- bind
-
- Security Fix:
* Previously, sending a specially crafted message over the
control channel could cause the packet-parsing code to run out
of available stack memory, causing named to terminate
unexpectedly. This has been fixed.
[bsc#1215472, CVE-2023-3341, bind-CVE-2023-3341.patch]
- shadow
-
- bsc#1214806 (CVE-2023-4641):
Fix potential password leak
- Add shadow-CVE-2023-4641.patch
- cloud-regionsrv-client
-
- Update to version 10.1.3 (bsc#1214801)
+ Add a warning if we detect a Python package cert bundle for certifi
This will help with debugging and point to potential issues when
using SUSE images in AWS, Azure, and GCE
- Update to version 10.1.2 (bsc#1211282)
+ Properly handle IPv6 when checking update server responsiveness. If not
available fall back and use IPv4 information
+ Use systemd_ordered to allow use in a container without pulling systemd
into the container as a requirement
- libxml2
-
- Security update:
* [CVE-2023-39615, bsc#1214768] Crafted xml can cause global
buffer overflow
- Added file libxml2-CVE-2023-39615.patch
- wget
-
- Fixed Host name when CONNECT is used
[bsc#1213898, wget-http-specify-Host-when-CONNECT-is-used.patch]
- python-base
-
- (bsc#1214691, CVE-2022-48566) Add
CVE-2022-48566-compare_digest-more-constant.patch to make
compare_digest more constant-time.
- Allow nis.so for SLE-12.
- (bsc#1214685, CVE-2022-48565) Add
CVE-2022-48565-plistlib-XML-vulns.patch (from
gh#python/cpython#86217) reject XML entity declarations in
plist files.
- Remove BOTH CVE-2023-27043-email-parsing-errors.patch and
Revert-gh105127-left-tests.patch (as per discussion on
bsc#1210638).
- Add CVE-2023-40217-avoid-ssl-pre-close.patch fixing
gh#python/cpython#108310, backport from upstream patch
gh#python/cpython#108315
(bsc#1214692, CVE-2023-40217)
- IT MEANS THAT bsc#1210638 STILL HAS NOT BEEN FIXED!
- Add Revert-gh105127-left-tests.patch (gh#python/cpython!106941)
partially reverting CVE-2023-27043-email-parsing-errors.patch,
because of the regression in gh#python/cpython#106669.
- (bsc#1210638, CVE-2023-27043) Add
CVE-2023-27043-email-parsing-errors.patch, which detects email
address parsing errors and returns empty tuple to indicate the
parsing error (old API).
- gawk
-
- format-tree-positional-arg.patch: Validate index into argument list
(CVE-2023-4156, bsc#1214025)
- libdb-4_8
-
- Fix incomplete license tag. [bsc#1099695]
- python-configobj
-
- Add CVE-2023-26112.patch (bsc#1210070)
- xen
-
- bsc#1215744 - VUL-0: CVE-2023-34323: xen: xenstored: A
transaction conflict can crash C Xenstored (XSA-440)
xsa440.patch
- bsc#1215746 - VUL-0: CVE-2023-34326: xen: x86/AMD: missing IOMMU
TLB flushing (XSA-442)
xsa442.patch
- bsc#1215747 - VUL-0: CVE-2023-34325: xen: Multiple
vulnerabilities in libfsimage disk handling (XSA-443)
5dd32212-libxl-Introduce-libxl__ev_child_kill_deregister.patch
xsa443-01.patch
xsa443-02.patch
xsa443-03.patch
xsa443-04.patch
xsa443-05.patch
xsa443-06.patch
xsa443-07.patch
xsa443-08.patch
xsa443-09.patch
xsa443-10.patch
xsa443-11.patch
- bsc#1215748 - VUL-0: CVE-2023-34327,CVE-2023-34328: xen: x86/AMD:
Debug Mask handling (XSA-444)
xsa444-1.patch
xsa444-2.patch
- bsc#1215474 - VUL-0: CVE-2023-20588: xen: AMD CPU transitional
execution leak via division by zero (XSA-439)
xsa439-01.patch
xsa439-02.patch
xsa439-03.patch
xsa439-04.patch
xsa439-05.patch
xsa439-06.patch
xsa439-07.patch
xsa439-08.patch
xsa439-09.patch
- bsc#1215145 - VUL-0: CVE-2023-34322: xen: top-level shadow
reference dropped too early for 64-bit PV guests (XSA-438)
xsa438.patch
- bsc#1213616 - VUL-0: CVE-2023-20593: xen: x86/AMD: Zenbleed
(XSA-433)
64e5b4ac-x86-AMD-extend-Zenbleed-check.patch
- bsc#1214083 - VUL-0: CVE-2022-40982: xen: x86/Intel: Gather Data
Sampling (XSA-435)
xsa435-0-10.patch
xsa435-0-36.patch
xsa435-2.patch
- bsc#1214082 - VUL-0: CVE-2023-20569: xen: x86/AMD: Speculative
Return Stack Overflow (XSA-434)
xsa434-1.patch
xsa434-2.patch
xsa434-3.patch
- bsc#1214083 - VUL-0: CVE-2022-40982: xen: x86/Intel: Gather Data
Sampling (XSA-435)
xsa435-0-01.patch
xsa435-0-02.patch
xsa435-0-03.patch
xsa435-0-04.patch
xsa435-0-05.patch
xsa435-0-06.patch
xsa435-0-07.patch
xsa435-0-08.patch
xsa435-0-09.patch
xsa435-0-10.patch
xsa435-0-11.patch
xsa435-0-12.patch
xsa435-0-13.patch
xsa435-0-14.patch
xsa435-0-15.patch
xsa435-0-16.patch
xsa435-0-17.patch
xsa435-0-18.patch
xsa435-0-19.patch
xsa435-0-20.patch
xsa435-0-21.patch
xsa435-0-22.patch
xsa435-0-23.patch
xsa435-0-24.patch
xsa435-0-25.patch
xsa435-0-26.patch
xsa435-0-27.patch
xsa435-0-28.patch
xsa435-0-29.patch
xsa435-0-30.patch
xsa435-0-31.patch
xsa435-0-32.patch
xsa435-0-33.patch
xsa435-0-34.patch
xsa435-0-35.patch
xsa435-0-36.patch
xsa435-0-37.patch
xsa435-0-38.patch
xsa435-0-39.patch
xsa435-0-40.patch
xsa435-0-41.patch
xsa435-0-42.patch
xsa435-0-43.patch
xsa435-0-44.patch
xsa435-0-45.patch
xsa435-0-46.patch
xsa435-0-47.patch
xsa435-0-48.patch
xsa435-0-49.patch
xsa435-0-50.patch
xsa435-0-51.patch
xsa435-0-52.patch
xsa435-0-53.patch
xsa435-0-54.patch
xsa435-1.patch
xsa435-2.patch
xsa435-3.patch
- Handle potential off-by-one errors in libxc-sr-xg_sr_bitmap.patch
A bit is an index in bitmap, while bits is the allocated size
of the bitmap.
- bsc#1213616 - VUL-0: CVE-2023-20593: xen: x86/AMD: Zenbleed
(XSA-433)
xsa433.patch
- Updated fix for XSA-417 (bsc#1204489)
64ba268b-xenstore-fix-XSA-417.patch
- openssl-1_0_0
-
- Security fix: (bsc#1213853, CVE-2023-3817)
* Fix excessive time spent checking DH q parameter value
(bsc#1213853, CVE-2023-3817). The function DH_check() performs
various checks on DH parameters. After fixing CVE-2023-3446 it
was discovered that a large q parameter value can also trigger
an overly long computation during some of these checks. A
correct q value, if present, cannot be larger than the modulus
p parameter, thus it is unnecessary to perform these checks if
q is larger than p. If DH_check() is called with such q parameter
value, DH_CHECK_INVALID_Q_VALUE return flag is set and the
computationally intensive checks are skipped.
* Add openssl-1_0-CVE-2023-3817.patch
- containerd
-
- Update to containerd v1.7.7. Upstream release notes:
<https://github.com/containerd/containerd/releases/tag/v1.7.7>
- Add patch to fix build on SLE-12:
+ 0001-BUILD-SLE12-revert-btrfs-depend-on-kernel-UAPI-inste.patch
- Update to containerd v1.7.6 for Docker v24.0.6-ce. Upstream release notes:
<https://github.com/containerd/containerd/releases/tag/v1.7.6> bsc#1215323
- Add `Provides: cri-runtime` to use containerd as container runtime in Factory
Kubernetes packages
- Update to containerd v1.6.21 for Docker v23.0.6-ce. Upstream release notes:
<https://github.com/containerd/containerd/releases/tag/v1.6.21> bsc#1211578
- Require a minimum Go version explicitly rather than using golang(API).
Fixes the change for bsc#1210298.
[ This was only released in SLE. ]
- suse-module-tools
-
- Update to version 12.13: added blacklist entries in modprobe.conf
* blacklist RNDIS modules (bsc#1205767, jsc#PED-5731, CVE-2023-23559)
* blacklist cls_tcindex module (bsc#1210335, CVE-2023-1829)
* blacklist isst_if_mbox_msr (bsc#1187196)
- python
-
- (bsc#1214691, CVE-2022-48566) Add
CVE-2022-48566-compare_digest-more-constant.patch to make
compare_digest more constant-time.
- Allow nis.so for SLE-12.
- (bsc#1214685, CVE-2022-48565) Add
CVE-2022-48565-plistlib-XML-vulns.patch (from
gh#python/cpython#86217) reject XML entity declarations in
plist files.
- Remove BOTH CVE-2023-27043-email-parsing-errors.patch and
Revert-gh105127-left-tests.patch (as per discussion on
bsc#1210638).
- Add CVE-2023-40217-avoid-ssl-pre-close.patch fixing
gh#python/cpython#108310, backport from upstream patch
gh#python/cpython#108315
(bsc#1214692, CVE-2023-40217)
- IT MEANS THAT bsc#1210638 STILL HAS NOT BEEN FIXED!
- Add Revert-gh105127-left-tests.patch (gh#python/cpython!106941)
partially reverting CVE-2023-27043-email-parsing-errors.patch,
because of the regression in gh#python/cpython#106669.
- (bsc#1210638, CVE-2023-27043) Add
CVE-2023-27043-email-parsing-errors.patch, which detects email
address parsing errors and returns empty tuple to indicate the
parsing error (old API).
- python3
-
- (bsc#1214691, CVE-2022-48566) Add
CVE-2022-48566-compare_digest-more-constant.patch to make
compare_digest more constant-time.
- (bsc#1214685, CVE-2022-48565) Add
CVE-2022-48565-plistlib-XML-vulns.patch (from
gh#python/cpython#86217) reject XML entity declarations in
plist files.
- (bsc#1214677, CVE-2022-48564) Add
CVE-2022-48564-DoS-read_ints-plistlib.patch fixing
gh#python/cpython#86269 (backport from 3.6), which prevents DoS
when processing malformed Apple Property List files in binary
format.
- Skip test_plistlib.test_identity test on aarch64.
- (bsc#1210638, CVE-2023-27043) Add
CVE-2023-27043-email-parsing-errors.patch, which detects email
address parsing errors and returns empty tuple to indicate the
parsing error (old API).
- Add 99366-patch.dict-can-decorate-async.patch fixing
gh#python/cpython#98086 (backport from Python 3.10 patch in
gh#python/cpython!99366), fixing bsc#1211158.
- Add stack_overflow_test_endless_recursion.patch to avoid
failing test.
- Add CVE-2007-4559-filter-tarfile_extractall.patch to fix
CVE-2007-4559 (bsc#1203750) by adding the filter for
tarfile.extractall (PEP 706).
CURRENTLY SWITCHED OFF, AS IT IS STILL WIP AND UNDEBUGGED
- Use python3 modules to build the documentation.
- glibc
-
- gai-merge-continue-actions.patch: Simplify allocations and fix merge and
continue actions (CVE-2023-4813, bsc#1215286, BZ #28931)
- s390-nl-current-lc-foo-used.patch: S390: Fix relocation of
_nl_current_LC_CATETORY_used in static build (bsc#1215504, BZ #19860)
- gb18030-2022.patch: add GB18030-2022 charmap (jsc#PED-4908, BZ #30243)
- runc
-
- Update to runc v1.1.9. Upstream changelog is available from
<https://github.com/opencontainers/runc/releases/tag/v1.1.9>.
- Update to runc v1.1.8. Upstream changelog is available from
<https://github.com/opencontainers/runc/releases/tag/v1.1.8>.
- Update to runc v1.1.7. Upstream changelog is available from
<https://github.com/opencontainers/runc/releases/tag/v1.1.7>.
- Update runc.keyring to upstream version.
- Update to runc v1.1.6. Upstream changelog is available from
<https://github.com/opencontainers/runc/releases/tag/v1.1.6>.
- libX11
-
- U_0001-CVE-2023-43785-out-of-bounds-memory-access-in-_XkbRe.patch
U_0002-CVE-2023-43786-stack-exhaustion-from-infinite-recurs.patch
U_0003-XPutImage-clip-images-to-maximum-height-width-allowe.patch
U_0004-XCreatePixmap-trigger-BadValue-error-for-out-of-rang.patch
U_0005-CVE-2023-43787-Integer-overflow-in-XCreateImage-lead.patch
* CVE-2023-43785 libX11: out-of-bounds memory access in
_XkbReadKeySyms() (boo#1215683)
* CVE-2023-43786 libX11: stack exhaustion from infinite recursion
in PutSubImage() (boo#1215684)
* CVE-2023-43787 libX11: integer overflow in XCreateImage()
leading to a heap overflow (boo#1215685)
- _product:SLES-release
-
n/a
- nghttp2
-
- security update
- added patches
fix CVE-2023-44487 [bsc#1216123], HTTP/2 Rapid Reset Attack
+ nghttp2-CVE-2023-44487.patch
- Fixes memory leak that happens when PUSH_PROMISE or HEADERS frame cannot be
sent, and nghttp2_on_stream_close_callback fails with a fatal error.
[CVE-2023-35945 bsc#1215713]
+ nghttp2-CVE-2023-35945.patch
- util-linux
-
- Add upstream patch util-linux-bash-completion-shell-character-escape-CVE-2018-7738.patch
Fix shell code injection in umount bash-completions (bsc#1213865, CVE-2018-7738)
- util-linux-fix-tests-when-at-symbol-in-path.patch:
Add patch to util-linux-systemd and python3-libmount, as it was
previously only included in util-linux.
- ca-certificates-mozilla
-
- Updated to 2.62 state of Mozilla SSL root CAs (bsc#1214248)
Added:
- Atos TrustedRoot Root CA ECC G2 2020
- Atos TrustedRoot Root CA ECC TLS 2021
- Atos TrustedRoot Root CA RSA G2 2020
- Atos TrustedRoot Root CA RSA TLS 2021
- BJCA Global Root CA1
- BJCA Global Root CA2
- LAWtrust Root CA2 (4096)
- Sectigo Public Email Protection Root E46
- Sectigo Public Email Protection Root R46
- Sectigo Public Server Authentication Root E46
- Sectigo Public Server Authentication Root R46
- SSL.com Client ECC Root CA 2022
- SSL.com Client RSA Root CA 2022
- SSL.com TLS ECC Root CA 2022
- SSL.com TLS RSA Root CA 2022
Removed CAs:
- Chambers of Commerce Root
- E-Tugra Certification Authority
- E-Tugra Global Root CA ECC v3
- E-Tugra Global Root CA RSA v3
- Hongkong Post Root CA 1
- procps
-
- Update legacy pmap to know about new ProtectionKey in smaps
- Add patch CVE-2023-4016.patch
* CVE-2023-4016: ps buffer overflow (bsc#1214290)
- patterns-sles
-
- Require kmod-compat rather than kmod. It's kmod-compat that has the tools
used by the kernel and scripts (bsc#1215533).
- gcc12
-
- Add gcc12-aarch64-bsc1214052.patch to fix -fstack-protector issues
with variable length stack allocations on aarch64.
Fixes CVE-2023-4039. [bsc#1214052]
- supportutils-plugin-suse-public-cloud
-
- Update to version 1.0.8 (bsc#1213951)
+ Capture CSP billing adapter config and log (issue#13)
+ Accept upper case Amazon string in DMI table (issue#12)
- python-urllib3
-
- Add CVE-2023-43804.patch (bsc#1215968, CVE-2023-43804)
gh#urllib3/urllib3#3139
* Added the Cookie header to the list of headers to strip from
requests when redirecting to a different host. As before,
different headers can be set via Retry.remove_headers_on_redirect.
- _product:sle-sdk-release
-
n/a
- curl
-
- Security fixes:
* [bsc#1215888, CVE-2023-38545] SOCKS5 heap buffer overflow
* [bsc#1215889, CVE-2023-38546] Cookie injection with none file
* Add curl-CVE-2023-38545.patch curl-CVE-2023-38546.patch
- Security fix: [bsc#1215026, CVE-2023-38039]
* http: return error when receiving too large header
* Add curl-CVE-2023-38039.patch
- zlib
-
- Fix CVE-2023-45853, integer overflow and resultant heap-based buffer
overflow in zipOpenNewFileInZip4_6, bsc#1216378
* CVE-2023-45853.patch
- cups
-
- cups-1.7.5-CVE-2023-4504.patch fixes CVE-2023-4504
"CUPS PostScript Parsing Heap Overflow"
https://github.com/OpenPrinting/cups/security/advisories/GHSA-pf5r-86w9-678h
bsc#1215204
- cups-1.7.5-CVE-2023-32360.patch fixes CVE-2023-32360
"Information leak through Cups-Get-Document operation"
by requiring authentication for CUPS-Get-Document in cupsd.conf
https://github.com/OpenPrinting/cups/commit/a0c8b9c9556882f00c68b9727a95a1b6d1452913
https://github.com/OpenPrinting/cups/security/advisories/GHSA-7pv4-hx8c-gr4g
bsc#1214254
- cups-1.7.5-additional_policies.patch is an updated version
of cups-1.7-additional_policies.patch that replaces it
to add the 'allowallforanybody' policy to cupsd.conf
after cups-1.7.5-CVE-2023-32360.patch was applied
- cups-1.7.5-CVE-2023-34241.patch fixes CVE-2023-34241
"use-after-free in cupsdAcceptClient()"
https://github.com/OpenPrinting/cups/security/advisories/GHSA-qjgh-5hcq-5f25
bsc#1212230
- samba
-
- CVE-2023-4091: samba: Client can truncate file with read-only
permissions; (bsc#1215904); (bso#15439).
- vim
-
- Updated to version 9.0 with patch level 1894, fixes the following security problems
* Fixing bsc#1214922 (CVE-2023-4738) - VUL-0: CVE-2023-4738: vim: heap-buffer-overflow in vim_regsub_both
* Fixing bsc#1214924 (CVE-2023-4735) - VUL-0: CVE-2023-4735: vim: OOB Write ops.c
* Fixing bsc#1214925 (CVE-2023-4734) - VUL-0: CVE-2023-4734: vim: segmentation fault in function f_fullcommand
* Fixing bsc#1215004 (CVE-2023-4733) - VUL-0: CVE-2023-4733: vim: use-after-free in function buflist_altfpos
* Fixing bsc#1215006 (CVE-2023-4752) - VUL-0: CVE-2023-4752: vim: Heap Use After Free in function ins_compl_get_exp
* Fixing bsc#1215033 (CVE-2023-4781) - VUL-0: CVE-2023-4781: vim: heap-buffer-overflow in function vim_regsub_both
- drop patches: disable-unreliable-tests.patch
ignore-flaky-test-failure.patch
vim-8.1.0297-dump3.patch
- dropped %check - most of tests didn't work correctly in OBS
and maintenance burden of this was getting too big
- for the complete list of changes see
https://github.com/vim/vim/compare/v9.0.1632...v9.0.1894
- Fixing bsc#1210738 - L3: gvim rendering corruption with all 9.x versions
* Add: vim-8.2.3607-revert-gtk3-code-removal.patch
* This reverts commit 9459b8d461d6f8345bfa3fb9b3b4297a7950b0bc
- Fixing bsc#1211461 - L3: vim "eats" first character from prompt in xterm
* Add: reorder-exit-raw-mode.patch
* Swaps out_str_t_TE() and cursor_on() during exit to prevent missing characters in xterm prompt on exit.
- Use app icon generated from vimlogo.eps in source tarball; add
higher res icons of sizes 128, 256, and 512px as png sources.
Our current icons deviate from upstream flatpaks for example.
- Updated to version 9.0 with patch level 1632
- for the complete list of changes see
https://github.com/vim/vim/compare/v9.0.1572...v9.0.1632
- Updated to version 9.0 with patch level 1572, fixes the following security problems
* Fixing bsc#1210996 (CVE-2023-2426) - VUL-0: CVE-2023-2426: vim: Use of Out-of-range Pointer Offset in GitHub repository vim/vim prior to 9.0.1499.
* Fixing bsc#1211256 (CVE-2023-2609) - VUL-1: CVE-2023-2609: vim: NULL Pointer Dereference prior to 9.0.1531
* Fixing bsc#1211257 (CVE-2023-2610) - VUL-1: CVE-2023-2610: vim: Integer Overflow or Wraparound prior to 9.0.1532
* Fixing bsc#1209042 (CVE-2023-1264) - VUL-0: CVE-2023-1264: vim: NULL Pointer Dereference vim prior to 9.0.1392
* Fixing bsc#1209187 (CVE-2023-1355) - VUL-0: CVE-2023-1355: vim: NULL Pointer Dereference prior to 9.0.1402.
* Fixing bsc#1208828 (CVE-2023-1127) - VUL-1: CVE-2023-1127: vim: divide by zero in scrolldown()
- drop vim-8.0-ttytype-test.patch as it changes test_options.vim which we
remove during %prep anyway. And this breaks quilt setup.
- for the complete list of changes see
https://github.com/vim/vim/compare/v9.0.1386...v9.0.1572
- util-linux-systemd
-
- Add upstream patch util-linux-bash-completion-shell-character-escape-CVE-2018-7738.patch
Fix shell code injection in umount bash-completions (bsc#1213865, CVE-2018-7738)
- util-linux-fix-tests-when-at-symbol-in-path.patch:
Add patch to util-linux-systemd and python3-libmount, as it was
previously only included in util-linux.
- grub2
-
- Fix CVE-2023-4692 (bsc#1215935)
- Fix CVE-2023-4693 (bsc#1215936)
* 0001-fs-ntfs-Fix-an-OOB-write-when-parsing-the-ATTRIBUTE_.patch
* 0002-fs-ntfs-Fix-an-OOB-read-when-reading-data-from-the-r.patch
* 0003-fs-ntfs-Fix-an-OOB-read-when-parsing-directory-entri.patch
* 0004-fs-ntfs-Fix-an-OOB-read-when-parsing-bitmaps-for-ind.patch
* 0005-fs-ntfs-Fix-an-OOB-read-when-parsing-a-volume-label.patch
* 0006-fs-ntfs-Make-code-more-readable.patch
- Bump upstream SBAT generation to 4
- grub2-once: Fix 'sh: terminal_output: command not found' error (bsc#1204563)
(bsc#1215382)
- docker
-
- Add a patch to fix apparmor on SLE-12, reverting the upstream removal of
version-specific templating for the default apparmor profile. bsc#1213500
+ 0005-SLE12-revert-apparmor-remove-version-conditionals-fr.patch
- Rebase patches:
* 0001-SECRETS-daemon-allow-directory-creation-in-run-secre.patch
* 0002-SECRETS-SUSE-implement-SUSE-container-secrets.patch
* 0003-BUILD-SLE12-revert-graphdriver-btrfs-use-kernel-UAPI.patch
* 0004-bsc1073877-apparmor-clobber-docker-default-profile-o.patch
- Update to Docker 24.0.6-ce. See upstream changelog online at
<https://docs.docker.com/engine/release-notes/24.0/#2406>. bsc#1215323
- Rebase patches:
* 0001-SECRETS-daemon-allow-directory-creation-in-run-secre.patch
* 0002-SECRETS-SUSE-implement-SUSE-container-secrets.patch
* 0003-BUILD-SLE12-revert-graphdriver-btrfs-use-kernel-UAPI.patch
* 0004-bsc1073877-apparmor-clobber-docker-default-profile-o.patch
* cli-0001-docs-include-required-tools-in-source-tree.patch
- Switch from disabledrun to manualrun in _service.
- Add a docker.socket unit file, but with socket activation effectively
disabled to ensure that Docker will always run even if you start the socket
individually. Users should probably just ignore this unit file. bsc#1210141
- Update to Docker 24.0.5-ce. See upstream changelog online at
<https://docs.docker.com/engine/release-notes/24.0/#2405>. bsc#1213229
- Update to Docker 24.0.4-ce. See upstream changelog online at
<https://docs.docker.com/engine/release-notes/24.0/#2404>. bsc#1213500
- Update to Docker 24.0.3-ce. See upstream changelog online at
<https://docs.docker.com/engine/release-notes/24.0/#2403>. bsc#1213120
- Rebase patches:
* cli-0001-docs-include-required-tools-in-source-tree.patch
- Recommend docker-rootless-extras instead of Require(ing) it, given
it's an additional functionality and not inherently required for
docker to function.
- Add docker-rootless-extras subpackage
(https://docs.docker.com/engine/security/rootless)
- Update to Docker 24.0.2-ce. See upstream changelog online at
<https://docs.docker.com/engine/release-notes/24.0/#2402>. bsc#1212368
* Includes the upstreamed fix for the mount table pollution issue.
bsc#1210797
- Add Recommends for docker-buildx, and add /usr/lib/docker/cli-plugins as
being provided by this package.
- Rebase patches:
* 0001-SECRETS-daemon-allow-directory-creation-in-run-secre.patch
* 0002-SECRETS-SUSE-implement-SUSE-container-secrets.patch
* 0003-BUILD-SLE12-revert-graphdriver-btrfs-use-kernel-UAPI.patch
* 0004-bsc1073877-apparmor-clobber-docker-default-profile-o.patch
* cli-0001-docs-include-required-tools-in-source-tree.patch
- Update to Docker 23.0.6-ce. See upstream changelog online at
<https://docs.docker.com/engine/release-notes/23.0/#2306>. bsc#1211578
- Rebase patches:
* cli-0001-docs-include-required-tools-in-source-tree.patch
- Re-unify packaging for SLE-12 and SLE-15.
- Add patch to fix build on SLE-12 by switching back to libbtrfs-devel headers
(the uapi headers in SLE-12 are too old).
+ 0003-BUILD-SLE12-revert-graphdriver-btrfs-use-kernel-UAPI.patch
- Re-numbered patches:
- 0003-bsc1073877-apparmor-clobber-docker-default-profile-o.patch
+ 0004-bsc1073877-apparmor-clobber-docker-default-profile-o.patch
- Update to Docker 23.0.5-ce. See upstream changelog online at
<https://docs.docker.com/engine/release-notes/23.0/#2305>.
- Rebase patches:
* cli-0001-docs-include-required-tools-in-source-tree.patch
- Update to Docker 23.0.4-ce. See upstream changelog online at
<https://docs.docker.com/engine/release-notes/23.0/#2304>. bsc#1208074
- Fixes:
* bsc#1214107 - CVE-2023-28840
* bsc#1214108 - CVE-2023-28841
* bsc#1214109 - CVE-2023-28842
- Rebase patches:
* 0001-SECRETS-daemon-allow-directory-creation-in-run-secre.patch
* 0002-SECRETS-SUSE-implement-SUSE-container-secrets.patch
* 0003-bsc1073877-apparmor-clobber-docker-default-profile-o.patch
- Renumbered patches:
- 0004-bsc1073877-apparmor-clobber-docker-default-profile-o.patch
- Remove upstreamed patches:
- 0005-bsc1183855-btrfs-Do-not-disable-quota-on-cleanup.patch
- 0006-bsc1193930-vendor-update-golang.org-x-crypto.patch
- 0007-bsc1200022-fifo.Close-prevent-possible-panic-if-fifo.patch
- Backport <https://github.com/docker/cli/pull/4228> to allow man pages to be
built without internet access in OBS.
+ cli-0001-docs-include-required-tools-in-source-tree.patch
- openssl-1_1
-
- Security fix: (bsc#1213853, CVE-2023-3817)
* Fix excessive time spent checking DH q parameter value
(bsc#1213853, CVE-2023-3817). The function DH_check() performs
various checks on DH parameters. After fixing CVE-2023-3446 it
was discovered that a large q parameter value can also trigger
an overly long computation during some of these checks. A
correct q value, if present, cannot be larger than the modulus
p parameter, thus it is unnecessary to perform these checks if
q is larger than p. If DH_check() is called with such q parameter
value, DH_CHECK_INVALID_Q_VALUE return flag is set and the
computationally intensive checks are skipped.
* Add openssl-1_1-CVE-2023-3817.patch
- binutils
-
- Update to version 2.41 [PED-5778]:
* The MIPS port now supports the Sony Interactive Entertainment Allegrex
processor, used with the PlayStation Portable, which implements the MIPS
II ISA along with a single-precision FPU and a few implementation-specific
integer instructions.
* Objdump's --private option can now be used on PE format files to display the
fields in the file header and section headers.
* New versioned release of libsframe: libsframe.so.1. This release introduces
versioned symbols with version node name LIBSFRAME_1.0. This release also
updates the ABI in an incompatible way: this includes removal of
sframe_get_funcdesc_with_addr API, change in the behavior of
sframe_fre_get_ra_offset and sframe_fre_get_fp_offset APIs.
* SFrame Version 2 is now the default (and only) format version supported by
gas, ld, readelf and objdump.
* Add command-line option, --strip-section-headers, to objcopy and strip to
remove ELF section header from ELF file.
* The RISC-V port now supports the following new standard extensions:
- Zicond (conditional zero instructions)
- Zfa (additional floating-point instructions)
- Zvbb, Zvbc, Zvkg, Zvkned, Zvknh[ab], Zvksed, Zvksh, Zvkn, Zvknc, Zvkng,
Zvks, Zvksc, Zvkg, Zvkt (vector crypto instructions)
* The RISC-V port now supports the following vendor-defined extensions:
- XVentanaCondOps
* Add support for Intel FRED, LKGS and AMX-COMPLEX instructions.
* A new .insn directive is recognized by x86 gas.
* Add SME2 support to the AArch64 port.
* The linker now accepts a command line option of --remap-inputs
<PATTERN>=<FILE> to replace any input file that matches <PATTERN> with
<FILE>. In addition the option --remap-inputs-file=<FILE> can be used to
specify a file containing any number of these remapping directives.
* The linker command line option --print-map-locals can be used to include
local symbols in a linker map. (ELF targets only).
* For most ELF based targets, if the --enable-linker-version option is used
then the version of the linker will be inserted as a string into the .comment
section.
* The linker script syntax has a new command for output sections: ASCIZ "string"
This will insert a zero-terminated string at the current location.
* Add command-line option, -z nosectionheader, to omit ELF section
header.
- Removed obsolete patches: binutils-2.40-branch.diff.gz,
riscv-dynamic-tls-reloc-pie.patch, riscv-pr22263-1.patch,
extensa-gcc-4_3-fix.diff .
- Add binutils-2.41-branch.diff.gz .
- Add binutils-old-makeinfo.diff for SLE-12 and older.
- Rebased aarch64-common-pagesize.patch and binutils-revert-rela.diff .
- Contains fixes for these non-CVEs (not security bugs per upstream's
SECURITY.md):
* bsc#1209642 aka CVE-2023-1579 aka PR29988
* bsc#1210297 aka CVE-2023-1972 aka PR30285
* bsc#1210733 aka CVE-2023-2222 aka PR29936
* bsc#1213458 aka CVE-2021-32256 aka PR105039 (gcc)
* bsc#1214565 aka CVE-2020-19726 aka PR26240
* bsc#1214567 aka CVE-2022-35206 aka PR29290
* bsc#1214579 aka CVE-2022-35205 aka PR29289
* bsc#1214580 aka CVE-2022-44840 aka PR29732
* bsc#1214604 aka CVE-2022-45703 aka PR29799
* bsc#1214611 aka CVE-2022-48065 aka PR29925
* bsc#1214619 aka CVE-2022-48064 aka PR29922
* bsc#1214620 aka CVE-2022-48063 aka PR29924
* bsc#1214623 aka CVE-2022-47696 aka PR29677
* bsc#1214624 aka CVE-2022-47695 aka PR29846
* bsc#1214625 aka CVE-2022-47673 aka PR29876
- Add binutils-disable-dt-relr.sh for a compatibility problem
caused by binutils-revert-rela.diff in SLE codestreams.
Needed for update of glibc as that would otherwise pick up
the broken relative relocs support. [bsc#1213282, PED-1435]
- This existed only for a very short while in SLE-15, as the main
variant in devel:gcc subsumed this in binutils-revert-rela.diff.
Hence:
- Remove binutils-disable-dt-relr.sh as subsumed.
- riscv-dynamic-tls-reloc-pie.patch: Backport for PR ld/22263 and PR
ld/25694
- riscv-pr22263-1.patch: Backport for PR ld/22263
- Rebase branch patch (includes fix for PR30281).
- Document fixed CVEs:
* bnc#1208037 aka CVE-2023-25588 aka PR29677
* bnc#1208038 aka CVE-2023-25587 aka PR29846
* bnc#1208040 aka CVE-2023-25585 aka PR29892
* bnc#1208409 aka CVE-2023-0687 aka PR29444
- Enable bpf-none cross target and add bpf-none to the multitarget
set of supported targets.
- Disable packed-relative-relocs for old codestreams. They generate
buggy relocations when binutils-revert-rela.diff is active.
[bsc#1206556]
- Disable ZSTD debug section compress by default.
- Enable zstd compression algorithm (instead of zlib)
for debug info sections by default.
- Pack libgprofng only for supported platforms.
- Remove upstreamed patch binutils-maxpagesize.diff.
- Rebase binutils-2.40-branch.diff.gz as it includes fix for PR30043.
- Move libgprofng-related libraries to the proper locations (packages).
- Add --without=bootstrap for skipping of bootstrap (faster testing
of the package).
- Remove broken arm32-avoid-copyreloc.patch to fix [gcc#108515]
- Update to version 2.40:
* Objdump has a new command line option --show-all-symbols which will make it
display all symbols that match a given address when disassembling. (Normally
only the first symbol that matches an address is shown).
* Add --enable-colored-disassembly configure time option to enable colored
disassembly output by default, if the output device is a terminal. Note,
this configure option is disabled by default.
* DCO signed contributions are now accepted.
* objcopy --decompress-debug-sections now supports zstd compressed debug
sections. The new option --compress-debug-sections=zstd compresses debug
sections with zstd.
* addr2line and objdump --dwarf now support zstd compressed debug sections.
* The dlltool program now accepts --deterministic-libraries and
--non-deterministic-libraries as command line options to control whether or
not it generates deterministic output libraries. If neither of these options
are used the default is whatever was set when the binutils were configured.
* readelf and objdump now have a newly added option --sframe which dumps the
SFrame section.
* Add support for Intel RAO-INT instructions.
* Add support for Intel AVX-NE-CONVERT instructions.
* Add support for Intel MSRLIST instructions.
* Add support for Intel WRMSRNS instructions.
* Add support for Intel CMPccXADD instructions.
* Add support for Intel AVX-VNNI-INT8 instructions.
* Add support for Intel AVX-IFMA instructions.
* Add support for Intel PREFETCHI instructions.
* Add support for Intel AMX-FP16 instructions.
* gas now supports --compress-debug-sections=zstd to compress
debug sections with zstd.
* Add --enable-default-compressed-debug-sections-algorithm={zlib,zstd}
that selects the default compression algorithm
for --enable-compressed-debug-sections.
* Add support for various T-Head extensions (XTheadBa, XTheadBb, XTheadBs,
XTheadCmo, XTheadCondMov, XTheadFMemIdx, XTheadFmv, XTheadInt, XTheadMemIdx,
XTheadMemPair, XTheadMac, and XTheadSync) from version 2.0 of the T-Head
ISA manual, which are implemented in the Allwinner D1.
* Add support for the RISC-V Zawrs extension, version 1.0-rc4.
* Add support for Cortex-X1C for Arm.
* New command line option --gsframe to generate SFrame unwind information
on x86_64 and aarch64 targets.
* The linker has a new command line option to suppress the generation of any
warning or error messages. This can be useful when there is a need to create
a known non-working binary. The option is -w or --no-warnings.
* ld now supports zstd compressed debug sections. The new option
--compress-debug-sections=zstd compresses debug sections with zstd.
* Add --enable-default-compressed-debug-sections-algorithm={zlib,zstd}
that selects the default compression algorithm
for --enable-compressed-debug-sections.
* Remove support for -z bndplt (MPX prefix instructions).
- Rebased patches: add-ulp-section.diff, ld-relro.diff, binutils-revert-plt32-in-branches.diff,
cross-avr-size.patch.
- Removed patch: binutils-pr29482.diff.
- New patch: extensa-gcc-4_3-fix.diff.
- Includes fixes for these CVEs:
* bnc#1206080 aka CVE-2022-4285 aka PR29699
- Enable by default: --enable-colored-disassembly.
- fix build on x86_64_vX platforms
- lvm2
-
- blkdeactivate calls wrong mountpoint cmd (bsc#1214071)
+ bug-1214071-blkdeactivate_calls_wrong_mountpoint.patch
- krb5
-
- Ensure array count consistency in kadm5 RPC; (bsc#1214054);
(CVE-2023-36054);
- Added patches:
* 0127-Ensure-array-count-consistency-in-kadm5-RPC.patch
- python36
-
- Add CVE-2023-40217-avoid-ssl-pre-close.patch fixing
gh#python/cpython#108310, backport from upstream patch
gh#python/cpython#108315
(bsc#1214692, CVE-2023-40217)
- insserv-compat
-
- remove not needed named entry from insserv.conf (bsc#1052837,
bsc#1212955)
- gpg2
-
- Security Fix: [bsc#1088255, CVE-2018-9234]
* Unenforced configuration allows for apparently valid certifications
actually signed by signing subkeys. GnuPG <= 2.2.5 does not enforce
a configuration in which key certification requires an offline master
Certify key, which results in apparently valid certifications that
occurred only with access to a signing subkey.
* Add gnupg-CVE-2018-9234.patch
- apparmor
-
- Explicitly prefer apache2 instead of apache2-tls13; (bsc#1213941)
- Add samba-fix-log-plugin-denied.patch to fix apparmor profile
denied log messages for samba/winbind; (bsc#1208798).
- openslp
-
- add separate source openslp.logrotate.systemd to use systemctl
reload for logrotate configuration [bnc#1206153]
new file: openslp.logrotate.systemd
- parted
-
- fix dm sector size (bsc#1186371)
- add: libparted-dm-sector-size.patch
- kernel-default
-
- ubi: Refuse attaching if mtd's erasesize is 0 (CVE-2023-31085
bsc#1210778).
- commit 0f8804e
- USB: ene_usb6250: Allocate enough memory for full object
(bsc#1216051 CVE-2023-45862).
- commit 6d3e018
- scsi: zfcp: Fix a double put in zfcp_port_enqueue() (git-fixes
bsc#1216514).
- commit 64da298
- s390/pci: fix iommu bitmap allocation (git-fixes bsc#1216513).
- commit 5844864
- sched/fair: Don't balance task to its current running CPU
(git fixes (sched)).
- sched/core: Mitigate race
cpus_share_cache()/update_top_cache_domain() (git fixes
(sched)).
- sched: Reenable interrupts in do_sched_yield() (git fixes
(sched)).
- sched: correct SD_flags returned by tl->sd_flags() (git fixes
(sched)).
- sched: Avoid scale real weight down to zero (git fixes (sched)).
- sched/core: Fix migration to invalid CPU in
__set_cpus_allowed_ptr() (git fixes (sched)).
- sched/rt: Restore rt_runtime after disabling RT_RUNTIME_SHARE
(git fixes (sched)).
- sched/rt: Minimize rq->lock contention in
do_sched_rt_period_timer() (git fixes (sched)).
- commit 913e5fc
- blacklist.conf: Complex dependencies missing, fix only in the event of a customer bug
- commit b83449b
- blacklist.conf: Complex dependencies missing, fix only in the event of a customer bug
- commit 9afb234
- blacklist.conf: Complex dependencies missing, fix only in the event of a customer bug
- commit bb2fa98
- blacklist.conf: Complex dependencies missing, fix only in the event of a customer bug
- commit d6a80de
- blacklist.conf: Complex dependencies missing, fix only in the event of a customer bug
- commit ede2396
- blacklist.conf: KABI hazard, fix only in the event of a customer bug
- commit 8fb5a69
- blacklist.conf: Potentially surprising change in behaviour, fix only in the event of a customer bug
- commit 1100fe5
- blacklist.conf: Potentially surprising change in behaviour, fix only in the event of a customer bug
- commit c026b47
- blacklist.conf: Potentially surprising change in behaviour, fix only in the event of a customer bug
- commit 0f74b6a
- blacklist.conf: Fix only in the event of a customer bug
- commit 17b0259
- blacklist.conf: Mostly cosmetic fix to a build warning
- commit 1af83e7
- blacklist.conf: Fix to experimental feature, fix only in the event of a customer bug
- commit 56273cd
- blacklist.conf: Complex dependencies missing that applies to an extreme corner case, fix only in the event of a customer bug
- commit d67ae17
- blacklist.conf: Complex dependencies missing, fix only in the event of a customer bug
- commit 9b299fd
- blacklist.conf: KABI hazard, fix only in the event of a customer bug
- commit cd58927
- blacklist.conf: Guard against unlikely tuning value, fix only in the event of a customer bug
- commit 166c336
- blacklist.conf: Missing dependencies, fix only in the event of a customer bug
- commit cbebcfe
- blacklist.conf: Sparse warning fix
- commit b199522
- blacklist.conf: Cosmetic, debugging patch for unused config
- commit 22b7a31
- iommu/amd: Set iommu->int_enabled consistently when interrupts
are set up (bsc#1206010).
- commit d889c94
- iommu/amd: Remove useless irq affinity notifier (bsc#1206010).
- Delete patches.kabi/kABI-Fix-kABI-for-struct-amd_iommu.patch.
- commit 2e08e52
- kabi: iommu/amd: Fix IOMMU interrupt generation in X2APIC mode
(bsc#1206010).
- iommu/amd: Fix IOMMU interrupt generation in X2APIC mode
(bsc#1206010).
- commit 422a4d8
- virtio_balloon: fix increment of vb->num_pfns in fill_balloon()
(git-fixes).
- commit 595e0b1
- 9p: virtio: make sure 'offs' is initialized in zc_request
(git-fixes).
- commit 10bf215
- blacklist.conf: add "hwrng: virtio - Fix race on data_avail and actual data"
- commit c5a6489
- virtio_net: Fix error unwinding of XDP initialization
(git-fixes).
- commit 2d8db2e
- vhost-scsi: unbreak any layout for response (git-fixes).
- commit 4eba973
- virtio: Protect vqs list access (git-fixes).
- commit 0445801
- crypto: virtio: Fix use-after-free in
virtio_crypto_skcipher_finalize_req() (git-fixes).
- commit 1c1619c
- vsock/virtio: add transport parameter to the
virtio_transport_reset_no_sock() (git-fixes).
- Refresh
patches.suse/vhost-vsock-accept-only-packets-with-the-right-dst_c.patch.
patches.suse/net-virtio_vsock-Enhance-connection-semantics.patch
- commit b2f8fd4
- virtio_balloon: fix deadlock on OOM (git-fixes).
- commit 55dd88a
- xen-netback: use default TX queue size for vifs (git-fixes).
- commit bcb62a2
- xen/x86: obtain full video frame buffer address for Dom0 also
under EFI (bsc#1215743).
- commit 04d5576
- xen/x86: obtain upper 32 bits of video frame buffer address
for Dom0 (bsc#1215743).
- commit e0fb7ee
- s390/ptrace: fix setting syscall number (git-fixes bsc#1216340).
- commit 46941f7
- usb: typec: altmodes/displayport: fix pin_assignment_show
(git-fixes).
- commit d110fbf
- usb: typec: altmodes/displayport: Fix configure initial pin
assignment (git-fixes).
- commit 849955e
- net: usb: dm9601: fix uninitialized variable use in
dm9601_mdio_read (git-fixes).
- commit f96b2d4
- scripts/CKC: fixed iterating over an array + skip unrecognized options
- 182c5295bfe1 introduced option parsing which unfortunately broke
iterating over the terms since it changed the type of KBC_CHECK_TERMS
from a string (of space separated tokens) to a proper bash array
which requires a different method of iteration.
- With different version of the script flying around it's better to
skip unrecognized options so that they are not mistaken for terms to
search for, one can always force them after '--'.
- commit f0ca120
- scripts/CKC: add -c (--color) and -C (--Color) options
-c turns on colored results unconditionally.
-C turns on colored results if and only if the STDOUT is connected to
the terminal which is useful when piping the output somewhere.
Neither option is the default.
Color mapping:
ok = green
missing = red
partly = yellow
blacklisted = magenta
Example:
./scripts/check-kernel-commit 559089e0a93d -c
- commit 34a9cf5
- xen/events: replace evtchn_rwlock with RCU (bsc#1215745,
xsa-441, cve-2023-34324).
- commit a9545c4
- blacklist.conf: risky backport that doesn't fix any actual bug
- commit 3d04b1a
- s390/vdso: add missing FORCE to build targets (git-fixes
bsc#1216140).
- commit cd866ae
- blacklist.conf: does not really fix any bug
- commit cba9926
- blacklist.conf: changes exported symbol
- commit d468872
- ratelimit: Fix data-races in ___ratelimit() (git-fixes).
- commit 3f2541c
- blacklist.conf: cleanup, not fix
- commit 23ed894
- audit: fix potential double free on error path from
fsnotify_add_inode_mark (git-fixes).
- commit 4086838
- blacklist.conf: irrelevant in our configs
- commit 60908b6
- tools/thermal: Fix possible path truncations (git-fixes).
- commit 012a1c3
- blacklist.conf: build only fix
- commit 9be29dc
- KVM: s390: fix sthyi error handling (git-fixes bsc#1216107).
- commit 1e42611
- blacklist.conf: the codebase changed too much to backport the patch
- commit 79518bf
- netfilter: nfnetlink_osf: avoid OOB read (bsc#1216046
CVE-2023-39189).
- commit 1a88b87
- git_sort: Add ARM KVM repository
- commit 9df3d01
- mm, memcg: reconsider kmem.limit_in_bytes deprecation
(bsc#1208788 bsc#1213705).
- commit 2d13fe0
- memcg: drop kmem.limit_in_bytes (bsc#1208788)
This brings a breaking commit for easier backport, it'll be fixed
differently in a following commit.
- commit f87e772
- blacklist.conf: Add 82b90b6c5b38 cgroup:namespace: Remove unused cgroup_namespaces_init()
- commit 154e29d
- USB: serial: cp210x: add Silicon Labs IFS-USB-DATACABLE IDs
(git-fixes).
- commit 86ad453
- uas: Add US_FL_NO_REPORT_OPCODES for JMicron JMS583Gen 2
(git-fixes).
- commit 5c6ec60
- net: usb: smsc75xx: Fix uninit-value access in
__smsc75xx_read_reg (git-fixes).
- commit aaff955
- ring-buffer: Fix bytes info in per_cpu buffer stats (git-fixes).
- commit 5490bdd
- tracing: Fix race issue between cpu buffer write and swap
(git-fixes).
- commit cd23ed9
- blacklist.conf: Add a not-needed ftrace cleanup
- commit 8f29597
- tracing: Fix memleak due to race between current_tracer and
trace (git-fixes).
- commit 39d6a56
- tracing: Fix cpu buffers unavailable due to 'record_disabled'
missed (git-fixes).
- commit 6f0b300
- scripts/CKC: speedup the script by caching grep patches results
- searching patches seems to be the most expensive operation
- it's done repeatedly for the same arguments (term, branch)
- store results in an associative array and look them up later
$ time ./scripts/check-kernel-commit 1240eb93f0616b21c675416516ff3d74798fdc97
...
Before
real 0m25.595s
user 2m14.772s
sys 0m10.509s
After
real 0m18.022s
user 1m31.260s
sys 0m7.380s
- commit d9efd35
- Update
patches.suse/ipv6-sr-fix-out-of-bounds-read-when-setting-HMAC-dat.patch
(bsc#1211592 CVE-2023-2860).
- commit bb891c5
- scripts/CKC: implement option parsing and -g <pattern> or --grep <pattern>
- option parsing can be easily extended in the future
- "-g <pattern>" skips top-level branches not matching the pattern
examples:
CKC -g 'LTSS$' 544f1d62e3e6
CKC 544f1d62e3e6 -g 5-SP4
CKC -g 'stable|ALP' 544f1d62e3e6
- update help message
- add -h or --help option for consistency
- reading config file remains as it is for backwards compatibility
- commit 182c529
- s390/zcrypt: fix reply buffer calculations for CCA replies
(LTC#203322 bsc#1213950).
- commit 877301e
- s390/zcrypt: change reply buffer size offering (LTC#203322
bsc#1213950).
- commit e230ae5
- scsi: zfcp: Defer fc_rport blocking until after ADISC response
(LTC#203327 bsc#1213977 git-fixes).
- commit 1163975
- s390: add z16 elf platform (LTC#203790 bsc#1215954).
- commit 2f5d3f2
- CKC: Clarify usage
- commit 5ea48e1
- net: xfrm: Fix xfrm_address_filter OOB read (CVE-2023-39194
bsc#1215861).
- commit 30ab691
- netfilter: xt_sctp: validate the flag_info count (CVE-2023-39193
bsc#1215860).
- commit bc6f173
- netfilter: xt_u32: validate user space input (CVE-2023-39192
bsc#1215858).
- commit a35eb65
- ipv4: fix null-deref in ipv4_link_failure (CVE-2023-42754
bsc#1215467).
- commit 3bbdd91
- scripts/git-fixes: treat optional first argument as a base-ref
By default, git-fixes script checks commits for fixes based on the
upstream branch, but this does not work very well for two reasons.
1/ There might not be an upstream branch at all.
2/ It's out of sync with what actually needs to be checked.
- use optional first argument as a base-ref instead of upstream branch
- improve error message in case of missing upstream branch
- delete unused "branch" variable from the script
- show number of commits checked in case of PASS (should raise flags
in case of zero commits or some other strange number)
- commit 9e365d0
- KVM: s390: vsie: fix the length of APCB bitmap (git-fixes
bsc#1215898).
- commit fe1e883
- KVM: s390: vsie: Fix the initialization of the epoch extension
(epdx) field (git-fixes bsc#1215897).
- commit 8cf6ae4
- tcp: Reduce chance of collisions in inet6_hashfn()
(CVE-2023-1206 bsc#1212703).
- commit a16b5ec
- blacklist.conf: workqueue: compiler warning on 32-bit systems with
Clang (bsc#1215877)
- commit cdf35f4
- blacklist.conf: printk: cosmetic problem
- commit ba43537
- tracing: Reverse the order of trace_types_lock and event_mutex
(git-fixes bsc#1215634).
- blacklist.conf: Remove the patch
- commit f4d2e9c
- blk-mq: Rerun dispatching in the case of budget contention
(bsc#1214586).
- commit 8383227
- blk-mq: Add blk_mq_delay_run_hw_queues() API call (bsc#1214586).
- commit 85f0c35
- blk-mq: In blk_mq_dispatch_rq_list() "no budget" is a reason
to kick (bsc#1214586).
- commit c307c4a
- drm/client: Fix memory leak in drm_client_target_cloned (bsc#1152446)
Backporting changes:
* move changes to drm_fb_helper.c
* context changes
- commit 2728def
- drm/client: Send hotplug event after registering a client (bsc#1152446)
Backporting changes:
* send hotplug event from drm_client_add()
* remove drm_dbg_kms()
- commit 6137335
- drm/ast: Fix DRAM init on AST2200 (bsc#1152446)
- commit e2e4c86
- NFS/pNFS: Report EINVAL errors from connect() to the server
(git-fixes).
- nfsd: fix change_info in NFSv4 RENAME replies (git-fixes).
- NFSv4/pnfs: minor fix for cleanup path in nfs4_get_device_info
(git-fixes).
- commit fd7ddac
- blacklist.conf: cleanup, not fix
- commit 4145d1c
- blacklist.conf: kABI
- commit a0aa389
- blacklist.conf: kABI
- commit 8946486
- net/mlx5: Fix size field in bufferx_reg struct (git-fixes).
- commit fb53d8d
- blacklist.conf: cleanup, not a fix
- commit 17d3852
- blacklist.conf: irrelevant architectures
- commit 5686dcf
- net: sched: sch_qfq: Fix UAF in qfq_dequeue() (CVE-2023-4921
bsc#1215275).
- commit f1f032e
- USB: serial: option: add FOXCONN T99W368/T99W373 product
(git-fixes).
- commit 80d3da2
- USB: serial: option: add Quectel EM05G variant (0x030e)
(git-fixes).
- commit a512bd6
- net: usb: qmi_wwan: add Quectel EM05GV2 (git-fixes).
- commit 1b30310
- x86/srso: Fix srso_show_state() side effect (git-fixes).
- commit 0635685
- x86/srso: Fix SBPB enablement for spec_rstack_overflow=off (git-fixes).
- commit 73ce555
- x86/srso: Don't probe microcode in a guest (git-fixes).
- commit 3113dcd
- x86/srso: Set CPUID feature bits independently of bug or mitigation status (git-fixes).
- commit 353140c
- net: tap: NULL pointer derefence in dev_parse_header_protocol
when skb->dev is null (git-fixes).
- commit 58c21c4
- net: accept UFOv6 packages in virtio_net_hdr_to_skb (git-fixes).
- commit faf87ea
- net: ensure mac header is set in virtio_net_hdr_to_skb()
(git-fixes).
- commit 6a7c880
- remoteproc: Add missing '\n' in log messages (git-fixes).
- commit 0453dca
- virtio-net: set queues after driver_ok (git-fixes).
- commit d013d91
- virtio-net: fix race between set queues and probe (git-fixes).
- commit 667d4fc
- virtio_net: suppress cpu stall when free_unused_bufs
(git-fixes).
- commit da2e2b7
- virtio-net: execute xdp_do_flush() before napi_complete_done()
(git-fixes).
- commit 5d3f424
- tools/virtio: fix the vringh test for virtio ring changes
(git-fixes).
- commit 66910c1
- vhost/net: Clear the pending messages when the backend is
removed (git-fixes).
- commit 9b65419
- drm/virtio: Fix GEM handle creation UAF (git-fixes).
- commit 85fb064
- vhost: fix range used in translate_desc() (git-fixes).
- commit a845792
- vhost/vsock: Fix error handling in vhost_vsock_init()
(git-fixes).
- commit d808ad4
- virtio_net: fix memory leak inside XPD_TX with mergeable
(git-fixes).
- commit 0582e50
- virtio-gpu: fix a missing check to avoid NULL dereference
(git-fixes).
- commit f24aded
- virtio-net: fix the race between refill work and close
(git-fixes).
- commit fad1dae
- virtio_mmio: Restore guest page size on resume (git-fixes).
- commit d1884a1
- virtio_mmio: Add missing PM calls to freeze/restore (git-fixes).
- commit 72af40d
- virtio-net: fix race between ndo_open() and
virtio_device_ready() (git-fixes).
- commit 1d4eaa6
- vringh: Fix loop descriptors check in the indirect cases
(git-fixes).
- commit aa0f829
- virtio-rng: make device ready before making request (git-fixes).
- commit 9bd916a
- drm/virtio: fix NULL pointer dereference in
virtio_gpu_conn_get_modes (git-fixes).
- commit ab80da2
- vsock/virtio: enable VQs early on probe (git-fixes).
- commit eedc07b
- virtio: acknowledge all features before access (git-fixes).
- commit 3d0d2a3
- blacklist.conf: add "virtio: unexport virtio_finalize_features"
- commit 0ef3496
- virtio-gpu: fix possible memory allocation failure (git-fixes).
- commit dab0c56
- scsi: qla2xxx: Fix NULL vs IS_ERR() bug for debugfs_create_dir()
(git-fixes).
- scsi: qla2xxx: Use raw_smp_processor_id() instead of
smp_processor_id() (git-fixes).
- commit 42813d6
- virtio_pci: Support surprise removal of virtio pci device
(git-fixes).
- commit 8906f5b
- fuse: nlookup missing decrement in fuse_direntplus_link
(bsc#1215607).
- commit cca74d3
- series: refresh meta data on qla2xxx patches
Refresh:
- patches.suse/Revert-scsi-qla2xxx-Fix-buffer-overrun.patch
- patches.suse/scsi-qla2xxx-Add-logs-for-SFP-temperature-monitoring.patch
- patches.suse/scsi-qla2xxx-Allow-32-byte-CDBs.patch
- patches.suse/scsi-qla2xxx-Error-code-did-not-return-to-upper-laye.patch
- patches.suse/scsi-qla2xxx-Fix-firmware-resource-tracking.patch
- patches.suse/scsi-qla2xxx-Fix-smatch-warn-for-qla_init_iocb_limit.patch
- patches.suse/scsi-qla2xxx-Flush-mailbox-commands-on-chip-reset-6d0b6556.patch
- patches.suse/scsi-qla2xxx-Move-resource-to-allow-code-reuse.patch
- patches.suse/scsi-qla2xxx-Remove-unsupported-ql2xenabledif-option.patch
- patches.suse/scsi-qla2xxx-Remove-unused-variables-in-qla24xx_buil.patch
- patches.suse/scsi-qla2xxx-Update-version-to-10.02.09.100-k.patch
- commit 97d82a0
- vsock/virtio: avoid potential deadlock when vsock device remove
(git-fixes).
- commit bb25376
- VSOCK: handle VIRTIO_VSOCK_OP_CREDIT_REQUEST (git-fixes).
- commit 58985d9
- vsock/virtio: free queued packets when closing socket
(git-fixes).
- commit 364c76d
- vhost: Fix vhost_vq_reset() (git-fixes).
- commit 11c5c4d
- Update
patches.suse/ipv6-raw-Deduct-extension-header-length-in-rawv6_pus.patch
(bsc#1207168 CVE-2023-0394).
(empty commit to synthesize changelog reference)
- commit 5add4b1
- net: check if protocol extracted by virtio_net_hdr_set_proto
is correct (git-fixes).
- commit 2e28a62
- vsock/virtio: update credit only if socket is not closed
(git-fixes).
- commit 4db2ffd
- vhost_net: fix ubuf refcount incorrectly when sendmsg fails
(git-fixes).
- commit 1c25f6d
- vhost: Use vhost_get_used_size() in vhost_vring_set_addr()
(git-fixes).
- commit fc31d1b
- vhost: introduce helpers to get the size of metadata area
(git-fixes).
- Refresh
patches.kabi/kabi-mask-changes-to-vhost_dev_init-and-struct-vhost.patch.
- Refresh
patches.suse/vhost-Don-t-call-access_ok-when-using-IOTLB.patch.
- commit dff33f7
- virtio_ring: Avoid loop when vq is broken in virtqueue_poll
(git-fixes).
- commit 74b72cd
- vhost: missing __user tags (git-fixes).
- commit f5a5b81
- remoteproc: Fix NULL pointer dereference in rproc_virtio_notify
(git-fixes).
- commit 9a37a06
- virtio_balloon: prevent pfn array overflow (git-fixes).
- commit 55ea675
- vhost/test: stop device before reset (git-fixes).
- commit 5483efb
- net: virtio_vsock: Enhance connection semantics (git-fixes).
- commit 9ad5623
- net: do not allow gso_size to be set to GSO_BY_FRAGS
(git-fixes).
- commit 78c9d7f
- virtio_net: add checking sq is full inside xdp xmit (git-fixes).
- commit 689eec4
- virtio_net: separate the logic of checking whether sq is full
(git-fixes).
- commit 61503de
- virtio_net: reorder some funcs (git-fixes).
- commit f621ba2
- idr: fix param name in idr_alloc_cyclic() doc (bsc#1109837).
- commit 2f8b856
- virtio_net: Fix probe failed when modprobe virtio_net
(git-fixes).
- commit 3abdcae
- 9p/trans_virtio: Remove sysfs file on probe failure (git-fixes).
- commit 68a725b
- virtio_net: Remove BUG() to avoid machine dead (git-fixes).
- commit 55a074c
- vhost: Don't call access_ok() when using IOTLB (git-fixes).
- commit 25ceff0
- virtio_pci_modern: Fix the comment of
virtio_pci_find_capability() (git-fixes).
- commit cb1942b
- vhost: vsock: kick send_pkt worker once device is started
(git-fixes).
- commit a9baee2
- xen: remove a confusing comment on auto-translated guest I/O
(git-fixes).
- commit 8b1470e
- arm64: kgdb: Set PSTATE.SS to 1 to re-enable single-step (git-fixes)
- commit 2dc199b
- blacklist.conf: ("mm: defer kmemleak object creation of module_alloc()")
- commit bd408b1
- blacklist.conf: ("arm64/fpsimd: Only provide the length to cpufeature for xCR registers")
- commit fa8f4a7
- blacklist.conf: ("arm64: Add missing Set/Way CMO encodings")
- commit 1c6e245
- arm64: insn: Fix ldadd instruction encoding (git-fixes)
- commit 8cc18ed
- firmware: raspberrypi: fix possible memory leak in
rpi_firmware_probe() (git-fixes).
- commit c078a04
- firmware: raspberrypi: Keep count of all consumers (git-fixes).
- Refresh
patches.suse/firmware-raspberrypi-Introduce-devm_rpi_firmware_get.patch.
- commit 12c2932
- af_unix: Fix null-ptr-deref in unix_stream_sendpage()
(CVE-2023-4622 bsc#1215117).
- commit c96e367
- net/sched: sch_hfsc: Ensure inner classes have fsc curve
(CVE-2023-4623 bsc#1215115).
- commit 522fe97
- cec-api: prevent leaking memory through hole in structure
(CVE-2020-36766 bsc#1215299).
- commit 95fe4aa
- patches.suse/ext4-avoid-deadlock-in-fs-reclaim-with-page-writebac.patch:
Fix compiler warning due to unused 'sbi' variable
- commit f8d160b
- fbdev: au1200fb: Fix missing IRQ check in au1200fb_drv_probe (bsc#1154048)
- commit 1fa2e82
- fbdev: imxfb: warn about invalid left/right margin (bsc#1154048)
- commit 31becd0
- fbdev: omapfb: lcd_mipid: Fix an error handling path in (bsc#1154048)
Backporting changes:
* Refresh patch
- commit f0bd08e
- fbcon: Fix null-ptr-deref in soft_cursor (bsc#1154048)
Backporting changes:
* Move code from video/fbdev/core to video/consol
* Refresh patch
- commit a573af9
- fbdev: modedb: Add 1920x1080 at 60 Hz video mode (bsc#1154048)
- commit eb11fbc
- blacklist.conf: Append 'fbdev/ep93xx-fb: Do not assign to struct fb_info.dev'
- commit 7445a36
- blacklist.conf: Append 'backlight/lv5207lp: Compare against struct fb_info.device'
- commit deff103
- blacklist.conf: Append 'backlight/gpio_backlight: Compare against struct fb_info.device'
- commit 5ee6636
- blacklist.conf: Append 'backlight/bd6107: Compare against struct fb_info.device'
- commit 639511f
- blacklist.conf: Append 'fbdev: mmp: fix value check in mmphw_probe()'
- commit 170d70b
- blacklist.conf: Append 'fbdev: stifb: Fix info entry in sti_struct on error path'
- commit 1d87a9e
- blacklist.conf: Append 'fbdev: imsttfb: Release framebuffer and dealloc cmap on error path'
- commit 7e72c90
- blacklist.conf: Append 'fbdev: imsttfb: Fix use after free bug in imsttfb_probe'
- commit 702daba
- blacklist.conf: Append 'parisc/agp: Annotate parisc agp init functions with __init'
- commit c9c8dac
- 9p/xen : Fix use after free bug in xen_9pfs_front_remove due
to race condition (bsc#1215206, CVE-2023-1859).
- commit 4fa7183
- Add a new helper script to drop the number prefix from patch files
strip-number-prefix is a small helper script you can run against patch
files with the number prefix like "0001-foo.patch" to get rid of the
prefix "0001-". There are a few options, e.g. to add the SHA1 ID
suffix automatically for conflicting patch file names, too.
- commit 2f6cda6
- netfilter: nftables: exthdr: fix 4-byte stack OOB write
(CVE-2023-4881 bsc#1215221).
- commit b9ba6b9
- scripts/CKC: Fix some typos
- commit 19e464e
- scripts/check-kernel-commit: Report blacklisted terms
The blacklist hides the commit for tools reporting candidates
for backporting. It might hide commits which might get important
later.
Anyway, the fact that they are blacklisted is interesting and
it would be nice when check-kernel-commit reports them.
- commit a2aefc5
- firmware: raspberrypi: Introduce devm_rpi_firmware_get()
(git-fixes).
- commit b0c6851
- Input: xpad - delete a Razer DeathAdder mouse VID/PID entry
(git-fixes).
- commit 2f7bf75
- Input: psmouse - fix OOB access in Elantech protocol
(git-fixes).
- commit c22661c
- Input: raspberrypi-ts - fix refcount leak in rpi_ts_probe
(git-fixes).
- Input: xpad - add constants for GIP interface numbers
(git-fixes).
- commit f16c0ae
- blacklist.conf: kABI
- commit ff64baf
- media: uvcvideo: Increase UVC_CTRL_CONTROL_TIMEOUT to 5 seconds
(git-fixes).
- commit 94ae184
- media: b2c2: Add missing check in flexcop_pci_isr: (git-fixes).
- commit 08d3143
- media: mceusb: return without resubmitting URB in case of
-EPROTO error (git-fixes).
- commit c8383de
- media: flexcop-usb: fix NULL-ptr deref in
flexcop_usb_transfer_init() (git-fixes).
- Refresh
patches.suse/0001-media-flexcop-usb-fix-endpoint-sanity-check.patch.
- commit bad0523
- media: cec: copy sequence field for the reply (git-fixes).
- commit 8765e23
- media: s5p_cec: decrement usage count if disabled (git-fixes).
- commit b1a4e64
- media: cec-notifier: clear cec_adap in cec_notifier_unregister
(git-fixes).
- commit ac5e011
- blacklist.conf: false positive
- commit 6890750
- media: cec: integrate cec_validate_phys_addr() in cec-api.c
(git-fixes).
- commit c1bf95d
- media: cec: make cec_get_edid_spa_location() an inline function
(git-fixes).
- commit 8148e38
- Delete patches.suse/genksyms-add-override-flag.diff.
The override flag is no longer used in kernel-binary.
- commit 3815406
- git_sort: Add tpmdd repository.
- commit a4a15c9
- s390/dasd: fix hanging device after request requeue (LTC#203632
bsc#1215121).
- commit 313a92d
- jbd2: restore t_checkpoint_io_list to maintain kABI
(bsc#1214946).
- commit 9146c38
- rpm/kernel-binary.spec.in: Drop use of KBUILD_OVERRIDE=1
Genksyms has functionality to specify an override for each type in
a symtypes reference file. This override is then used instead of an
actual type and allows to preserve modversions (CRCs) of symbols that
reference the type. It is kind of an alternative to doing kABI fix-ups
with '#ifndef __GENKSYMS__'. The functionality is hidden behind the
genksyms --preserve option which primarily tells the tool to strictly
verify modversions against a given reference file or fail.
Downstream patch patches.suse/genksyms-add-override-flag.diff which is
present in various kernel-source branches separates the override logic.
It allows it to be enabled with a new --override flag and used without
specifying the --preserve option. Setting KBUILD_OVERRIDE=1 in the spec
file is then a way how the build is told that --override should be
passed to all invocations of genksyms. This was needed for SUSE kernels
because their build doesn't use --preserve but instead resulting CRCs
are later checked by scripts/kabi.pl.
However, this override functionality was not utilized much in practice
and the only use currently to be found is in SLE11-SP1-LTSS. It means
that no one should miss this option and KBUILD_OVERRIDE=1 together with
patches.suse/genksyms-add-override-flag.diff can be removed.
Notes for maintainers merging this commit to their branches:
* Downstream patch patches.suse/genksyms-add-override-flag.diff can be
dropped after merging this commit.
* Branch SLE11-SP1-LTSS uses the mentioned override functionality and
this commit should not be merged to it, or needs to be reverted
afterwards.
- commit 4aa02b8
- Update
patches.suse/s390-dasd-fix-hanging-device-after-quiesce-resume.patch
(git-fixes bsc#1214157 bsc#1215122).
- commit 07aca49
- README: Update info about the References tag (jsc#PED-5021).
* Update that JIRA issue IDs should specify an Implementation task and
no longer its Epic.
* Use https:// for the link to the openSUSE abbreviation list.
- commit 0ba0c76
- blacklist.conf: Blacklist b98dba273a
- commit b92c4bc
- jbd2: simplify journal_clean_one_cp_list() (bsc#1215207).
- commit 6f4c470
- usb: typec: altmodes/displayport: Fix pin assignment calculation
(git-fixes).
- commit 4d0c2c0
- usb: typec: altmodes/displayport: Add pin assignment helper
(git-fixes).
- commit 9232606
- blacklist.conf: Blacklist e5cfefa97bccf
- commit 570bb0a
- blacklist.conf: Add ef73dcaa3121 ("powerpc: xmon: remove unused variables")
- commit 79b42a6
- powerpc/iommu: Fix notifiers being shared by PCI and VIO buses
(bsc#1065729).
- powerpc/xics: Remove unnecessary endian conversion
(bsc#1065729).
- word-at-a-time: use the same return type for has_zero regardless
of endianness (bsc#1065729).
- powerpc/64s/exception: machine check use correct cfar for late
handler (bsc#1065729).
- commit 024bdb8
- blacklist.conf: Add eac030b22ea1 ("powerpc/pseries: Rework lppaca_shared_proc() to avoid DEBUG_PREEMPT")
- commit 7c10484
- Drivers: hv: vmbus: Don't dereference ACPI root object handle (git-fixes).
- x86/hyperv: Fix NULL deref in set_hv_tscchange_cb() if Hyper-V setup fails (git-fixes).
- hv_utils: Fix passing zero to 'PTR_ERR' warning (git-fixes).
- commit 1c1b9d9
- udf: Fix uninitialized array access for some pathnames
(bsc#1214967).
- commit c4327d4
- udf: Fix off-by-one error when discarding preallocation
(bsc#1214966).
- commit e960575
- udf: Fix file corruption when appending just after end of
preallocated extent (bsc#1214965).
- commit 9b4bb47
- udf: Fix extension of the last extent in the file (bsc#1214964).
- commit a800323
- quota: fix warning in dqgrab() (bsc#1214962).
- commit 1c703c8
- quota: Properly disable quotas when add_dquot_ref() fails
(bsc#1214961).
- commit a0acebf
- fs: avoid softlockups in s_inodes iterators (bsc#1215165).
- commit 64a5ec2
- direct-io: allow direct writes to empty inodes (bsc#1215164).
- commit 7c4d7c8
- blacklist.conf: Blacklist 69562eb0bd3e
- commit f13139d
- blacklist.conf: Blacklist 2112f5c1330a
- commit 7d5e43d
- jbd2: remove unused function '__cp_buffer_busy' (bsc#1215162).
- commit 20ed76a
- jbd2: check 'jh->b_transaction' before removing it from
checkpoint (bsc#1214953).
- commit d390fb5
- jbd2: fix checkpoint cleanup performance regression
(bsc#1214952).
- commit eebe7e1
- jbd2: fix a race when checking checkpoint buffer busy (bsc#1214949).
- commit 2a5ddb1
- jbd2: remove t_checkpoint_io_list (bsc#1214946).
- commit 83511a0
- jbd2: recheck chechpointing non-dirty buffer (bsc#1214945).
- commit d58daa9
- ext4: correct inline offset when handling xattrs in inode body
(bsc#1214950).
- commit 032825e
- jbd2: Fix wrongly judgement for buffer head removing while
doing checkpoint (bsc#1214948).
- commit 9167319
- ext4: fix wrong unit use in ext4_mb_clear_bb (bsc#1214943).
- commit bc0cd9a
- ext4: set goal start correctly in ext4_mb_normalize_request
(bsc#1214940).
- commit 8cc1d3d
- s390/zcrypt: don't leak memory if dev_set_name() fails
(git-fixes bsc#1215152).
- commit 6bbbd1c
- scsi: zfcp: reduce flood of fcrscn1 trace records on
multi-element RSCN (git-fixes bsc#1215149).
- commit a1a3484
- patches.suse/btrfs-output-extra-debug-info-if-we-failed-to-find-a.patch:
(bsc#1215136).
- commit edf562a
- scripts/log2: Add support for patch renaming
Add the check of renamed patches and properly log the changes.
They have been ignored until now, and one had to write manually.
- commit e36bcf3
- blacklist.conf: kABI
- commit 57cf107
- blacklist.conf: cleanup, not fix
- commit 61144f9
- blacklist.conf: irrelevant in our configs
- commit e17de4e
- blacklist.conf: kABI
- commit e7ae590
- s390/cio: cio_ignore_proc_seq_next should increase position
index (git-fixes bsc#1215057).
- commit 128857d
- s390/dasd/cio: Interpret ccw_device_get_mdc return value
correctly (git-fixes bsc#1215049).
- commit a97aee2
- s390/zcrypt: handle new reply code FILTERED_BY_HYPERVISOR
(git-fixes bsc#1215046).
- commit 44d01f3
- s390/uaccess: avoid (false positive) compiler warnings
(git-fixes bsc#1215041).
- commit 59bf770
- s390/qdio: add sanity checks to the fast-requeue path (git-fixes
bsc#1215038).
- commit b52d0b2
- s390/kasan: fix strncpy_from_user kasan checks (git-fixes
bsc#1215037).
- commit 9a9cc75
- s390: zcrypt: initialize variables before_use (git-fixes
bsc#1215036).
- commit 4af7ade
- s390/pkey: add one more argument space for debug feature entry
(git-fixes bsc#1215035).
- commit 06b1fa0
- s390/dasd: Fix capacity calculation for large volumes (git-fixes
bsc#1215034).
- commit 3bac622
- s390/zcrypt: improve special ap message cmd handling (git-fixes
bsc#1215032).
- commit 13e8aa1
- s390/kdump: Fix memleak in nt_vmcoreinfo (git-fixes
bsc#1215028).
- commit b9151e6
- Bluetooth: L2CAP: Fix use-after-free in l2cap_sock_ready_cb
(bsc#1214233 CVE-2023-40283).
- commit eabaa85
- drm/vmwgfx: Test shader type against SVGA3d_SHADERTYPE_MIN (bsc#1203517 CVE-2022-36402)
- commit 90f1895
- cifs: Fix UAF in cifs_demultiplex_thread() (bsc#1208995
CVE-2023-1192).
- commit f2c9320
- add upstream tags to a few pci-hyperv patches
- commit a255269
- sched/fair: Fix CFS bandwidth hrtimer expiry type (git fixes).
- sched/fair: Don't NUMA balance for kthreads (git fixes).
- sched/core: Check quota and period overflow at usec to nsec
conversion (git fixes).
- sched/core: Handle overflow in cpu_shares_write_u64 (git fixes).
- sched/cpufreq: Fix kobject memleak (git fixes).
- sched/topology: Fix off by one bug (git fixes).
- commit 1834f8f
- blacklist.conf: Cosmetic, not fix
- commit 59cf877
- blacklist.conf: Relatively high-risk given the lack of a customer bug
- commit b474f56
- scsi: storvsc: Fix handling of virtual Fibre Channel timeouts
(git-fixes).
- scsi: storvsc: Always set no_report_opcodes (git-fixes).
- commit 1d90748
- blacklist.conf: optimization
- commit 117c6b0
- blacklist.conf: obsoleted by later patch
- commit 260ff3e
- blacklist.conf: kABI
- commit e0a5839
- blacklist.conf: kABI
- commit 980539d
- blacklist.conf: optimization
- commit 2fe1477
- scsi: qla2xxx: Remove unused variables in
qla24xx_build_scsi_type_6_iocbs() (bsc#1214928).
- scsi: qla2xxx: Update version to 10.02.09.100-k (bsc#1214928).
- Revert "scsi: qla2xxx: Fix buffer overrun" (bsc#1214928).
- scsi: qla2xxx: Fix smatch warn for qla_init_iocb_limit()
(bsc#1214928).
- scsi: qla2xxx: Remove unsupported ql2xenabledif option
(bsc#1214928).
- scsi: qla2xxx: Error code did not return to upper layer
(bsc#1214928).
- scsi: qla2xxx: Add logs for SFP temperature monitoring
(bsc#1214928).
- scsi: qla2xxx: Fix firmware resource tracking (bsc#1214928).
- scsi: qla2xxx: Flush mailbox commands on chip reset
(bsc#1214928).
- scsi: qla2xxx: Allow 32-byte CDBs (bsc#1214928).
- scsi: qla2xxx: Move resource to allow code reuse (bsc#1214928).
- scsi: qla2xxx: Remove unused declarations (bsc#1214928).
- commit e3144fe
- series: update metadata qla2xxx
- Refresh
patches.suse/scsi-qla2xxx-Adjust-IOCB-resource-on-qpair-create.patch.
- Refresh patches.suse/scsi-qla2xxx-Fix-TMF-leak-through.patch.
- Refresh
patches.suse/scsi-qla2xxx-Fix-command-flush-during-TMF.patch.
- Refresh
patches.suse/scsi-qla2xxx-Fix-deletion-race-condition.patch.
- Refresh
patches.suse/scsi-qla2xxx-Fix-erroneous-link-up-failure.patch.
- Refresh patches.suse/scsi-qla2xxx-Fix-session-hang-in-gnl.patch.
- Refresh
patches.suse/scsi-qla2xxx-Limit-TMF-to-8-per-function.patch.
- Refresh
patches.suse/scsi-qla2xxx-Turn-off-noisy-message-log.patch.
- Refresh
patches.suse/scsi-qla2xxx-Update-version-to-10.02.08.500-k.patch.
- Refresh
patches.suse/scsi-qla2xxx-fix-inconsistent-TMF-timeout.patch.
- commit a78c0e0
- blacklist: add nvme-tcp/nvme-rdma path freeze patches
- commit bfd23fd
- module: avoid allocation if module is already present and ready
(bsc#1213921).
- commit ea88fa3
- module: move check_modinfo() early to early_mod_check()
(bsc#1213921).
- commit 4dd579c
- module: move early sanity checks into a helper (bsc#1213921).
- commit 2966d5d
- module: extract patient module check into helper (bsc#1213921).
- commit ee26ffe
- blacklist.conf: Drop invplg patch
- commit 6d986f2
- x86/crash: Disable virt in core NMI crash handler to avoid double shootdown (git-fixes).
- commit 3755873
- x86/virt: Force GIF=1 prior to disabling SVM (for reboot flows) (git-fixes).
- commit 4f2adfa
- x86/mm: Fix use of uninitialized buffer in sme_enable() (git-fixes).
- commit 059349a
- x86/reboot: Disable SVM, not just VMX, when stopping CPUs (git-fixes).
- commit ebd4ce9
- x86/mm: Do not shuffle CPU entry areas without KASLR (git-fixes).
- commit 2e7ba0d
- x86/bugs: Reset speculation control settings on init (git-fixes).
- commit ef1a64e
- x86/ioapic: Don't return 0 from arch_dynirq_lower_bound() (git-fixes).
- commit 819086a
- x86/speculation: Mark all Skylake CPUs as vulnerable to GDS (git-fixes).
- commit a399606
- x86/microcode/AMD: Load late on both threads too (git-fixes).
- commit 1a17c86
- x86/cpu/amd: Enable Zenbleed fix for AMD Custom APU 0405 (git-fixes).
- commit 80a2dc8
- x86/cpu: Fix amd_check_microcode() declaration (git-fixes).
- commit 2702ba0
- x86: Move gds_ucode_mitigated() declaration to header (git-fixes).
- commit 723e612
- x86/CPU/AMD: Disable XSAVES on AMD family 0x17 (git-fixes).
- commit ee9c9b3
- blacklist.conf: Ignore a bunch of useless patches
They primarily relate to the GDS mitigations but have some implicit
dependencies which aren't satisfied in SLE12-SP5 hence can't be
backported without breaking the boot flow.
- commit 8a7a083
- NFS: Guard against READDIR loop when entry names exceed
MAXNAMELEN (git-fixes).
- nfs/blocklayout: Use the passed in gfp flags (git-fixes).
- NFSD: da_addr_body field missing in some GETDEVICEINFO replies
(git-fixes).
- fs: lockd: avoid possible wrong NULL parameter (git-fixes).
- NFSD: add encoding of op_recall flag for write delegation
(git-fixes).
- commit 9627d5e
- scripts/python/tests/test_header.py: Alt-commit tests
Add unit tests for the alt-commit tag
- commit 5b42b75
- ext4: avoid deadlock in fs reclaim with page writeback
(bsc#1213016).
- commit 9e76893
- blacklist.conf: optimization
- commit 0093119
- blacklist.conf: optimization
- commit 8d089ae
- scripts/python/suse_git/header.py: Add Alt-commit
Add a rule describing the Alt-commit tag.
Also describe the usage of the Alt-commit tag in
scripts/patch-tag-template.
- commit a27c481
- rpm/mkspec-dtb: support for nested subdirs
Commit 724ba6751532 ("ARM: dts: Move .dts files to vendor
sub-directories") moved the dts to nested subdirs, add support for
that. That is, generate a %dir entry in %files for them.
- commit 6484eda
- Bluetooth: nokia: fix value check in
nokia_bluetooth_serdev_probe() (git-fixes).
- commit 65ce64f
- SUNRPC: always clear XPRT_SOCK_CONNECTING before
xprt_clear_connecting on TCP xprt (bsc#1214453).
- commit 262ee00
- libceph: fix potential hang in ceph_osdc_notify() (bsc#1214752).
- commit bb71e26
- usb-storage: alauda: Fix uninit-value in alauda_check_media()
(git-fixes).
- commit 699a0f7
- USB: serial: simple: sort driver entries (git-fixes).
- commit cd31a2c
- USB: serial: simple: add Kaufmann RKS+CAN VCP (git-fixes).
- commit 01910f6
- blacklist.conf: Add 541676078b52 membarrier: Disable preemption when calling smp_call_function_many()
- commit abc325d
- blacklist.conf: Add 295d6d5e3736 sched/deadline: Fix switching to -deadline
- commit eabea96
- blacklist.conf: Add ad789f84c9a1 sched/debug: Fix cgroup_path[] serialization
- commit 668acbe
- blacklist.conf: Add a46d14eca7b7 sched/fair: Use rq_lock/unlock in online_fair_sched_group
- commit f2e125e
- USB: serial: option: add Quectel EC200A module support
(git-fixes).
- commit 6a79fcc
- USB: serial: option: support Quectel EM060K_128 (git-fixes).
- commit 08d37b2
- USB: serial: option: add Quectel EM061KGL series (git-fixes).
- commit 8761a7d
- USB: serial: option: add LARA-R6 01B PIDs (git-fixes).
- commit f1fab77
- USB: serial: option: add u-blox LARA-L6 modem (git-fixes).
- commit b920356
- net-sysfs: Call dev_hold always in rx_queue_add_kobject
(git-fixes).
- commit 90595e2
- net-sysfs: Call dev_hold always in netdev_queue_add_kobject
(git-fixes).
- commit 890c248
- net-sysfs: fix netdev_queue_add_kobject() breakage (git-fixes).
- commit 29ae172
- blacklist.conf: add drivers/net/arcnet/
- commit 49ea450
- blacklist.conf: add CAIF drivers
- commit e788b55
- blacklist.conf: add CONFIG_WAN and CONFIG_IEEE802154 drivers
- commit 26fa349
- blacklist.conf: add CONFIG_ROSE
- commit 9103b7d
- blacklist.conf: add CONFIG_DECNET
- commit ffa631c
- blacklist.conf: add CONFIG_PHONET
- commit bd0a4a9
- blacklist.conf: add CONFIG_NETROM
- commit f7b4f72
- blacklist.conf: add CONFIG_X25
- commit 482c65e
- blacklist.conf: add CONFIG_IEEE802154
- commit 3234431
- blacklist.conf: update blacklist
- commit 9ca64d4
- netfilter: ipset: Fix an error code in ip_set_sockfn_get()
(git-fixes).
- commit 9e5e119
- bridge: ebtables: don't crash when using dnat target in output
chains (git-fixes).
- commit 6755ab5
- net-sysfs: Fix reference count leak in rx|netdev_queue_add_kobject (git-fixes).
- commit ba3b4ef
- xfrm: release device reference for invalid state (git-fixes).
- commit edb4011
- net/fq_impl: Switch to kvmalloc() for memory allocation (git-fixes).
- commit fc2b65b
- blacklist.conf: add CONFIG_BATMAN_ADV
- commit 4a7aeb7
- net: mana: add support for XDP_QUERY_PROG (jsc#SLE-18779, bsc#1214209).
- commit 2072e0b
- Input: cyttsp4_core - change del_timer_sync() to
timer_shutdown_sync() (bsc#1213971 CVE-2023-4134).
- commit 3678dd9
- x86/CPU/AMD: Fix the DIV(0) initial fix attempt (bsc#1213927, CVE-2023-20588).
- commit 7b74a19
- x86/CPU/AMD: Do not leak quotient data after a division by 0 (bsc#1213927, CVE-2023-20588).
- commit c7be7bc
- old-flavors: Drop 2.6 kernels.
2.6 based kernels are EOL, upgrading from them is no longer supported.
- commit 7bb5087
- net: nfc: Fix use-after-free caused by nfc_llcp_find_local
(bsc#1213601 CVE-2023-3863).
- nfc: llcp: simplify llcp_sock_connect() error paths (bsc#1213601
CVE-2023-3863).
- nfc: llcp: nullify llcp_sock->dev on connect() error paths
(bsc#1213601 CVE-2023-3863).
- commit d4622dc
- nfc: Fix to check for kmemdup failure (bsc#1213601
CVE-2023-3863).
Refresh
patches.suse/nfc-fix-refcount-leak-in-llcp_sock_connect.patch.
patches.suse/nfc-fix-memory-leak-in-llcp_sock_connect.patch.
patches.suse/net-nfc-fix-use-after-free-llcp_sock_bind-connect.patch.
- commit 8e06144
- Refresh patches.suse/x86-srso-add-ibpb.patch.
CPU_IBPB_ENTRY is non-existent on our kernels and we effectively always
have it enabled, adjust patch accordingly.
- commit ef69893
- x86/vmware: Enable steal time accounting (bsc#1210327).
- commit af543f3
- x86/vmware: Add steal time clock support for VMware guests
(bsc#1210327).
- commit 7743a65
- x86/cpu/vmware: Fix platform detection VMWARE_PORT macro
(bsc#1210327).
- commit ea2bc47
- x86/cpu/vmware: Use the full form of INL in VMWARE_HYPERCALL,
for clang/llvm (bsc#1210327).
- commit 1575f32
- x86/cpu/vmware: Use the full form of INL in VMWARE_PORT
(bsc#1210327).
- commit 2a67cd9
- net: vmxnet3: fix possible NULL pointer dereference in
vmxnet3_rq_cleanup() (bsc#1214451 CVE-2023-4459).
- commit 070c8ea
- kabi/severities: Ignore newly added SRSO mitigation functions
- commit 8a99b91
- blacklist.conf: add drivers/net/ethernet/lantiq_etop.c
- commit 26afac4
- net: bnx2x: fix variable dereferenced before check (git-fixes).
- commit bda0298
- tun: fix bonding active backup with arp monitoring (git-fixes).
- commit 60e162e
- bonding: Fix a use-after-free problem when
bond_sysfs_slave_add() failed (git-fixes).
- commit 7b40920
- USB: serial: option: add support for VW/Skoda "Carstick LTE"
(git-fixes).
- commit 7c6d92a
- USB: serial: option: add Quectel EM05CN modem (git-fixes).
- commit 6429943
- USB: serial: option: add Quectel EM05CN (SG) modem (git-fixes).
- commit e6e99a8
- net: tun: fix bugs for oversize packet when napi frags enabled
(bsc#1213543 CVE-2023-3812).
- commit 6b178d4
- USB: serial: cp210x: add SCALANCE LPE-9000 device id
(git-fixes).
- commit 533d12f
- USB: serial: option: add Quectel EC200U modem (git-fixes).
- commit dc34ec6
- USB: serial: cp210x: add Kamstrup RF sniffer PIDs (git-fixes).
- commit b8ed016
- Refresh
patches.suse/USB-serial-option-add-Quectel-EM05-G-modem.patch.
- commit df40afb
- Refresh
patches.suse/USB-serial-option-add-support-for-u-blox-LARA-R6-fam.patch.
- commit 13f6793
- USB: zaurus: Add ID for A-300/B-500/C-700 (git-fixes).
- commit 7f1436c
- x86/srso: Correct the mitigation status when SMT is disabled (git-fixes).
- commit e345bea
- x86/srso: Explain the untraining sequences a bit more (git-fixes).
- commit 71144e1
- x86/cpu/kvm: Provide UNTRAIN_RET_VM (git-fixes).
- commit bf1a2fa
- x86/cpu: Cleanup the untrain mess (git-fixes).
- commit a6086d7
- xfrm: add NULL check in xfrm_update_ae_params (bsc#1213666
CVE-2023-3772).
- commit fa1caab
- x86/cpu: Rename srso_(.*)_alias to srso_alias_\1 (git-fixes).
- commit 2cfb3ab
- x86/cpu: Rename original retbleed methods (git-fixes).
- commit 1310fe3
- x86/cpu: Fix up srso_safe_ret() and __x86_return_thunk() (git-fixes).
- commit e7d0cb6
- x86/cpu: Fix __x86_return_thunk symbol type (git-fixes).
- commit ddb54e9
- x86/retpoline,kprobes: Skip optprobe check for indirect jumps with retpolines and IBT (git-fixes).
- commit 19c2705
- x86/retpoline,kprobes: Fix position of thunk sections with CONFIG_LTO_CLANG (git-fixes).
- commit 9b3cb5f
- x86/srso: Disable the mitigation on unaffected configurations (git-fixes).
- commit 3c5d037
- x86/retpoline: Don't clobber RFLAGS during srso_safe_ret() (git-fixes).
- commit ee484fd
- x86/srso: Fix build breakage with the LLVM linker (git-fixes).
- commit 87ffd8d
- Update config files. Drop the dpt_i2o kernel module.
For: jsc#PED-4579, CVE-2023-2007
- commit 55a7a29
- fs: jfs: fix possible NULL pointer dereference in dbFree() (bsc#1214348 CVE-2023-4385).
- commit 47225b2
- mkspec: Allow unsupported KMPs (bsc#1214386)
- commit 55d8b82
- check-for-config-changes: ignore BUILTIN_RETURN_ADDRESS_STRIPS_PAC (bsc#1214380).
gcc7 on SLE 15 does not support this while later gcc does.
- commit 5b41c27
- blacklist.conf: add drivers/net/ethernet/fujitsu/
- commit 3029931
- net: vmxnet3: fix possible use-after-free bugs in
vmxnet3_rq_alloc_rx_buf() (bsc#1214350 CVE-2023-4387).
- commit a117715
- blacklist.conf: kABI
- commit d3731cb
- patches.suse/btrfs-allow-use-of-global-block-reserve-for-balance-.patch:
(bsc#1214335).
- commit 22c271f
- kernel-binary: Common dependencies cleanup
Common dependencies are copied to a subpackage, there is no need for
copying defines or build dependencies there.
- commit 254b03c
- kernel-binary: Drop code for kerntypes support
Kerntypes was a SUSE-specific feature dropped before SLE 12.
- commit 2c37773
- blacklist.conf: too risky
- commit 711552b
- usb: xhci-mtk: set the dma max_seg_size (git-fixes).
- commit 96d510e
- usb: xhci: Check endpoint is valid before dereferencing it
(git-fixes).
- commit 759ec87
- xhci-pci: set the dma max_seg_size (git-fixes).
- commit fed4fe1
- xhci: Remove device endpoints from bandwidth list when freeing
the device (git-fixes).
- commit 841d8bb
- usb: host: xhci: Fix potential memory leak in
xhci_alloc_stream_info() (git-fixes).
- commit c04f324
- powerpc/mm/altmap: Fix altmap boundary check (bsc#1120059
git-fixes).
- commit 4b78272
- bnx2x: fix page fault following EEH recovery (bsc#1214299).
- commit 04ecd0c
- net/af_unix: fix a data-race in unix_dgram_poll (git-fixes).
- commit c65eb1d
- udp6: Fix race condition in udp6_sendmsg & connect (git-fixes).
- commit 8bfe338
- af_unix: Fix a data race of sk->sk_receive_queue->qlen
(git-fixes).
- commit fa2c287
- af_key: Fix send_acquire race with pfkey_register (git-fixes).
- commit f3afa57
- af_packet: fix data-race in packet_setsockopt /
packet_setsockopt (git-fixes).
- commit 67256be
- blacklist.conf: Add a07db5c08657 sched/core: Fix CPU controller for !RT_GROUP_SCHED
- commit dd8fafd
- blacklist.conf: Add 354d77930706 sched/autogroup: Fix possible Spectre-v1 indexing for sched_prio_to_weight[]
- commit 9062495
- net/af_unix: fix a data-race in unix_dgram_sendmsg /
unix_release_sock (git-fixes).
- commit 210495b
- udp: fix race between close() and udp_abort() (git-fixes).
- commit a5be337
- skbuff: fix a data race in skb_queue_len() (git-fixes).
- commit 5ea9284
- packet: fix data-race in fanout_flow_is_huge() (git-fixes).
- commit 4e14632
- net: icmp: fix data-race in cmp_global_allow() (git-fixes).
- Refresh
patches.suse/icmp-randomize-the-global-rate-limiter.patch.
- commit ac95ea3
- inetpeer: fix data-race in inet_putpeer / inet_putpeer
(git-fixes).
- commit 80a2ee8
- packet: unconditionally free po->rollover (git-fixes).
- commit b37ed03
- media: usb: siano: Fix warning due to null work_func_t function
pointer (bsc#1213969 CVE-2023-4132).
- commit 75a6a97
- media: usb: siano: Fix use after free bugs caused by
do_submit_urb (bsc#1213969 CVE-2023-4132).
- commit 4613c3a
- netfilter: nf_conntrack: Fix possible possible crash on module
loading (git-fixes).
- commit 6f6cadf
- blacklist.conf: update blacklist
- commit f72ef52
- x86/speculation: Add cpu_show_gds() prototype (git-fixes).
- commit 9cd20c4
- fs/sysv: Null check to prevent null-ptr-deref bug (git-fixes).
- commit f41c2a0
- net/sched: cls_route: No longer copy tcf_result on update to
avoid use-after-free (bsc#1214149 CVE-2023-4128).
- net/sched: cls_fw: No longer copy tcf_result on update to
avoid use-after-free (bsc#1214149 CVE-2023-4128).
- net/sched: cls_u32: No longer copy tcf_result on update to
avoid use-after-free (bsc#1214149 CVE-2023-4128).
- commit c462108
- Sort latest foray of security patches
- Refresh patches.suse/kvm-add-gds_no-support-to-kvm.patch.
- Refresh
patches.suse/x86-speculation-add-gather-data-sampling-mitigation.patch.
- Refresh
patches.suse/x86-srso-add-a-speculative-ras-overflow-mitigation.patch.
- Refresh patches.suse/x86-srso-add-srso_no-support.patch.
- commit 6e04a2d
- s390/dasd: fix hanging device after quiesce/resume (git-fixes
bsc#1214157).
- commit a759906
- cxgb4: fix use after free bugs caused by circular dependency
problem (bsc#1213970 CVE-2023-4133).
- timers: Provide timer_shutdown[_sync]() (bsc#1213970).
- timers: Add shutdown mechanism to the internal functions
(bsc#1213970).
- timers: Split [try_to_]del_timer[_sync]() to prepare for
shutdown mode (bsc#1213970).
- timers: Silently ignore timers with a NULL function
(bsc#1213970).
- timers: Rename del_timer() to timer_delete() (bsc#1213970).
- timers: Rename del_timer_sync() to timer_delete_sync()
(bsc#1213970).
- timers: Use del_timer_sync() even on UP (bsc#1213970).
- timers: Update kernel-doc for various functions (bsc#1213970).
- timers: Replace BUG_ON()s (bsc#1213970).
- clocksource/drivers/sp804: Do not use timer namespace for
timer_shutdown() function (bsc#1213970).
- clocksource/drivers/arm_arch_timer: Do not use timer namespace
for timer_shutdown() function (bsc#1213970).
- ARM: spear: Do not use timer namespace for timer_shutdown()
function (bsc#1213970).
- commit 7812c75
- xen/netback: Fix buffer overrun triggered by unusual packet
(CVE-2023-34319, XSA-432, bsc#1213546).
- commit 3798a75
- Refresh patches.kabi/cpufeatures-kabi-fix.patch.
- commit c9296b1
- x86/srso: Tie SBPB bit setting to microcode patch detection (bsc#1213287, CVE-2023-20569).
- commit 18888c5
- blacklist.conf: ("arm64: Use correct ll/sc atomic constraints")
- commit fe276b3
- blacklist.conf: ("arm64: Avoid redundant type conversions in xchg() and cmpxchg()")
- commit bd2ee86
- bpf, arm64: use more scalable stadd over ldxr / stxr loop in xadd (git-fixes)
- commit 17e6299
- bpf, arm64: remove prefetch insn in xadd mapping (git-fixes)
- commit 07a4057
- arm64: vdso: Fix clock_getres() for CLOCK_REALTIME (git-fixes)
- commit ebeacd1
- arm64: Re-enable support for contiguous hugepages (git-fixes)
- commit ebd168a
- ubifs: fix snprintf() checking (git-fixes).
- commit 43c222a
- net: tap_open(): set sk_uid from current_fsuid() (CVE-2023-4194
bsc#1214019).
- net: tun_chr_open(): set sk_uid from current_fsuid()
(CVE-2023-4194 bsc#1214019).
- commit 82ba5a9
- tracing: Fix warning in trace_buffered_event_disable()
(git-fixes).
- commit d93f525
- ring-buffer: Fix wrong stat of cpu_buffer->read (git-fixes).
- commit 0dc7589
- fs: hfsplus: remove WARN_ON() from
hfsplus_cat_{read,write}_inode() (git-fixes).
- commit 90060d8
- nfsd: Remove incorrect check in nfsd4_validate_stateid
(git-fixes).
- commit 8542ece
- scripts/lib/SUSE/MyBS.pm: avoid i586 from factory also under openSUSE.org
When one uses openSUSE.org: prefix as an IBS project, exclude
openSUSE:Factory's i586 too. (And use LEGACYX86 instead.)
- commit fef5d5e
- Update config files.
- Refresh patches.suse/x86-srso-add-srso_no-support.patch.
Ensure SRSO is always built and also ensure that msr interception works
correctly when writing to PRED_CMD msr with the SRSO_NO capability
present.
- commit c88c60d
- patches.kabi/cpufeatures-kabi-fix.patch: (bsc#1213287, CVE-2023-20569).
x86 bug bits alias into cap bits. However with the introduction of the
kABI fix for CPUID bits bug and cap ints need to be handled separately.
- commit 335c50e
- s390/ftrace: fix endless recursion in function_graph tracer
(git-fixes bsc#1213912).
- commit dee4f50
- s390/time: ensure get_clock_monotonic() returns monotonic values
(git-fixes bsc#1213911).
- commit 5c3c506
- s390/cpum_sf: Check for SDBT and SDB consistency (git-fixes
bsc#1213910).
- commit b02a979
- s390/cpum_sf: Avoid SBD overflow condition in irq handler
(git-fixes bsc#1213908).
- commit a9dbd12
- s390/smp: __smp_rescan_cpus() - move cpumask away from stack
(git-fixes bsc#1213906).
- commit c4dc11f
- s390/smp: fix physical to logical CPU map for SMT (git-fixes
bsc#1213904).
- commit 8c91a3b
- blacklist.conf: cleanup commit
- commit 4d18b38
- net: usb: qmi_wwan: add support for Compal RXM-G1 (git-fixes).
- commit d1428d0
- blacklist.conf: This is a feature
- commit 99bb16b
- s390/jump_label: print real address in a case of a jump label
bug (git-fixes bsc#1213899).
- commit c684264
- kabi fix test
- commit 87ce69f
- bpf: add missing header file include (bsc#1211738
CVE-2023-0459).
- commit ca4ea63
- s390/cpum_sf: Adjust sampling interval to avoid hitting sample
limits (git-fixes bsc#1213827).
- commit 8ee8817
- s390/maccess: add no DAT mode to kernel_write (git-fixes
bsc#1213825).
- commit bab3d2c
- vfio-ccw: Release any channel program when releasing/removing
vfio-ccw mdev (git-fixes bsc#1213823).
- commit 60eb99d
- vfio-ccw: Prevent quiesce function going into an infinite loop
(git-fixes bsc#1213819).
- commit 123e763
- Update
patches.suse/scsi-zfcp-Fix-missing-auto-port-scan-and-thus-missing-target-ports
(git-fixes bsc#1202670).
- commit dacbbc4
- Update
patches.suse/s390-dasd-fix-no-record-found-for-raw_track_access.patch
(git-fixes bsc#1212266 bsc#1207528).
- commit ae7fc88
- blacklist.conf: build warnings only
- commit 6609aaf
- media: videodev2.h: Fix struct v4l2_input tuner index comment
(git-fixes).
- commit 5a43e28
- block: Fix a source code comment in
include/uapi/linux/blkzoned.h (git-fixes).
- commit d8748d6
- blacklist.conf: kABI
- commit 2515e35
- blacklist.conf: kABI
- commit ec2e2d5
- blacklist.conf: kABI
- commit d01b20b
- blacklist.conf: irrelevant because you are not to do upstream
development with a SLE12 kernel
- commit 1dcedba
- blacklist.conf: irrelevant build fix
- commit db201cc
- blacklist.conf: irrelevant build fix
- commit ef696c2
- blacklist.conf: irrelevant build fix
- commit e324526
- blacklist.conf: irrelevant build fix
- commit 280f872
- livepatch: check kzalloc return values (git-fixes).
- commit c090f07
- virtio_net: bugfix overflow inside xdp_linearize_page()
(git-fixes).
- commit b6531dc
- virtio-net: Keep stop() to follow mirror sequence of open()
(git-fixes).
- commit 6c6da5a
- vhost/vsock: Use kvmalloc/kvfree for larger packets (git-fixes).
- commit 95a2d87
- virtio_net: fix xdp_rxq_info bug after suspend/resume
(git-fixes).
- commit cededae
- virtio-mmio: fix missing put_device() when vm_cmdline_parent
registration failed (git-fixes).
- commit cc5a462
- s390/numa: move initial setup of node_to_cpumask_map (git-fixes
bsc#1213766).
- commit 44aa432
- net/sched: cls_u32: Fix reference counter leak leading to
overflow (CVE-2023-3609 bsc#1213586).
- commit a166dc2
- virtio-pci: Remove wrong address verification in vp_del_vqs()
(git-fixes).
- commit fb88881
- blacklist.conf: triggers kABI check (bsc#1213350)
- commit c36a4a3
- blacklist.conf: just a cleanup that doesn't fix anything
- commit bef0bce
- blacklist.conf: a fix for a never backported patch
- commit e2e42cd
- Fix double fget() in vhost_net_set_backend() (git-fixes).
- commit e283c32
- vhost/vsock: don't check owner in vhost_vsock_stop() while
releasing (git-fixes).
- commit 6e93d45
- net/sched: cls_fw: Fix improper refcount update leads to
use-after-free (CVE-2023-3776 bsc#1213588).
- commit 0349f73
- net/sched: sch_qfq: account for stab overhead in qfq_enqueue
(CVE-2023-3611 bsc#1213585).
- net/sched: sch_qfq: refactor parsing of netlink parameters
(bsc#1213585).
- blacklist follow-up commit 158810b261d0 ("net/sched: sch_qfq: reintroduce
lmax bound check for MTU") as unlike the original upstream commit, our
backport does not remove the check
- commit 5488c28
- net: skip virtio_net_hdr_set_proto if protocol already set
(git-fixes).
- commit 8780cf7
- virtio_ring: Fix querying of maximum DMA mapping size for
virtio device (git-fixes).
- commit 8dacd2d
- vhost/vsock: fix incorrect used length reported to the guest
(git-fixes).
- commit 2a64a7c
- net: virtio_net_hdr_to_skb: count transport header in UFO
(git-fixes).
- commit 9757e32
- vhost_net: fix OoB on sendmsg() failure (git-fixes).
- commit 88459d6
- x86/srso: Add IBPB on VMEXIT (bsc#1213287, CVE-2023-20569).
- commit 14120fa
- vringh: Use wiov->used to check for read/write desc order
(git-fixes).
- commit 6df31aa
- x86/srso: Add IBPB (bsc#1213287, CVE-2023-20569).
- commit 373f015
- x86/srso: Add SRSO_NO support (bsc#1213287, CVE-2023-20569).
- commit 447a133
- x86/cpu, kvm: Add support for CPUID_80000021_EAX (bsc#1213287, CVE-2023-20569).
- commit 8553516
- vhost: Fix the calculation in vhost_overflow() (git-fixes).
- commit 53b92b7
- Delete patches.suse/memcg-drop-kmem-limit_in_bytes.patch.
Remove the patch due to causing bsc#1213705.
- commit 3f5780d
- x86/srso: Add IBPB_BRTYPE support (bsc#1213287, CVE-2023-20569).
- commit 52998d3
- virtio: Improve vq->broken access to avoid any compiler
optimization (git-fixes).
- commit e78eee9
- virtio_net: Fix error handling in virtnet_restore() (git-fixes).
- commit 6e0d3eb
- x86: Sanitize linker script (bsc#1213287, CVE-2023-20569).
- commit 631311e
- x86/retbleed: Add __x86_return_thunk alignment checks (bsc#1213287, CVE-2023-20569).
- commit 00b523c
- vringh: fix __vringh_iov() when riov and wiov are different
(git-fixes).
- commit fc76995
- x86/srso: Add a Speculative RAS Overflow mitigation (bsc#1213287, CVE-2023-20569).
- commit ef43cae
- vhost/vsock: fix packet delivery order to monitoring devices
(git-fixes).
- commit 23364e7
- scsi: qla2xxx: Update version to 10.02.08.500-k (bsc#1213747).
- scsi: qla2xxx: fix inconsistent TMF timeout (bsc#1213747).
- scsi: qla2xxx: Fix TMF leak through (bsc#1213747).
- scsi: qla2xxx: Turn off noisy message log (bsc#1213747).
- scsi: qla2xxx: Fix session hang in gnl (bsc#1213747).
- scsi: qla2xxx: Fix erroneous link up failure (bsc#1213747).
- scsi: qla2xxx: Fix command flush during TMF (bsc#1213747).
- scsi: qla2xxx: Limit TMF to 8 per function (bsc#1213747).
- scsi: qla2xxx: Adjust IOCB resource on qpair create
(bsc#1213747).
- scsi: qla2xxx: Fix deletion race condition (bsc#1213747).
- commit ccb6c62
- scsi: qla2xxx: Fix error code in qla2x00_start_sp()
(bsc#1213747).
- scsi: qla2xxx: Silence a static checker warning (bsc#1213747).
- scsi: qla2xxx: Remove unused nvme_ls_waitq wait queue
(bsc#1213747).
- scsi: qla2xxx: Update version to 10.02.08.400-k (bsc#1213747).
- scsi: qla2xxx: Correct the index of array (bsc#1213747).
- scsi: qla2xxx: Pointer may be dereferenced (bsc#1213747).
- scsi: qla2xxx: Fix buffer overrun (bsc#1213747).
- scsi: qla2xxx: Check valid rport returned by fc_bsg_to_rport()
(bsc#1213747).
- scsi: qla2xxx: Avoid fcport pointer dereference (bsc#1213747).
- scsi: qla2xxx: Fix potential NULL pointer dereference
(bsc#1213747).
- scsi: qla2xxx: Array index may go out of bound (bsc#1213747).
- scsi: qla2xxx: Drop useless LIST_HEAD (bsc#1213747).
- scsi: qla2xxx: Fix end of loop test (bsc#1213747).
- scsi: qla2xxx: Fix NULL pointer dereference in target mode
(bsc#1213747).
- commit f23fa07
- virtio-balloon: fix managed page counts when migrating pages
between zones (git-fixes).
- commit 5ada11d
- vhost/vsock: split packets to send using multiple buffers
(git-fixes).
- commit e3832ce
- vhost/test: fix build for vhost test (git-fixes).
- commit 1e9d49e
- vsock/virtio: stop workers during the .remove() (git-fixes).
- commit 1f19f2b
- vsock/virtio: use RCU to avoid use-after-free on
the_virtio_vsock (git-fixes).
- commit a525dd1
- kernel-binary.spec.in: Remove superfluous %% in Supplements
Fixes: 02b7735e0caf ("rpm/kernel-binary.spec.in: Add Enhances and Supplements tags to in-tree KMPs")
- commit 264db74
- vhost_net: disable zerocopy by default (git-fixes).
- commit 05e0782
- xen/blkfront: Only check REQ_FUA for writes (git-fixes).
- commit 2f31c71
- scripts/CKC: mark local variables as such
The default global and dynamic scope nature of bash variables is causing
some race conditions. For example, missing hashes are sometimes printed
and sometimes not, depending on what is found in $missing variable. For
loops and functions are polluting global namespace with outdated state
that is being picked up on their next run. We should religiously mark
local variables as such unless we want to explicitly do global store.
- commit 34619f5
- git_sort: netdev remotes switched from master to main branch
- commit 3544134
- s390/cio: check the subchannel validity for dev_busid
(bsc#1207526).
- commit 512a26a
- s390/cio: add dev_busid sysfs entry for each subchannel
(bsc#1207526).
- commit ff8d9d4
- s390/cio: introduce io_subchannel_type (bsc#1207526).
- Refresh
patches.suse/s390-cio-generate-delayed-uevent-for-vfio-ccw-subchannels.
- commit c7d1471
- vc_screen: don't clobber return value in vcs_read (bsc#1213167
CVE-2023-3567).
- vc_screen: modify vcs_size() handling in vcs_read() (bsc#1213167
CVE-2023-3567).
- vc_screen: move load of struct vc_data pointer in vcs_read()
to avoid UAF (bsc#1213167 CVE-2023-3567).
- commit d1352c9
- x86/microcode/AMD: Make stub function static inline (bsc#1213286, CVE-2023-20593)
Refresh patches.suse/x86-cpu-amd-add-a-zenbleed-fix.patch.
- commit 78a62d1
- svcrdma: Prevent page release when nothing was received
(git-fixes).
- SUNRPC: Fix UAF in svc_tcp_listen_data_ready() (git-fixes).
- nfsd: fix double fget() bug in __write_ports_addfd()
(git-fixes).
- SUNRPC: remove the maximum number of retries in call_bind_status
(git-fixes).
- NFSv4.1: Always send a RECLAIM_COMPLETE after establishing lease
(git-fixes).
- commit 2c4e751
- blacklist.conf: added drbd git-fix to ignore
- commit c682535
- blacklist.conf: Add a not-relevant ftrace fix
- commit 95f476b
- ring-buffer: Fix deadloop issue on reading trace_pipe
(git-fixes).
- commit 2ca6140
- README.BRANCH: Add myself as co-maintainer
- commit 432c0e5
- KVM: Add GDS_NO support to KVM (bsc#1206418, CVE-2022-40982).
- commit 363876a
- x86/speculation: Add Gather Data Sampling mitigation (bsc#1206418, CVE-2022-40982).
- commit 89ac44a
- netfilter: nf_tables: prevent OOB access in nft_byteorder_eval
(CVE-2023-35001 bsc#1213059).
- commit 846f417
- fuse: revalidate: don't invalidate if interrupted (bsc#1213525).
- commit d6449dc
- uaccess: Add speculation barrier to copy_from_user()
(bsc#1211738 CVE-2023-0459).
- commit 8370997
- ocfs2: fix use-after-free when unmounting read-only filesystem
(git-fixes).
- commit 2b3e0de
- ocfs2: check new file size on fallocate call (git-fixes).
- commit 39f6614
- x86/cpu/amd: Add a Zenbleed fix (bsc#1213286, CVE-2023-20593).
- commit 9c7bbf1
- x86/cpu/amd: Move the errata checking functionality up (bsc#1213286, CVE-2023-20593).
- commit 06feaef
- USB: serial: option: add u-blox LARA-R6 00B modem (git-fixes).
- commit 722987b
- blacklist.conf: risk of regression
- commit 77e520e
- USB: serial: option: add Fibocom FM160 0x0111 composition
(git-fixes).
- commit 5e781fe
- USB: serial: option: add Sierra Wireless EM9191 (git-fixes).
- commit a5c215c
- blacklist.conf: kABI
- commit 272efb8
- USB: serial: option: add Quectel EM05-G (RS) modem (git-fixes).
- commit a3f4bd9
- USB: serial: option: add Quectel EM05-G (GR) modem (git-fixes).
- commit 0683869
- powerpc/security: Fix Speculation_Store_Bypass reporting on
Power10 (bsc#1188885 ltc#193722 git-fixes).
- powerpc/64: Update Speculation_Store_Bypass in
/proc/<pid>/status (bsc#1188885 ltc#193722 git-fixes).
- commit c14b3fc
- Refresh
patches.suse/keys-Fix-linking-a-duplicate-key-to-a-keyring-s-asso.patch.
- commit ed0f049
- Refresh
patches.suse/cifs-split-out-ses-and-tcon-retrieval-from-mount_get_conns-.patch.
- Refresh
patches.suse/cifs-support-nested-dfs-links-over-reconnect.patch.
Fix backport of
patches.suse/cifs-support-nested-dfs-links-over-reconnect.patch
(bsc#1212871)
- commit 3f2dafd
- blacklist.conf: fix for patch that is not included
- commit 8426871
- s390/perf: Return error when debug_register fails (git-fixes
bsc#1212657).
- commit 0fcfe58
- Update patches.suse/08-x86-bugs-provide-boot-parameters-for-the-spec_store_bypass_disable-mitigation.patch
(bsc#1087082 CVE-2018-3639 bsc#1207561).
- commit cdd6858
- Update patches.suse/08-x86-bugs-provide-boot-parameters-for-the-spec_store_bypass_disable-mitigation.patch
(bsc#1087082 CVE-2018-3639 bsc#1207561).
- commit 35a0609
- rpm: Update dependency to match current kmod.
- commit d687dc3
- usb: core: add quirk for Alcor Link AK9563 smartcard reader
(git-fixes).
- commit 8095fd4
- usb: add NO_LPM quirk for Realforce 87U Keyboard (git-fixes).
- commit 6c36377
- uas: ignore UAS for Thinkplus chips (git-fixes).
- commit 6536763
- usb-storage: Add Hiksemi USB3-FW to IGNORE_UAS (git-fixes).
- commit 454dfcf
- uas: add no-uas quirk for Hiksemi usb_disk (git-fixes).
- commit 49cc350
- USB: hcd-pci: Fully suspend across freeze/thaw cycle
(git-fixes).
- commit 9d12426
- usb: hub: Add delay for SuperSpeed hub resume to let links
transit to U0 (git-fixes).
- commit ec30965
- usb: core: hub: Disable autosuspend for Cypress CY7C65632
(git-fixes).
- Refresh
patches.suse/usb-core-hub-disable-autosuspend-for-TI-TUSB8041.patch.
- commit 3ec99e4
- x86/speculation/mmio: Print SMT warning (git-fixes).
- commit 304caaa
- x86: Fix return value of __setup handlers (git-fixes).
- commit 53fc9a6
- x86/delay: Fix the wrong asm constraint in delay_loop() (git-fixes).
- commit 873671b
- x86/cpu: Load microcode during restore_processor_state() (git-fixes).
- commit e7bd394
- x86/bugs: Remove apostrophe typo (git-fixes).
- commit 972a8b3
- x86/bugs: Enable STIBP for JMP2RET (git-fixes).
- Refresh patches.suse/x86-bugs-enable-stibp-for-ibpb-mitigated-retbleed.patch.
- commit c8acef1
- x86/bugs: Warn when "ibrs" mitigation is selected on Enhanced IBRS parts (git-fixes).
- commit ba92ee5
- blacklist.conf: cosmetic change
- commit 4490310
- s390: limit brk randomization to 32MB (git-fixes bsc#1213346).
- commit 99a7771
- s390/perf: Change CPUM_CF return code in event init function
(git-fixes bsc#1213344).
- commit 8991783
- git_sort: Add OF fixes branch.
- commit 2b00b1d
- blacklist.conf: cleanup designed to break kABI
- commit 9af40cb
- net: mana: Add support for vlan tagging (bsc#1212301).
- commit 9f17643
- s390/dasd: fix memleak in path handling error case (git-fixes
bsc#1213221).
- commit d16f3d6
- vfio-ccw: Do not call flush_workqueue while holding the spinlock
(git-fixes bsc#1213218).
- commit 99ea851
- vfio-ccw: fence off transport mode (git-fixes bsc#1213215).
- commit 09eec4a
- blacklist.conf: license change
- commit 092eb89
- btrfs: fix resolving backrefs for inline extent followed by
prealloc (bsc#1213133).
- commit 9143ce4
- fs: hfsplus: fix UAF issue in hfsplus_put_super (bsc#1211867, CVE-2023-2985).
- commit 0939c1b
- memcg: drop kmem.limit_in_bytes (bsc#1208788, bsc#1212905).
- commit 3699a6e
- Update metadata
- commit 4f06ed0
- rpm/check-for-config-changes: ignore also RISCV_ISA_* and DYNAMIC_SIGFRAME
They depend on CONFIG_TOOLCHAIN_HAS_*.
- commit 1007103
- powerpc/mm/dax: Fix the condition when checking if altmap
vmemap can cross-boundary (bsc#1150305 ltc#176097 git-fixes).
- commit 49e2ec1
- ubi: Fix failure attaching when vid_hdr offset equals to
(sub)page size (bsc#1210584).
- ubi: ensure that VID header offset + VID header size <= alloc,
size (bsc#1210584).
- commit 4331e8e
- scripts/gitlog2changes: Handle SSH signatures
Commit a384f306f91 (Fix parsing of GPG-signed commit) added the ability
to handle lines beginning with gpgsig but only added the check for the
PGP signatures. It would mark the state as being within a signature and
not print anything and get stuck in that state because the check was
only looking for PGP and not SSH signatures like the ones used in the
repo.
- commit 98cedc3
- blacklist.conf: Blacklist a408f33e895e4
- commit 6fc7467
- include/trace/events/writeback.h: fix -Wstringop-truncation
warnings (bsc#1213023).
- blacklist.conf: Remove commit d1a445d3b8 from blacklist
- patches.suse/writeback-Fix-sync-livelock-due-to-b_dirty_time-proc.patch:
Refresh
- commit 4c9bb20
- lib/string: Add strscpy_pad() function (bsc#1213023).
- commit 3c00676
- fs: fix guard_bio_eod to check for real EOD errors
(bsc#1213042).
- commit a1e013d
- udf: Check consistency of Space Bitmap Descriptor (bsc#1210771).
- commit 7ebedbc
- udf: Do not update file length for failed writes to inline files
(bsc#1213041).
- commit 18b4c06
- udf: Do not bother merging very long extents (bsc#1213040).
- commit b8138fe
- udf: Truncate added extents on failed expansion (bsc#1213039).
- commit edadd0d
- udf: Define EFSCORRUPTED error code (bsc#1213038).
- commit b1ce7bf
- udf: Fix extending file within last block (bsc#1213037).
- commit 43eaf71
- udf: Discard preallocation before extending file with a hole
(bsc#1213036).
- commit d6c23d6
- udf: Do not bother looking for prealloc extents if i_lenExtents
matches i_size (bsc#1213035).
- commit 4ee0c8f
- udf: Fix preallocation discarding at indirect extent boundary
(bsc#1213034).
- commit 4ad4e85
- udf: Drop unused arguments of udf_delete_aext() (bsc#1213033).
- commit 1a487a5
- udf: Avoid double brelse() in udf_rename() (bsc#1213032).
- commit c1551d1
- inotify: Avoid reporting event with invalid wd (bsc#1213025).
- commit 1b40fc6
- writeback: fix call of incorrect macro (bsc#1213024).
- commit be6c80a
- memcg: fix a crash in wb_workfn when a device disappears
(bsc#1213023).
Refresh patches.suse/writeback-Fix-sync-livelock-due-to-b_dirty_time-proc.patch
- commit ab66f3a
- blkcg, writeback: dead memcgs shouldn't contribute to writeback
ownership arbitration (bsc#1213022).
- commit deeb8e8
- blacklist.conf: Blacklist 12e0613715e1
- commit 0f8099a
- ext4: fix to check return value of freeze_bdev() in
ext4_shutdown() (bsc#1213021).
- commit e4bb61c
- ext4: Fix reusing stale buffer heads from last failed mounting
(bsc#1213020).
- commit 39e60c2
- ext4: only update i_reserved_data_blocks on successful block
allocation (bsc#1213019).
- commit 9a3a64e
- blacklist.conf: Blacklist dea9d8f7643f
- commit 2a0b76b
- ext4: bail out of ext4_xattr_ibody_get() fails for any reason
(bsc#1213018).
- commit e0aebad
- blacklist.conf: Blacklist 2220eaf90992
- commit 0a7a059
- ext4: improve error recovery code paths in __ext4_remount()
(bsc#1213017).
- commit 0d0eede
- blacklist.conf: Blacklist aff3bea95388
- commit 4c5264c
- blacklist.conf: Blacklist 4f04351888a8
- commit 15cda77
- blacklist.conf: Blacklist b87c7cdf2bed
- commit 2eafae9
- blacklist.conf: Blacklist 463808f237cf
- commit 6d6f5a5
- ext4: fix i_disksize exceeding i_size problem in partially
written case (bsc#1213015).
- commit 7b579a0
- jbd2: Don't refuse invalidation of already invalidated buffers
(bsc#1213014).
- commit 0c38716
- blacklist.conf: Blacklist 93cdf49f6eca
- commit 725de91
- ext4: zero i_disksize when initializing the bootloader inode
(bsc#1213013).
- commit 1c940cb
- ext4: fix WARNING in ext4_update_inline_data (bsc#1213012).
- commit c52c259
- ext4: move where set the MAY_INLINE_DATA flag is set
(bsc#1213011).
- commit 5819fe4
- ext4: fix RENAME_WHITEOUT handling for inline directories
(bsc#1210766).
- commit c039f47
- ext4: fix cgroup writeback accounting with fs-layer encryption
(bsc#1210765).
- commit dd448da
- blacklist.conf: Blacklist 0813299c586b
- commit bd6a717
- blacklist.conf: Blacklist 0f7bfd6f8164
- commit 2a94ded
- ext4: fail ext4_iget if special inode unallocated (bsc#1213010).
- commit 630fe8f
- blacklist.conf: Blacklist e4db04f7d3db, 1e9d62d25281, f31173c19901
- commit 77a2527
- blacklist.conf: Blacklist cc12a6f25e07
- commit 3c8b58f
- ext4: avoid unaccounted block allocation when expanding inode
(bsc#1207634).
- commit 9e6d432
- ext4: initialize quota before expanding inode in setproject
ioctl (bsc#1207633).
- commit b8cc1a5
- ext4: fix deadlock due to mbcache entry corruption
(bsc#1207653).
- commit cb6b593
- igb: revert rtnl_lock() that causes deadlock (git-fixes).
- Refresh patches.suse/igb-Enable-SR-IOV-after-reinit.patch.
- commit e174406
- fs: dlm: handle -EBUSY first in lock arg validation (git-fixes).
- commit ba06019
- fs: dlm: fix race between test_bit() and queue_work()
(git-fixes).
- commit af66625
- dlm: fix missing lkb refcount handling (git-fixes).
- commit 1fdc07a
- dlm: fix plock invalid read (git-fixes).
- commit 5846a6b
- fs: dlm: filter user dlm messages for kernel locks (git-fixes).
- commit 70cf60c
- fs: dlm: fix memory leak when fenced (git-fixes).
- commit d603d38
- fs: dlm: cancel work sync othercon (git-fixes).
- commit ae6c300
- fs: dlm: fix debugfs dump (git-fixes).
- commit 93164bc
- fs: dlm: fix configfs memory leak (git-fixes).
- commit afdd8b1
- dlm: fix invalid cluster name warning (git-fixes).
- commit a02356b
- dlm: NULL check before kmem_cache_destroy is not needed
(git-fixes).
- commit 7f3aa73
- dlm: fix missing idr_destroy for recover_idr (git-fixes).
- commit 5d97801
- dlm: fix possible call to kfree() for non-initialized pointer
(git-fixes).
- commit 52d34af
- dlm: Delete an unnecessary variable initialisation in
dlm_ls_start() (git-fixes).
- commit 8663a16
- ext4: avoid BUG_ON when creating xattrs (bsc#1205496).
- commit 349d51a
- ext4: fix error code return to user-space in ext4_get_branch()
(bsc#1207630).
- commit f7cb6ba
- ext4: init quota for 'old.inode' in 'ext4_rename' (bsc#1207629).
- commit ffba993
- ext4: fix bug_on in __es_tree_search caused by bad boot loader
inode (bsc#1207620).
- commit cccc3e5
- ext4: add inode table check in __ext4_get_inode_loc to avoid
possible infinite loop (bsc#1207617).
- commit 859359e
- jbd2: fix assertion 'jh->b_frozen_data == NULL' failure when
journal aborted (bsc#1202716).
- commit e85fc79
- blacklist.conf: Blacklist 310c097c2bdb
- commit 522a9c3
- fs: prevent BUG_ON in submit_bh_wbc() (bsc#1212990).
Refresh patches.suse/ext4-fix-error-code-in-ext4_commit_super.patch
- commit daeb235
- jbd2: abort journal if free a async write error metadata buffer
(bsc#1212989).
- commit 5f2b1c4
- jbd2: fix data races at struct journal_head (bsc#1173438).
- commit 7c8dc88
- blacklist.conf: Blacklist 24dc9864914e
- commit b656355
- jbd2: Fix statistics for the number of logged blocks
(bsc#1212988).
- commit 9de4b16
- jbd2: fix invalid descriptor block checksum (bsc#1212987).
- commit 8705ef8
- jbd2: fix race when writing superblock (bsc#1212986).
- commit 6256642
- blacklist.conf: Add 6f363f5aa845 cgroup: Do not corrupt task iteration when rebinding subsystem
- commit e6c7d2e
- patches.suse/btrfs-unset-reloc-control-if-transaction-commit-fail.patch:
(bsc#1212051).
- commit f5c0b6d
- python3-base
-
- (bsc#1214691, CVE-2022-48566) Add
CVE-2022-48566-compare_digest-more-constant.patch to make
compare_digest more constant-time.
- (bsc#1214685, CVE-2022-48565) Add
CVE-2022-48565-plistlib-XML-vulns.patch (from
gh#python/cpython#86217) reject XML entity declarations in
plist files.
- (bsc#1214677, CVE-2022-48564) Add
CVE-2022-48564-DoS-read_ints-plistlib.patch fixing
gh#python/cpython#86269 (backport from 3.6), which prevents DoS
when processing malformed Apple Property List files in binary
format.
- Skip test_plistlib.test_identity test on aarch64.
- (bsc#1210638, CVE-2023-27043) Add
CVE-2023-27043-email-parsing-errors.patch, which detects email
address parsing errors and returns empty tuple to indicate the
parsing error (old API).
- Add 99366-patch.dict-can-decorate-async.patch fixing
gh#python/cpython#98086 (backport from Python 3.10 patch in
gh#python/cpython!99366), fixing bsc#1211158.
- Add stack_overflow_test_endless_recursion.patch to avoid
failing test.
- Add CVE-2007-4559-filter-tarfile_extractall.patch to fix
CVE-2007-4559 (bsc#1203750) by adding the filter for
tarfile.extractall (PEP 706).
CURRENTLY SWITCHED OFF, AS IT IS STILL WIP AND UNDEBUGGED
- Use python3 modules to build the documentation.