp4xx - dma_unmap the correct address (git-fixes).
- crypto: virtio: Fix dest length calculation in
__virtio_crypto_skcipher_do_req() (git-fixes).
- crypto: virtio - deal with unsupported input sizes (git-fixes).
- commit 7fb5389
- x86/speculation: Add a common function for MD_CLEAR mitigation update (bsc#1199650 CVE-2022-21166 CVE-2022-21127 CVE-2022-21123 CVE-2022-21125 CVE-2022-21180).
- commit 5316230
- x86/speculation/mmio: Enumerate Processor MMIO Stale Data bug (bsc#1199650 CVE-2022-21166 CVE-2022-21127 CVE-2022-21123 CVE-2022-21125 CVE-2022-21180).
- commit bbc94eb
- i40e: Fix MAC address setting for a VF via Host/VM (git-fixes).
- commit fb03aa3
- i40e: always propagate error value in i40e_set_vsi_promisc()
(git-fixes).
- commit 2566276
- i40e: fix return of uninitialized aq_ret in i40e_set_vsi_promisc
(git-fixes).
- commit d2d5567
- i40e: Remove scheduling while atomic possibility (git-fixes).
- commit 3b40ec0
- i40e: Fix the conditional for i40e_vc_validate_vqs_bitmaps
(git-fixes).
- commit 95721a6
- i40e: Fix virtchnl_queue_select bitmap validation (git-fixes).
- commit 93094b6
- i40e: Refactoring VF MAC filters counting to make more reliable
(git-fixes).
- commit 02ed711
- iavf: Fix incorrect adapter get in iavf_resume (git-fixes).
- commit 1d0e0bf
- perf: Fix sys_perf_event_open() race against self
(CVE-2022-1729, bsc#1199507).
- commit fc77f1c
- vxlan: fix memleak of fdb (git-fixes).
- commit 385caa2
- ext4: avoid cycles in directory h-tree (bsc#1198577
CVE-2022-1184).
- commit ec51c1b
- ext4: verify dir block before splitting it (bsc#1198577
CVE-2022-1184).
- commit 97bfb10
- USB: serial: qcserial: add support for Sierra Wireless EM7590
(git-fixes).
- commit 9a26d35
- USB: serial: option: add Fibocom MA510 modem (git-fixes).
- commit 1ba0453
- USB: serial: option: add Fibocom L610 modem (git-fixes).
- commit c12b9bf
- USB: serial: pl2303: add device id for HP LM930 Display
(git-fixes).
- commit cb3a9ba
- blacklist.conf: no support for gadget mode in SLE12
- commit f8ace79
- ACPI: property: Release subnode properties with data nodes
(git-fixes).
- commit c063047
- tpm: ibmvtpm: Correct the return value in tpm_ibmvtpm_probe()
(bsc#1065729).
- commit 2da357e
- scsi: fnic: Replace DMA mask of 64 bits with 47 bits
(bsc#1199631).
- commit e59adf4
- powerpc: Enable the DAWR on POWER9 DD2.3 and above (bsc#1055117
ltc#159753).
- powerpc: Remove Power8 DD1 from cputable (bsc#1055117
ltc#159753).
- Refresh patches.suse/powerpc-64s-Remove-POWER9-DD1-support.patch
- commit 28c0fba
- debug: Lock down kgdb (bsc#1199426 CVE-2022-21499).
- commit 1cd17a0
- cgroup/cpuset: Remove cpus_allowed/mems_allowed setup in
cpuset_init_smp() (bsc#1199839).
- commit 9b6eecc
- crypto: rsa-pkcs1pad - fix buffer overread in
pkcs1pad_verify_complete() (bsc#1197601).
- commit b5cd00f
- KVM: PPC: Propagate errors to the guest when failed instead
of ignoring (bsc#1061840 git-fixes).
- commit c8989fb
- Update patch reference for ACPI fix (CVE-2017-13695 bsc#1055710)
- commit e74f546
- KVM: PPC: Fix TCE handling for VFIO (bsc#1061840 git-fixes).
- commit f0e0eab
- floppy: use a statically allocated error counter (bsc#1199063
CVE-2022-1652).
- commit 7173277
- Export new inet_ehash_nolisten3 symbol (bsc#1199671)
Update:
patches.kabi/tcp-fix-race-condition-when-creating-child-sockets-from-syncookies-kABI-fix.patch
- commit 92e37e7
- media: netup_unidvb: Don't leak SPI master in probe error path
(git-fixes).
- commit baae2da
- blacklist.conf: extremely intrusive prerequisites
- commit 331d415
- media: vim2m: Remove surplus name initialization (git-fixes).
- commit ff43341
- netfilter: nf_conntrack_tcp: re-init for syn packets only
(bsc#1199035).
- commit 7f196b5
- netfilter: nf_conntrack_tcp: preserve liberal flag in tcp
options (bsc#1199035).
- commit f94c482
- netfilter: conntrack: re-init state for retransmitted syn-ack
(bsc#1199035).
- commit dd4faf1
- netfilter: conntrack: move synack init code to helper
(bsc#1199035).
- commit a34ad9a
- netfilter: conntrack: connection timeout after re-register
(bsc#1199035).
- commit 84b725c
- blacklist.conf: ("watchdog: iTCO_wdt: Account for rebooting on second timeout")
Delete
patches.suse/watchdog-iTCO_wdt-Account-for-rebooting-on-second-ti.patch.
This change caused a regression on some systems (watchdog firing up
too fast) and ended up being reverted upstream (bsc#1199526).
- commit 001c898
- blacklist.conf: Add 7d613f9f72ec signal: Remove the bogus sigkill_pending in ptrace_stop
- commit 4730b82
- nfc: nfcmrvl: main: reorder destructive operations in
nfcmrvl_nci_unregister_dev to avoid bugs (CVE-2022-1734
bsc#1199605).
- commit d9ccce0
- SUNRPC: Ensure that the gssproxy client can start in a connected
state (git-fixes).
- Refresh
patches.suse/NFSv4.1-Don-t-rebind-to-the-same-source-port-when-re.patch.
- commit e49922d
- Revert "SUNRPC: Ensure gss-proxy connects on setup" (git-fixes).
- Refresh
patches.suse/NFSv4.1-Don-t-rebind-to-the-same-source-port-when-re.patch.
- commit 7a29594
- btrfs: relocation: Only remove reloc rb_trees if reloc control
has been initialized (bsc#1199399).
- commit d95d9f9
- NFS: limit use of ACCESS cache for negative responses
(bsc#1196570).
- commit ef9d19f
- Fix incorrect back-port, fixing 2 build warnings.
- commit 9439daf
- Input: aiptek - properly check endpoint type (git-fixes).
- commit adce64b
- Input: ti_am335x_tsc - fix STEPCONFIG setup for Z2 (git-fixes).
- commit c0c510c
- Input: ti_am335x_tsc - set ADCREFM for X configuration
(git-fixes).
- commit e4c804c
- Input: spaceball - fix parsing of movement data packets
(git-fixes).
- commit 539174a
- Input: appletouch - initialize work before device registration
(git-fixes).
- commit c34cd8b
- Input: elantench - fix misreporting trackpoint coordinates
(git-fixes).
- commit 7997e49
- blacklist.conf: cosmetic, fixes only a warning building kerneldoc
- commit 6049774
- blacklist.conf: cosmetic cleanup not relevant with our compiler
- commit ba2d5e6
- Input: xpad - add support for another USB ID of Nacon GC-100
(git-fixes).
- commit 2ec4daa
- blacklist.conf: ("arm64: patch_text: Fixup last cpu should be master")
- commit be0ce1e
- arm64/mm: avoid fixmap race condition when create pud mapping (git-fixes)
- commit e712368
- arm64: module: remove (NOLOAD) from linker script (git-fixes)
- commit 18f8665
- arm64: clear_page() shouldn't use DC ZVA when DCZID_EL0.DZP == 1 (git-fixes).
- commit 0999b33
- arm64: fix inline asm in load_unaligned_zeropad() (git-fixes)
- commit 04ca715
- arm64: kdump: update ppos when reading elfcorehdr (git-fixes)
- commit 800afa6
- arm64: Add missing ISB after invalidating TLB in __primary_switch (git-fixes)
- commit 39de1e2
- arm64: uprobe: Return EOPNOTSUPP for AARCH32 instruction probing (git-fixes)
- commit ca97ce7
- arm64 module: set plt* section addresses to 0x0 (git-fixes)
- commit 3d5101e
- arm64: Extend workaround for erratum 1024718 to all versions of (git-fixes)
- commit a87c9dd
- arm64: avoid -Woverride-init warning (git-fixes)
- commit 2129334
- arm64: berlin: Select DW_APB_TIMER_OF (git-fixes)
Update arm64 default config too.
- commit 0ecd431
- arm64: futex: Restore oldval initialization to work around buggy (git-fixes)
- commit aff6d26
- USB: quirks: add STRING quirk for VCOM device (git-fixes).
- commit b3561b8
- USB: quirks: add a Realtek card reader (git-fixes).
- commit 00ce130
- usb: cdc-wdm: fix reading stuck on device close (git-fixes).
- commit 89b73ba
- USB: serial: whiteheat: fix heap overflow in
WHITEHEAT_GET_DTR_RTS (git-fixes).
- commit 59b9eb6
- USB: serial: cp210x: add PIDs for Kamstrup USB Meter Reader
(git-fixes).
- commit 17cb6f5
- USB: serial: option: add support for Cinterion MV32-WA/MV32-WB
(git-fixes).
- commit cd550fd
- USB: serial: option: add Telit 0x1057, 0x1058, 0x1075
compositions (git-fixes).
- commit de2ee2e
- xhci: stop polling roothubs after shutdown (git-fixes).
- commit 7a8d134
- bpf: fix panic due to oob in bpf_prog_test_run_skb (bsc#1197219,
CVE-2021-39711).
- commit 51bae76
- scsi: sr: Do not leak information in ioctl (git-fixes).
- scsi: zorro7xx: Fix a resource leak in zorro7xx_remove_one()
(git-fixes).
- scsi: virtio-scsi: Eliminate anonymous module_init & module_exit
(git-fixes).
- drbd: fix an invalid memory access caused by incorrect use of
list iterator (git-fixes).
- drbd: Fix five use after free bugs in get_initial_state
(git-fixes).
- scsi: hisi_sas: Change permission of parameter prot_mask
(git-fixes).
- scsi: pm8001: Fix abort all task initialization (git-fixes).
- scsi: pm8001: Fix NCQ NON DATA command completion handling
(git-fixes).
- scsi: pm8001: Fix NCQ NON DATA command task initialization
(git-fixes).
- scsi: pm8001: Fix le32 values handling in pm80xx_chip_sata_req()
(git-fixes).
- scsi: pm8001: Fix le32 values handling in
pm80xx_chip_ssp_io_req() (git-fixes).
- scsi: pm8001: Fix payload initialization in
pm80xx_encrypt_update() (git-fixes).
- scsi: pm8001: Fix le32 values handling in
pm80xx_set_sas_protocol_timer_config() (git-fixes).
- scsi: pm8001: Fix payload initialization in
pm80xx_set_thermal_config() (git-fixes).
- scsi: pm8001: Fix command initialization in
pm8001_chip_ssp_tm_req() (git-fixes).
- scsi: pm8001: Fix command initialization in
pm80XX_send_read_log() (git-fixes).
- scsi: fnic: Fix a tracing statement (git-fixes).
- scsi: bnx2fc: Make bnx2fc_recv_frame() mp safe (git-fixes).
- commit 7d2dad7
- ptrace: Check PTRACE_O_SUSPEND_SECCOMP permission on
PTRACE_SEIZE (CVE-2022-30594 bsc#1199505 bsc#1198413).
- commit 26d8e0b
- Add patch reference to seccomp fix (CVE-2022-30594 bsc#1199505 bsc#1198413)
Also shorten the patch file name to standard size
- commit 636bc07
- arm64: csum: Fix handling of bad packets (git-fixes)
- commit f574d06
- arm64: ptrace: Override SPSR.SS when single-stepping is enabled (git-fixes)
- commit 2b0b29d
- arm64: kgdb: Fix single-step exception handling oops (git-fixes)
- commit 2bf8d9a
- KVM: arm64: Fix definition of PAGE_HYP_DEVICE (git-fixes)
- commit d7f377c
- arm64: perf: Report the PC value in REGS_ABI_32 mode (git-fixes)
- commit 9b7c58a
- arm64: hw_breakpoint: Don't invoke overflow handler on uaccess (git-fixes)
- commit 1bcd840
- arm64: fix the flush_icache_range arguments in machine_kexec (git-fixes)
- commit 882df6a
- arm64: hugetlb: avoid potential NULL dereference (git-fixes)
- commit 555706d
- arm64: armv8_deprecated: Fix undef_hook mask for thumb setend (git-fixes)
- commit b96856e
- blacklist.conf: ("arm64: bcm2835: Drop select of nonexistent HAVE_ARM_ARCH_TIMER")
- commit c43d835
- blacklist.conf: ("arm64: alternative: fix build with clang integrated assembler")
- commit 54b996b
- arm64: smp: fix crash_smp_send_stop() behaviour (git-fixes)
- commit 1b169cc
- arm64: smp: fix smp_send_stop() behaviour (git-fixes)
- commit b6d82e4
- arm64: ptrace: nofpsimd: Fail FP/SIMD regset operations (git-fixes)
- commit 1cb7bae
- arm64: cpufeature: Set the FP/SIMD compat HWCAP bits properly (git-fixes)
- commit c507980
- arm64: cpufeature: Fix the type of no FP/SIMD capability (git-fixes)
- commit 254dd7d
- arm64: kbuild: remove compressed images on 'make ARCH=arm64 (git-fixes)
- commit 24f9c76
- arm64: uaccess: Ensure PAN is re-enabled after unhandled uaccess (git-fixes)
- commit b66e175
- arm64: hibernate: check pgd table allocation (git-fixes)
- commit d832f17
- blacklist.conf: Add 173ee3962959 of: Add missing exports of node name compare functions
- commit 0dd7ac0
- blacklist.conf: Add 35d2f249ef0 powerpc/64s: Fix copy-paste data exposure into newly created tasks
- commit ed610b6
- blacklist.conf: Add ef0e3b650f8d powerpc/perf: Fix Threshold Event Counter Multiplier width for P10
- commit a1fd7b5
- NFSv4: nfs_atomic_open() can race when looking up a non-regular
file (bsc#1195612 CVE-2022-24448).
- commit dd7b1a9
- media: dib0700: fix undefined behavior in tuner shutdown
(git-fixes).
- commit 161f5d6
- media: dmxdev: fix UAF when dvb_register_device() fails
(git-fixes).
- commit a5f86c7
- media: stk1160: fix control-message timeouts (git-fixes).
- commit a12f4c4
- media: s2255: fix control-message timeouts (git-fixes).
- commit a9c8dfb
- media: pvrusb2: fix control-message timeouts (git-fixes).
- commit 16e2d20
- media: em28xx: fix control-message timeouts.
- commit a04e6eb
- media: cpia2: fix control-message timeouts (git-fixes).
- commit 08eac6f
- media: flexcop-usb: fix control-message timeouts (git-fixes).
- commit 723dad6
- media: redrat3: fix control-message timeouts (git-fixes).
- commit 8ba5db7
- media: mceusb: fix control-message timeouts (git-fixes).
- commit 2cb626b
- media: cx23885: Fix snd_card_free call on null card pointer
(git-fixes).
- commit 00ecca7
- media: mtk-vpu: Fix a resource leak in the error handling path
of 'mtk_vpu_probe()' (git-fixes).
- commit f0a6451
- blacklist.conf: breaks API in a way visible to user space
- commit c6a60a3
- PCI: hv: Do not set PCI_COMMAND_MEMORY to reduce VM boot time (bsc#1199314).
- commit 961a274
- timekeeping: Really make sure wall_to_monotonic isn't (git-fixes)
- commit 09cd25b
- sched/debug: Remove mpol_get/put and task_lock/unlock from (git-fixes)
- commit 604de00
- cputime, cpuacct: Include guest time in user time in (git-fixes)
- commit 50f0114
- sched/core: Add __sched tag for io_schedule() (git-fixes)
- commit 9d87590
- sched/core: Fix comment regarding nr_iowait_cpu() and (git-fixes)
- commit ecffaaa
- Fix kernel-vanilla build issue
Fix:
[ 315s] CC [M] fs/fat/namei_vfat.o
[ 315s] CC kernel/elfcore.o
[ 315s] ../scripts/Makefile.build:302: recipe for target 'kernel/elfcore.o' failed
[ 315s] Cannot find symbol for section 1: .text.
[ 315s] kernel/elfcore.o: failed
[ 315s] make[3]: *** [kernel/elfcore.o] Error 1
due to toolchain updates and the patch missing in the vanilla flavor. So
move it there.
- Fix kernel-vanilla build issue
Fix:
[ 315s] CC [M] fs/fat/namei_vfat.o
[ 315s] CC kernel/elfcore.o
[ 315s] ../scripts/Makefile.build:302: recipe for target 'kernel/elfcore.o' failed
[ 315s] Cannot find symbol for section 1: .text.
[ 315s] kernel/elfcore.o: failed
[ 315s] make[3]: *** [kernel/elfcore.o] Error 1
due to toolchain updates and those two missing in the vanilla flavor. So
move them there.
- commit 23d6a8f
- usb: hub: Fix locking issues with address0_mutex (git-fixes).
- commit 356d15d
- Revert "SUNRPC: attempt AF_LOCAL connect on setup" (git-fixes).
- SUNRPC: Ensure gss-proxy connects on setup (git-fixes).
- NFSv4: Don't invalidate inode attributes on delegation return
(git-fixes).
- commit 68eb601
- Refresh patches.suse/edac-amd64-add-family-ops-for-family-19h-models-00h-0fh.patch.
Fix a mis-backport, see bsc#1199239.
- commit f96a9c6
- veth: Ensure eth header is in skb's linear part (git-fixes).
- commit 6ff2c01
- drivers: net: xgene: Fix regression in CRC stripping
(git-fixes).
- commit 602a1e3
- qed: validate and restrict untrusted VFs vlan promisc mode
(git-fixes).
- commit ad0651e
- qed: display VF trust config (git-fixes).
- commit 9699ef6
- net: bcmgenet: Don't claim WOL when its not available
(git-fixes).
- commit a1f5118
- qed: return status of qed_iov_get_link (git-fixes).
- commit 159f7e9
- net: qlogic: check the return value of dma_alloc_coherent()
in qed_vf_hw_prepare() (git-fixes).
- commit 9c3a46d
- bonding: pair enable_port with slave_arr_updates (git-fixes).
- commit b8799d9
- arm64: kprobes: Recover pstate.D in single-step exception handler (git-fixes)
- commit 08b3135
- arm64: cpufeature: Fix feature comparison for CTR_EL0.{CWG,ERG} (git-fixes)
- commit 0fb13cd
- arm64: compat: Allow single-byte watchpoints on all addresses (git-fixes)
- commit 07a9393
- arm64: entry: SP Alignment Fault doesn't write to FAR_EL1 (git-fixes)
- commit e55d0f7
- blacklist.conf: ("arm64: kaslr: keep modules inside module region when KASAN is enabled")
- commit 1b6c511
- arm64/mm: Inhibit huge-vmap with ptdump (git-fixes).
Refresh patches.suse/arm64-map-FDT-as-RW-for-early_init_dt_scan.patch.
- commit 1547369
- arm64/iommu: handle non-remapped addresses in ->mmap and (git-fixes)
- commit 4d8706c
- crypto: arm64/aes-neonbs - don't access already-freed walk.iv (git-fixes)
- commit fac52ff
- arm64: futex: Avoid copying out uninitialised stack in failed (git-fixes)
- commit 1717208
- arm64: futex: Bound number of LDXR/STXR loops in FUTEX_WAKE_OP (git-fixes)
- commit 684672b
- blacklist.conf: ("arm64: futex: Fix FUTEX_WAKE_OP atomic ops with non-zero result value")
- commit 94505c7
- arm64: Fix size of __early_cpu_boot_status (git-fixes)
- commit 6601dcf
- arm64: compat: Reduce address limit (git-fixes)
- commit 04e4a55
- arm64: Save and restore OSDLR_EL1 across suspend/resume (git-fixes)
- commit 02dab80
- arm64: Clear OSDLR_EL1 on CPU boot (git-fixes)
- commit 67d23fd
- blacklist.conf: ("arm64/mm: fix kernel-doc comments")
- commit b109706
- arm64: futex: Fix FUTEX_WAKE_OP atomic ops with non-zero result value (git-fixes)
- commit 60a1549
- arm64: debug: Ensure debug handlers check triggering exception level (git-fixes)
- commit b48e6fb
- arm64: debug: Don't propagate UNKNOWN FAR into si_code for debug (git-fixes)
- commit aa9cc22
- arm64: Fix HCR.TGE status for NMI contexts (git-fixes)
- commit 931dd8d
- arm64: Relax GIC version check during early boot (git-fixes)
- commit 755c19b
- arm64: dts: marvell: Fix A37xx UART0 register size (git-fixes)
- commit 54c508c
- ixgbevf: add disable link state (bsc#1196426 CVE-2021-33061).
- ixgbe: add improvement for MDD response functionality
(bsc#1196426 CVE-2021-33061).
- ixgbe: add the ability for the PF to disable VF link state
(bsc#1196426 CVE-2021-33061).
- commit 7ca9841
- net: mana: Remove unnecessary check of cqe_type in
mana_process_rx_cqe() (bsc#1195651).
- net: mana: Add handling of CQE_RX_TRUNCATED (bsc#1195651).
- net: mana: Reuse XDP dropped page (bsc#1195651).
- net: mana: Add counter for XDP_TX (bsc#1195651).
- net: mana: Add counter for packet dropped by XDP (bsc#1195651).
- net: mana: Use struct_size() helper in
mana_gd_create_dma_region() (bsc#1195651).
- commit 1c0dbce
- Revert lpfc driver update to 14.2.0.1 (bsc#1198989)
- commit be1f831
- drm/fb-helper: Mark screen buffers in system memory with (bsc#1129770)
- commit 1a3a046
- video: hyperv_fb: Fix validation of screen resolution (bsc#1129770)
- commit b9d0ff6
- video: backlight: Drop maximum brightness override for brightness (bsc#1129770)
- commit 43837e5
- PCI: Do not enable AtomicOps on VFs (bsc#1129770)
- commit c8f8eeb
- ARM: 9110/1: oabi-compat: fix oabi epoll sparse warning (bsc#1129770)
- commit d1ab88b
- fsl/fman: Check for null pointer after calling devm_ioremap
(git-fixes).
- commit a939025
- ppp: ensure minimum packet size in ppp_write() (git-fixes).
- commit df66a4a
- can: gs_usb: fix use of uninitialized variable, detach device
on reception of invalid USB data (git-fixes).
- commit 8660202
- net: ethernet: mtk_eth_soc: fix return values and refactor
MDIO ops (git-fixes).
- commit 0892190
- ieee802154: atusb: fix uninit value in atusb_set_extended_addr
(git-fixes).
- commit 039c504
- i40e: Fix incorrect netdev's real number of RX/TX queues
(git-fixes).
- commit 71ccdfa
- bnx2x: fix napi API usage sequence (bsc#1198217).
- commit 0fdc23e
- powerpc/perf: Fix power9 event alternatives (bsc#1137728,
LTC#178106, git-fixes).
- Revert "ibmvnic: Add ethtool private flag for driver-defined
queue limits" (bsc#1121726 ltc#174633 git-fixes).
- commit e2aedd0
- USB: Fix xhci event ring dequeue pointer ERDP update issue
(git-fixes).
- commit c9dd9d4
- blacklist.conf: Append 'vgacon: Propagate console boot parameters before calling `vc_resize''
- commit 049412f
- blacklist.conf: kABI
- commit 82bdaff
- blacklist.conf: irrelevant in our configs
- commit 56584e8
- blacklist.conf: cleanup, not a fix
- commit d0b397b
- net/x25: Fix null-ptr-deref caused by x25_disconnect
(CVE-2022-1516 bsc#1199012).
- commit 70361a9
- blacklist.conf: Append 'backlight: qcom-wled: Fix off-by-one maximum with default num_strings'
- commit 51cd556
- blacklist.conf: Append 'vt: Fix character height handling with VT_RESIZEX'
- commit f58734a
- video: fbdev: udlfb: properly check endpoint type (bsc#1129770)
- commit 783e7a7
- video: fbdev: omapfb: Add missing of_node_put() in dvic_probe_of (bsc#1129770)
- commit 155ebc4
- video: fbdev: sm712fb: Fix crash in smtcfb_read() (bsc#1129770)
- commit 639ac93
- video: fbdev: atari: Atari 2 bpp (STe) palette bugfix (bsc#1129770)
- commit e434e14
- video: fbdev: fbcvt.c: fix printing in fb_cvt_print_name() (bsc#1129770)
- commit 344bc32
- video: fbdev: atmel_lcdfb: fix an error code in atmel_lcdfb_probe() (bsc#1129770)
- commit 66c9a63
- video: fbdev: smscufx: Fix null-ptr-deref in ufx_usb_probe() (bsc#1129770)
- commit 816cbfa
- parisc/sticon: fix reverse colors (bsc#1129770)
- commit 96cba65
- video: fbdev: chipsfb: use memset_io() instead of memset() (bsc#1129770)
- commit b2ee4b1
- fbmem: don't allow too huge resolutions (bsc#1129770)
- commit 3261ce6
- backlight: pwm_bl: Improve bootloader/kernel device handover (bsc#1129770)
- commit 1e071a0
- Restore kabi after Revert "NFSv4: Handle the special Linux file
open access mode" (git-fixes).
- commit 454c575
- media: em28xx: fix memory leak in em28xx_init_dev (git-fixes).
- commit ae8eb8d
- media: v4l2-ioctl: S_CTRL output the right value (git-fixes).
- commit 1ab34f7
- blacklist.conf: misattributed
- commit 67e9964
- blacklist.conf: irrelevant in our config
- commit b67c63d
- media: dvb-usb: fix ununit-value in az6027_rc_query (git-fixes).
- commit fba8723
- media: stkwebcam: fix memory leak in stk_camera_probe
(git-fixes).
- commit 93825c5
- media: dvb-usb: fix uninit-value in vp702x_read_mac_addr
(git-fixes).
- commit 40501ef
- media: dvb-usb: fix uninit-value in dvb_usb_adapter_dvb_init
(git-fixes).
- commit 451e148
- media: rc-loopback: return number of emitters rather than error
(git-fixes).
- commit cff83f4
- media: uvc: don't do DMA on stack (git-fixes).
- commit c3b7b8e
- media: videobuf2-core: dequeue if start_streaming fails
(git-fixes).
- commit dc1215d
- media: lmedm04: Fix misuse of comma (git-fixes).
- commit fdc42cf
- ovl: fix missing negative dentry check in ovl_rename()
(CVE-2021-20321 bsc#1191647).
- commit 3e23b63
- blacklist.conf: duplicate
- commit cf7be65
- blacklist.conf: cleanup
- commit 41d47c2
- scsi: scsi_dh_alua: Avoid crash during alua_bus_detach()
(bsc#1028340 bsc#1198825).
- commit 058dc1f
- rtl8187: fix control-message timeouts (git-fixes).
- commit 79977ac
- ath6kl: fix division by zero in send path (git-fixes).
- commit 4d7c95f
- ath6kl: fix control-message timeout (git-fixes).
- commit 77388d0
- wcn36xx: add proper DMA memory barriers in rx path (git-fixes).
- commit 4a06a7f
- wcn36xx: Fix HT40 capability for 2Ghz band (git-fixes).
- commit 85a369e
- libertas: Fix possible memory leak in probe and disconnect
(git-fixes).
- commit 3b6017c
- libertas_tf: Fix possible memory leak in probe and disconnect
(git-fixes).
- commit 966339e
- ath10k: fix max antenna gain unit (git-fixes).
- commit b33c09d
- ath9k: Fix potential interrupt storm on queue reset (git-fixes).
- commit d0dc5a4
- mwifiex: Send DELBA requests according to spec (git-fixes).
- commit 1fdac31
- mwifiex: Read a PCI register after writing the TX ring write
pointer (git-fixes).
- commit 3308154
- b43: fix a lower bounds test (git-fixes).
- commit 1a2c981
- b43legacy: fix a lower bounds test (git-fixes).
- commit 12ea1d7
- blacklist.conf: optimization that breaks kABI
- commit 0b8cb68
- USB: usb-storage: Fix use of bitfields for hardware data in
ene_ub6250.c (git-fixes).
- commit 8485f85
- USB: serial: pl2303: add IBM device IDs (git-fixes).
- commit e071cd2
- USB: serial: simple: add Nokia phone driver (git-fixes).
- commit 6cdbd34
- blacklist.conf: optimization
- commit efab6ed
- USB: serial: cp210x: add NCR Retail IO box id (git-fixes).
- commit 8306949
- blacklist.conf: no gadget mode in SLE12
- commit 6d57b76
- usb: ulpi: Call of_node_put correctly (git-fixes).
- commit 98c8547
- USB: core: Fix bug in resuming hub's handling of wakeup requests
(git-fixes).
- commit d42a2ba
- USB: Fix "slab-out-of-bounds Write" bug in
usb_hcd_poll_rh_status (git-fixes).
- commit 7c8f2b6
- usb: typec: tcpm: Wait in SNK_DEBOUNCED until disconnect
(git-fixes).
- commit 6c78568
- usb: ulpi: Move of_node_put to ulpi_dev_release (git-fixes).
- usb: hub: Fix usb enumeration issue due to address0 race
(git-fixes).
- commit 62d7e13
- io-64-nonatomic: add io{read|write}64{_lo_hi|_hi_lo} macros
(git-fixes).
- commit 48bc31d
- mxser: fix xmit_buf leak in activate when LSR == 0xff
(git-fixes).
- PCI: iproc: Fix out-of-bound array accesses (git-fixes).
- PCI: Fix overflow in command-line resource alignment requests
(git-fixes).
- PCI: qcom: Make sure PCIe is reset before init for rev 2.1.0
(git-fixes).
- PCI: iproc: Set affinity mask on MSI interrupts (git-fixes).
- PCI: qcom: Change duplicate PCI reset to phy reset (git-fixes).
- Refresh
patches.suse/PCI-qcom-Add-missing-reset-for-ipq806x.patch.
- PCI: Add device even if driver attach failed (git-fixes).
- PCI/switchtec: Read all 64 bits of part_event_bitmap
(git-fixes).
- commit 9f2996c
- SUNRPC: Handle low memory situations in call_status()
(git-fixes).
- NFSv4: fix open failure with O_ACCMODE flag (git-fixes).
- Revert "NFSv4: Handle the special Linux file open access mode"
(git-fixes).
- NFSD: prevent underflow in nfssvc_decode_writeargs()
(git-fixes).
- fs/nfs: Use fatal_signal_pending instead of signal_pending
(git-fixes).
- commit 2cecf8b
- Refresh
patches.suse/SUNRPC-avoid-race-between-mod_timer-and-del_timer_sy.patch.
Update git-commit now that it has landed.
- commit 4e48858
- Update
patches.suse/drm-ttm-nouveau-don-t-call-tt-destroy-callback-on-al.patch
(bsc#1175232 bsc#1183723 CVE-2021-20292).
- commit 9708de1
- net-sysfs: call dev_hold if kobject_init_and_add success
(CVE-2019-20811 bsc#1172456).
- commit 5de8a61
- Update
patches.suse/net-usb-ax88179_178a-Fix-out-of-bounds-accesses-in-R.patch
(bsc#1196018 CVE-2022-28748).
- commit 25ea790
- random: check for signal_pending() outside of need_resched()
check (git-fixes).
- hwrng: atmel - disable trng on failure path (git-fixes).
- hwrng: cavium - HW_RANDOM_CAVIUM should depend on ARCH_THUNDER
(git-fixes).
- char/mwave: Adjust io port register size (git-fixes).
- random: fix data race on crng_node_pool (git-fixes).
- commit 0ec1c9f
- blacklist.conf: blacklist compile fix for test routines
- commit 0cd9e6f
- blacklist.conf: add one ARCH_NOMADIK entry
- commit f5b6eaf
- Update
patches.suse/floppy-Do-not-copy-a-kernel-pointer-to-user-memory-i.patch
(bsc#1051510 bsc#1084513 CVE-2018-7755).
- commit 371ca37
- drm/vgem: Close use-after-free race in vgem_gem_create (CVE-2022-1419 bsc#1198742)
- commit f3d608f
- drm/vgem: Close use-after-free race in vgem_gem_create (CVE-2022-1419 bsc#1198742)
- commit c2b5f0e
- isdn: cpai: check ctr->cnr to avoid array index out of bound
(bsc#1191958 CVE-2021-43389).
- commit 6296574
- nfc: fix NULL ptr dereference in llcp_sock_getname() after
failed connect (CVE-2021-38208 bsc#1187055).
- commit 54aed86
- Update patch reference for NFC fix (CVE-2021-38208 bsc#1187055)
- commit 01cc4ae
- Update patches.suse/powerpc-pseries-Fix-use-after-free-in-remove_phb_dyn.patch
(bsc#1065729 bsc#1198660 ltc#197803).
- commit e3bcaa0
- af_key: add __GFP_ZERO flag for compose_sadb_supported in
function pfkey_register (CVE-2022-1353 bsc#1198516).
- commit ffb367f
- kABI fix for tcp: fix race condition when creating child
sockets from syncookies (bsc#1197075).
- commit fd09edb
- tcp: Fix potential use-after-free due to double kfree()
(bsc#1197075).
- commit ad52893
- tcp: fix race condition when creating child sockets from
syncookies (bsc#1197075).
- commit 6729a4f
- NFSv4: Fix a regression in nfs_set_open_stateid_locked()
(bsc#1196247).
- kabi fix for NFSv4: Wait for stateid updates after
CLOSE/OPEN_DOWNGRADE (bsc#1196247).
- NFSv4: Wait for stateid updates after CLOSE/OPEN_DOWNGRADE
(bsc#1196247).
Adjust some kabi fixes to match.
- NFSv4.x recover from pre-mature loss of openstateid (bsc#1196247).
- NFSv4: Handle NFS4ERR_OLD_STATEID in CLOSE/OPEN_DOWNGRADE
(bsc#1196247).
- NFSv4: Don't try to CLOSE if the stateid 'other' field has
changed (bsc#1196247).
- commit 639faa6
- net: stmicro: handle clk_prepare() failure during init (git-fixes).
- commit c63cb9b
- net:emac/emac-mac: Fix a use after free in emac_mac_tx_buf_send (git-fixes).
- commit 323e981
- net: davinci_emac: Fix incorrect masking of tx and rx error channel (git-fixes).
- commit 9fa453a
- net/mlx5e: Reduce tc unsupported key print level (git-fixes).
- commit ccf2751
- Update
patches.suse/x86-pm-save-the-msr-validity-status-at-context-setup.patch
(bsc#1198400).
- Update
patches.suse/x86-speculation-restore-speculation-related-msrs-during-s3-resume.patch
(bsc#1198400).
- commit b81f481
- ptrace: Check PTRACE_O_SUSPEND_SECCOMP permission on
PTRACE_SEIZE (bsc#1198413).
- commit 9eb132f
- blacklist.conf: Add 460a79e18842 mm/memcontrol: return 1 from cgroup.memory __setup() handler
- commit f836b54
- Update patch references of drm fixes (CVE-2022-1280 bsc#1197914)
- commit b729b95
- Revert "module, async: async_synchronize_full() on module init
iff async is used" (bsc#1197888).
- commit 23e6efe
- i40e: add correct exception tracing for XDP (git-fixes).
- commit 646c060
- drm/ttm/nouveau: don't call tt destroy callback on alloc failure
(CVE-2021-20292 bsc#1183723).
- commit f1a5fa2
- i40e: optimize for XDP_REDIRECT in xsk path (git-fixes).
- commit eba7817
- blacklist.conf: misattributed in upstream
- commit d24b230
- mac80211: mesh: fix potentially unaligned access (git-fixes).
- commit 49769d6
- blacklist.conf: cleanup, not a fix
- commit 7a11af1
- Revert "USB: serial: ch341: add new Product ID for CH341A"
(git-fixes).
- commit dc3e8da
- blacklist.conf: depends on intrusive updates
- commit 86c3906
- x86/speculation: Restore speculation related MSRs during S3
resume (bsc#1114648).
- commit 46f1ca5
- scsi: libsas: Fix sas_ata_qc_issue() handling of NCQ NON DATA
commands (git-fixes).
- commit d81a725
- x86/sev: Unroll string mmio with CC_ATTR_GUEST_UNROLL_STRING_IO
(git-fixes).
- commit 3893e26
- fuse: handle kABI change in struct fuse_req (bsc#1197343
CVE-2022-1011).
- fuse: fix pipe buffer lifetime for direct_io (bsc#1197343
CVE-2022-1011).
- commit e67cd7e
- x86/pm: Save the MSR validity status at context setup
(bsc#1114648).
- commit 87c5893
- livepatch: Don't block removal of patches that are safe to
unload (bsc#1071995).
- commit 3b32a28
- fix parallelism for rpc tasks (bsc#1197663).
- Make the xprtiod workqueue unbounded (bsc#1197663).
- commit 8b97258
- Refresh
patches.suse/net-sched-use-Qdisc-rcu-API-instead-of-relying-on-rt.patch.
Fix misplaced qdisc_put()
- commit 883b3be
- xen: fix is_xen_pmu() (git-fixes).
- commit bd40deb
- xen/blkfront: fix comment for need_copy (git-fixes).
- commit 0c99cc8
- xen: detect uninitialized xenbus in xenbus_init (git-fixes).
- commit dd22f66
- xen: don't continue xenstore initialization in case of errors
(git-fixes).
- commit 6a9b916
- blacklist.conf: 1dbd11ca75fe ("xen: remove gnttab_query_foreign_access()")
- commit 37fa08f
- IB/qib: Fix memory leak in qib_user_sdma_queue_pkts() (git-fixes)
- commit c239ab7
- RDMA/rxe: Restore setting tot_len in the IPv4 header (git-fixes)
- commit 986a537
- RDMA/rxe: Use the correct size of wqe when processing SRQ (git-fixes)
- commit dacc35c
- RDMA/rxe: Missing unlock on error in get_srq_wqe() (git-fixes)
- commit f3ecb3d
- Update
patches.suse/llc-fix-netdevice-reference-leaks-in-llc_ui_bind.patch
references (add CVE-2022-28356 bsc#1197391).
- commit 658b50e
- net: rtlwifi: properly check for alloc_workqueue() failure
(git-fixes).
- commit 3c2f34d
- blacklist.conf: dependency would break kABI
- commit 0dc5499
- mac80211: fix station rate table updates on assoc (git-fixes).
- commit 7c6c73d
- mt7601u: fix rx buffer refcounting (git-fixes).
- commit f6f3ca9
- cifs: do not skip link targets when an I/O fails (bsc#1194625).
- commit cfcccfb
- arm64: hibernate: Clean the __hyp_text to PoC after resume (git-fixes)
- commit bbc565a
- arm64: hyp-stub: Forbid kprobing of the hyp-stub (git-fixes)
- commit 03dcd08
- arm64: kprobe: Always blacklist the KVM world-switch code (git-fixes)
- commit a917d0c
- arm64: kaslr: ensure randomized quantities are clean also when kaslr (git-fixes)
- commit f170463
- arm64: kaslr: ensure randomized quantities are clean to the PoC (git-fixes)
- commit b039486
- blacklist.conf: ("arm64: defconfig: Re-enable bcm2835-thermal driver")
- commit e6a130b
- arm64: cmpxchg: Use "K" instead of "L" for ll/sc immediate constraint (git-fixes)
- commit 7722c1f
- arm64: relocatable: fix inconsistencies in linker script and options (git-fixes)
- commit 64d186d
- arm64: drop linker script hack to hide __efistub_ symbols (git-fixes)
- commit 310ed92
- arm64: compat: Provide definition for COMPAT_SIGMINSTKSZ (git-fixes)
- commit 2bbad05
- arm64: fix for bad_mode() handler to always result in panic (git-fixes)
- commit 14351ce
- arm64: only advance singlestep for user instruction traps (git-fixes)
- commit cf205ee
- crypto: arm64/aes-ce-cipher - move assembler code to .S file (git-fixes)
- commit 3a20ee6
- qed: Enable automatic recovery on error condition (bsc#1196964).
- commit 2fdc961
- pNFS/flexfiles: fix incorrect size check in decode_nfs_fh()
(git-fixes CVE-2021-4157 bnc#1194013).
- commit 957ab2c
- blacklist.conf: Add c420644c0a8f powerpc: Use mm_context vas_windows
counter to issue CP_ABORT
- commit e9d175b
- libfastjson
-
- update to 0.99.8:
* make build under gcc7 with strict settings (warning==error)
* bugfix: constant key names not properly handled
* fix potentially invalid return value of fjson_object_iter_begin
* fix small potential memory leak in json_tokener
- update to 0.99.7:
* add option for case-insensitive comparisons
* Remove userdata and custom-serialization functions
- update to 0.99.6:
* fixes for platforms other than GNU/Linux
- update to 0.99.5:
* fix floating point representation when fractional part is missing
* m4: fix detection of atomics
* add fjson_object_dump() and fjson_object_write() functions
- libtirpc
-
- fix memory leak in params.r_addr assignment (bsc#1198752)
- add 0001-fix-parms.r_addr-memory-leak.patch
- libxml2
-
- Security fix: [bsc#1069689, CVE-2017-16932]
* parser.c in libxml2 before 2.9.5 does not prevent infinite
recursion in parameter entities.
* Add libxml2-CVE-2017-16932.patch
- Sync and fix changelog entries between libxml2 and
python-libxml2.
- Security fix: [bsc#1199132, CVE-2022-29824]
* Integer overflow leading to out-of-bounds write in buf.c
(xmlBuf*) and tree.c (xmlBuffer*)
* Add libxml2-CVE-2022-29824.patch
* Add libxml2-CVE-2022-23308.patch
* Add libxml2-CVE-2021-3541.patch
- Version update to 2.9.7 release:
* Bug Fixes:
+ xmlcatalog: restore ability to query system catalog easily
+ Fix comparison of nodesets to strings
* Improvements:
+ Add Makefile rules to rebuild HTML man pages
+ Remove generated file python/setup.py from version control
+ Fix mixed decls and code in timsort.h
+ Rework handling of return values in thread tests
+ Fix unused variable warnings in testrecurse
+ Fix -Wimplicit-fallthrough warnings
+ Upgrade timsort.h to latest revision
+ Fix a couple of warnings in dict.c and threads.c
+ Fix unused variable warnings in nanohttp.c
+ Don't include winsock2.h in xmllint.c
+ Use __linux__ macro in generated code
* Portability:
+ Add declaration for DllMain
+ Fix preprocessor conditional in threads.h
+ Fix macro redefinition warning
+ many Windows specific improvements
* Documentation:
+ xmlcatalog: refresh man page wrt. querying system catalog easily
- Includes bug fixes from 2.9.6:
* Fix XPath stack frame logic
* Report undefined XPath variable error message
* Fix regression with librsvg
* Handle more invalid entity values in recovery mode
* Fix structured validation errors
* Fix memory leak in LZMA decompressor
* Set memory limit for LZMA decompression
* Handle illegal entity values in recovery mode
* Fix debug dump of streaming XPath expressions
* Fix memory leak in nanoftp
* Fix memory leaks in SAX1 parser
- Drop libxml2-bug787941.patch
* upstreamed in 3157cf4e53c03bc3da604472c015c63141907db8
- Update package summaries and RPM groups. Trim descriptions for
size on secondary subpackages. Replace install call by a
commonly-used macro.
- Add patch to fix TW integration:
* libxml2-bug787941.patch
- Version update to 2.9.5 release:
* Merged all the previous cve fixes that were patched in
* Few small tweaks
- Remove merged patches:
* libxml2-CVE-2016-4658.patch
* libxml2-CVE-2017-0663.patch
* libxml2-CVE-2017-5969.patch
* libxml2-CVE-2017-9047.patch
* libxml2-CVE-2017-9048.patch
* libxml2-CVE-2017-9049.patch
* libxml2-2.9.4-fix_attribute_decoding.patch
- Added libxml2-CVE-2016-4658.patch: Disallow namespace nodes in
XPointer ranges. Namespace nodes must be copied to avoid
use-after-free errors. But they don't necessarily have a physical
representation in a document, so simply disallow them in XPointer
ranges [bsc#1005544] [CVE-2016-4658]
- Remove obsolete patches libxml2-2.9.1-CVE-2016-3627.patch,
0001-Add-missing-increments-of-recursion-depth-counter-to.patch,
and libxml2-2.9.3-bogus_UTF-8_encoding_error.patch.
- add libxml2-2.9.3-bogus_UTF-8_encoding_error.patch to fix XML
push parser that fails with bogus UTF-8 encoding error when
multi-byte character in large CDATA section is split across
buffer [bnc#962796]
- temporarily reverting libxml2-CVE-2014-0191.patch until there is a fix
that doesn't break other applications
- buildignore python to avoid build cycle
- fix version
- renamed to python-libxml2 to follow python naming expectations
- do not require python but let rpm figure it out
- buildrequire python-xml to fix build
- libyajl
-
- add libyajl-CVE-2022-24795.patch (CVE-2022-24795, bsc#1198405)
- mozilla-nss
-
- Mozilla NSS 3.68.4 (bsc#1200027)
* Initialize pointers passed to NSS_CMSDigestContext_FinishMultiple.
(bmo#1767590)
- openldap2
-
- bsc#1199240 - CVE-2022-29155 - Resolve sql injection in back-sql
* 0225-ITS-9815-slapd-sql-escape-filter-values.patch
- bsc#1198383 - Resolve issue with SASL init
* 0224-ITS-8648-init-SASL-library-in-global-init.patch
- openssl-1_0_0
-
- Added openssl-1_0_0-Fix-file-operations-in-c_rehash.patch
* bsc#1200550
* CVE-2022-2068
* Fixed more shell code injection issues in c_rehash
- Fixed error in openssl-CVE-2022-1292.patch resulting in misnamed
variable.
- Security fix: [bsc#1199166, CVE-2022-1292]
* Added: openssl-CVE-2022-1292.patch
* properly sanitise shell metacharacters in c_rehash script.
- openssl-1_1
-
- Encrypt the sixteen bytes that were unencrypted in some circumstances
on 32-bit x86 platforms.
* [bsc#1201099, CVE-2022-2097]
* added openssl-CVE-2022-2097.patch
- Added openssl-1_1-Fix-file-operations-in-c_rehash.patch
* bsc#1200550
* CVE-2022-2068
* Fixed more shell code injection issues in c_rehash
- Added openssl-update_expired_certificates.patch
* Openssl failed tests because of expired certificates.
* bsc#1185637
* Sourced from https://github.com/openssl/openssl/pull/18446/commits
- Security fix: [bsc#1199166, CVE-2022-1292]
* Added: openssl-CVE-2022-1292.patch
* properly sanitise shell metacharacters in c_rehash script.
- pcre
-
- Added pcre-8.45-bsc1199232-unicode-property-matching.patch
* bsc#1199232
* CVE-2022-1586
* Fixes unicode property matching issue
- psmisc
-
* Add a fallback if the system call name_to_handle_at() is
not supported by the used file system.
- Add patch psmisc-22.21-semaphores.patch
* Replace the synchronizing over pipes of the sub process for the
stat(2) system call with mutex and conditions from pthreads(7)
(bsc#1194172)
- Add patch psmisc-22.21-statx.patch
* Use statx(2) or SYS_statx system call to replace the stat(2)
system call and avoid the sub process at all (bsc#1194172)
- Change patch 0001-Use-mountinfo-to-be-able-to-use-the-mount-identity.patch
- python
-
- Add CVE-2015-20107-mailcap-unsafe-filenames.patch to avoid
CVE-2015-20107 (bsc#1198511, gh#python/cpython#68966), the
command injection in the mailcap module.
- python-base
-
- Add CVE-2015-20107-mailcap-unsafe-filenames.patch to avoid
CVE-2015-20107 (bsc#1198511, gh#python/cpython#68966), the
command injection in the mailcap module.
- python3
-
- Add CVE-2015-20107-mailcap-unsafe-filenames.patch to avoid
CVE-2015-20107 (bsc#1198511, gh#python/cpython#68966), the
command injection in the mailcap module.
- Add bpo-46623-skip-zlib-s390x.patch skipping two failing tests
on s390x.
- drop PYTHONSTARTUP hooks that cause spurious startup errors
(bsc#1070738, bsc#1199441), as the relevant feature (REPL
history) is now built into Python itself.
- python3-base
-
- Add CVE-2015-20107-mailcap-unsafe-filenames.patch to avoid
CVE-2015-20107 (bsc#1198511, gh#python/cpython#68966), the
command injection in the mailcap module.
- Add bpo-46623-skip-zlib-s390x.patch skipping two failing tests
on s390x.
- drop PYTHONSTARTUP hooks that cause spurious startup errors
(bsc#1070738, bsc#1199441), as the relevant feature (REPL
history) is now built into Python itself.
- python36
-
- Add CVE-2015-20107-mailcap-unsafe-filenames.patch to avoid
CVE-2015-20107 (bsc#1198511, gh#python/cpython#68966), the
command injection in the mailcap module.
- Rename support-expat-245.patch to
support-expat-CVE-2022-25236-patched.patch to unify the patch
with other packages.
- Add bpo-46623-skip-zlib-s390x.patch skipping two failing tests
on s390x.
- rsyslog
-
- (CVE-2022-24903) fix potential heap buffer overflow in modules for TCP
syslog reception (bsc#1199061)
* add CVE-2022-24903.patch
- Upgrade to rsyslog 8.2106.0 (bsc#1188039)
* remove obsolete patches:
0001-Fix-race-condition-related-to-libfastjson-when-using.patch
0001-core-action-if-commitTransaction-fails-try-individua.patch
0001-core-bugfix-memory-leak-when-internal-messages-not-p.patch
0001-core-fix-sequence-error-in-msg-object-deserializer.patch
0001-imfile-multiline-timeout-does-not-work-after-rsyslog.patch
0001-imptcp-fix-Segmentation-Fault-when-octet-count-is-to.patch
0001-imudp-bugfix-potential-segfault-in-ratelimiting.patch
0001-omfile-bugfix-file-handle-leak.patch Deleted
0001-omfile-bugfix-race-file-when-async-writing-is-enable.patch
0002-core-action-bugfix-100-CPU-utilization-on-suspension.patch
pmaixforwardedfrom-bugfix-potential-misadressing.patch Deleted
pmcisconames-bugfix-potential-misadressing.patch Deleted
rsyslog-flush-dyn-file.patch Deleted
rsyslog-unit.patch Deleted
* update changelog with changes from newer version
- Upgrade to rsyslog 8.2106.0:
* NOTE: the prime new feature is support for TLS and non-TLS connections
via imtcp in parallel. Furthermore, most TLS parameters can now be overridden
at the input() level. The notable exceptions are certificate files, something
that is due to be implemented as next step.
* 2021-06-14: new global option "parser.supportCompressionExtension"
This permits to turn off rsyslog's single-message compression extension
when it interferes with non-syslog message processing (the parser
subsystem expects syslog messages, not generic text)
closes https://github.com/rsyslog/rsyslog/issues/4598
* 2021-05-12: imtcp: add more override config params to input()
It is now possible to override all module parameters at the input() level. Module
parameters serve as defaults. Existing configs need no modification.
* 2021-05-06: imtcp: add stream driver parameter to input() configuration
This permits to have different inputs use different stream drivers
and stream driver parameters.
closes https://github.com/rsyslog/rsyslog/issues/3727
* 2021-04-29: imtcp: permit to run multiple inputs in parallel
Previously, a single server was used to run all imtcp inputs. This
had a couple of drawbacks. First and foremost, we could not use
different stream drivers in the various inputs. This patch now
provides a baseline to do that, but does still not implement the
capability (in this sense it is a staging patch).
Secondly, we now ensure that each input has at least one exclusive
thread for processing, untangling the performance of multiple
inputs from each other.
see also: https://github.com/rsyslog/rsyslog/issues/3727
* 2021-04-27: tcpsrv bugfix: potential sluggishness and hang on shutdown
tcpsrv is used by multiple other modules (imtcp, imdiag, imgssapi, and,
in theory, also others - even ones we do not know about). However, the
internal synchronization did not properly take multiple tcpsrv users
in consideration.
As such, a single user could hang under some circumstances. This was
caused by improperly awaking all users from a pthread condition wait.
That in turn could lead to some sluggish behaviour and, in rare cases,
a hang at shutdown.
Note: it was highly unlikely to experience real problems with the
officially provided modules.
* 2021-04-22: refactoring of syslog/tcp driver parameter passing
This has now been generalized to a parameter block, which makes it much cleaner and
also easier to add new parameters in the future.
* 2021-04-22: config script: add re_match_i() and re_extract_i() functions
This provides case-insensitive regex functionality.
closes https://github.com/rsyslog/rsyslog/issues/4429
- Upgrade to rsyslog 8.2104.0:
* rainerscript: call getgrnam_r repeatedly to get all group members
(bsc#1178490)
* new contributed module imhiredis
* new built-in function get_property() to access property vars
* mmdblookup: add support for mmdb DB reload on HUP
* script bugfix: empty array in foreach() improperly handled
* imjournal bugfixes (handle leak, empty file)
* new contributed function module fmunflatten
* test bugfix: some tests did not work with newer TLS library versions
* some improvements to project CI
- update remote.conf example file to new 'Address' and 'Port' notation
(bsc#1182653)
- HTTPS URLs used for source
- Upgrade to rsyslog 8.2102.0:
* omfwd: add stats counter for sent bytes
* omfwd: add error reporting configuration option
* action stats counter bugfix: failure count was not properly incremented
* action stats counter bugfix: resume count was not incremented
* omfwd bugfix: segfault or error if port not given
* lookup table bugfix: data race on lookup table reload
* testbench modernization
* testbench: fix invalid sequence of kafka tests runs
* testbench: fix kafkacat issues
* testbench: fix year-dependent clickhouse test
- Upgrade to rsyslog 8.2012.0:
* testbench bugfix: some tests did not work in make distcheck
* immark: rewrite with many improvements
* usability: re-phrase error message to help users better understand cause
* add new system property $now-unixtimestamp
* omfwd: add new rate limit option
* omfwd bug: param "StreamDriver.PermitExpiredCerts" is not "off" by default
- prepare usrmerge (boo#1029961)
- fix location and naming of journald dropin (bsc#1178288)
- remove legacy stuff from specfile
* sysvinit is not supported anymore, so remove all tests
related to systemv in the specfile
- Upgrade to rsyslog 8.2010.0:
* gnutls TLS subsystem bugfix: handshake error handling
* core/msg bugfix: memory leak
* core/msg bugfix: segfault in jsonPathFindNext() when <root> not an object
* openssl TLS subsystem: improvements of error and status messages
* add 'exists()' script function to check if variable exists
* core bugfix: do not create empty JSON objects on non-existent key access
* gnutls subsystem bugfix: potential hang on session closure
* core/network bugfix: obey net.enableDNS=off when querying local hostname
* core bugfix: potential segfault on query of PROGRAMNAME property
* imtcp bugfix: broken connection not necessarily detected
* new module: imhttp - http input
* mmdarwin bugfix: potential zero uuid when reusing existing one
* imdocker bugfix: build issue on some platforms
* omudpspoof bugfix: make compatible with Solaris build
* testbench fix: python 3 incompatibility
* core bugfix: segfault if disk-queue file cannot be created
* cosmetic: fix dummy module name in debug output
* config bugfix: intended warning emitted as error
- Upgrade to rsyslog 8.2008.0
Way too many changes since 8.39.0 to be listed here.
- Added custom unit file rsyslog.service because
systemd service file was removed from upstream project
- Removed obsolete patches:
* 0001-satisfy-gcc-flag-fno-common.patch
* rsyslog-pgsql-pkg-config.patch
* rsyslog-unit.patch
- fix race in async writer (bsc#1179089)
- fix potential misaddressing in pmcisconames (CVE-2019-17042,
bsc#1153459)
- fix potential misaddressing in pmaixforwardedfrom (CVE-2019-17041,
bsc#1153451)
- omfile bugfix: FlushOnTXEnd does not work reliably with dynafiles
(bsc#1084682)
- Use systemd_ordering instead of requiring to make rsyslog useable
in containers.
- Fix the URL for bug reporting, should not point to novell.com
(bsc#1173433)
- Add support for omkafka which is now in Factory, and 15.x repos
- avoid build error with gcc flag -fno-common (bsc#1160414)
* add 0001-satisfy-gcc-flag-fno-common.patch
- removal of SuSEfirewall2 service, since SuSEfirewall2 has been replaced by
firewalld, see [1].
[1]: https://lists.opensuse.org/opensuse-factory/2019-01/msg00490.html
- Add rsyslog-pgsql-pkg-config.patch: use pkgconfig to find the
right libraries/directories for postgresql. According to pgsql
upstream, pg_config must only be used to build pgsql modules.
- Upgrade to rsyslog 8.39.0
* imfile: improve truncation detection
* imjournal: work around journald excessive reloading behavior
* errmsg: remove no longer needed code
* queue bugfix: invalid error message on queue startup
* bugfix imrelp: regression with legacy configuration startup fail
* bugfix imudp: stall of connection and/or potential segfault
* bugfix gcry crypto driver: small memleak
* fix potential misaddressing in encryption subsystem
* ksi subsystem changes
* bugfix core: regex compile error messages could be incorrect
* bugfix core: potential hang on rsyslog termination
* bugfix imkafka: system hang when backgrounded
* bugfix imfile: file change was not reliably detected
* bugfix imrelp: do not fail build if librelp does not have relpSrvSetLstnAddr
* bugfix queue subsystem: DA queue did ignore encryption settings
* bugfix KSI: lmsig-ksils12 module skips signing the last block
* bugfix fmhash: function hash64mod sometimes returned wrong result
* bugfix core/debug: data written to random fd 2 under some debug settings
- rsyslog configuration cleanup by filter rules in separate files (bug#1102720)
* add parsing of additional filter rules in /etc/rsyslog.d/*.frule
* add acpid.frule, firewall.frule, NetworkManager.frule
- Enable ForwardToSyslog for journald to get syslog messages
[bsc#1110456]
- Update to rsyslog 8.38.0:
* imfile: support for endmsg.regex
* omhttp: new contributed module
* imrelp: add support for setting address to bind to (#894)
* ommysql: support mysql unix domain socket
* omusrmsg: do not fall back to max username length of 8
* various bug fixes and minor updates to other modules and core
* various fixes for memory leaks
- remove references to obsolete SYSLOG_REQUIRES_NETWORK
variable (bsc#1101642)
- rsyslog 8.36.0:
* Liblogging-stdlog deprecated
* OpenSSL based TLS driver added in addition to GnuTLS
* GnuTLS TLS driver: support intermediate certificates
* imptcp: add ability to configure socket backlog
* fmhash: new hash function module
* updates and fixes to various modules
* omfwd: add support for bind-to-address for UDP
* mmkubernetes: new module
- updates and fixes to various modules
- rsyslog 8.33.1:
* devcontainer: use some more sensible defaults
* auto-detect if running inside a container (as pid 1)
* config: add include() script object
* template: add option to generate json "container"
* core/template: add format jsonf to constant template entries
* config: add ability to disable config parameter ("config.enable")
* script: permit to use environment variables during configuration
* new global config parameter "shutdown.enable.ctlc"
* config optimizer: detect totally empty "if" statements and optimize them out
* template: constant entry can now also be formatted as json field
* omstdout: support for new-style configuration parameters added
* core: set TZ on startup if not already set
* imjournal bugfix: file handle leak during journal rotation
* lmsig_ksils12 bugfix: dirOwner and dirGroup config was not respected
* script bugfix: replace() function worked incorrectly in some cases
* core bugfix: misaddressing in external command parser
* core bugfix: small memory leak in external command parser
* core bugfix: string not properly terminated when RFC5424 MSGID is used
* bugfix: strndup() compatibility layer func copies too much
- the upstream systemd unit file was changed to no longer write the
rsyslog pid, as it is no longer required for tracking under
systemd (-iNONE). Adjust rsyslog-unit.patch to match.
- Use %license instead of %doc [bsc#1082318]
- fix includes for apparmor profile (bsc#1080238) (bsc#901418)
- rsyslog 8.32.0
* libfastjson 0.99.8 required
* libczmq >= 3.0.2 is now required for omczmq
* libcurl is now needed for rsyslog core
* rsyslogd: add capability to specify that no pid file shall be written
* core improvements and bug fixes
* RainerScript improvements and bug fixes
* build fixes, including gcc7 fixes
drop 0001-imgssapi-fix-compiler-warnings.patch
* various bug fixes in multiple modules
* imudp: fix segfault in ratelimit code (bsc#1149094)
- remove build dependency on libee
- Disable news by default, we don't need to clobber all systems
with this for the very few remaining news servers
- Replace references to /var/adm/fillup-templates with new
%_fillupdir macro (boo#1069468)
- Ensure user "news" exists - bsc#1068678
- rsyslog 8.30.0
* changed behaviour: all variables are now case-insensitive by default
* core: handle (JSON) variables in case-insensitive way
* imjournal: made switching to persistent journal in runtime possible
* mmanon: complete refactor and enhancements
* imfile: add "fileoffset" metadata
* RainerScript: add ltrim and rtrim functions
* core: report module name when suspending action
* core: add ability to limit number of error messages going to stderr
* tcpsrv subsystem: improve clarity of some error messages
* imptcp: include module name in error msg
* imtcp: include module name in error msg
* tls improvement: better error message if certificate file cannot be read
* omfwd: slightly improved error messages during config parsing
* ommysql improvements
* ommysql bugfix: do not duplicate entries on failed transaction
* imtcp bugfix: parameter priorityString was ignored
* template/bugfix: invalid template option conflict detection
* core/actions: fix handling of data-induced errors
* core/action bugfix: no "action suspended" message during retry processing
* core/action: if commitTransaction fails, try individual messages (bsc#1152760)
* core/ratelimit bugfix: race can lead to segfault
* core bugfix: rsyslog aborts if errmsg is generated in early startup
* core bugfix: informational messages were logged with error severity
* core bugfix: --enable-debugless build was broken
* queue bugfix: file write error message was incorrect
* omrelp bugfix: segfault when rebindinterval parameter is used
* omkafka bugfix: invalid load of failedmsg file on startup if disabled
* kafka bugfix: problem on invalid kafka configuration values
* imudp bugfix: UDP oversize message not properly handled
* core bugfix: memory corruption during configuration parsing
* core bugfix: race on worker thread termination during shutdown
* omelasticsearch: avoid ES5 warnings while sending json in bulkmode
* omelasticsearch bugfix: incompatibility with newer ElasticSearch version
* imptcp bugfix: invalid mutex addressing on some platforms
* imptcp bugfix: do not accept missing port in legacy listener definition
- build requirements:
* libfastjson 0.99.7 is now mandatory
* libsystemd-journal >= 234 is now recommended
- packaging:
* add upstream build fix 0001-imgssapi-fix-compiler-warnings.patch
- rsyslog 8.29.0:
* imptcp: add experimental parameter "multiline"
* imptcp: framing-related error messages now also indicate remote peer
* imtcp: framing-related error messages now also indicate remote peer
* imptcp: add session statistics counter
* imtcp: add ability to specify GnuTLS priority string
* impstats: add new resource counter "openfiles"
* pmnormalize: new parser module
* core/queue: provide informational messages on thread startup and shutdown
* omfwd/udp: improve error reporting, deprecate maxerrormessages parameter
* core: add parameters debug.file and debug.whitelist
* core/net.c: improve UDP socket creation error messages
* omfwd/udp: add "udp.sendbuf" parameter
* core: make rsyslog internal message rate-limiter configurable
* omelasticsearch bugfixes and changed ES5 API support
+ avoid 404 during health check
+ avoid ES5 warnings while sending json
+ bugfix for memory leak while writing error file
* imfile bugfix: wildcard detection issue on path wildcards
* omfwd bugfix: always give reason for suspension
* omfwd bugfix: configured compression level was not properly used
* imptcp bugfix: potential socket leak on session shutdown
* omfwd/omudpspoof bugfix: switch udp client sockets to nonblocking mode
* imklog: fix permitnonkernelfacility not working
* impstats bugfix: impstats does not handle HUP
* core bugfix: segfault after configuration errors
* core/queue bugfixes
* lmsig_ksi: removed pre-KSI_LS12 components
Version 8.28.0 [v8-stable] 2017-06-27
* omfwd: add parameter "tcp_frameDelimiter"
* omkafka: large refactor of kafka subsystem
* imfile: improved handling of atomically renamed file (w/ wildcards)
* imfile: add capability to truncate oversize messages or split into multiple
* mmdblookup fixes and extensions
* bugfix: fixed multiple memory leaks
* imptcp: add new parameter "flowControl"
* imrelp: add "maxDataSize" config parameter
* multiple modules: gtls: improve error if certificate file can't be opened
* omsnare: allow different tab escapes
* omelasticsearch: converted to use libfastjson instead of json-c
* imjournal: _PID fallback
* added fallback for _PID property when SYSLOG_PID is not available
* introduced new option "usepid" which sets which property should
rsyslog use, it has 3 states system|syslog|both, default is both
* deprecated "usepidfromsystem" option, still can be used
and override the "usepid"
* it is possible to revert previous default with usepid="syslog"
* multiple modules: add better error messages when regcomp is failing
* omhiredis: fix build warnings
* imfile bugfix: files mv-ed into directory were not handled
* omprog bugfix: execve() incorrectly called
* imfile bugfix: multiline timeout did not work if state file exists
* lmsig_ksi-ls12 bugfix: build problems on some platforms
* core bugfix: invalid object type assertion
* regression fix: local hostname was not always detected properly...
* bugfix: format security issues in zmq3 modules (bsc#1051798)
* bugfix build system: add libksi only to those binaries that need it
* bugfix KSI ls12 components: invalid tree height calculation
* bugfix imfile: fix multiline timeout code (bsc#1133847)
- Drop module-guardtime package
* Upstream libgt died and it does not work with new openssl
Version 8.27.0 [v8-stable] 2017-05-16
- imkafka: add module
- imptcp enhancements:
* optionally emit an error message if incoming messages are truncated
* optionally emit connection tracking message (on connection create and
close)
* add "maxFrameSize" parameter to specify the maximum size permitted
in octet-counted mode
* add parameter "discardTruncatedMsg" to permit truncation of
oversize messages
* improve octet-counted mode detection: if the octet count is larger
than the set frame size (or overly large in general), it is now
assumed that octet-stuffing mode is used. This probably solves a
number of issues seen in real deployments.
- imtcp enhancements:
* add parameter "discardTruncatedMsg" to permit truncation of
oversize messages
* add "maxFrameSize" parameter to specify the maximum size permitted
in octet-counted mode
- imfile bugfix: "file not found error" repeatedly being reported
for configured non-existing file. In polling mode, this message
appeared once in each polling cycle, causing a potentially very large
amount of error messages. Note that they were usually emitted too
infrequently to trigger the error message rate limiter, albeit often
enough to be a major annoyance.
- imfile: in inotify mode, add error message if configured file cannot
be found
- imfile: add parameter "fileNotFoundError" to optionally disable
"file not found" error messages
- core: replaced gethostbyname() with getaddrinfo() call
Gethostbyname() is generally considered obsolete, is not reentrant and
cannot really work with IPv6. Changed the only place in rsyslog where
this call remained.
Thanks to github user jvymazal for the patch
- omkafka: add "origin" field to stats output
See also https://github.com/rsyslog/rsyslog/issues/1508
Thanks to Yury Bushmelev for providing the patch.
- imuxsock: rate-limiting also uses process name
both for the actual limit processing as well as warning messages emitted
see also https://github.com/rsyslog/rsyslog/pull/1520
Thanks to github user jvymazal for the patch
- Added new module: KSI log signing ver. 1.2 (lmsig_ksi_ls12)
- rsyslog base functionality now builds on osx (Mac)
Thanks to github user hdatma for his help in getting this done.
- build now works on solaris again
- imfile: fix cross-platform build issue
see also https://github.com/rsyslog/rsyslog/issues/1494
Thanks to Felix Janda for bug report and solution suggestion.
- bugfix core: segfault when no parser could parse message
- core bugfix: memory leak when internal messages not processed
internally (bsc#1190483)
- VUL-0: CVE-2018-16881: rsyslog: imptcp: integer overflow when Octet-Counted
TCP Framing is enabled (bsc#1123164)
- rsyslog 8.26.0:
* liblognorm 2.0.3 is required for mmnormalize
* enable internal error messages at all times
* core: added logging name of source of rate-limited messages
* omfwd: add support for network namespaces
* imrelp: honor input name if provided when submitting to impstats
* imptcp: add ability to set owner/group/access perms for uds
* mmnormalize: add ability to load a rulebase from action() parameter
* pmrfc3164 improvements
+ permit to ignore leading space in MSG
+ permit to use at-sign in host names
+ permit to require tag to end in colon
* add new global parameter "umask"
* core: make use of -T command line option more secure
* omfile: add error if both file and dynafile are set
* bugfix: build problem on MacOS (not a supported platform)
* regression fix: in 8.25, str2num() returned error on empty string
* bugfix omsnmp: improper handling of new-style configuration parameters
* bugfix: rsyslog identifies itself as "liblogging-stdlog" in internal messages
* bugfix imfile: wrong files were monitored when using multiple imfile inputs
* bugfix: setting net.aclResolveHostname/net.acladdhostnameonfail segfaults
* bugfix: immark emitted error messages with text "imuxsock"
* bugfix tcpflood: build failed if RELP was disabled
* fix gcc6 compiler warnings
* the output module array passing interface has been removed
- use 8.25.0 documentation tarball
- rsyslog 8.25.0:
* imfile: add support for wildcards in directory names
* add new global option "parser.PermitSlashInProgramname"
* mmdblookup: fix build issues, code cleanup
* improved debug output for queue corruption cases
* an error message is now displayed when a directory owner cannot be set
* rainerscript: add new function ipv42num
* rainerscript: add new function num2ipv4
* bugfix: ratelimiter does not work correctly if time is set back
* core: fix potential message loss in old-style transactional interface
* bugfix queue subsystem: queue corrupted if certain msg props are used
* bugfix imjournal: fixed situation when time goes backwards
* bugfix: bFlushOnTxEnd == 0 not honored when writing w/o async writer
* bugfix core: str2num mishandling empty strings
* bugfix rainerscript: set/unset statement do not check variable name validity
* bugfix mmrm1stspace: last character of rawmsg property was doubled
* bugfix imtcp: fix very small (cosmetic) memory leak
* However, the leak breaks memleak checks in the testbench.
* fix segfault in libc (bsc#1156499)
- runc
-
- Update to runc v1.1.3. Upstream changelog is available from
https://github.com/opencontainers/runc/releases/tag/v1.1.3.
(Includes a fix for bsc#1200088.)
* Our seccomp `-ENOSYS` stub now correctly handles multiplexed syscalls on
s390 and s390x. This solves the issue where syscalls the host kernel did not
support would return `-EPERM` despite the existence of the `-ENOSYS` stub
code (this was due to how s390x does syscall multiplexing).
* Retry on dbus disconnect logic in libcontainer/cgroups/systemd now works as
intended; this fix does not affect runc binary itself but is important for
libcontainer users such as Kubernetes.
* Inability to compile with recent clang due to an issue with duplicate
constants in libseccomp-golang.
* When using systemd cgroup driver, skip adding device paths that don't exist,
to stop systemd from emitting warnings about those paths.
* Socket activation was failing when more than 3 sockets were used.
* Various CI fixes.
* Allow bind-mounting /proc/sys/kernel/ns_last_pid inside the container.
* runc static binaries are now linked against libseccomp v2.5.4.
- Remove upstreamed patches:
- bsc1192051-0001-seccomp-enosys-always-return-ENOSYS-for-setup-2-on-s390x.patch
- Backport <https://github.com/opencontainers/runc/pull/3474> to fix issues
with newer syscalls (namely faccessat2) on older kernels on s390(x) caused by
that platform's syscall multiplexing semantics. bsc#1192051 bsc#1199565
+ bsc1192051-0001-seccomp-enosys-always-return-ENOSYS-for-setup-2-on-s390x.patch
- Add ExcludeArch for s390 (not s390x) since we've never supported it.
- Update to runc v1.1.2. Upstream changelog is available from
https://github.com/opencontainers/runc/releases/tag/v1.1.2.
CVE-2022-29162 bsc#1199460
* A bug was found in runc where runc exec --cap executed processes with
non-empty inheritable Linux process capabilities, creating an atypical Linux
environment. For more information, see GHSA-f3fp-gc8g-vw66 and
CVE-2022-29162. bsc#1199460
* `runc spec` no longer sets any inheritable capabilities in the created
example OCI spec (`config.json`) file.
- Update to runc v1.1.1. Upstream changelog is available from
https://github.com/opencontainers/runc/releases/tag/v1.1.1.
* runc run/start can now run a container with read-only /dev in OCI spec,
rather than error out. (#3355)
* runc exec now ensures that --cgroup argument is a sub-cgroup. (#3403)
* libcontainer systemd v2 manager no longer errors out if one of the files
listed in /sys/kernel/cgroup/delegate does not exist in container's
cgroup. (#3387, #3404)
* Loosen OCI spec validation to avoid bogus "Intel RDT is not supported"
error. (#3406)
* libcontainer/cgroups no longer panics in cgroup v1 managers if stat
of /sys/fs/cgroup/unified returns an error other than ENOENT. (#3435)
- Update to runc v1.1.0. Upstream changelog is available from
https://github.com/opencontainers/runc/releases/tag/v1.1.0.
- libcontainer will now refuse to build without the nsenter package being
correctly compiled (specifically this requires CGO to be enabled). This
should avoid folks accidentally creating broken runc binaries (and
incorrectly importing our internal libraries into their projects). (#3331)
- Update to runc v1.1.0~rc1. Upstream changelog is available from
https://github.com/opencontainers/runc/releases/tag/v1.1.0-rc.1.
+ Add support for RDMA cgroup added in Linux 4.11.
* runc exec now produces exit code of 255 when the exec failed.
This may help in distinguishing between runc exec failures
(such as invalid options, non-running container or non-existent
binary etc.) and failures of the command being executed.
+ runc run: new --keep option to skip removal of exited containers' artefacts.
This might be useful to check the state (e.g. of cgroup controllers) after
the container has exited.
+ seccomp: add support for SCMP_ACT_KILL_PROCESS and SCMP_ACT_KILL_THREAD
(the latter is just an alias for SCMP_ACT_KILL).
+ seccomp: add support for SCMP_ACT_NOTIFY (seccomp actions). This allows
users to create sophisticated seccomp filters where syscalls can be
efficiently emulated by privileged processes on the host.
+ checkpoint/restore: add an option (--lsm-mount-context) to set
a different LSM mount context on restore.
+ intelrdt: support ClosID parameter.
+ runc exec --cgroup: an option to specify a (non-top) in-container cgroup
to use for the process being executed.
+ cgroup v1 controllers now support hybrid hierarchy (i.e. when on a cgroup v1
machine a cgroup2 filesystem is mounted to /sys/fs/cgroup/unified, runc
run/exec now adds the container to the appropriate cgroup under it).
+ sysctl: allow slashes in sysctl names, to better match sysctl(8)'s
behaviour.
+ mounts: add support for bind-mounts which are inaccessible after switching
the user namespace. Note that this does not permit the container any
additional access to the host filesystem, it simply allows containers to
have bind-mounts configured for paths the user can access but have
restrictive access control settings for other users.
+ Add support for recursive mount attributes using mount_setattr(2). These
have the same names as the proposed mount(8) options -- just prepend r
to the option name (such as rro).
+ Add runc features subcommand to allow runc users to detect what features
runc has been built with. This includes critical information such as
supported mount flags, hook names, and so on. Note that the output of this
command is subject to change and will not be considered stable until runc
1.2 at the earliest. The runtime-spec specification for this feature is
being developed in opencontainers/runtime-spec#1130.
* system: improve performance of /proc/$pid/stat parsing.
* cgroup2: when /sys/fs/cgroup is configured as a read-write mount, change
the ownership of certain cgroup control files (as per
/sys/kernel/cgroup/delegate) to allow for proper deferral to the container
process.
* runc checkpoint/restore: fixed for containers with an external bind mount
whose destination is a symlink.
* cgroup: improve openat2 handling for cgroup directory handle hardening.
* runc delete -f now succeeds (rather than timing out) on a paused
container.
* runc run/start/exec now refuses a frozen cgroup (paused container in case of
exec). Users can disable this using --ignore-paused.
- Update version data embedded in binary to correctly include the git commit of
the release.
- Drop runc-rpmlintrc because we don't have runc-test anymore.
bsc#1193436
- samba
-
- Revert NIS support removal; (bsc#1199247);
- Add missing samba-client requirement to samba-winbind package;
(bsc#1198255);
- Update to 4.15.7
* Share and server swapped in smbget password prompt; (bso#14831);
* Durable handles won't reconnect if the leased file is written
to; (bso#15022);
* rmdir silently fails if directory contains unreadable files and
hide unreadable is yes; (bso#15023);
* SMB2_CLOSE_FLAGS_FULL_INFORMATION fails to return information
on renamed file handle; (bso#15038);
* vfs_shadow_copy2 breaks "smbd async dosmode" sync fallback;
(bso#14957);
* shadow_copy2 fails listing snapshotted dirs with shadow:fixinodes;
(bso#15035);
* PAM Kerberos authentication incorrectly fails with a clock skew
error; (bso#15046);
* username map - samba erroneously applies unix group memberships
to user account entries; (bso#15041);
* NT_STATUS_ACCESS_DENIED translates into EPERM instead of EACCES
in SMBC_server_internal; (bso#14983);
* Simple bind doesn't work against an RODC (with non-preloaded users);
(bso#13879);
* Crash of winbind on RODC; (bso#14641);
* uncached logon on RODC always fails once; (bso#14865);
* KVNO off by 100000; (bso#14951);
* LDAP simple binds should honour "old password allowed period";
(bso#15001);
* wbinfo -a doesn't work reliably with upn names; (bso#15003);
* Uninitialized litemask in variable in vfs_gpfs module; (bso#15027);
* Regression: create krb5 conf = yes doesn't work with a single KDC;
(bso#15016);
- Add provides to samba-client-libs package to fix upgrades from
previous versions; (bsc#1198663);
- Update to 4.15.6
* Renaming file on DFS root fails with
NT_STATUS_OBJECT_PATH_NOT_FOUND; (bso#14169);
* Samba does not respond with STATUS_INVALID_PARAMETER when opening 2
objects with same lease key; (bso#14737);
* NT error code is not set when overwriting a file during rename
in libsmbclient; (bso#14938);
* Fix ldap simple bind with TLS auditing; (bso#14996);
* net ads info shows LDAP Server: 0.0.0.0 depending on contacted
server; (bso#14674);
* Problem when winbind renews Kerberos; (bso#14979);
(bsc#1196224);
* pam_winbind will not allow gdm login if password about to
expire; (bso#8691);
* virusfilter_vfs_openat: Not scanned: Directory or special file;
(bso#14971);
* DFS fix for AIX broken; (bso#13631);
* Solaris and AIX acl modules: wrong function arguments;
(bso#14974);
* Function aixacl_sys_acl_get_file not declared / coredump;
(bso#7239);
* Regression: Samba 4.15.2 on macOS segfaults intermittently
during strcpy in tdbsam_getsampwnam; (bso#14900);
* Fix a use-after-free in SMB1 server; (bso#14989);
* smb2_signing_decrypt_pdu() may not decrypt with
gnutls_aead_cipher_decrypt() from gnutls before 3.5.2;
(bso#14968);
* Changing the machine password against an RODC likely destroys
the domain join; (bso#14984);
* authsam_make_user_info_dc() steals memory from its struct
ldb_message *msg argument; (bso#14993);
* Use Heimdal 8.0 (pre) rather than an earlier snapshot;
(bso#14995);
* Samba autorid fails to map AD users if id rangesize fits in the
id range only once; (bso#14967);
- Add missing samba-libs requirement to samba-winbind package;
(bsc#1198255);
- xen
-
- bsc#1199966 - VUL-0: EMBARGOED: CVE-2022-26363,CVE-2022-26364: xen:
Insufficient care with non-coherent mappings
fix xsa402-5.patch
- bsc#1199965 - VUL-0: CVE-2022-26362: xen: Race condition in
typeref acquisition (XSA-401)
xsa401-1.patch
xsa401-2.patch
- bsc#1199966 - VUL-0: CVE-2022-26363,CVE-2022-26364: xen:
Insufficient care with non-coherent mappings (XSA-402)
xsa402-0.patch
xsa402-1.patch
xsa402-2.patch
xsa402-3.patch
xsa402-4.patch
xsa402-5.patch
- bsc#1197426 - VUL-0: CVE-2022-26358,CVE-2022-26359,
CVE-2022-26360,CVE-2022-26361: xen: IOMMU: RMRR (VT-d) and unity
map (AMD-Vi) handling issues (XSA-400)
624ebcef-VT-d-dont-needlessly-look-up-DID.patch
624ebd3b-VT-d-avoid-NULL-deref-on-dcmo-error-paths.patch
624ebd74-VT-d-avoid-infinite-recursion-on-dcmo-error-path.patch
- bsc#1197423 - VUL-0: CVE-2022-26356: xen: Racy interactions
between dirty vram tracking and paging log dirty hypercalls
(XSA-397)
xsa397.patch
- bsc#1197425 - VUL-0: CVE-2022-26357: xen: race in VT-d domain ID
cleanup (XSA-399)
xsa399.patch
- bsc#1197426 - VUL-0: CVE-2022-26358,CVE-2022-26359,
CVE-2022-26360,CVE-2022-26361: xen: IOMMU: RMRR (VT-d) and unity
map (AMD-Vi) handling issues (XSA-400)
xsa400-00.patch
xsa400-01.patch
xsa400-02.patch
xsa400-03.patch
xsa400-04.patch
xsa400-05.patch
xsa400-06.patch
xsa400-07.patch
xsa400-08.patch
xsa400-09.patch
xsa400-10.patch
xsa400-11.patch
- Modified patches as required by XSA-400
5cab2a6b-x86-ACPI-also-parse-AMD-tables-early.patch
5d417ab6-AMD-IOMMU-enable-x2APIC-mode.patch
5d80e857-x86-PCI-read-MSI-X-table-entry-count-early.patch
5d8b72e5-AMD-IOMMU-dont-blindly-alloc-intremap-tables.patch
5d8b7393-AMD-IOMMU-restrict-intremap-table-sizes.patch
5d9ee312-AMD-IOMMU-prefill-all-DTEs.patch
- zypper
-
- Return ZYPPER_EXIT_INF_RPM_SCRIPT_FAILED (107) also if %posttrans
script failed. Requires ZYPPER_ON_CODE12_RETURN_107=1 being set
in the environment (bsc#1198139)
- version 1.13.62
- info: Fix SEGV with not installed PTFs (bsc#1196317)
- version 1.13.61