- sudo
-
- Fix NOPASSWD issue introduced by patches for CVE-2023-42465
[bsc#1221151, bsc#1221134]
* Update sudo-CVE-2023-42465-1of2.patch sudo-CVE-2023-42465-2of2.patch
* Enable running regression selftests during build time.
- libzypp
-
- Url: Hide known password entires when writing the query part
(bsc#1050625 bsc#1177583, CVE-2017-9271)
- version 16.22.13 (0)
- applydeltaprm: Create target directory if it does not exist
(bsc#1219442)
- version 16.22.12 (0)
- _product:sle-sdk-release
-
n/a
- python-requests
-
- Add CVE-2024-35195.patch (CVE-2024-35195, bsc#1224788)
- Add httpbin.patch to fix a test failure caused by the previous patch.
- shim
-
- Update shim to 15.8-150300.4.20.2 from SLE15-SP3
+ Version: 15.8, "Thu Apr 18 2024"
+ Update the SLE signatures
+ Include the fixes for (bsc#1215099,CVE-2023-40546),
(bsc#1215098,CVE-2023-40547), (bsc#1215103,CVE-2023-40551),
(bsc#1215102,CVE-2023-40550), (bsc#1215101,CVE-2023-40549),
(bsc#1215100,CVE-2023-40548), bsc#1205588, bsc#1202120, bsc#1201066,
(bsc#1198458, CVE-2022-28737), bsc#1198101, bsc#1193315, bsc#1193282
- python-pyOpenSSL
-
- Add CVE-2018-1000807-8_use_after_free_X509.patch to fix
CVE-2018-1000807 (bsc#1111635) and CVE-2018-1000808 (bsc#1111634)
fix a memory leak and a potential UAF and also #722 (#723)
sanity check
bump cryptography minimum version, add changelog
- Add skip_user_after_free_tests.patch to pass the test suite.
- bsc#1021578 add move_cryptography_backend_import.patch to avoid bad
interaction with python-cryptography package.
- nghttp2
-
- security update
- added patches
fix CVE-2024-28182 [bsc#1221399], HTTP/2 CONTINUATION frames can be utilized for DoS attacks
+ nghttp2-CVE-2024-28182-1.patch
fix CVE-2024-28182-2 [bsc#1221399], HTTP/2 CONTINUATION frames can be utilized for DoS attacks
+ nghttp2-CVE-2024-28182-2.patch
- zypper
-
- clean: Do not report an error if no repos are defined at all
(bsc#1223971)
- version 1.13.66
- suseconnect-ng
-
- Update to version 1.9.0
* Fix certificate import for Yast when using a registration proxy with
self-signed SSL certificate (bsc#1223107)
- Update to version 1.8.0
* Allow "--rollback" flag to run on readonly filesystem (bsc#1220679)
- shadow
-
- bsc#1188307: Fix passwd segfault
Add shadow-bsc1188307-passwd-segfault.patch
- perl-Bootloader
-
- merge gh#openSUSE/perl-bootloader#166
- log grub2-install errors correctly (bsc#1221470)
- 0.947
- merge gh#openSUSE/perl-bootloader#161
- support old grub versions (<= 2.02) that used /usr/lib
(bsc#1218842)
- create EFI boot fallback directory if necessary
- 0.946
- merge gh#openSUSE/perl-bootloader#157
- bootloader_entry script can have an optional 'force-default'
argument (bsc#1215064)
- skip warning about unsupported options when in compat mode
- 0.945
- xen
-
- bsc#1222453 - VUL-0: CVE-2024-2201: xen: x86: Native Branch
History Injection (XSA-456)
661560b9-x86-use-indirect-calls-in-reset-stack.patch
661560ba-x86-drop-INDIRECT_JMP.patch
661560bb-x86-TSX-expose-RTM_ALWAYS_ABORT.patch
661560bc-x86-spec-ctrl-support-BHI_DIS_S.patch
661560bd-x86-spec-ctrl-BHB-clearing-sequences.patch
661560be-x86-spec-ctrl-wire-up-native-BHI-sequences.patch
661560bf-x86-spec-ctrl-long-BHB-loop-sequence.patch
- Upstream bug fixes and renamed patches (bsc#1027519)
61a4db41-wait-remove-indirect-jump.patch
65bbf68a-x86-spec-ctrl-expose-IPRED_CTRL.patch
65bbf68b-x86-spec-ctrl-expose-RRSBA_CTRL.patch
65bbf68c-x86-spec-ctrl-expose-BHI_CTRL.patch
65c37b93-VMX-tertiary-exec-control.patch
66100277-x86-TSX-cope-with-ALWAYS_ABORT-vs-RTM-mismatch.patch
66155013-x86-dont-expose-IPRED-RRSBA-BHI-ctrl-to-PV.patch
661560b1-x86-rename-spec_ctrl_flags.patch
661560b2-x86-spec-ctrl-rework-cond-safety-for-ENTRY.patch
661560b3-x86-entry-arrange-for-r14-to-be-STACK_END-across.patch
661560b4-x86-spec_ctrl-hold-SCF-in-ebx-across-ENTRY-PV-INTR.patch
661560b5-x86-spec-ctrl-simplify-DO_COND_IBPB.patch
661560b6-x86-spec-ctrl-detail-the-safety-in-ENTRY.patch
661560b7-VMX-support-virtualize-SPEC_CTRL.patch
661560b8-x86-spec-ctrl-widen-fields.patch
xsa455.patch -> 661560b0-x86-spec-ctrl-Fix-BTC-SRSO-mitigations.patch
xsa454-1.patch -> 66152b54-hypercall_xlat_continuation-replace-BUG_ON.patch
xsa454-2.patch -> 66152b54-x86-HVM-clear-upper-halves-of-GPRs-upon.patch
- Correction to the following patch
646e51b7-x86-TSX-remove-opencoded-MSR_ARCH_CAPS-check.patch
- Upstream bug fixes (bsc#1027519)
65cb29fe-x86-HVM-tidy-state-on-hvmemul_map_linear_addr.patch
65ddea7c-x86-spec-set-INDIRECT_THUNK-only-when-enabled.patch
65ddea90-x86-spec-dont-log-thunk-option-if-not.patch
- bsc#1222302 - VUL-0: CVE-2024-31142: xen: x86: Incorrect logic
for BTC/SRSO mitigations (XSA-455)
xsa455.patch
- Upstream bug fixes (bsc#1027519)
652fef4f-x86-AMD-erratum-1485.patch
6532858d-x86-DOITM.patch
6566fef3-x86-vLAPIC-x2APIC-derive-LDR-from-APIC-ID.patch
6569ad03-libxg-mem-leak-in-cpu-policy-get-set.patch
656ee5e1-x86emul-avoid-triggering-event-assertions.patch
656ee6c3-domain_create-error-path.patch
65842d5c-x86-AMD-extend-CPU-erratum-1474-fix.patch
659d44da-x86-HVM-hide-SVM-VMX-when.patch
65a7a0a4-x86-Intel-GPCC-setup.patch
65b27990-x86-p2m-pt-off-by-1-in-entry-check.patch
- bsc#1221984 - VUL-0: CVE-2023-46842: xen: x86 HVM hypercalls may
trigger Xen bug check (XSA-454)
xsa454-1.patch
xsa454-2.patch
- Code and comment adjustments to previous fixes
62cd91d5-x86-cpuid-BTC_NO-enum.patch
636a9130-x86-spec-ctrl-Enumeration-for-IBPB_RET.patch
642d51ac-x86-remove-temporary-policy-defines.patch
64bea1b2-x86-AMD-Zenbleed.patch
64d24f05-x86-spec-ctrl-mitigate-SRSO.patch
65f079a3-x86-spec-ctrl-rename-VERW-related-options.patch
65f079aa-locking-wrappers-always-inline.patch
- Upstream bug fixes (bsc#1027519)
5dfce874-x86-APIC-force-phys-if-no-intremap.patch
5e5930f7-AMD-IOMMU-correct-handling-when-XT-prereqs.patch
5e67a376-AMD-IOMMU-no-XT-x2APIC-phys.patch
616e7cfe-x86-paging-restrict-paddr-width-reported.patch
61e0296a-x86-time-calibration-relative-counts.patch
61e029c8-x86-time-TSC-freq-calibration-accuracy.patch
61f7b2af-libxl-dont-touch-nr_vcpus_out-if-listing.patch
61f933a4-x86-cpuid-advertise-SSB_NO.patch
625fca42-VT-d-reserved-CAP-ND.patch
626f7ee8-x86-MSR-handle-P5-MC-reads.patch
627549d6-IO-shutdown-race.patch
62d65105-x86-spec-ctrl-MD_CLEAR-reporting.patch
62d807c1-x86-suppress-MMX.patch
62ecfc08-VMX-use-IST-RSB-protection.patch
62f5f479-PCI-simplify-and-thus-correct-pci_get_pdev-.patch
6346e404-VMX-correct-error-handling-in-vmx_create_vmcs.patch
635274c0-EFI-dont-convert-runtime-mem-to-RAM.patch
637b5f4f-efifb-ignore-invalid.patch
63a03e28-x86-high-freq-TSC-overflow.patch
6419697d-AMD-IOMMU-no-XT-x2APIC-phys.patch
6424a76c-xenstore-quota-check-in-acc_fix_domains.patch
646b782b-PCI-pci_get_pdev-respect-segment.patch
648863fc-AMD-IOMMU-Invalidate-All-check.patch
64c7b1ac-x86-Zen2-disable-C6-after-1000-days.patch
64e6459b-revert-VMX-sanitize-rIP-before-reentering.patch
64eef7e9-x86-reporting-spurious-i8259-interrupts.patch
- bsc#1221332 - VUL-0: CVE-2023-28746: xen: x86: Register File Data
Sampling (XSA-452)
65dcd66b-x86-entry-EFRAME_-constants.patch
65e2371b-x86-CP-allow-levelling-of-VERW-side-effects.patch
65f079a1-VMX-perform-VERW-flushing-later.patch
65f079a2-x86-spec-ctrl-perform-VERW-flushing-later.patch
65f079a3-x86-spec-ctrl-rename-VERW-related-options.patch
65f079a4-x86-spec-ctrl-VERW-handling-adjustments.patch
65f079a5-x86-spec-ctrl-mitigate-RFDS.patch
- bsc#1221334 - VUL-0: CVE-2024-2193: xen: GhostRace: Speculative
Race Conditions (XSA-453)
60700077-x86-vpt-avoid-pt_migrate-rwlock.patch
650dac01-x86-paging-drop-update_cr3-do_locking.patch
65f079a6-swap-order-of-actions-in-FREE-macros.patch
65f079a7-x86-spinlock-block-speculation-into.patch
65f079a8-rwlock-block-speculation-into.patch
65f079a9-percpu-rwlock-block-speculation-into.patch
65f079aa-locking-wrappers-always-inline.patch
65f079ab-x86-mm-speculation-barriers-in-open-coded.patch
65f079ac-x86-protect-conditional-locking-from-speculative.patch
- Upstream bug fixes and renamed patches (bsc#1027519)
xsa368.patch -> 60535c11-libxl-Fix-domain-soft-reset-state-handling.patch
xsa370.patch -> 60913ab0-non-shim-32bit-PV-doc-speculative-status.patch
xsa376.patch -> 61dd5f64-limit-support-statement-for-Linux-and-Windows-frontends.patch
xsa393.patch -> 61efec1d-Arm-P2M-always-clear-entry-on-mapping-removal.patch
xsa394.patch -> 61efec4d-gnttab-only-decrement-refcounter-on-final-unmap.patch
xsa395.patch -> 61efec96-IOMMU-x86-stop-pirq-iteration-immediately-on-error.patch
xsa397.patch -> 624c31f2-x86-HAP-dont-switch-on-log-dirty-for.patch
xsa398-1.patch -> 62278667-Arm-introduce-new-processors.patch
xsa398-2.patch -> 62278668-Arm-move-errata-CSV2-check-earlier.patch
xsa398-3.patch -> 62278669-Arm-add-ECBHB-and-CLEARBHB-ID-fields.patch
xsa398-4.patch -> 6227866a-Arm-Spectre-BHB-handling.patch
xsa398-5.patch -> 6227866b-Arm-allow-SMCCC_ARCH_WORKAROUND_3-use.patch
xsa398-6.patch -> 6227866c-x86-AMD-cease-using-thunk-lfence.patch
xsa399.patch -> 624c322b-VT-d-correct-order-in-cleanup_domid_map.patch
xsa400-00.patch -> 619e0e9c-VT-d-split-domid-map-cleanup-check.patch
xsa400-01.patch -> 624c32e5-VT-d-fix-de-assign-ordering-with-RMRRs.patch
xsa400-02.patch -> 624c330a-VT-d-fix-add-remove-ordering-with-RMRRs.patch
xsa400-03.patch -> 624c3351-VT-d-drop-ownership-checking-from-dcm1.patch
xsa400-04.patch -> 624c3366-VT-d-re-assign-devices-directly.patch
xsa400-05.patch -> 624c337c-AMD-IOMMU-re-assign-devices-directly.patch
xsa400-06.patch -> 624c3392-VT-d-prepare-per-dev-quarantine-pt-I.patch
xsa400-07.patch -> 624c33a8-VT-d-prepare-per-dev-quarantine-pt-II.patch
xsa400-08.patch -> 624c33be-IOMMU-x86-maintain-per-dev-pseudo-domID.patch
xsa400-09.patch -> 624c33de-IOMMU-x86-drop-TLB-flushes-from-qinit.patch
xsa400-10.patch -> 624c33f4-AMD-IOMMU-abstract-max-pt-levels.patch
xsa400-11.patch -> 624c34f2-IOMMU-x86-use-per-dev-pts-for-quarantine.patch
xsa401-1.patch -> 62a1e594-x86-clean-up-_get_page_type.patch
xsa401-2.patch -> 62a1e5b0-x86-ABAC-race-in-_get_page_type.patch
xsa402-0.patch -> 5d31ae8e-x86-Intel-clear-cache-self-snoop-when.patch
xsa402-1.patch -> 62a1e5d2-x86-introduce-_PAGE_-for-mem-types.patch
xsa402-2.patch -> 62a1e5f0-x86-dont-change-cacheability-of-directmap.patch
xsa402-3.patch -> 62a1e60e-x86-split-cache_flush-out-of-cache_writeback.patch
xsa402-4.patch -> 62a1e62b-x86-AMD-work-around-CLFLUSH-ordering.patch
xsa402-5.patch -> 62a1e649-x86-track-and-flush-non-coherent.patch
xsa404-1.patch -> 62ab0fab-x86-spec-ctrl-VERW-flushing-runtime-cond.patch
xsa404-2.patch -> 62ab0fac-x86-spec-ctrl-enum-for-MMIO-Stale-Data.patch
xsa404-3.patch -> 62ab0fad-x86-spec-ctrl-add-unpriv-mmio.patch
xsa407-0a.patch -> 61e98e8a-x86-spec-ctrl-drop-ENTRY-EXIT-HVM.patch
xsa407-0b.patch -> 61f933a5-x86-drop-use_spec_ctrl-boolean.patch
xsa407-0c.patch -> 61f933a6-x86-new-has_spec_ctrl-boolean.patch
xsa407-0d.patch -> 61f933a7-x86-dont-use-spec_ctrl-enter-exit-for-S3.patch
xsa407-0e.patch -> 61f933a9-x86-SPEC_CTRL-use-common-logic-for-AMD.patch
xsa407-0f.patch -> 62bdd840-x86-spec-ctrl-only-adjust-idle-with-legacy-IBRS.patch
xsa407-0g.patch -> 62bdd841-x86-spec-ctrl-knobs-for-STIBP-and-PSFD.patch
xsa407-0h.patch -> 62cc31ee-cmdline-extend-parse_boolean.patch
xsa407-0i.patch -> 62cc31ef-x86-spec-ctrl-fine-grained-cmdline-subopts.patch
xsa407-1.patch -> 62cd91d0-x86-spec-ctrl-rework-context-switching.patch
xsa407-2.patch -> 62cd91d1-x86-spec-ctrl-rename-SCF_ist_wrmsr.patch
xsa407-3.patch -> 62cd91d2-x86-spec-ctrl-rename-opt_ibpb.patch
xsa407-4.patch -> 62cd91d3-x86-spec-ctrl-rework-SPEC_CTRL_ENTRY_FROM_INTR_IST.patch
xsa407-5.patch -> 62cd91d4-x86-spec-ctrl-IBPB-on-entry.patch
xsa407-6.patch -> 62cd91d5-x86-cpuid-BTC_NO-enum.patch
xsa407-7.patch -> 62cd91d6-x86-spec-ctrl-enable-Zen2-chickenbit.patch
xsa407-8.patch -> 62cd91d7-x86-spec-ctrl-mitigate-Branch-Type-Confusion.patch
xsa408.patch -> 62dfe40a-x86-mm-gpt-TLB-flush-condition.patch
xsa410-01.patch -> 63455f82-Arm-P2M-prevent-adding-mapping-when-dying.patch
xsa410-02.patch -> 63455fa8-Arm-P2M-preempt-when-freeing-intermediate.patch
xsa410-03.patch -> 63455fc3-x86-p2m_teardown-allow-skip-root-pt-removal.patch
xsa410-04.patch -> 63455fe4-x86-HAP-monitor-table-error-handling.patch
xsa410-05.patch -> 63456000-x86-tolerate-sh_set_toplevel_shadow-failure.patch
xsa410-06.patch -> 6345601d-x86-tolerate-shadow_prealloc-failure.patch
xsa410-07.patch -> 6345603a-x86-P2M-refuse-new-alloc-for-dying.patch
xsa410-08.patch -> 63456057-x86-P2M-truly-free-paging-pool-for-dying.patch
xsa410-09.patch -> 63456075-x86-P2M-free-paging-pool-preemptively.patch
xsa410-10.patch -> 63456090-x86-p2m_teardown-preemption.patch
xsa411.patch -> 634561aa-gnttab-locking-on-transitive-copy-error-path.patch
xsa422-01.patch -> 636a9130-x86-spec-ctrl-Enumeration-for-IBPB_RET.patch
xsa422-02.patch -> 636a9130-x86-spec-ctrl-Mitigate-IBPB-not-flushing-the-RSB-RAS.patch
xsa427.patch -> 64199e0c-x86-shadow-account-for-log-dirty-mode.patch
xsa428-1.patch -> 64199e0d-x86-HVM-bound-number-of-pca-regions.patch
xsa428-2.patch -> 64199e0e-x86-HVM-serialize-pca-list-manipulation.patch
xsa429.patch -> 64199e0f-x86-spec-ctrl-defer-CR4_PV32_RESTORE-for-CSTAR.patch
xsa433.patch -> 64bea1b2-x86-AMD-Zenbleed.patch
xsa434-1.patch -> 64d24f03-x86-spec-ctrl-rework-ibpb_calculations.patch
xsa434-2.patch -> 64d24f04-x86-spec-ctrl-enumerations-for-SRSO.patch
xsa434-3.patch -> 64d24f05-x86-spec-ctrl-mitigate-SRSO.patch
xsa435-0-01.patch -> 5d728656-x86-extend-cpuid-option-to-support-all.patch
xsa435-0-02.patch -> 5e581082-x86-gen-cpuid-rework-logic-to-ease.patch
xsa435-0-03.patch -> 6081bae4-x86-cpuid-LFENCE-always-serialising.patch
xsa435-0-04.patch -> 60c90488-x86-MSR-expose-MSR_ARCH_CAPS-in-policies.patch
xsa435-0-05.patch -> 6202afa8-x86-spec-ctrl-clean-up-MSR_MCU_OPT_CTRL-handling.patch
xsa435-0-06.patch -> 60be3097-x86-cpuid-drop-special_features.patch
xsa435-0-07.patch -> 61bba121-x86-cpuid-split-dom0-handling-out-of-init_.patch
xsa435-0-08.patch -> 61bba121-x86-cpuid-factor-common-parsing-out-of.patch
xsa435-0-09.patch -> 61bba121-x86-dom0-cpuid-cmdline-option.patch
xsa435-0-10.patch -> 61f2dd76-x86-migration-compatibility-MSR_SPEC_CTRL.patch
xsa435-0-11.patch -> 62f27ebd-x86-expose-more-MSR_ARCH_CAPS-to-hwdom.patch
xsa435-0-12.patch -> 62f51e16-x86-spec-ctrl-enumerate-PBRSB_NO.patch
xsa435-0-13.patch -> 63e53ac9-x86-cpuid-infrastructure-leaves-7-1.patch
xsa435-0-14.patch -> 640f0862-x86-spec-ctrl-add-BHI-controls-to.patch
xsa435-0-15.patch -> 640f0862-x86-spec-ctrl-enumerate-DDP.patch
xsa435-0-16.patch -> 640f0861-tools-xen-cpuid-dash-as-separator.patch
xsa435-0-17.patch -> 640f0862-tools-xen-cpuid-rework-handling-of-dynamic.patch
xsa435-0-18.patch -> 640f0863-x86-sysctl-Retrofit-XEN_SYSCTL_cpu_featureset-max.patch
xsa435-0-19.patch -> 642d51a0-x86-rename-struct-cpu_policy-to-old.patch
xsa435-0-20.patch -> 642d51a1-x86-rename-domctl-sysctl-cpu_policy-msr-fields.patch
xsa435-0-21.patch -> 642d51a2-x86-rename-struct-cpuid_policy-to-cpu_policy.patch
xsa435-0-22.patch -> 642d51a3-x86-merge-struct-msr_policy-into-cpu_policy.patch
xsa435-0-23.patch -> 642d51a4-x86-merge-system-cpuid-msr-policies.patch
xsa435-0-24.patch -> 642d51a5-x86-merge-domain-cpuid-msr-policies.patch
xsa435-0-25.patch -> 642d51a6-x86-drop-struct-old_cpu_policy.patch
xsa435-0-26.patch -> 642d51a7-x86-out-of-inline-policy-featureset-convertors.patch
xsa435-0-27.patch -> 642d51a8-x86-boot-move-MSR-policy-init-logic-into.patch
xsa435-0-28.patch -> 642d51a9-x86-boot-merge-CPUID-policy-init-logic-into.patch
xsa435-0-29.patch -> 642d51aa-x86-emul-switch-x86_emulate_ctxt-to-cpu_policy.patch
xsa435-0-30.patch -> 642d51ab-libx86-update-library-API-for-cpu_policy.patch
xsa435-0-31.patch -> 642d51ac-x86-remove-temporary-policy-defines.patch
xsa435-0-32.patch -> 6462035f-x86-cpuid-Calculate-FEATURESET_NR_ENTRIES-more-helpfully.patch
xsa435-0-33.patch -> 646e51b0-x86-boot-rework-dom0-feature-configuration.patch
xsa435-0-34.patch -> 646e51b1-x86-boot-adjust-MSR_ARCH_CAPS-handling-for-Host.patch
xsa435-0-35.patch -> 646e51b2-x86-cpu-policy-infrastructure-for-MSR_ARCH_CAPS.patch
xsa435-0-36.patch -> 646e51b3-x86-cpu-policy-MSR_ARCH_CAPS-names.patch
xsa435-0-37.patch -> 646e51b4-x86-boot-record-MSR_ARCH_CAPS-for-Raw-and-Host.patch
xsa435-0-38.patch -> 646e51b5-x86-boot-expose-MSR_ARCH_CAPS-in-guest-max.patch
xsa435-0-39.patch -> 646e51b6-VT-x-remove-opencoded-MSR_ARCH_CAPS-check.patch
xsa435-0-40.patch -> 646e51b7-x86-TSX-remove-opencoded-MSR_ARCH_CAPS-check.patch
xsa435-0-41.patch -> 646e51b9-x86-spec-ctrl-remove-opencoded-MSR_ARCH_CAPS-check.patch
xsa435-0-42.patch -> 64763137-x86-spec-ctrl-update-hints.patch
xsa435-0-43.patch -> 648c6258-x86-spec-ctrl-rendering-of-FB_CLEAR.patch
xsa435-0-44.patch -> 648c6259-x86-spec-ctrl-rename-retpoline_safe-to.patch
xsa435-0-45.patch -> 648c625a-x86-spec-ctrl-fix-up-RSBA-RRSBA-bits.patch
xsa435-0-46.patch -> 648c625b-x86-cpu-policy-derive-RSBA-RRSBA-for-guest.patch
xsa435-0-47.patch -> 64c0edc7-x86-cpu-policy-advertise-MSR_ARCH_CAPS.patch
xsa435-0-48.patch -> 609185e7-libxl-dont-ignore-retval-from-xc_cpuid_apply_policy.patch
xsa435-0-49.patch -> 64c0edc8-libs-guest-introduce-support-for-setting-guest-MSRs.patch
xsa435-0-50.patch -> 64c0edc9-libxl-introduce-MSR-data-in-libxl_cpuid_policy.patch
xsa435-0-51.patch -> 64c0edca-libxl-split-logic-to-parse-user-provided-features.patch
xsa435-0-52.patch -> 64c0edcb-libxl-use-cpuid-feature-names-from.patch
xsa435-0-53.patch -> 64c0edcc-libxl-support-parsing-MSR-features.patch
xsa435-0-54.patch -> xsa435-0.patch
xsa435-1.patch -> 64d24f05-x86-cpu-policy-hide-CLWB-by-default-on.patch
xsa435-2.patch -> 64d24f05-x86-spec-ctrl-enumerate-GDS.patch
xsa435-3.patch -> 64d24f05-x86-spec-ctrl-mitigate-GDS.patch
xsa438.patch -> 650abbfe-x86-shadow-defer-PV-top-level-release.patch
xsa439-1.patch -> 65087000-x86-spec-ctrl-SPEC_CTRL_EXIT_TO_XEN-confusion.patch
xsa439-2.patch -> 65087001-x86-spec-ctrl-fold-DO_SPEC_CTRL_EXIT_TO_XEN.patch
xsa439-3.patch -> 65087002-x86-spec-ctrl-SPEC_CTRL-ENTRY-EXIT-asm-macros.patch
xsa439-4.patch -> 65087003-x86-spec-ctrl-SPEC_CTRL-ENTER-EXIT-comments.patch
xsa439-5.patch -> 65087004-x86-entry-restore_all_xen-stack_end.patch
xsa439-6.patch -> 65087005-x86-entry-track-IST-ness-of-entry.patch
xsa439-7.patch -> 65087006-x86-spec-ctrl-VERW-on-IST-exit-to-Xen.patch
xsa439-8.patch -> 65087007-x86-AMD-Zen-1-2-predicates.patch
xsa439-9.patch -> 65087008-x86-spec-ctrl-Zen1-DIV-leakage.patch
xsa442.patch -> 65263470-AMD-IOMMU-flush-TLB-when-flushing-DTE.patch
xsa443-01.patch -> 65263471-libfsimage-xfs-remove-dead-code.patch
xsa443-02.patch -> 65263472-libfsimage-xfs-amend-mask32lo.patch
xsa443-03.patch -> 65263473-libfsimage-xfs-sanity-check-superblock.patch
xsa443-04.patch -> 65263474-libfsimage-xfs-compile-time-check.patch
xsa443-05.patch -> 65263475-pygrub-remove-unnecessary-hypercall.patch
xsa443-06.patch -> 65263476-pygrub-small-refactors.patch
xsa443-07.patch -> 65263477-pygrub-open-output-files-earlier.patch
xsa443-08.patch -> 65263478-libfsimage-function-to-preload-plugins.patch
xsa443-09.patch -> 65263479-pygrub-deprivilege.patch
xsa443-10.patch -> 6526347a-libxl-allow-bootloader-restricted-mode.patch
xsa443-11.patch -> 6526347b-libxl-limit-bootloader-when-restricted.patch
xsa444-1.patch -> 6526347c-SVM-fix-AMD-DR-MASK-context-switch-asymmetry.patch
xsa444-2.patch -> 6526347d-x86-PV-auditing-of-guest-breakpoints.patch
xsa445.patch -> 65536847-AMD-IOMMU-correct-level-for-quarantine-pt.patch
xsa446.patch -> 65536848-x86-spec-ctrl-remove-conditional-IRQs-on-ness.patch
xsa449.patch -> 65b8f961-PCI-fail-dev-assign-if-phantom-functions.patch
- bsc#1220141 - Call trace of XSAVE consistency problem in sle15sp6
PV domU on XEN
6306185f-x86-XSTATE-CPUID-subleaf-1-EBX.patch
- systemd
-
- Import commit 15ca9f01c18a8037bf26b1a85fee344c65944268
eedf77456d util: improve comments why we ignore EACCES and EPERM
2018a0d492 util: bind_remount_recursive_with_mountinfo(): ignore submounts which cannot be accessed
4c98cb57e2 namespace: don't fail on masked mounts (#3794) (bsc#1220285)
7dd5e84ab6 man: Document ranges for distributions config files and local config files
7282534592 Recommend drop-ins over modifications to the main config file
29e632c34a man: reword the description of "main conf file"
e903f529e8 man: rework section about configuration file precedence
4438e1be12 man: document paths under /usr/local in standard-conf.xml
- bind
-
- Security Fixes:
* Validating DNS messages containing a lot of DNSSEC signatures
could cause excessive CPU load, leading to a denial-of-service
condition. This has been fixed. (CVE-2023-50387)
[bsc#1219823, bind-CVE-2023-50387-CVE-2023-50868.patch]
* Preparing an NSEC3 closest encloser proof could cause excessiv
CPU load, leading to a denial-of-service condition. This has
been fixed. (CVE-2023-50868)
[bsc#1219826, bind-CVE-2023-50387-CVE-2023-50868.patch]
* Parsing DNS messages with many different names could cause
excessive CPU load. This has been fixed. (CVE-2023-4408)
[bsc#1219851, bind-CVE-2023-4408.patch]
- openssl-1_1
-
- Apply "openssl-CVE-2024-4741.patch" to fix a use-after-free
security vulnerability. Calling the function SSL_free_buffers()
potentially caused memory to be accessed that was previously
freed in some situations and a malicious attacker could attempt
to engineer a stituation where this occurs to facilitate a
denial-of-service attack. [CVE-2024-4741, bsc#1225551]
- Security fix: [bsc#1219243, CVE-2024-0727]
* Add NULL checks where ContentInfo data can be NULL
* Add openssl-CVE-2024-0727.patch
- python-typing
-
- Update to 3.10.0.0
* Implement TypeGuard (PEP 649)
* backport ParamSpecArgs/Kwargs
* Fixed required/optional keys with old-style TypedDict
* Bring in protocol’s __init__ behaviour same like in python > 3.8
* Support PEP 612 in typing_extensions (Python 3)
* Also run python 3.9 in CI
* Add OrderedDict to typing_extensions
* Only allow installing this package for Python 2.7 and 3.4
* Document availability of Annotated
* Update test_typing_extensions.py
* Apply get_args fix from bpo-40398 to typing_extensions
* Fix tests failing with 3.10.0a2+
* Fix stray close paren
* Update README
* Disable 3.5.1 build -- can't install psutils needed by pytest-xdist
* Bump typing_extensions version to 3.7.4.3
* Remove extra 'use' in readme
- from version 3.7.4.3
* Revert last two changes; bump version to 3.7.4.3
- from version 3.7.4.2
* Disallow installation on 3.5+
* Add tox.ini for typing_extensions
* Add PEP 613 TypeAlias to typing_extensions
* Make tests for Annotated work with Python 3.9
* Remove Python 3.3 from tox.ini
* Fix flake8 failure by using Python 3.8
* Add SupportsIndex, added in Python 3.8
* Update package metadata
* Bump typing_extensions version to 3.7.4.2
* Fix ForwardRef hash and equality checks
* Fix required and optional keys inheritance for TypedDict
* Replace asyncio.coroutine with async-await
* Reuse stdlib PEP 593 implementation in typing_extensions if present
* Add .vscode and .egg-info to gitignore
* Backport get_origin() and get_args()
* Add clarification to package description
* Track optional TypdeDict keys
* Accept arbitrary keyword names in NamedTuple() and TypedDict()
* Bump typing_extensions version
* Add missing objects in typing_extensions/README.rst
- from version 3.7.4.1
* Fix isinstance() with generic protocol subclasses after subscripting
* Try fixing Travis build
+ fix tests for non-default interpreters
* Use environment marker to specify typing dependency
* Fix unions of protocols on Python 2
* Bump typing_extensions version and typing dependency version
- from version 3.7.4
* Fix subclassing builtin protocols on older Python versions
* Move Protocol, runtime_checkable, Final, final, Literal, and TypedDict to typing
* Add support for Python 3.8 in typing_extensions
* Unify the implementation of annotated in src_py2 and src_py3
* Add Annotated in python2
* Pep 593 py3
* Drop support of Python 3.3
* [typing-extensions] Simple implementation for IntVar
* Add a python 3.7+ version of Annotated to typing_extensions
* Add SupportsIndex
* Add TypedDict to typing_extensions
* .travis.yml: The 'sudo' tag is now deprecated in Travis CI
* Add Final to the README
* Run the tests using the current Python executable
* Fix GeneralMeta.__instancecheck__() for old style classes
* Bump typing_extensions version
* Add Literal[...] types to typing_extensions
* Fix instance/subclass checks of functions against runtime protocols
* Bump typing_extension version
* Improve PyPI entry for typing_extensions
* Add Final to typing_extensions
- from version 3.6.6
* Include license file for typing-extensions and in wheels
* Fix IO.closed to be property
* Backport Generic.__new__ fix
* Bump typing_extensions version before release
* Add missing 'NoReturn' to __all__ in typing.py
* Add annotations to NamedTuple children __new__ constructors
* Fix typing_extensions to support PEP 560
* Fix for issue #524
* Pass *args and **kwargs to superclass in Generic.__new__
- Rename README.rst to README.md in %doc section
- libfastjson
-
- fix CVE-2020-12762 integer overflow and out-of-bounds write via a
large JSON file (bsc#1171479)
add 0001-Fix-CVE-2020-12762.patch
- ncurses
-
- Add patch ncurses-5.9-bsc1220061.patch (bsc#1220061, CVE-2023-45918)
* Backport from ncurses-6.4-20230615.patch
improve checks in convert_string() for corrupt terminfo entry
- python36
-
- Add bpo38361-syslog-no-slash-ident.patch (bsc#1222109,
gh#python/cpython!16557) fixes syslog making default "ident"
from sys.argv[0].
- Update CVE-2023-52425-libexpat-2.6.0-backport.patch so that
it uses features sniffing, not just comparing version number
(bsc#1220664, bsc#1219559, bsc#1221563, bsc#1222075).
- Remove support-expat-CVE-2022-25236-patched.patch, which was
the previous name of this patch.
- Add CVE-2023-52425-remove-reparse_deferral-tests.patch skipping
failing tests.
- Refresh patches:
- CVE-2023-27043-email-parsing-errors.patch
- fix_configure_rst.patch
- skip_if_buildbot-extend.patch
- bsc#1221854 (CVE-2024-0450) Add
CVE-2024-0450-zipfile-avoid-quoted-overlap-zipbomb.patch
detecting the vulnerability of the "quoted-overlap" zipbomb
(from gh#python/cpython!110016).
- Add bh42369-thread-safety-zipfile-SharedFile.patch (from
gh#python/cpython!26974) required by the previous patch.
- Add expat-260-test_xml_etree-reparse-deferral.patch to make the
interpreter work with patched libexpat in our distros.
- Move all patches from locally sourced to the branch
opensuse-3.6 branch at GitHub repo, and move all metadata to
commits themselves (readable in the headers of each patch).
- Add bpo-41675-modernize-siginterrupt.patch to make Python build
cleanly even on more recent SPs of SLE-15
(gh#python/cpython#85841).
- Remove patches:
- bpo36263-Fix_hashlib_scrypt.patch - fix against bug in
OpenSSL fixed in 1.1.1c (gh#openssl/openssl!8483), so this
patch is redundant on all SUSE-supported distros
- python-3.3.0b1-test-posix_fadvise.patch - protection
against the kernel issues which has been fixed in
gh#torvalds/linux@3d3727cdb07f, which has been included in
all our kernels more recent than SLE-11.
- python-3.3.3-skip-distutils-test_sysconfig_module.patch -
skips a test, which should be relevant only for testing on
Mac OS X systems with universal builds. I have no valid
record, that this test would be ever problematic on Linux.
- bpo-36576-skip_tests_for_OpenSSL-111.patch, which was
included already in Python 3.5.
- (bsc#1219666, CVE-2023-6597) Add
CVE-2023-6597-TempDir-cleaning-symlink.patch (patch from
gh#python/cpython!99930) fixing symlink bug in cleanup of
tempfile.TemporaryDirectory.
- Merge together bpo-36576-skip_tests_for_OpenSSL-111.patch into
skip_SSL_tests.patch, and make them include all conditionals.
- wicked
-
- arp: increase arp-send retry value to avoid address configuration
failure due to ENOBUF reported by kernel while duplicate address
detection with underlying bonding in 802.3ad mode reporting link
"up & running" too early (bsc#1218668, gh#openSUSE/wicked#1020,
gh#openSUSE/wicked#1022).
[+ 0002-increase-arp-retry-attempts-on-sending-bsc1218668.patch]
- client: fix ifreload to pull UP ports/links again when the config
of their master/lower changed (bsc#1224100,gh#openSUSE/wicked#1014).
[+ 0001-ifreload-pull-UP-again-on-master-lower-changes-bsc1224100.patch]
- Update to version 0.6.75:
- cleanup: fix ni_fsm_state_t enum-int-mismatch warnings
- cleanup: fix overflow warnings in a socket testcase on i586
- ifcheck: report new and deleted configs as changed (bsc#1218926)
- man: improve ARP configuration options in the wicked-config.5
- bond: add ports when master is UP to avoid port MTU revert (bsc#1219108)
- cleanup: fix interface dependencies and shutdown order (bsc#1205604)
- Remove port arrays from bond,team,bridge,ovs-bridge (redundant)
and consistently use config and state info attached to the port
interface as in rtnetlink(7).
- Cleanup ifcfg parsing, schema configuration and service properties
- Migrate ports in xml config and policies already applied in nanny
- Remove "missed config" generation from finite state machine, which
is completed while parsing the config or while xml config migration.
- Issue a warning when "lower" interface (e.g. eth0) config is missed
while parsing config depending on it (e.g. eth0.42 vlan).
- Resolve ovs master to the effective bridge in config and wickedd
- Implement netif-check-state require checks using system relations
from wickedd/kernel instead of config relations for ifdown and add
linkDown and deleteDevice checks to all master and lower references.
- Add a `wicked <ifup|ifdown|ifreload> --dry-run …` option to show the
system/config interface hierarchies as notice with +/- marked
interfaces to setup and/or shutdown.
- Removed patches included in the source archive:
[- 0001-addrconf-fix-fallback-lease-drop-bsc-1220996.patch]
[- 0002-extensions-nbft-replace-nvme-show-nbft-with-nvme-nbf.patch]
[- 0003-move-all-attribute-definitions-to-compiler-h.patch]
[- 0004-hide-secrets-in-debug-log-bsc-1221194.patch]
[- 0005-client-do-to-not-convert-sec-to-msec-twice-bsc-1222105.patch]
- client: do not convert sec to msec twice (bsc#1222105)
[+ 0005-client-do-to-not-convert-sec-to-msec-twice-bsc-1222105.patch]
- addrconf: fix fallback-lease drop (bsc#1220996)
[+ 0001-addrconf-fix-fallback-lease-drop-bsc-1220996.patch]
- extensions/nbft: use upstream `nvme nbft show` (bsc#1221358)
[+ 0002-extensions-nbft-replace-nvme-show-nbft-with-nvme-nbf.patch]
- hide secrets in debug log (bsc#1221194)
[+ 0003-move-all-attribute-definitions-to-compiler-h.patch]
[+ 0004-hide-secrets-in-debug-log-bsc-1221194.patch]
- update to version 0.6.74
+ team: add new options like link_watch_policy (jsc#PED-7183)
+ Fix memory leaks in dbus variant destroy and fsm free (gh#openSUSE/wicked#1001)
+ xpath: allow underscore in node identifier (gh#openSUSE/wicked#999)
+ vxlan: don't format unknown rtnl attrs (bsc#1219751)
- removed patches included in the source archive:
[- 0009-ifreload-VLAN-changes-require-device-deletion-bsc-12.patch]
[- 0008-ifcheck-fix-config-changed-check-bsc-1218926.patch]
[- 0007-Fix-ifstatus-exit-code-for-NI_WICKED_ST_NO_CARRIER-s.patch]
[- 0006-dhcp6-omit-the-SO_REUSEPORT-option-bsc-1215692.patch]
[- 0005-duid-fix-comment-for-v6time.patch]
[- 0004-rtnl-parse-peer-address-on-non-ptp-interfaces.patch]
[- 0003-rtnl-pass-ifname-in-newaddr-parsing-and-logging.patch]
[- 0002-system-updater-Parse-updater-format-from-XML-configu.patch]
[- 0001-fix_arp_notify_loop_and_burst_sending.patch]
- ifreload: VLAN changes require device deletion (bsc#1218927)
[+ 0009-ifreload-VLAN-changes-require-device-deletion-bsc-12.patch]
- ifcheck: fix config changed check (bsc#1218926)
[+ 0008-ifcheck-fix-config-changed-check-bsc-1218926.patch]
- client: fix exit code for no-carrier status (bsc#1219265)
[+ 0007-Fix-ifstatus-exit-code-for-NI_WICKED_ST_NO_CARRIER-s.patch]
- dhcp6: omit the SO_REUSEPORT option (bsc#1215692)
[+ 0006-dhcp6-omit-the-SO_REUSEPORT-option-bsc-1215692.patch]
- duid: fix comment for v6time
(https://github.com/openSUSE/wicked/pull/989)
[+ 0005-duid-fix-comment-for-v6time.patch]
- rtnl: fix peer address parsing for non ptp-interfaces
(https://github.com/openSUSE/wicked/pull/987,
https://github.com/openSUSE/wicked/pull/988)
[+ 0003-rtnl-pass-ifname-in-newaddr-parsing-and-logging.patch]
[+ 0004-rtnl-parse-peer-address-on-non-ptp-interfaces.patch]
- system-updater: Parse updater format from XML configuration to
ensure install calls can run.
(https://github.com/openSUSE/wicked/pull/985)
[+ 0002-system-updater-Parse-updater-format-from-XML-configu.patch]
- kernel-default
-
- Refresh patches.kabi/net-preserve-kabi-for-sk_buff.patch.
- commit fa7929b
- net: preserve kabi for sk_buff (CVE-2024-26921 bsc#1223138).
- commit 726f363
- inet: inet_defrag: prevent sk release while still in use
(CVE-2024-26921 bsc#1223138).
- commit 7846939
- nvme-tcp: fix UAF when detecting digest errors (CVE-2022-48686 bsc#1223948).
Update blacklist.conf: remove entry
- commit f159215
- nvme-loop: fix memory leak in nvme_loop_create_ctrl() (CVE-2021-47074 bsc#1220854).
Update blacklist.conf: remove entry
- commit 5f6a5df
- nvme-rdma: destroy cm id before destroy qp to avoid use after
free (CVE-2021-47378 bsc#1225201).
- commit 599a36a
- nvmet: fix a use-after-free (CVE-2022-48697 bsc#1223922).
Update blacklist.conf: drop entry from it
- commit 5e496a4
- nvme-fc: do not wait in vain when unloading module
(CVE-2024-26846 bsc#1223023).
- commit 365a6dd
- blacklist.conf: add d380ce70058a4ccddc3e5f5c2063165dc07672c6
netrom: Fix data-races around sysctl_net_busy_read
(CVE-2024-27419 bsc#1224759)
- commit 9b21914
- net/tls: Fix flipped sign in tls_err_abort() calls
(CVE-2021-47496 bsc#1225354)
- commit af28ae7
- Update
patches.suse/0004-dm-fix-mempool-NULL-pointer-race-when-completing-IO.patch
(git-fixes bsc#1225247 CVE-2021-47435).
- Update
patches.suse/0022-dm-btree-remove-assign-new_root-only-when-removal-su.patch
(git fixes bsc#1225155 CVE-2021-47343).
- Update
patches.suse/0066-virtio-blk-Fix-memory-leak-among-suspend-resume-procedure.patch
(git-fixes bsc#1225054 CVE-2021-47319).
- Update
patches.suse/HID-betop-fix-slab-out-of-bounds-Write-in-betop_prob.patch
(git-fixes bsc#1207186 bsc#1225303 CVE-2021-47404).
- Update
patches.suse/IB-hfi1-Fix-leak-of-rcvhdrtail_dummy_kvaddr.patch
(git-fixes bsc#1225438 CVE-2021-47523).
- Update
patches.suse/IB-mlx5-Fix-initializing-CQ-fragments-buffer.patch
(git-fixes bsc#1224954 CVE-2021-47261).
- Update
patches.suse/IB-qib-Protect-from-buffer-overflow-in-struct-qib_us.patch
(git-fixes bsc#1224904 CVE-2021-47485).
- Update
patches.suse/RDMA-cma-Ensure-rdma_addr_cancel-happens-before-issu.patch
(git-fixes bsc#1225318 CVE-2021-47391).
- Update
patches.suse/RDMA-cma-Fix-rdma_resolve_route-memory-leak.patch
(git-fixes bsc#1225157 CVE-2021-47345).
- Update
patches.suse/SUNRPC-Fix-RPC-client-cleaned-up-the-freed-pipefs-de.patch
(git-fixes bsc#1225008 CVE-2023-52803).
- Update
patches.suse/blktrace-Fix-uaf-in-blk_trace-access-after-removing-.patch
(bsc#1191452 bsc#1225193 CVE-2021-47375).
- Update patches.suse/can-peak_pci-peak_pci_remove-fix-UAF.patch
(git-fixes bsc#1225256 CVE-2021-47456).
- Update
patches.suse/cifs-Fix-use-after-free-in-rdata-read_into_pages-.patch
(bsc#1190317 bsc#1225479 CVE-2023-52741).
- Update
patches.suse/cifs-prevent-NULL-deref-in-cifs_compose_mount_options-.patch
(bsc#1185902 bsc#1224961 CVE-2021-47307).
- Update
patches.suse/dma-buf-sync_file-Don-t-leak-fences-on-merge-failure.patch
(git-fixes bsc#1224968 CVE-2021-47305).
- Update
patches.suse/drm-Fix-use-after-free-read-in-drm_getunique.patch
(git-fixes bsc#1224982 CVE-2021-47280).
- Update
patches.suse/ftrace-Do-not-blindly-read-the-ip-address-in-ftrace_bug.patch
(git-fixes bsc#1224966 CVE-2021-47276).
- Update patches.suse/gfs2-ignore-negated-quota-changes.patch
(git-fixes bsc#1225560 CVE-2023-52759).
- Update
patches.suse/i40e-Fix-freeing-of-uninitialized-misc-IRQ-vector.patch
(bsc#1101816 FATE#325147 FATE#325149 bsc#1225367
CVE-2021-47424).
- Update
patches.suse/igb-Fix-use-after-free-error-during-reset.patch
(git-fixes bsc#1224916 CVE-2021-47301).
- Update
patches.suse/igc-Fix-use-after-free-error-during-reset.patch
(git-fixes bsc#1224917 CVE-2021-47302).
- Update
patches.suse/ipv4-ipv6-Fix-handling-of-transhdrlen-in-__ip-6-_app.patch
(git-fixes bsc#1220928 CVE-2023-52527).
- Update
patches.suse/isdn-mISDN-netjet-Fix-crash-in-nj_probe.patch
(git-fixes bsc#1224987 CVE-2021-47284).
- Update
patches.suse/isofs-Fix-out-of-bound-access-for-corrupted-isofs-im.patch
(bsc#1194591 bsc#1225198 CVE-2021-47478).
- Update
patches.suse/kprobes-Fix-possible-use-after-free-issue-on-kprobe-registration.patch
(git-fixes bsc#1224676 CVE-2024-35955).
- Update
patches.suse/l2tp-pass-correct-message-length-to-ip6_append_data.patch
(git-fixes bsc#1222667 CVE-2024-26752).
- Update
patches.suse/mISDN-fix-possible-use-after-free-in-HFC_cleanup.patch
(git-fixes bsc#1225143 CVE-2021-47356).
- Update
patches.suse/media-zr364xx-fix-memory-leak-in-zr364xx_start_readp.patch
(git-fixes bsc#1224922 CVE-2021-47344).
- Update
patches.suse/net-USB-Fix-wrong-direction-WARNING-in-plusb.c.patch
(git-fixes bsc#1225482 CVE-2023-52742).
- Update
patches.suse/net-hns3-do-not-allow-call-hns3_nic_net_open-repeate.patch
(git-fixes bsc#1225329 CVE-2021-47400).
- Update
patches.suse/net-mdiobus-Fix-memory-leak-in-__mdiobus_register.patch
(git-fixes bsc#1225189 CVE-2021-47472).
- Update
patches.suse/net-mlx4_en-Fix-an-use-after-free-bug-in-mlx4_en_try.patch
(git-fixes bsc#1225453 CVE-2021-47541).
- Update
patches.suse/net-nfc-rawsock.c-fix-a-permission-check-bug.patch
(git-fixes bsc#1224981 CVE-2021-47285).
- Update patches.suse/net-qcom-emac-fix-UAF-in-emac_remove.patch
(git-fixes bsc#1225010 CVE-2021-47311).
- Update patches.suse/net-ti-fix-UAF-in-tlan_remove_one.patch
(git-fixes bsc#1224959 CVE-2021-47310).
- Update
patches.suse/net-usb-kalmia-Don-t-pass-act_len-in-usb_bulk_msg-er.patch
(git-fixes bsc#1225549 CVE-2023-52703).
- Update
patches.suse/nfs-fix-acl-memory-leak-of-posix_acl_create.patch
(git-fixes bsc#1225058 CVE-2021-47320).
- Update
patches.suse/nfsd-fix-use-after-free-due-to-delegation-race.patch
(git-fixes bsc#1225404 CVE-2021-47506).
- Update
patches.suse/ocfs2-fix-data-corruption-after-conversion-from-inli.patch
(bsc#1190795 bsc#1225251 CVE-2021-47460).
- Update
patches.suse/ocfs2-mount-fails-with-buffer-overflow-in-strlen.patch
(bsc#1197760 bsc#1225252 CVE-2021-47458).
- Update patches.suse/phy-mdio-fix-memory-leak.patch (git-fixes
bsc#1225336 CVE-2021-47416).
- Update
patches.suse/ppdev-Add-an-error-check-in-register_device.patch
(git-fixes bsc#1225640 CVE-2024-36015).
- Update
patches.suse/s390-dasd-protect-device-queue-against-concurrent-access.patch
(git-fixes bsc#1217519 bsc#1225572 CVE-2023-52774).
- Update
patches.suse/s390-qeth-fix-NULL-deref-in-qeth_clear_working_pool_list
(git-fixes bsc#1225164 CVE-2021-47369).
- Update
patches.suse/s390-qeth-fix-deadlock-during-failing-recovery
(bsc#1206213 LTC#200742 bsc#1225207 CVE-2021-47382).
- Update
patches.suse/scsi-core-Fix-bad-pointer-dereference-when-ehandler-kthread-is-invalid
(git-fixes bsc#1224926 CVE-2021-47337).
- Update
patches.suse/scsi-core-Put-LLD-module-refcnt-after-SCSI-device-is-released
(git-fixes bsc#1225322 CVE-2021-47480).
- Update
patches.suse/scsi-libfc-Fix-array-index-out-of-bound-exception.patch
(bsc#1188616 bsc#1224963 CVE-2021-47308).
- Update
patches.suse/scsi-mpt3sas-Fix-kernel-panic-during-drive-powercycle-test
(git-fixes bsc#1225384 CVE-2021-47565).
- Update
patches.suse/scsi-qla2xxx-Fix-a-memory-leak-in-an-error-path-of-qla2x00_process_els
(git-fixes bsc#1225192 CVE-2021-47473).
- Update
patches.suse/tipc-fix-a-possible-memleak-in-tipc_buf_append.patch
(bsc#1221977 CVE-2021-47162 bsc#1225764 CVE-2024-36954).
- Update
patches.suse/tracing-Correct-the-length-check-which-causes-memory-corruption.patch
(git-fixes bsc#1224990 CVE-2021-47274).
- Update
patches.suse/tracing-trigger-Fix-to-return-error-if-failed-to-alloc-snapshot.patch
(git-fixes CVE-2024-26920).
- Update
patches.suse/tty-n_gsm-require-CAP_NET_ADMIN-to-attach-N_GSM0710-.patch
(bsc#1222619 CVE-2023-52880).
- Update
patches.suse/tty-serial-8250-serial_cs-Fix-a-memory-leak-in-error.patch
(git-fixes bsc#1225084 CVE-2021-47330).
- Update
patches.suse/udf-Fix-NULL-pointer-dereference-in-udf_symlink-func.patch
(bsc#1206646 bsc#1225128 CVE-2021-47353).
- Update
patches.suse/usb-config-fix-iteration-issue-in-usb_get_bos_descri.patch
(git-fixes bsc#1225092 CVE-2023-52781).
- Update
patches.suse/usb-dwc2-check-return-value-after-calling-platform_g.patch
(git-fixes bsc#1225330 CVE-2021-47409).
- Update
patches.suse/usb-dwc3-ep0-fix-NULL-pointer-exception.patch
(git-fixes bsc#1224996 CVE-2021-47269).
- Update patches.suse/usb-musb-dsps-Fix-the-probe-error-path.patch
(git-fixes bsc#1225244 CVE-2021-47436).
- Update patches.suse/usbnet-sanity-check-for-maxpacket.patch
(git-fixes bsc#1225351 CVE-2021-47495).
- Update
patches.suse/watchdog-Fix-possible-use-after-free-by-calling-del_.patch
(git-fixes bsc#1225060 CVE-2021-47321).
- Update
patches.suse/watchdog-Fix-possible-use-after-free-in-wdt_startup.patch
(git-fixes bsc#1225030 CVE-2021-47324).
- Update
patches.suse/watchdog-sc520_wdt-Fix-possible-use-after-free-in-wd.patch
(git-fixes bsc#1225026 CVE-2021-47323).
- Update
patches.suse/wl1251-Fix-possible-buffer-overflow-in-wl1251_cmd_sc.patch
(git-fixes bsc#1225177 CVE-2021-47347).
- commit 8975a47
- powerpc/pseries/lparcfg: drop error message from guest name
lookup (bsc#1187716 ltc#193451 git-fixes).
- commit 62b0891
- blacklist.conf: PPC fsl_msi is not used
- commit bbad33b
- netfilter: nft_compat: explicitly reject ERROR and standard
target (git-fixes).
- commit 46fdab6
- netfilter: x_tables: set module owner for icmp(6) matches
(git-fixes).
- commit 8835e2a
- netfilter: nf_queue: augment nfqa_cfg_policy (git-fixes).
- commit d5734cd
- rds: avoid unenecessary cong_update in loop transport
(git-fixes).
- commit 758da4a
- cls_rsvp: check user supplied offsets (CVE-2023-42755
bsc#1215702).
- commit b722f7c
- l2tp: pass correct message length to ip6_append_data
(git-fixes).
- commit 5edafdb
- net: 9p: avoid freeing uninit memory in p9pdu_vreadf
(git-fixes).
- commit fdb6a12
- wifi: cfg80211: avoid leaking stack data into trace (git-fixes).
- commit 58724e2
- ipv4, ipv6: Fix handling of transhdrlen in
__ip{,6}_append_data() (git-fixes).
- commit 7f0cb3d
- rxrpc: Fix a memory leak in rxkad_verify_response() (git-fixes).
- commit 301026e
- wifi: radiotap: fix kernel-doc notation warnings (git-fixes).
- commit a96badd
- net: tcp: fix unexcepted socket die when snd_wnd is 0
(git-fixes).
- commit 66b602a
- tcp: tcp_make_synack() can be called from process context
(git-fixes).
- commit 1171bb0
- net/smc: fix fallback failed while sendmsg with fastopen
(git-fixes).
- commit 85612f4
- nfc: change order inside nfc_se_io error path (git-fixes).
- commit 92d40f5
- ila: do not generate empty messages in
ila_xlat_nl_cmd_get_mapping() (git-fixes).
- commit bd4b08a
- rds: ib: Fix missing call to rds_ib_dev_put in rds_ib_setup_qp
(git-fixes).
- commit 30e8bf8
- rxrpc: Work around usercopy check (git-fixes).
- commit f1a8d7a
- rxrpc: Don't put crypto buffers on the stack (git-fixes).
- commit d4118f5
- rxrpc: Provide a different lockdep key for call->user_mutex
for kernel calls (git-fixes).
- commit 256d44f
- rxrpc: The mutex lock returned by rxrpc_accept_call() needs
releasing (git-fixes).
- commit 56d0a26
- net: atlantic: eliminate double free in error handling logic
(CVE-2023-52664 bsc#1224747).
- ipvlan: add ipvlan_route_v6_outbound() helper (CVE-2023-52796
bsc#1224930).
- net/mlx5e: Fix page reclaim for dead peer hairpin
(CVE-2021-47246 bsc#1224831).
- commit e8481e2
- ceph: blocklist the kclient when receiving corrupted snap trace
(bsc#1225222 CVE-2023-52732).
- commit afa0bf6
- btrfs: add missing mutex_unlock in btrfs_relocate_sys_chunks() (CVE-2024-35936 bsc#1224644)
- commit 7904756
- btrfs: handle chunk tree lookup error in btrfs_relocate_sys_chunks() (CVE-2024-35936 bsc#1224644)
- commit 64d6920
- ethernet: hisilicon: hns: hns_dsaf_misc: fix a possible array (bsc#1225506 CVE-2021-47548)
- commit e4002ca
- mmc: sdhci-msm: pervent access to suspended controller (bsc#1225708 CVE-2024-36029)
- commit 0915583
- llc: call sock_orphan() at release time
(CVE-2024-26625 bsc#1221086)
- commit 1715209
- blacklist.conf: not affected by CVE-2024-35984
- commit 19bc954
- virtio-net: Add validation for used length (CVE-2021-47352
bsc#1225124).
- commit 91c03a8
- calipso: fix memory leak in netlbl_calipso_add_pass()
(CVE-2023-52698 bsc#1224621)
- commit 008f52c
- blacklist.conf: Add c5b0a7eefc70 sched/fair: Remove sysctl_sched_migration_cost condition
- commit dbc3425
- ppdev: Add an error check in register_device (git-fixes).
- commit d524561
- drm/amdgpu: fix gart.bo pin_count leak (CVE-2021-47431 bsc#1225390).
- commit 1e38f4d
- btrfs: send: handle path ref underflow in header iterate_inode_ref() (CVE-2024-35935 bsc#1224645)
- commit 0b2d17e
- cifs: fix underflow in parse_server_interfaces() (bsc#1223084,
CVE-2024-26828).
- commit 7164147
- drm/nouveau/debugfs: fix file release memory leak (CVE-2021-47423 bsc#1225366).
- commit 5f7b5c9
- drm/radeon: fix a possible null pointer dereference (CVE-2022-48710 bsc#1225230).
- commit ee59a3e
- nvmem: Fix shift-out-of-bound (UBSAN) with byte size cells
(bsc#1225355 CVE-2021-47497).
- commit 30121bc
- drm/vc4: don't check if plane->state->fb == state->fb (CVE-2024-35932 bsc#1224650).
- commit 4fdcf5e
- iio: mma8452: Fix trigger reference couting (bsc#1225360
CVE-2021-47500).
- commit a0d87d5
- PCI/PM: Drain runtime-idle callbacks before driver removal
(CVE-2024-35809 bsc#1224738).
- commit 9f4d35b
- tty: Fix out-of-bound vmalloc access in imageblit
(CVE-2021-47383 bsc#1225208).
- commit a21c750
- ALSA: pcm: oss: Fix negative period/buffer sizes (CVE-2021-47511
bsc#1225411).
- commit 748d8c1
- ALSA: pcm: oss: Limit the period size to 16MB (CVE-2021-47509
bsc#1225409).
- commit 8f92260
- x86/mm/pat: fix VM_PAT handling in COW mappings (bsc#1224525
CVE-2024-35877).
- commit d228bf6
- batman-adv: Avoid infinite loop trying to resize local TT
(CVE-2024-35982 bsc#1224566)
- commit 4f15041
- ipv6: fix race condition between ipv6_get_ifaddr and ipv6_del_addr
(CVE-2024-35969 bsc#1224580)
- commit bcaf17a
- blacklist.conf: Add SPI fix commit to be ignored (CVE-2021-47469 bsc#1225347)
SLE12-SP5 has no devm spi controller allocation, hence it's superfluous
- commit 939a6a5
- kABI workaround for spi_controller (CVE-2021-47469 bsc#1225347).
- commit af00c9b
- spi: Fix deadlock when adding SPI controllers on SPI buses
(CVE-2021-47469 bsc#1225347).
- commit 575a8d4
- kvm: avoid speculation-based attacks from out-of-range memslot
accesses (bsc#1224960, CVE-2021-47277).
- commit 7198007
- KVM: SVM: Flush pages under kvm->lock to fix UAF in
svm_register_enc_region() (bsc#1224725, CVE-2024-35791).
- commit 818a70e
- ipack: ipoctal: fix stack information leak (CVE-2021-47401
bsc#1225242).
- commit 3e8997b
- drm/radeon: possible buffer overflow (CVE-2023-52867 bsc#1225009).
- commit 45094e6
- drm/panel: fix a possible null pointer dereference (CVE-2023-52821 bsc#1225022).
- commit 109e7f1
- RDMA: Verify port when creating flow rule (CVE-2021-47265 bsc#1224957)
- commit c0cbaec
- drm/amd/pm: Update intermediate power state for SI (CVE-2021-47362 bsc#1225153).
- commit 318c627
- mcb: fix error handling in mcb_alloc_bus() (CVE-2021-47361
bsc#1225151).
- commit 813b8ac
- platform/x86: wmi: Fix opening of char device (CVE-2023-52864
bsc#1225132).
- commit b207efb
- pinctrl: single: fix potential NULL dereference (CVE-2022-48708
bsc#1224942).
- commit feac349
- VMCI: Fix memcpy() run-time warning in dg_dispatch_as_host()
(CVE-2024-35944 bsc#1224648).
- commit a03c425
- net: ipv4: fix memory leak in ip_mc_add1_src
(CVE-2021-47238 bsc#1224847)
- commit 4ce368a
- mmc: sdio: fix possible resource leaks in some error paths
(CVE-2023-52730 bsc#1224956).
- commit 8629def
- atm: nicstar: Fix possible use-after-free in nicstar_cleanup()
(CVE-2021-47355 bsc#1225141).
- commit 111c5b1
- netfilter: synproxy: Fix out of bounds when parsing TCP options
(CVE-2021-47245 bsc#1224838)
- commit 3bf50df
- of: module: prevent NULL pointer dereference in vsnprintf()
(CVE-2024-35878 bsc#1224671).
- commit dcde1a4
- IB/hfi1: Restore allocated resources on failed copyout (CVE-2023-52747 bsc#1224931)
- commit 4ba08d9
- net: rds: fix memory leak in rds_recvmsg
(CVE-2021-47249 bsc#1224880)
- commit 79b2ee2
- sctp: break out if skb_header_pointer returns NULL in sctp_rcv_ootb
(CVE-2021-47397 bsc#1225082)
- commit 2340710
- net: ipv4: fix memory leak in netlbl_cipsov4_add_std
(CVE-2021-47250 bsc#1224827)
- commit ffd876f
- btrfs: fix information leak in btrfs_ioctl_logical_to_ino()
(CVE-2024-35849 bsc#1224733).
- commit 4e18545
- ring-buffer: Fix a race between readers and resize checks
(bsc#1222893).
- commit e55a48c
- ASoC: tracing: Export SND_SOC_DAPM_DIR_OUT to its value
(git-fixes).
- commit 56a4e35
- tracing: hide unused ftrace_event_id_fops (git-fixes).
- commit 6e3bbc9
- tracing: Fix blocked reader of snapshot buffer (git-fixes).
- commit 7cc9ae2
- ALSA: usb-audio: Stop parsing channels bits when all channels
are found (CVE-2024-27436 bsc#1224803).
- ALSA: seq: Fix race of snd_seq_timer_open() (CVE-2021-47281
bsc#1224983).
- commit 19aff08
- af_unix: annote lockless accesses to unix_tot_inflight & gc_in_progress (bsc#1223384).
- commit 8ee0966
- blacklist.conf: add not-needed or too intrusive tracing fixes
- commit ab535d8
- kprobes: Fix possible use-after-free issue on kprobe
registration (git-fixes).
- commit fd63e27
- tracing: Use .flush() call to wake up readers (git-fixes).
- commit 4442cfe
- tracing: Use strncpy instead of memcpy when copying comm in
trace.c (git-fixes).
- commit 77a5fe6
- ring-buffer: Clean ring_buffer_poll_wait() error return
(git-fixes).
- commit dec7c48
- wifi: mac80211: check/clear fast rx for non-4addr sta VLAN
changes (CVE-2024-35789 bsc#1224749).
- media: tc358743: register v4l2 async device only after
successful setup (CVE-2024-35830 bsc#1224680).
- misc/libmasm/module: Fix two use after free in ibmasm_init_one
(CVE-2021-47334 bsc#1225112).
- atm: iphase: fix possible use-after-free in ia_module_exit()
(CVE-2021-47357 bsc#1225144).
- commit 4495db1
- clk: mediatek: clk-mt2701: Add check for mtk_alloc_clk_data
(CVE-2023-52875 bsc#1225096).
- commit eff8019
- clk: mediatek: clk-mt6797: Add check for mtk_alloc_clk_data
(CVE-2023-52865 bsc#1225086).
- commit c2dc4d3
- ax25: fix use-after-free bugs caused by ax25_ds_del_timer
(CVE-2024-35887 bzg#1224663)
- commit 2bbaa4c
- regmap: Fix possible double-free in regcache_rbtree_exit()
(CVE-2021-47483 bsc#1224907).
- commit 1f96a36
- s390/pci: fix max size calculation in zpci_memcpy_toio()
(git-fixes bsc#1225062).
- commit 1d5a845
- s390/zcrypt: fix reference counting on zcrypt card objects
(git-fixes CVE-2024-26957 bsc#1223666).
- commit 1a50d91
- KVM: s390: Check kvm pointer when testing KVM_CAP_S390_HPAGE_1M
(git-fixes bsc#1225059).
- commit b5429fa
- Refresh
patches.suse/USB-core-Fix-deadlock-in-usb_deauthorize_interface.patch.
- Update
patches.suse/bpf-sockmap-Prevent-lock-inversion-deadlock-in-map-d.patch
(bsc#1209657 CVE-2023-0160 CVE-2024-35895 bsc#1224511).
- Update
patches.suse/nfsd-Fix-error-cleanup-path-in-nfsd_rename.patch
(bsc#1221044 CVE-2023-52591 CVE-2024-35914 bsc#1224482).
- Update
patches.suse/wifi-brcmfmac-Fix-use-after-free-bug-in-brcmf_cfg802.patch
(CVE-2023-47233 bsc#1216702 CVE-2024-35811 bsc#1224592).
- commit 9a84305
- Update
patches.suse/powerpc-powernv-Add-a-null-pointer-check-in-opal_eve.patch
(bsc#1065729 CVE-2023-52686 bsc#1224682).
- Update
patches.suse/powerpc-powernv-Add-a-null-pointer-check-in-opal_pow.patch
(bsc#1181674 ltc#189159 git-fixes CVE-2023-52696 bsc#1224601).
- Update
patches.suse/pstore-ram_core-fix-possible-overflow-in-persistent_ram_init_ecc.patch
(git-fixes CVE-2023-52685 bsc#1224728).
- commit 0720a5d
- Update
patches.suse/NFS-Fix-a-potential-NULL-dereference-in-nfs_get_clie.patch
(git-fixes CVE-2021-47260 bsc#1224834).
- Update
patches.suse/PCI-aardvark-Fix-kernel-panic-during-PIO-transfer.patch
(git-fixes CVE-2021-47229 bsc#1224854).
- Update
patches.suse/batman-adv-Avoid-WARN_ON-timing-related-checks.patch
(git-fixes CVE-2021-47252 bsc#1224882).
- Update
patches.suse/can-mcba_usb-fix-memory-leak-in-mcba_usb.patch
(git-fixes CVE-2021-47231 bsc#1224849).
- Update
patches.suse/gfs2-Fix-use-after-free-in-gfs2_glock_shrink_scan.patch
(git-fixes CVE-2021-47254 bsc#1224888).
- Update
patches.suse/media-ngene-Fix-out-of-bounds-bug-in-ngene_command_c.patch
(git-fixes CVE-2021-47288 bsc#1224889).
- Update
patches.suse/memory-fsl_ifc-fix-leak-of-IO-mapping-on-probe-failu.patch
(git-fixes CVE-2021-47315 bsc#1224892).
- Update
patches.suse/memory-fsl_ifc-fix-leak-of-private-memory-on-probe-f.patch
(git-fixes CVE-2021-47314 bsc#1224893).
- Update patches.suse/net-cdc_eem-fix-tx-fixup-skb-leak.patch
(git-fixes CVE-2021-47236 bsc#1224841).
- Update
patches.suse/net-ethernet-fix-potential-use-after-free-in-ec_bhf_.patch
(git-fixes CVE-2021-47235 bsc#1224844).
- Update
patches.suse/net-hamradio-fix-memory-leak-in-mkiss_close.patch
(git-fixes CVE-2021-47237 bsc#1224830).
- Update
patches.suse/net-usb-fix-possible-use-after-free-in-smsc75xx_bind.patch
(bsc#1221994 CVE-2021-47171 CVE-2021-47239 bsc#1224846).
- Update
patches.suse/scsi-core-Fix-error-handling-of-scsi_host_alloc
(git-fixes CVE-2021-47258 bsc#1224899).
- Update
patches.suse/udp-fix-race-between-close-and-udp_abort.patch
(git-fixes CVE-2021-47248 bsc#1224867).
- Update
patches.suse/usb-dwc3-core-fix-kernel-panic-when-do-reboot.patch
(git-fixes CVE-2021-47220 bsc#1224859).
- commit 7295d7f
- Update
patches.suse/gfs2-Fix-use-after-free-in-gfs2_glock_shrink_scan.patch
(git-fixes CVE-2021-47254).
- commit 38ebdb5
- blacklist.conf: pure cleanup
- commit 5f0720c
- blacklist.conf: we select the CONFIG whose absence triggers this in all
configs
- commit 2c2df2e
- assoc_array: Fix BUG_ON during garbage collect.
- commit 56fe1ad
- list: fix a data-race around ep->rdllist (git-fixes).
- commit f2db318
- lib/mpi: use kcalloc in mpi_resize (git-fixes).
- commit c463c57
- net: usb: ax88179_178a: stop lying about skb->truesize
(git-fixes).
- commit c4bb7b5
- drm/amd/pm: fix a double-free in si_dpm_init (CVE-2023-52691 bsc#1224607).
- commit 7a87ede
- Fix backport of : NFS: Fix error handling for O_DIRECT write
scheduling (bsc#1224785).
- commit e968faa
- blacklist.conf: Add a1fd0b9d751f sched/fair: Allow disabling sched_balance_newidle with sched_relax_domain_level
- commit 3567984
- Bluetooth: Fix use-after-free bugs caused by sco_sock_timeout
(bsc#1224174 CVE-2024-27398).
- commit 231873b
- af_unix: Replace BUG_ON() with WARN_ON_ONCE() (bsc#1223384).
- af_unix: Do not use atomic ops for unix_sk(sk)->inflight (bsc#1223384).
- commit 0110a15
- blacklist.conf: btrfs: config fix for 256k pages
- commit a9a21e4
- btrfs: validate qgroup inherit for SNAP_CREATE_V2 ioctl (git-fixes)
- commit db54449
- btrfs: tree-checker: do not error out if extent ref hash doesn't match (git-fixes)
- commit 874e705
- btrfs: send: ensure send_fd is writable (git-fixes)
- commit 7e0fb05
- btrfs: send: limit number of clones and allocated memory size (git-fixes)
- commit fa2504c
- btrfs: fail mount when sb flag is not in BTRFS_SUPER_FLAG_SUPP (git-fixes)
- commit 7f9b413
- blacklist.conf: btrfs: metadata dump v2 definition only
e2731e55884f2138a252b0a3d7b24d57e49c3c59
- commit b680815
- btrfs: Fix out of bounds access in btrfs_search_slot (git-fixes)
- commit 6b6da17
- btrfs: fix deadlock when writing out space cache (git-fixes)
- commit cdd0586
- btrfs: Explicitly handle btrfs_update_root failure (git-fixes)
- commit ac502aa
- btrfs: undo writable superblocke when sprouting fails (git-fixes)
- commit 9fbf261
- btrfs: avoid null pointer dereference on fs_info when calling btrfs_crit (git-fixes)
- commit daf7dc2
- drm/msm/dpu: Add mutex lock in control vblank irq (CVE-2023-52586 bsc#1221081).
- commit 474c511
- btrfs: prevent to set invalid default subvolid (git-fixes)
- commit c399d80
- Btrfs: fix incorrect {node,sector}size endianness from BTRFS_IOC_FS_INFO (git-fixes)
- commit b016cd3
- Refresh patches.suse/nfs-fix-UAF-in-direct-writes.patch.
Fixup the build warning:
Changed build warnings:
* **** 1 warnings *****
* passing argument 1 of 'nfs_commit_end' from incompatible pointer type [enabled by default] (nfs_commit_end) in ../fs/nfs/direct.c in nfs_direct_commit_complete
../fs/nfs/direct.c: In function 'nfs_direct_commit_complete':
../fs/nfs/direct.c:668:2: warning: passing argument 1 of 'nfs_commit_end' from incompatible pointer type [enabled by default]
- commit 10952b2
- scripts/log2: Fix References: update detection
The following change
- REferences: git-fixes
+REferences: git-fixes bsc#123456
(note the typo in E) will not be detected as a reference update and
generates a commit message like
Refresh patches.suse/foo.patch
whereas the correct is
Update patches.suse/foo.patch (git-fixes bsc#123456)
Fix it by detecting References: update regardless of case.
- commit 25997c3
- Update
patches.suse/USB-core-Fix-deadlock-in-usb_deauthorize_interface.patch
(git-fixes CVE-2024-26934 bsc#1223671).
- commit cc5c596
- s390/cpum_cf: make crypto counters upward compatible across
machine types (bsc#1224347).
- commit 8af04c2
- ecryptfs: fix kernel panic with null dev_name (git-fixes)
- commit 4ecd122
- ecryptfs: Fix typo in message (git-fixes)
- commit b1331d9
- ep_create_wakeup_source(): dentry name can change under you (git-fixes)
- commit e90f9bb
- ecryptfs: fix a memory leak bug in ecryptfs_init_messaging() (git-fixes)
- commit 7163ecf
- ecryptfs: fix a memory leak bug in parse_tag_1_packet() (git-fixes)
- commit d3aeb95
- exportfs_decode_fh(): negative pinned may become positive without the parent locked (git-fixes)
- commit 681e816
- autofs: fix a leak in autofs_expire_indirect() (git-fixes)
- commit 2e9a485
- fs/proc/proc_sysctl.c: fix the default values of i_uid/i_gid on /proc/sys inodes (git-fixes)
- commit 73af5d9
- blacklist.conf: fs: fget/fput optimization
Commit looks safe but is not a fix rather than an optimization.
- commit 2263087
- fscrypt: clean up some BUG_ON()s in block encryption/decryption (git-fixes)
- commit 2945a7c
- blacklist.conf: fscrypt: depends on no-key format update
Fix depends on functionality added by edc440e3d27fb3 ("fscrypt: improve
format of no-key names")
- commit 871959c
- nouveau: lock the client object tree. (bsc#1223834 CVE-2024-27062)
- commit c775ad3
- blacklist.conf: orangefs not supported
- commit f732788
- nouveau: fix instmem race condition around ptr stores (bsc#1223633 CVE-2024-26984)
- commit 9350c2a
- Refresh
patches.suse/x86-boot-Ignore-relocations-in-.notes-sections-in-walk_rel.patch.
- commit 1389ef9
- net: usb: smsc95xx: stop lying about skb->truesize (git-fixes).
- commit 3b70647
- net: usb: sr9700: stop lying about skb->truesize (git-fixes).
- commit d83f5a1
- usb: aqc111: stop lying about skb->truesize (git-fixes).
- commit 0a7bdae
- Refresh
patches.suse/media-flexcop-usb-fix-NULL-ptr-deref-in-flexcop_usb_.patch.
Fix the Patch-mainline tag.
- commit 3169adb
- Bluetooth: btusb: Some Qualcomm Bluetooth adapters stop working
(git-fixes).
- commit 23ff40d
- usb: gadget: f_fs: Clear ffs_eventfd in ffs_data_clear
(bsc#1220487 CVE-2021-46933).
- commit 33d6865
- blacklist.conf: Add 9474c62ab65f net/sched: Add module alias for sch_fq_pie
- commit b755821
- net: gtp: Fix Use-After-Free in gtp_dellink (bsc#1224096
CVE-2024-27396).
- commit a81f04c
- scripts/check-kernel-fix: print a message when no action is needed.
Script exits without printing anything about the actions necessary
in non-verbose mode. This can be confusing to a beginner user.
- commit fe35947
- Update
patches.suse/net-usb-fix-possible-use-after-free-in-smsc75xx_bind.patch
(bsc#1221994 CVE-2021-47171).
Added bugzilla ID and CVE
The initial fix was present, but it turned later out to be wrong
and the correct fix lacked the references.
- commit cf80be9
- usb: aqc111: check packet for fixup for true limit (bsc#1217169
CVE-2023-52655).
- commit 9dd6dfa
- scripts/git_sort/git_sort.py: add rafael/linux-pm.git#linux-next to remotes
- commit 2ae5e1c
- btrfs: sysfs: use NOFS for device creation (git-fixes)
Adjustment: add #include
- commit f20ad81
- btrfs: send: in case of IO error log it (git-fixes)
- commit 840f907
- btrfs: fix lost error handling when looking up extended ref on log replay (git-fixes)
- commit 20591f1
- btrfs: check if root is readonly while setting security xattr (git-fixes)
- commit 01674b5
- btrfs: limit device extents to the device size (git-fixes)
- commit 0ba992a
- btrfs: fix btrfs_prev_leaf() to not return the same key twice (git-fixes)
- commit 2834caf
- btrfs: fix range_end calculation in extent_write_locked_range (git-fixes)
- commit e723a0b
- btrfs: scrub: reject unsupported scrub flags (git-fixes)
- commit c5866de
- btrfs: fix race when deleting quota root from the dirty cow roots list (git-fixes)
- commit 1e8a661
- btrfs: fix lockdep splat and potential deadlock after failure running delayed items (git-fixes)
- commit 20fccdb
- btrfs: record delayed inode root in transaction (git-fixes)
- commit 7a64f13
- btrfs: tree-checker: fix inline ref size in error messages (git-fixes)
- commit 7031a61
- btrfs: don't stop integrity writeback too early (git-fixes)
- commit 9304b5f
- md: fix kmemleak of rdev->serial (CVE-2024-26900, bsc#1223046).
- commit 0488367
- firewire: nosy: ensure user_length is taken into account when
fetching packet contents (CVE-2024-27401 bsc#1224181).
- commit f890e6b
- aoe: avoid potential deadlock at set_capacity (CVE-2024-26775,
bsc#1222627).
- commit 72683cd
- Update
patches.suse/scsi-ufs-core-Improve-SCSI-abort-handling.patch
(bsc#1222671, CVE-2021-47188).
- commit df1a16c
- blacklist.conf: pure cleanup
- commit b459965
- blacklist.conf: irrelevant in our configs
- commit 91ec532
- blacklist.conf: pure cleanup
- commit 4da5c7c
- blacklist.conf: pure cleanup
- commit c4855e9
- blacklist.conf: pure cleanup
- commit 00ca6d9
- blacklist.conf: pure cleanup
- commit a6aa054
- blacklist.conf: pure cleanup
- commit 27ba46a
- scripts/PMU: Always use 12 digits for abbreviated hash references
Kernel developers tend to use 12 digits for abbreviated hash
references as this is mandatory for upstream work. Enforce this count
in PMU for consistency.
- commit 67f4919
- nfs: fix UAF in direct writes (bsc#1223653 CVE-2024-26958).
- commit 5347d82
- drm/radeon: add a force flush to delay work when radeon (bsc#1223932 CVE-2022-48704)
- commit 05d207f
- blacklist.conf: Append 'drm/amd/display: Fix MST Null Ptr for RV'
- commit aab0541
- btrfs: don't get an EINTR during drop_snapshot for reloc (git-fixes)
- commit 2f0ddbd
- btrfs: tree-checker: add missing returns after data_ref alignment checks (git-fixes)
- commit 465da04
- btrfs: tree-checker: add missing return after error in root_item (git-fixes)
- commit 2c66867
- btrfs: fix return value mixup in btrfs_get_extent (git-fixes)
- commit c7aefc2
- btrfs: tree-checker: Fix misleading group system information (git-fixes)
- Refresh patches.suse/0014-btrfs-tree-checker-get-fs_info-from-eb-in-block_grou.patch.
- commit 4c1912f
- btrfs: defrag: use btrfs_mod_outstanding_extents in cluster_pages_for_defrag (git-fixes)
- commit 6b856de
- btrfs: fix unaligned access in readdir (git-fixes)
- Refresh patches.suse/btrfs-support-swap-files.patch.
Diff context only.
- commit 0df1b83
- btrfs: Fix NULL pointer exception in find_bio_stripe (git-fixes)
- commit 99eebfb
- scripts/pmu: Remove spurious whitespace
The indentation whitespace is interpretted by sed and the result is
ragged XML like :
<binary name="kernel-livepatch-5_14
<binary name="kernel-livepatch-5_14
<binary name="kernel-livepatch-SLE1
<binary name="kernel-livepatch-
<binary name="kernel-livepatch-5_14
<binary name="kernel-livepatch-SLE1
The intention is to copy old rows as they are present without adding any
new indentation, hence remove the spaces.
- commit ea629df
- net: vmxnet3: Fix NULL pointer dereference in
vmxnet3_rq_rx_complete() (bsc#1223360).
- commit 829bff3
- usb: host: ohci-tmio: check return value after calling
platform_get_resource() (bsc#1222894 CVE-2021-47206).
- blacklist.conf: blacklist entry was a mistake caused by the driver
being dropped upstream, but only after SLE12
- commit 740a25a
- drm/amdgpu: Reset IH OVERFLOW_CLEAR bit (bsc#1223207 CVE-2024-26915)
- commit f1d8ff2
- Update
patches.suse/USB-usb-storage-Prevent-divide-by-0-error-in-isd200_.patch
(bsc#1223738 CVE-2024-27059).
Added CVE and bugzilla ids
- commit 6bf9f21
- usb: gadget: f_ncm: Fix UAF ncm object at re-bind after usb
ep transport error (bsc#1223752 CVE-2024-26996).
- commit f8904de
- drm/mediatek: Fix a null pointer crash in (CVE-2024-26874 bsc#1223048)
- commit e57c0ce
- ALSA: emu10k1: Fix out of bounds access in
snd_emu10k1_pcm_channel_alloc() (bsc#1223923 CVE-2022-48702).
- commit af9ea5f
- of: fdt: fix off-by-one error in unflatten_dt_nodes()
(CVE-2022-48672 bsc#1223931).
- commit 032891a
- btrfs: abort in rename_exchange if we fail to insert the second ref (CVE-2021-47113 bsc#1221543)
- Refresh patches.suse/btrfs-prevent-rename2-from-exchanging-a-subvol-with-a-directory-from-different-parents.patch.
- commit 6cc4490
- btrfs: dev-replace: properly validate device names (CVE-2024-26791 bsc#1222793)
- commit cc0f00b
- scripts/check-kernel-fix: add -F parameter
- scripts/common-functions:
There are cases where Fixes tag is incorrect. Example would be
bsc1223062 comment 3.
- commit d763992
- Update
patches.suse/net-sched-act_mirred-don-t-override-retval-if-we-alr.patch
references (CVE-2024-26739 bsc#1222559, drop incorrect references).
- commit ea93ecf
- scripts/common-functions: for_each_build_branch traverse branches in dependency topo sorted list
- scripts/check-kernel-fix: avoid rechecking child branches when parents are OK
Topological sorted dependency tree allows to optimize check-kernel-fixe
in cases where parent already has the fix. There is not reason to check
branches which merge from that branch as they will get the fix
eventually.
- commit 71b58d2
- net/tls: Remove the context from the list in tls_device_down
(bsc#1221545).
- commit 58c1b25
- tls: Fix context leak on tls_device_down (bsc#1221545).
- commit 389808e
- blacklist.conf: add 94ce3b64c62d
Blacklist commit 94ce3b64c62d ("net/tls: Use RCU API to access
tls_ctx->netdev"). This is a follow-up to c55dcdd435aa which addresses an
issue which is rather theoretical and the backport would be quite
intrusive.
- commit 8ca558a
- ALSA: usb-audio: Fix an out-of-bounds bug in
__snd_usb_parse_audio_interface() (CVE-2022-48701 bsc#1223921).
- commit 6f798e9
- kabi: hide new member of struct tls_context (CVE-2021-47131
bsc#1221545).
- net/tls: Fix use-after-free after the TLS device goes down
and up (CVE-2021-47131 bsc#1221545).
- commit 8c186be
- Update
patches.suse/SUNRPC-fix-some-memleaks-in-gssx_dec_option_array.patch
(git-fixes CVE-2024-27388 bsc#1223744).
- Update
patches.suse/s390-Once-the-discipline-is-associated-with-the-device-de.patch
(bsc#1141539 git-fixes CVE-2024-27054 bsc#1223819).
- Update
patches.suse/scsi-qla2xxx-Fix-command-flush-on-cable-pull.patch
(bsc1221816 CVE-2024-26931 bsc#1223627).
- Update patches.suse/scsi-qla2xxx-Fix-double-free-of-fcport.patch
(bsc1221816 CVE-2024-26929 bsc#1223715).
- Update
patches.suse/scsi-qla2xxx-Fix-double-free-of-the-ha-vp_map-pointe.patch
(bsc1221816 CVE-2024-26930 bsc#1223626).
- commit daf9a87
- Update
patches.suse/SUNRPC-fix-a-memleak-in-gss_import_v2_context.patch
(git-fixes CVE-2023-52653 bsc#1223712).
- Update patches.suse/aio-fix-mremap-after-fork-null-deref.patch
(git-fixes CVE-2023-52646 bsc#1223432).
- commit 793a07e
- Update
patches.suse/i40e-Fix-kernel-crash-during-module-removal.patch
(git-fixes CVE-2022-48688 bsc#1223953).
- Update
patches.suse/ipv6-sr-fix-out-of-bounds-read-when-setting-HMAC-dat.patch
(bsc#1211592 CVE-2023-2860 CVE-2022-48687 bsc#1223952).
- Update
patches.suse/s390-dasd-fix-Oops-in-dasd_alias_get_start_dev-due-to-missing-pavgroup
(git-fixes CVE-2022-48636 bsc#1223512).
- Update
patches.suse/scsi-mpt3sas-Fix-use-after-free-warning.patch
(git-fixes CVE-2022-48695 bsc#1223941).
- Update
patches.suse/scsi-qla2xxx-Fix-memory-leak-in-__qlt_24xx_handle_ab.patch
(bsc#1203935 CVE-2022-48650 bsc#1223509).
- commit cc68904
- Update
patches.suse/net-dsa-fix-a-crash-if-get_sset_count-fails.patch
(CVE-2021-47146 bsc#1221979 CVE-2021-47159 bsc#1221967).
- Update
patches.suse/scsi-ufs-core-Improve-SCSI-abort-handling.patch
(bsc#11222671 CVE-2021-47188 bsc#1222671).
- commit 5a613f4
- Fix references of
patches.suse/net-dsa-fix-a-crash-if-get_sset_count-fails.patch
This fix actually refers to different CVE and bug report. Fix the error.
- commit b797fc2
- openvswitch: fix stack OOB read while fragmenting IPv4 packets
(CVE-2021-46955 bsc#1220513).
- commit 1116e19
- sctp: fix potential deadlock on &net->sctp.addr_wq_lock
(CVE-2024-0639 bsc#1218917).
- commit de19ab3
- Update
patches.suse/SUNRPC-fix-some-memleaks-in-gssx_dec_option_array.patch
(git-fixes CVE-2024-27388 bsc#1223744).
- Update
patches.suse/s390-Once-the-discipline-is-associated-with-the-device-de.patch
(bsc#1141539 git-fixes CVE-2024-27054 bsc#1223819).
- Update
patches.suse/scsi-qla2xxx-Fix-command-flush-on-cable-pull.patch
(bsc1221816 CVE-2024-26931 bsc#1223627).
- Update patches.suse/scsi-qla2xxx-Fix-double-free-of-fcport.patch
(bsc1221816 CVE-2024-26929 bsc#1223715).
- Update
patches.suse/scsi-qla2xxx-Fix-double-free-of-the-ha-vp_map-pointe.patch
(bsc1221816 CVE-2024-26930 bsc#1223626).
- commit d54495e
- Update
patches.suse/SUNRPC-fix-a-memleak-in-gss_import_v2_context.patch
(git-fixes CVE-2023-52653 bsc#1223712).
- Update patches.suse/aio-fix-mremap-after-fork-null-deref.patch
(git-fixes CVE-2023-52646 bsc#1223432).
- commit 6164312
- Update
patches.suse/s390-dasd-fix-Oops-in-dasd_alias_get_start_dev-due-to-missing-pavgroup
(git-fixes CVE-2022-48636 bsc#1223512).
- Update
patches.suse/scsi-qla2xxx-Fix-memory-leak-in-__qlt_24xx_handle_ab.patch
(bsc#1203935 CVE-2022-48650 bsc#1223509).
- commit b81c322
- drm/tegra: dsi: Add missing check for of_find_device_by_node (CVE-2023-52650 bsc#1223770)
- commit 52453b3
- livepatch: Fix missing newline character in
klp_resolve_symbols() (bsc#1223539).
- commit a04a835
- printk: Update @console_may_schedule in
console_trylock_spinning() (bsc#1223969).
- commit 2217d14
- fs: sysfs: Fix reference leak in sysfs_break_active_protection() (CVE-2024-26993 bsc#1223693)
- commit d5b445d
- drm: nv04: Fix out of bounds access (CVE-2024-27008 bsc#1223802).
- commit d2971e3
- usb: dwc2: Fix memory leak in dwc2_hcd_init.
- commit b68c644
- printk: Disable passing console lock owner completely during
panic() (bsc#1197894).
- commit 7493ac1
- Input: ipaq-micro-keys - add error handling for devm_kmemdup.
- commit 8755dbb
- Input: xpad - add PXN V900 support.
- commit fbd5f3f
- Input: adxl34x - do not hardcode interrupt trigger type
(git-fixes).
- commit 926a03d
- blacklist.conf: cleanup surpressing a warning
- commit 922f659
- Input: drv260x - sleep between polling GO bit (git-fixes).
- commit e9e8d04
- blacklist.conf: cleanup, not a fix, no code change
- commit 9cb5758
- blacklist.conf: driver not compiled
- commit a3fa3df
- blacklist.conf: driver not compiled
- commit 9dfacec
- blacklist.conf: driver not compiled
- commit 1aef6fe
- drm/amd/display: Add a dc_state NULL check in dc_state_release (CVE-2024-26948 bsc#1223664)
- commit 04ae1fa
- blacklist.conf: this patch enables features only
- commit b3e7c52
- blacklist.conf: false positive
- commit 88b62ef
- USB: core: Fix deadlock in usb_deauthorize_interface().
- commit ab56ab9
- USB: usb-storage: Prevent divide-by-0 error in
isd200_ata_command (git-fixes).
- commit f114b54
- usb: roles: don't get/set_role() when usb_role_switch is
unregistered.
- commit d121124
- usb: mon: Fix atomicity violation in mon_bin_vma_fault
(git-fixes).
- commit 0605a2c
- blacklist.conf: not enabled
- commit 7aaa582
- blacklist.conf: kABI
- commit d241153
- drivers: usb: host: Fix deadlock in oxu_bus_suspend()
(git-fixes).
- commit 4bfa035
- blacklist.conf: add two fuse commits from git-fixes
- commit 57c7ed8
- fuse: don't unhash root (bsc#1223954).
- commit 4838661
- mass-cve: Always use bash in Makefile
Some constrcts are just too convenient to leave them in favor of
POSIX'd /bin/sh. Switch to explicit bash.
- commit d180dfd
- tun: limit printing rate when illegal packet received by tun
dev (bsc#1223745 CVE-2024-27013).
- net/mlx5e: Prevent deadlock while disabling aRFS (bsc#1223735
CVE-2024-27014).
- nfp: flower: handle acti_netdevs allocation failure (bsc#1223827
CVE-2024-27046).
- commit bb18705
- tipc: fix a possible memleak in tipc_buf_append (bsc#1221977
CVE-2021-47162).
- commit 503e448
- media: usbtv: Remove useless locks in usbtv_video_free()
(CVE-2024-27072 bsc#1223837).
- commit 784e536
- media: dvb-frontends: avoid stack overflow warnings with clang
(CVE-2024-27075 bsc#1223842).
- commit 134dc5e
- media: ttpci: fix two memleaks in budget_av_attach
(CVE-2024-27073 bsc#1223843).
- commit 13b28d2
- media: go7007: fix a memleak in go7007_load_encoder
(CVE-2024-27074 bsc#1223844).
- commit 54185dc
- media: edia: dvbdev: fix a use-after-free (CVE-2024-27043
bsc#1223824).
- commit 2732be2
- s390/mm: Fix storage key clearing for guest huge pages
(git-fixes bsc#1223885).
- commit cd536ee
- s390/mm: Fix clearing storage keys for huge pages (git-fixes
bsc#1223883).
- commit a8f7fd9
- media: v4l2-tpg: fix some memleaks in tpg_alloc (CVE-2024-27078
bsc#1223781).
- commit 9ec09ea
- tty/sysrq: replace smp_processor_id() with get_cpu()
(bsc#1223540).
- commit f6b8019
- NTB: fix possible name leak in ntb_register_device()
(CVE-2023-52652 bsc#1223686).
- commit ca5484d
- scsi: ufs: core: Improve SCSI abort handling (bsc#11222671,
CVE-2021-47188).
- blacklist.conf: remove 3ff1f6b
- commit 9ba0cd1
- drm/bridge: adv7511: fix crash on irq during probe (CVE-2024-26876 bsc#1223119).
- commit be1e389
- mass-cve: Add convenience KBUILD_USER environment variable
- commit 37d9436
- scripts/bugzilla-create: update help message with -a/--arch
- commit 3348e09
- scripts/bugzilla-create: allow -a or --arch option
I'd like to use something like...
./scripts/bugzilla-create -a "S/390-64" some.patch
- commit 0f79df2
- kABI workaround for cec_adapter (CVE-2024-23848 bsc#1219104).
- media: cec: core: avoid recursive cec_claim_log_addrs
(CVE-2024-23848 bsc#1219104).
- media: cec: core: avoid confusing "transmit timed out" message
(CVE-2024-23848 bsc#1219104).
- media: cec: cec-api: add locking in cec_release()
(CVE-2024-23848 bsc#1219104).
- media: cec: cec-adap: always cancel work in cec_transmit_msg_fh
(CVE-2024-23848 bsc#1219104).
- commit 6debb18
- media: cec: abort if the current transmit was canceled
(CVE-2024-23848 bsc#1219104).
- commit 331f0d4
- cachefiles: fix memory leak in cachefiles_add_cache()
(bsc#1222976 CVE-2024-26840).
- commit 7ab2bde
- mass-cve: Use dedicated worktree for reference updates
So that any checkout in KSOURCE_GIT is not changed.
- commit a21e700
- mass-cve: Fail early without data files
curl >$@ would create/update the file even if download fails.
Use explicit argument to prevent continuation with empty cve2bugzilla
file.
- commit 19318c9
- mass-cve: Make BRANCH mandatory
- commit 9365607
- net/bnx2x: Prevent access to a freed page in page_pool
(bsc#1223049 CVE-2024-26859).
- commit d2c8d25
- spi: spi-fsl-dspi: Fix a resource leak in an error handling path
(CVE-2021-47161 bsc#1221966).
- commit 86c2723
- amdkfd: use calloc instead of kzalloc to avoid integer overflow (CVE-2024-26817 bsc#1222812)
- commit e67f0f8
- blacklist.conf: Append 'drm/amdgpu: fix use-after-free bug'
- commit f438d4d
- Update
patches.suse/smb3-fix-temporary-data-corruption-in-insert-range.patch
(bsc#1190317 CVE-2022-48667 bsc#1223518).
- commit 91d9162
- Update
patches.suse/smb3-fix-temporary-data-corruption-in-collapse-range.patch
(bsc#1190317 CVE-2022-48668 bsc#1223516).
- commit 10d5c12
- net: fujitsu: fix potential null-ptr-deref (bsc#1221972
CVE-2021-47149).
- commit 9abeb19
- tipc: skb_linearize the head skb when reassembling msgs
(bsc#1221977 CVE-2021-47162).
- commit ba440f6
- net: dsa: fix a crash if ->get_sset_count() fails
(CVE-2021-47146 bsc#1221979).
- commit 599796c
- mld: fix panic in mld_newpack() (CVE-2021-47146 bsc#1221979).
- commit e3d5602
- netfilter: nf_tables: disallow timeout for anonymous sets
(CVE-2023-52620 bsc#1221825).
- commit f690b72
- mass-cve: Fix update detection with packed-refs
Per-branch files are thing of the past, git may non-deterministically
pack the ref files. Therefore use the timestamp of the whole packed-ref
file (better false positive detection of update than breakage or false
negative).
Add unified approach to read packed-refs regardless of KSOURCE_GIT
worktree or not.
- commit 57244df
- net/ipv6: avoid possible UAF in ip6_route_mpath_notify()
(CVE-2024-26852 bsc#1223057)
- commit 598df4c
- Update
patches.suse/s390-Once-the-discipline-is-associated-with-the-device-de.patch
(bsc#1141539 git-fixes).
- commit b8b94c0
- quota: Fix potential NULL pointer dereference (bsc#1223060
CVE-2024-26878).
- commit 983d363
- do_sys_name_to_handle(): use kzalloc() to fix kernel-infoleak
(bsc#1223198 CVE-2024-26901).
- commit 2f53016
- blk-mq: fix IO hang from sbitmap wakeup race (bsc#1222357
CVE-2024-26671).
- commit ecdc50b
- ext4: avoid allocating blocks from corrupted group in
ext4_mb_find_by_goal() (bsc#1222613 CVE-2024-26772).
- commit 3d3003a
- PM / devfreq: Fix buffer overflow in trans_stat_show
(CVE-2023-52614 bsc#1221617).
- commit ad2729f
- net: ice: Fix potential NULL pointer dereference in
ice_bridge_setlink() (bsc#1223051 CVE-2024-26855).
- geneve: make sure to pull inner header in geneve_rx()
(bsc#1223058 CVE-2024-26857).
- ppp_async: limit MRU to 64K (bsc#1222379 CVE-2024-26675).
- ipvlan: Fix out-of-bound bugs caused by unset skb->mac_header
(bsc#1223513 CVE-2022-48651).
- commit bc8fe89
- RDMA/mlx5: Fix fortify source warning while accessing Eth segment (bsc#1223203 CVE-2024-26907)
- commit 1c532b6
- regmap: prevent noinc writes from clobbering cache (bsc#1221162
CVE-2023-52488).
- regmap: fix page selection for noinc writes (bsc#1221162
CVE-2023-52488).
- regmap: fix page selection for noinc reads (bsc#1221162
CVE-2023-52488).
- commit dc5bde0
- scripts/common-functions: cve2cvss fix CVE matching
CVE-2023-4244:
cvss:
- version: 3.1
score: 7
vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
CVE-2023-42445:
cvss:
- version: 3.1
score: 6.8
vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:H
CVE-2023-4244 will mismatch. Thanks to Marcus for spotting!
- commit 1e0c847
- blacklist.conf: false positive
- commit 17b05a2
- usb: dwc2: check return value after calling
platform_get_resource() (git-fixes).
- commit 831627d
- usb: dwc3: gadget: Ignore EP queue requests during bus reset
(git-fixes).
- commit 270950d
- drm/amdgpu: validate the parameters of bo mapping operations more (CVE-2024-26922 bsc#1223315)
- commit 1a7d0fd
- i40e: Fix NULL ptr dereference on VSI filter sync (bsc#1222666
CVE-2021-47184).
- commit 1ad3e1d
- usb: gadget: Fix issue with config_ep_by_speed function
(git-fixes).
- commit e3f4200
- x86/boot: Ignore relocations in .notes sections in walk_relocs() too (bsc#1222624 CVE-2024-26816).
- commit b878a00
- x86, relocs: Ignore relocations in .notes section (bsc#1222624 CVE-2024-26816).
- commit d091560
- blacklist.conf: Add 246f80a0b17f8 ("sh: push-switch: Reorder cleanup operations to avoid use-after-free bug")
- commit 8e38656
- PM / devfreq: Synchronize devfreq_monitor_[start/stop]
(CVE-2023-52635 bsc#1222294).
- commit faf3604
- Update
patches.suse/Bluetooth-rfcomm-Fix-null-ptr-deref-in-rfcomm_check_-2535b848.patch
(bsc#1219170 CVE-2024-22099 CVE-2024-26903 bsc#1223187).
- Update
patches.suse/aoe-fix-the-potential-use-after-free-problem-in-aoec.patch
(bsc#1218562 CVE-2023-6270 CVE-2024-26898 bsc#1223016).
- Update
patches.suse/net-sched-act_mirred-don-t-override-retval-if-we-alr.patch
(CVE-2024-26733 bsc#1222585 CVE-2024-26739 bsc#1222559).
- Update
patches.suse/sr9800-Add-check-for-usbnet_get_endpoints.patch
(git-fixes CVE-2024-26651 bsc#1221337).
- commit f0c3935
- Update
patches.suse/msft-hv-2480-x86-hyperv-Fix-NULL-deref-in-set_hv_tscchange_cb-if-.patch
(git-fixes CVE-2021-47217 bsc#1222836).
- Update
patches.suse/net-dpaa2-eth-fix-use-after-free-in-dpaa2_eth_remove.patch
(git-fixes CVE-2021-47204 bsc#1222787).
- Update patches.suse/scsi-advansys-Fix-kernel-pointer-leak.patch
(git-fixes CVE-2021-47216 bsc#1222876).
- Update
patches.suse/scsi-lpfc-Fix-use-after-free-in-lpfc_unreg_rpi-routi.patch
(bsc#1192145 CVE-2021-47198 bsc#1222883).
- commit 1aa3f8e
- scripts/check-kernel-fix: hide add references hint
We would like to handle reference updates in batches by mass-cve tooling
so prevent potential races when people add references manually. Still
show this in the verbose mode though.
- commit 44b9e4b
- scripts/install-git-hooks: Use --git-common-dir for $GIT_DIR
This option works better for the repo via git-worktree
- commit 5ef3652
- bpf: Fix stackmap overflow check on 32-bit arches (bsc#1223035
CVE-2024-26883).
- bpf: Fix hashtab overflow check on 32-bit arches (bsc#1223189
CVE-2024-26884).
- bpf: Check for integer overflow when using roundup_pow_of_two()
(bsc#1223035 CVE-2024-26883).
- commit 4249641
- scripts/check-kernel-fix: add -c CVE-XXXX-YYY support
Older CVEs are not tracked by VULNS_GIT so give those a chance to use
the same workflow by just giving the CVE number.
- commit eac99ec
- scripts/check-kernel-fix: integrate suse-get-maintainers
- commit fd66b07
- IB/hfi1: Fix a memleak in init_credit_return (CVE-2024-26839 bsc#1222975)
- commit 1b9aeec
- Refresh
patches.suse/NFS-add-atomic_open-for-NFSv3-to-handle-O_TRUNC-corr.patch.
Handle too-long file names.
- commit d3b61d6
- scripts/check-kernel-fix: improve branch output elimination
If the merge origin branch is only missing references then it doesn't
make sense to report missing patch or references in the target branch
as it will get all from the merge origin.
- commit 5728eb5
- scripts/check-kernel-fix: improve branch output elimination
./scripts/check-kernel-fix CVE-2024-26805
661779e1fcaf ("netlink: Fix kernel-infoleak-after-free in __skb_datagram_iter") merged v6.8-rc7~26^2~35
Fixes: 1853c9496460 ("netlink, mmap: transform mmap skb into full skb on taps") merged v4.3-rc3~13^2~83
Security fix for CVE-2024-26805 bsc#1222630 with CVSS 5.5
..............................
ACTION NEEDED!
SLE15-SP6-RT: MANUAL: backport 661779e1fcafe1b74b3f3fe8e980c1e207fea1fd (Fixes 1853c9496460)
ALP-current-RT: MANUAL: backport 661779e1fcafe1b74b3f3fe8e980c1e207fea1fd (Fixes 1853c9496460)
SLE15-SP5-RT: MANUAL: backport 661779e1fcafe1b74b3f3fe8e980c1e207fea1fd (Fixes 1853c9496460)
SLE12-SP3-TD: MANUAL: backport 661779e1fcafe1b74b3f3fe8e980c1e207fea1fd (Fixes 1853c9496460)
Note how *RT branches are printed even though SLE15-SP6 resp SLE15-SP5
already have the fix. The current elimination logic only drops branches
which are in the same state as their merge origin.
mb_line processing is incorrect when that state differs. Fix that by
looking up the state rather than play with sed and grep for identical
output.
With this patch applied
[...]
ACTION NEEDED!
SLE12-SP3-TD: MANUAL: backport 661779e1fcafe1b74b3f3fe8e980c1e207fea1fd (Fixes 1853c9496460)
- commit 2e74804
- wifi: b43: Stop/wake correct queue in DMA Tx path when QoS is
disabled (CVE-2023-52644 bsc#1222961).
- commit 411fc96
- clk: sunxi-ng: Unregister clocks/resets when unbinding
(CVE-2021-47205 bsc#1222888).
- commit 67523b6
- ALSA: usb-audio: fix null pointer dereference on pointer cs_desc
(CVE-2021-47211 bsc#1222869).
- commit a86f817
- Update
patches.suse/scsi-lpfc-Fix-list_add-corruption-in-lpfc_drain_txq.patch
(bsc#1190576 CVE-2021-47203 bsc#1222881).
- commit 2cb2a3c
- ALSA: gus: fix null pointer dereference on pointer block
(CVE-2021-47207 bsc#1222790).
- commit 2c3256c
- wifi: mac80211: fix race condition on enabling fast-xmit
(CVE-2024-26779 bsc#1222772).
- commit 5e02fca
- scripts/cve_tools: Update README
Issue was fixed in ad3235427c3
- commit 67e16e8
- wifi: rt2x00: restart beacon queue when hardware reset
(CVE-2023-52595 bsc#1221046).
- commit 671852b
- ceph: prevent use-after-free in encode_cap_msg() (bsc#1222503
CVE-2024-26689).
- commit 09813ff
- blacklist.conf: Append 'drm/amdgpu: Fix variable 'mca_funcs' dereferenced before NULL check in 'amdgpu_mca_smu_get_mca_entry()''
- commit cde121c
- Update patches.suse/arp-Prevent-overflow-in-arp_req_get.patch
- fix build warning
- commit f10c34a
- kABI: regmap: Add regmap_noinc_read/write API (bsc#1221162
CVE-2023-52488).
- commit fb0c9d2
- regmap: Add regmap_noinc_write API (bsc#1221162 CVE-2023-52488).
- regmap: Add regmap_noinc_read API (bsc#1221162 CVE-2023-52488).
- commit 60efad2
- usb: roles: fix NULL pointer issue when put module's reference
(bsc#1222609 CVE-2024-26747).
- commit 73af327
- serial: sc16is7xx: convert from _raw_ to _noinc_ regmap
functions for FIFO (bsc#1221162 CVE-2023-52488).
- commit a689f3e
- Refresh patches.kabi/cpufeatures-kabi-fix.patch (bsc#1222952)
Don't call set_cpu_caps when calling set_cpu_bug, this causes problems
with overlapping feature/bug ints. Directly call set_bit witht he
correct parameters.
- commit 16e52e8
- scripts/check-kernel-fix: allow explicit git fixes
- scripts/common-functions:
change -f from flat mode to -f fixes and use -t for the flat mode.
It seems that the security team is not using the flat mode anyway so we
might drop it eventually. Let's keep it to play around, it is a trivial
code anyway.
- f "sha" now allows to specify explicit Fixes commit shas which would
extend existing ones.
- commit 468ac9c
- md/raid5: fix atomicity violation in raid5_cache_count (bsc#1219169, CVE-2024-23307).
- commit c0dbc35
- ext4: avoid allocating blocks from corrupted group in
ext4_mb_try_best_found() (bsc#1222618 CVE-2024-26773).
- commit 4110538
- thermal: Fix NULL pointer dereferences in of_thermal_ functions (CVE-2021-47202 bsc#1222878)
- commit 08cf92c
- md/raid5: fix atomicity violation in raid5_cache_count
(bsc#1219169, CVE-2024-23307).
- commit 391774d
- fbdev: sis: Error out if pixclock equals zero (bsc#1222765 CVE-2024-26777)
- commit 283e632
- fbdev: savage: Error out if pixclock equals zero (bsc#1222770 CVE-2024-26778)
- commit c2c54cf
- drm: Don't unref the same fb many times by mistake due to deadlock handling (CVE-2023-52486 bsc#1221277).
- commit 5843530
- blacklist.conf: add one more PCI git-fixes
- commit 7baca5d
- IB/ipoib: Fix mcast list locking (CVE-2023-52587 bsc#1221082)
- commit 94cde16
- RDMA/IPoIB: Fix error code return in ipoib_mcast_join (bsc#1221082)
- commit 348c98c
- RDMA/srp: Do not call scsi_done() from srp_abort() (CVE-2023-52515 bsc#1221048)
- commit d5d3a97
- RDMA/qedr: Fix qedr_create_user_qp error flow (bsc#1222677 CVE-2024-26743)
- commit c49697b
- RDMA/srpt: Support specifying the srpt_service_guid parameter (bsc#1222449 CVE-2024-26744)
- commit 00d0add
- NFS: avoid spurious warning of lost lock that is being unlocked
(bsc#1221791).
- commit 63a2e3f
- Update
patches.suse/NFS-add-atomic_open-for-NFSv3-to-handle-O_TRUNC-corr.patch
(bsc#1219847 bsc#1221862).
Fix a NULL-pointer-deref bug. Make the patch closer to the patch I sent
upstream.
- commit 5f62723
- dm-crypt: don't modify the data when using authenticated
encryption (bsc#1222720, CVE-2024-26763).
- commit 3e74213
- scsi: core: Fix scsi_mode_sense() buffer length handling
(bsc#1222662 CVE-2021-47182).
- commit 09c6ab5
- scripts/check-kernel-fix: Do not report missing references for EB branches
After discussion with Christian Hueller (EB branches maintainer) we have
concluded that updating references to CVE fixes which are already in EB
branches is not really adding any value so let's just not report them
- commit 0fddb67
- scripts/check-kernel-fix: require both bsc and cvss for security fixes
cve2bsc DB might be out of sync. This could be annoying when dealing
with freshly coming CVE bugs where the bsc# is known and proposed
references addition miss the bug number.
Enforce both bsc and CVSS data for security bugs and allow to
provide/override the bug number by -b bsc#NUMBER parameter.
- commit cc2be7b
- dmaengine: ti: edma: Add some null pointer checks to the edma_probe (CVE-2024-26771 bsc#1222610)
- commit 01a7e9c
- netlink: Fix kernel-infoleak-after-free in __skb_datagram_iter
(bsc#1222630 CVE-2024-26805).
- commit ad84c88
- Update
patches.suse/gtp-fix-use-after-free-and-null-ptr-deref-in-gtp_gen.patch
(bsc#1222428 CVE-2024-26793 CVE-2024-26754 bsc#1222632).
- commit b4d8fa6
- Update
patches.suse/btrfs-fix-memory-ordering-between-normal-and-ordered-work-functions.patch
(git-fixes CVE-2021-47189 bsc#1222706).
- commit d1ad6f0
- tty: tty_buffer: Fix the softlockup issue in flush_to_ldisc
(bsc#1222669 CVE-2021-47185).
- commit 24cc88e
- PCI: pciehp: Add pciehp_set_indicators() to set both indicators
(git-fixes).
- commit deaddb6
- PCI/ASPM: Reduce severity of common clock config message
(git-fixes).
- commit 00c0986
- PCI/ASPM: Don't warn if already in common clock mode
(git-fixes).
- commit 231253b
- PCI/ASPM: Factor out pcie_wait_for_retrain() (git-fixes).
- PCI/ASPM: Return 0 or -ETIMEDOUT from pcie_retrain_link()
(git-fixes).
- PCI: Rework pcie_retrain_link() wait loop (git-fixes).
- commit 4a0cd5a
- scripts/check-kernel-fix: bail out without CVSS score
cve2cvss DB takes quite some time to sync and it is less confusing to
enfore cache refresh or provide manual scoring (via -s) as that tends to
be available in bugzilla most of the time.
- commit bdee7f8
- Refresh patches.kabi/cpufeatures-kabi-fix.patch.
- commit 70aa480
- Refresh patches.suse/x86-bhi-Add-BHI-mitigation-knob.patch.
Check for bug presence with cpu_has_bug rather than cpu_has so that
overlapping bug/feature bits are handled correctly
- commit ec98c66
- Update
patches.suse/scsi-lpfc-Fix-link-down-processing-to-address-NULL-p.patch
(bsc#1192145 CVE-2021-47183 bsc#1222664).
- commit b599f2b
- Update
patches.suse/usb-musb-tusb6010-check-return-value-after-calling-p.patch
(git-fixes CVE-2021-47181 bsc#1222660).
- commit a0f1eaa
- scripts/common-functions: cve2sha: fix multiline output from vulns DB
$ ./scripts/check-kernel-fix -s 5.5 CVE-2021-47181
failes with uknown sha for the given CVE because vulns.git cve_search
returns unexpected multi-line output
$ scripts/cve_search CVE-2021-47181
CVE-2021-47181 is assigned to git id 14651496a3de6807a17c310f63c894ea0c5d858e
f08adf5add9a071160c68bb2a61d697f39ab0758
Filter out the first line only to handle that
- commit 970f746
- tty: n_gsm: require CAP_NET_ADMIN to attach N_GSM0710 ldisc
(bsc#1222619).
- commit 94fc6e9
- PCI: Mark 3ware-9650SE Root Port Extended Tags as broken
(git-fixes).
- PCI/DPC: Print all TLP Prefixes, not just the first (git-fixes).
- PCI/MSI: Prevent MSI hardware interrupt number truncation
(git-fixes).
- PCI/sysfs: Protect driver's D3cold preference from user space
(git-fixes).
- PCI/ASPM: Use RMW accessors for changing LNKCTL (git-fixes).
- PCI: pciehp: Use RMW accessors for changing LNKCTL (git-fixes).
- PCI: Make link retraining use RMW accessors for changing LNKCTL
(git-fixes).
- PCI: Add locking to RMW PCI Express Capability Register
accessors (git-fixes).
- kABI: PCI: Add locking to RMW PCI Express Capability Register
accessors (kabi).
- PCI: qcom: Use DWC helpers for modifying the read-only DBI
registers (git-fixes).
- PCI: qcom: Disable write access to read only registers for IP
v2.3.3 (git-fixes).
- PCI: Add function 1 DMA alias quirk for Marvell 88SE9235
(git-fixes).
- PCI: pciehp: Cancel bringup sequence if card is not present
(git-fixes).
- PCI/ASPM: Avoid link retraining race (git-fixes).
- commit 5d813c6
- arp: Prevent overflow in arp_req_get() (CVE-2024-26733
bsc#1222585).
- commit 64afd8b
- net/sched: act_mirred: don't override retval if we already
lost the skb (CVE-2024-26733 bsc#1222585).
- commit ec837ad
- blacklist.conf: update blacklist
- commit f1ca6cb
- PCI/ASPM: Disable ASPM on MFD function removal to avoid
use-after-free (git-fixes).
- PCI: pciehp: Fix AB-BA deadlock between reset_lock and
device_lock (git-fixes).
- PCI: switchtec: Return -EFAULT for copy_to_user() errors
(git-fixes).
- PCI: Avoid FLR for AMD FCH AHCI adapters (git-fixes).
- PCI/IOV: Enlarge virtfn sysfs name buffer (git-fixes).
- PCI: hotplug: Allow marking devices as disconnected during
bind/unbind (git-fixes).
- PCI: dwc: Add unroll iATU space support to dw_pcie_disable_atu()
(git-fixes).
- PCI: Add ACS quirk for Broadcom BCM5750x NICs (git-fixes).
- commit 60d94f2
- PCI: endpoint: Don't stop controller when unbinding endpoint
function (git-fixes).
- PCI: qcom: Fix unbalanced PHY init on probe errors (git-fixes).
- PCI: Avoid pci_dev_lock() AB/BA deadlock with
sriov_numvfs_store() (git-fixes).
- PCI/PM: Power up all devices during runtime resume (git-fixes).
- PCI/AER: Clear MULTI_ERR_COR/UNCOR_RCV bits (git-fixes).
- PCI: aardvark: Fix setting MSI address (git-fixes).
- PCI: aardvark: Fix support for MSI interrupts (git-fixes).
- commit fd2813d
- Refresh
patches.suse/Bluetooth-btsdio-fix-use-after-free-bug-in-btsdio_re.patch.
Add alternate ID for stable
- commit 38c4e25
- Bluetooth: btqcomsmd: Fix command timeout after setting BD
address (git-fixes).
- commit de57587
- Bluetooth: hci_intel: Add check for platform_driver_register
(git-fixes).
- commit 0e58b3a
- Bluetooth: btqca: Introduce HCI_EV_VENDOR and use it
(git-fixes).
- commit 7e74176
- Bluetooth: btqca: Fixed a coding style error (git-fixes).
- commit 0f83a52
- blacklist.conf: false positive (introduced v5.14, not backported)
- commit e867532
- ext4: fix double-free of blocks due to wrong extents moved_len
(bsc#1222422 CVE-2024-26704).
- commit da029ac
- Refresh
patches.suse/bpf-sockmap-Prevent-lock-inversion-deadlock-in-map-d.patch.
- commit 6490813
- gtp: fix use-after-free and null-ptr-deref in gtp_newlink()
(bsc#1222428 CVE-2024-26793).
- gtp: fix use-after-free and null-ptr-deref in
gtp_genl_dump_pdp() (bsc#1222428 CVE-2024-26793).
- commit 9c6b7d6
- scripts/git_sort/git_sort.py:
Add Len Brown's kernel subtree
- commit 3e92416
- nfsd: Fix error cleanup path in nfsd_rename() (bsc#1221044
CVE-2023-52591).
- commit b8b869c
- usb: musb: Modify the "HWVers" register address (git-fixes).
- commit d99cd58
- blacklist.conf: This is a feature, not a fix
- commit f6334d7
- sr9800: Add check for usbnet_get_endpoints (git-fixes).
- commit 24ceaa4
- blacklist.conf: add unneeded PCI git-fixes
- commit beed85d
- Refresh patches.kabi/cpufeatures-kabi-fix.patch.
Fix aliasing problems if we have an extended capability which aliases a
non-extended bug bit. The fix is to always ensure that bug bits related
functionality doesn't use the "generic" cap functionality.
- commit c674af2
- Update
patches.suse/KVM-s390-vsie-fix-race-during-shadow-creation.patch
(git-fixes bsc#1220613 CVE-2023-52639 bsc#1222300).
- Update
patches.suse/netfilter-nftables-exthdr-fix-4-byte-stack-OOB-write.patch
(CVE-2023-4881 bsc#1215221 CVE-2023-52628 bsc#1222117).
- commit 5564fa1
- mass-cve: Case insensitive references detection
Only add reference when it is new (regardless of case).
- commit 9944f70
- scripts/check-kernel-fix: implement -s CVSS option
- commit b759632
- scripts/check-kernel-fix: clarify no CVSS assignment
- commit 3d658ea
- mass-cve: Fix path to git repos
Specifying only --git-dir ends up with checking out files to CWD and to
under $VULNS_GIT. `git -C` should fix all various setups (worktrees or
not).
- commit ad32354
- nfsd: Fix error cleanup path in nfsd_rename() (git-fixes).
- commit c8d258d
- scripts/check-kernel-fix: Handled unknown branches more gracefully
- scripts/common-functions:
This doesn't happen often. Usually when branches.conf doesn't match the
kernel-source.git tree because of renaming. git fetch should fix those
so be more helpuful to poor users.
- commit 7d296f5
- scripts/common-functions: silenc errors when forcibly removing cache files
- commit f76f1c4
- x86/bhi: Mitigate KVM by default (bsc#1217339 CVE-2024-2201).
- commit 7079142
- scripts/common-functions: call out upstream patches with no Fixes tag
- commit 4d33f71
- x86/bhi: Add BHI mitigation knob (bsc#1217339 CVE-2024-2201).
- Update config files.
- commit 41d6371
- x86/bhi: Enumerate Branch History Injection (BHI) bug (bsc#1217339 CVE-2024-2201).
- commit 2432a6f
- x86/bhi: Define SPEC_CTRL_BHI_DIS_S (bsc#1217339 CVE-2024-2201).
- commit fe53768
- x86/bhi: Add support for clearing branch history at syscall entry (bsc#1217339 CVE-2024-2201).
- Refresh patches.kabi/cpufeatures-kabi-fix.patch.
- commit 955ab56
- Fixup NULL ptr dereference due to mistake in backporting in
patches.suse/ext2-Avoid-reading-renamed-directory-if-parent-does-.patch.
- commit 55001e0
- Delete
patches.suse/x86-bugs-Fix-the-SRSO-mitigation-on-Zen3-4.patch.
the kernel fails to boot on x86:
[ 0.048461] MDS: Vulnerable: Clear CPU buffers attempted, no microcode
[ 0.048698] MMIO Stale Data: Unknown: No mitigations
qemu-system-x86_64: terminating on signal 15 from pid 42034 (timeout)
- commit 035c88f
- x86/cpufeature: Add missing leaf enumeration (bsc#1217339 CVE-2024-2201).
- commit 248bb60
- Update references
- commit 1bab65d
- scsi: lpfc: Fix a possible data race in
lpfc_unregister_fcf_rescan() (bsc#1219618 CVE-2024-24855).
- commit 6004b44
- scripts/check-kernel-fix: document LINUX_GIT requirement
- scripts/common-functions:
- commit 4f88751
- media: xc4000: Fix atomicity violation in xc4000_get_frequency
(git-fixes bsc#1219623 CVE-2024-24861).
- commit ad0b314
- scripts/check-kernel-fix: add flat mode
Talked to Robert Frohl from the security team and he exaplained that
they would appreciate a mode which doesn't do any filtering because
the team has to track even those products which are not required to
publish fixes. -f should achieve that
- commit dfb0710
- x86/bugs: Fix the SRSO mitigation on Zen3/4 (git-fixes).
- commit 8032e89
- mass-cve: Hide unimportant make messages
Hide data preprocessing messages, preserve messages that relate to git
operations.
- commit d5ea4b9
- bpf, sockmap: Prevent lock inversion deadlock in map delete elem
(bsc#1209657 CVE-2023-0160).
- commit 40497a8
- bpf, sockmap: Fix preempt_rt splat when using raw_spin_lock_t
(git-fixes).
- commit 3c6384f
- bnx2x: Fix enabling network interfaces without VFs (git-fixes).
- commit b60bea3
- ethernet: myri10ge: Fix missing error code in myri10ge_probe()
(git-fixes).
- commit 71a7d56
- bnx2x: Fix missing error code in bnx2x_iov_init_one()
(git-fixes).
- commit 813cb9c
- net: macb: ensure the device is available before accessing
GEMGXL control registers (git-fixes).
- commit 1742349
- net/qla3xxx: fix schedule while atomic in ql_sem_spinlock
(git-fixes).
- commit 8e475cb
- blacklist.conf: update blacklist
- commit a7a5329
- netfilter: nf_tables: disallow anonymous set with timeout flag
(CVE-2024-26642 bsc#1221830).
- commit b3d18fd
- netfilter: ctnetlink: fix possible refcount leak in
ctnetlink_create_conntrack() (CVE-2023-7192 bsc#1218479).
- commit 0774a95
- net: allwinner: Fix some resources leak in the error handling path of the probe and in the remove function (git-fixes).
- commit d464181
- ethernet: ucc_geth: fix definition and size of ucc_geth_tx_global_pram (git-fixes).
- commit 6895e10
- net/mlx5: Properly convey driver version to firmware (git-fixes).
- commit 09bc4c8
- net: stmmac: free tx skb buffer in stmmac_resume() (git-fixes).
- commit 7769206
- tun: honor IOCB_NOWAIT flag (git-fixes).
- commit 1f0149b
- atl1e: fix error return code in atl1e_probe() (git-fixes).
- commit da6dd80
- atl1c: fix error return code in atl1c_probe() (git-fixes).
- commit 56e0459
- net: atheros: switch from 'pci_' to 'dma_' API (git-fixes).
- commit 47ce14b
- blacklist.conf: update blacklist
- commit dc2abcd
- mass-cve: Fail nicely if env is not set
- commit 7d0c68a
- mass-cve: Invalidate cache when scanned branch is updated
- commit cf71c00
- README.BRANCH: Remove copy of branch name
- commit 26f4895
- usb: dwc3: core: Do not perform GCTL_CORE_SOFTRESET during
bootup (bsc#1220628 CVE-2021-46941).
- commit ebce255
- usb: dwc3: core: balance phy init and exit (bsc#1220628
CVE-2021-46941).
- commit 8f693d2
- USB: usbfs: Don't WARN about excessively large memory
allocations.
- commit 8172f18
- ipv6: init the accept_queue's spinlocks in inet6_create
(bsc#1221293 CVE-2024-26614).
- commit 6bea6a5
- tcp: make sure init the accept_queue's spinlocks once
(bsc#1221293 CVE-2024-26614).
- commit 800aa0a
- userfaultfd: release page in error path to avoid BUG_ON
(CVE-2021-46988 bsc#1220706).
- commit bcafeec
- powerpc/mm: Fix null-pointer dereference in pgtable_cache_add
(CVE-2023-52607 bsc#1221061).
- commit af6f33a
- mass-cve: Lazily pull from vulns DB git
- commit cf62cc6
- mass-cve: Allow calling make -f Makefile from anywhere
- commit 96ccd46
- mass-cve: Add README
- commit d223050
- Update
patches.suse/net-nfc-llcp-Add-lock-when-modifying-device-list.patch
(git-fixes CVE-2023-52524 bsc#1220927).
- Update
patches.suse/net-usb-smsc75xx-Fix-uninit-value-access-in-__smsc75.patch
(git-fixes CVE-2023-52528 bsc#1220843).
- Update
patches.suse/nvmet-tcp-Fix-a-kernel-panic-when-host-sends-an-inva.patch
(bsc#1217987 bsc#1217988 bsc#1217989 CVE-2023-6535 CVE-2023-6536
CVE-2023-6356 CVE-2023-52454 bsc#1220320).
- Update
patches.suse/ocfs2-Avoid-touching-renamed-directory-if-parent-doe.patch
(bsc#1221044 CVE-2023-52591 CVE-2023-52590 bsc#1221088).
- Update
patches.suse/ravb-Fix-use-after-free-issue-in-ravb_tx_timeout_wor.patch
(bsc#1212514 CVE-2023-35827 CVE-2023-52509 bsc#1220836).
- Update
patches.suse/x86-srso-fix-sbpb-enablement-for-spec_rstack_overflow-off.patch
(git-fixes CVE-2023-52575 bsc#1220871).
- commit 2258ead
- Update patches.suse/mmc-moxart_remove-Fix-UAF.patch (bsc#1194516
CVE-2022-0487 CVE-2022-48626 bsc#1220366).
- commit 10fc152
- Update
patches.suse/0019-dm-rq-fix-double-free-of-blk_mq_tag_set-in-dev-remov.patch
(git fixes CVE-2021-46938 bsc#1220554).
- Update
patches.suse/ACPI-custom_method-fix-potential-use-after-free-issu.patch
(git-fixes CVE-2021-46966 bsc#1220572).
- Update
patches.suse/ARM-footbridge-fix-PCI-interrupt-mapping.patch
(git-fixes CVE-2021-46909 bsc#1220442).
- Update
patches.suse/IB-qib-Fix-memory-leak-in-qib_user_sdma_queue_pkts.patch
(git-fixes CVE-2021-47104 bsc#1220960).
- Update
patches.suse/NFC-nci-fix-memory-leak-in-nci_allocate_device.patch
(git-fixes CVE-2021-47180 bsc#1221999).
- Update
patches.suse/NFS-Don-t-corrupt-the-value-of-pg_bytes_written-in-n.patch
(git-fixes CVE-2021-47166 bsc#1221998).
- Update
patches.suse/NFS-Fix-an-Oopsable-condition-in-__nfs_pageio_add_re.patch
(git-fixes CVE-2021-47167 bsc#1221991).
- Update
patches.suse/NFS-fix-an-incorrect-limit-in-filelayout_decode_layo.patch
(git-fixes CVE-2021-47168 bsc#1222002).
- Update
patches.suse/NFSv4-Fix-a-NULL-pointer-dereference-in-pnfs_mark_ma.patch
(git-fixes CVE-2021-47179 bsc#1222001).
- Update
patches.suse/asix-fix-uninit-value-in-asix_mdio_read.patch
(git-fixes CVE-2021-47101 bsc#1220987).
- Update
patches.suse/bnxt_en-Fix-RX-consumer-index-logic-in-the-error-pat.patch
(git-fixes CVE-2021-47015 bsc#1220794).
- Update
patches.suse/btrfs-fix-race-between-transaction-aborts-and-fsyncs.patch
(bsc#1186441 CVE-2021-46958 bsc#1220521).
- Update
patches.suse/cifs-Return-correct-error-code-from-smb2_get_enc_key.patch
(git-fixes CVE-2021-46960 bsc#1220528).
- Update
patches.suse/crypto-qat-ADF_STATUS_PF_RUNNING-should-be-set-after.patch
(git-fixes CVE-2021-47056 bsc#1220769).
- Update
patches.suse/cxgb4-avoid-accessing-registers-when-clearing-filter.patch
(bsc#1136345 jsc#SLE-4681 CVE-2021-47138 bsc#1221934).
- Update patches.suse/drm-amdgpu-Fix-a-use-after-free.patch
(git-fixes CVE-2021-47142 bsc#1221952).
- Update
patches.suse/drm-meson-fix-shutdown-crash-when-component-not-prob.patch
(git-fixes CVE-2021-47165 bsc#1221965).
- Update
patches.suse/ethernet-enic-Fix-a-use-after-free-bug-in-enic_hard_.patch
(bsc#1113431 CVE-2021-46998 bsc#1220625).
- Update
patches.suse/ext4-fix-bug-on-in-ext4_es_cache_extent-as-ext4_spli.patch
(bsc#1187408 CVE-2021-47117 bsc#1221575).
- Update
patches.suse/ext4-fix-memory-leak-in-ext4_fill_super.patch
(bsc#1187409 CVE-2021-47119 bsc#1221608).
- Update
patches.suse/gve-Add-NULL-pointer-checks-when-freeing-irqs.patch
(bsc#1176940 CVE-2021-47141 bsc#1221949).
- Update
patches.suse/i2c-i801-Don-t-generate-an-interrupt-on-bus-reset.patch
(git-fixes CVE-2021-47153 bsc#1221969).
- Update patches.suse/iommu-vt-d-fix-sysfs-leak-in-alloc_iommu
(bsc#1189272 CVE-2021-47177 bsc#1221997).
- Update
patches.suse/ipmi-Fix-UAF-when-uninstall-ipmi_si-and-ipmi_msghand.patch
(git-fixes CVE-2021-47100 bsc#1220985).
- Update
patches.suse/kvm-destroy-i-o-bus-devices-on-unregister-failure-after_-sync-ing-srcu
(CVE-2020-36312 bsc#1184509 CVE-2021-47061 bsc#1220745).
- Update
patches.suse/kvm-stop-looking-for-coalesced-mmio-zones-if-the-bus-is-destroyed
(CVE-2020-36312 bsc#1184509 CVE-2021-47060 bsc#1220742).
- Update
patches.suse/md-raid1-properly-indicate-failure-when-ending-a-fai.patch
(bsc#1185680 CVE-2021-46950 bsc#1220662).
- Update
patches.suse/misc-uss720-fix-memory-leak-in-uss720_probe.patch
(git-fixes CVE-2021-47173 bsc#1221993).
- Update
patches.suse/msft-hv-2305-Drivers-hv-vmbus-Use-after-free-in-__vmbus_open.patch
(git-fixes CVE-2021-47049 bsc#1220692).
- Update
patches.suse/msft-hv-2316-uio_hv_generic-Fix-a-memory-leak-in-error-handling-p.patch
(git-fixes CVE-2021-47071 bsc#1220846).
- Update
patches.suse/msft-hv-2317-uio_hv_generic-Fix-another-memory-leak-in-error-hand.patch
(git-fixes CVE-2021-47070 bsc#1220829).
- Update
patches.suse/mtd-require-write-permissions-for-locking-and-badblo.patch
(git-fixes CVE-2021-47055 bsc#1220768).
- Update
patches.suse/nbd-Fix-NULL-pointer-in-flush_workqueue-79eb.patch
(git-fixes CVE-2021-46981 bsc#1220611).
- Update
patches.suse/net-fec-fix-the-potential-memory-leak-in-fec_enet_in.patch
(git-fixes CVE-2021-47150 bsc#1221973).
- Update
patches.suse/net-nfc-fix-use-after-free-llcp_sock_bind-connect.patch
(CVE-2021-23134 bsc#1186060 CVE-2021-47068 bsc#1220739).
- Update
patches.suse/net-smc-remove-device-from-smcd_dev_list-after-failed-device_add
(git-fixes CVE-2021-47143 bsc#1221988).
- Update
patches.suse/net-usb-fix-memory-leak-in-smsc75xx_bind.patch
(git-fixes CVE-2021-47171 bsc#1221994).
- Update patches.suse/ocfs2-fix-data-corruption-by-fallocate.patch
(bsc#1187412 CVE-2021-47114 bsc#1221548).
- Update
patches.suse/pid-take-a-reference-when-initializing-cad_pid.patch
(bsc#1114648 CVE-2021-47118 bsc#1221605).
- Update
patches.suse/platform-x86-dell-smbios-wmi-Fix-oops-on-rmmod-dell_.patch
(git-fixes CVE-2021-47073 bsc#1220850).
- Update
patches.suse/powerpc-64s-Fix-crashes-when-toggling-entry-flush-ba.patch
(bsc#1177666 git-fixes bsc#1186460 ltc#192531 CVE-2021-46990
bsc#1220743).
- Update
patches.suse/powerpc-64s-Fix-pte-update-for-kernel-memory-on-radi.patch
(bsc#1055117 git-fixes CVE-2021-47034 bsc#1220687).
- Update
patches.suse/scsi-lpfc-Fix-null-pointer-dereference-in-lpfc_prep_.patch
(bsc#1182574 CVE-2021-47045 bsc#1220640).
- Update
patches.suse/scsi-qla2xxx-Fix-crash-in-qla2xxx_mqueuecommand.patch
(bsc#1185491 CVE-2021-46963 bsc#1220536).
- Update patches.suse/scsi-qla2xxx-Reserve-extra-IRQ-vectors.patch
(bsc#1185491 CVE-2021-46964 bsc#1220538).
- Update
patches.suse/serial-rp2-use-request_firmware-instead-of-request_f.patch
(git-fixes CVE-2021-47169 bsc#1222000).
- Update
patches.suse/tracing-Restructure-trace_clock_global-to-never-block.patch
(git-fixes CVE-2021-46939 bsc#1220580).
- Update
patches.suse/vsock-virtio-free-queued-packets-when-closing-socket.patch
(git-fixes CVE-2021-47024 bsc#1220637).
- Update
patches.suse/x86-kvm-Disable-kvmclock-on-all-CPUs-on-shutdown.patch
(bsc#1185308 CVE-2021-47110 bsc#1221532).
- Update
patches.suse/x86-kvm-Teardown-PV-features-on-boot-CPU-as-well.patch
(bsc#1185308 CVE-2021-47112 bsc#1221541).
- commit fa763cd
- Update
patches.suse/netlabel-fix-out-of-bounds-memory-accesses.patch
(networking-stable-19_03_07 CVE-2019-25160 bsc#1220394).
- commit cfd1daa
- scripts/check-kernel-fix: print summary of the commit to check
- commit b73a330
- scripts/check-kernel-fix: be more conservative when proposing branches to backport to non CVE patches
If a kernel fix doesn't have any CVE assigned (e.g. a regular git-fixes
candidate) then do not propose branches that have higher bar to accept
changes (e.g. LTSS branches)
- commit 5988064
- scripts/common-functions: sha_in_upstream: do not assume origin/HEAD points to origin/master
- commit ac1161f
- scripts/cve_tools/cve2metadata.sh: clarify the error message
- commit b222dc5
- scripts/common-functions: sha_in_upstream refinements.
- commit ef93b37
- IB/hfi1: Fix bugs with non-PAGE_SIZE-end multi-iovec user SDMA requests (bsc#1220445 CVE-2023-52474)
- commit 71ecb14
- scripts/common-functions: for_each_build_branch: do not consider stable and slowroll branches
- commit da10c28
- scripts/check-kernel-fix: Print RUN command with current references helper
- commit 72f7f72
- s390/vtime: fix average steal time calculation (git-fixes
bsc#1221953).
- commit ccf7a1f
- s390/ptrace: handle setting of fpc register correctly
(CVE-2023-52598 bsc#1221060 git-fixes).
- commit 0d179a3
- scripts/check-kernel-fix: refine the help message
- commit 339f56a
- scripts/check-kernel-fix: unify VULNS_GIT variable
- scripts/common-functions:
- commit 2d74673
- mass-cve: Exclude partial commits
Commit references with various decorations like '(partial)' are treated
conservatively, i.e. do not assume we have a functional patch.
- commit 0391bef
- scripts/check-kernel-fix: add support for -r (metadata refresh)
- scripts/common-functions:
- commit c47714a
- scripts/check-kernel-fix: drop -s mode (not really useful)
- commit 837a2ae
- scripts/check-kernel-fix: drop -c parameter and search cve branches by default
- scripts/common-functions:
- commit 5031df0
- scripts/check-kernel-fix: improve help message
- commit 426748a
- scripts/check-kernel-fix: Make the check of CVSS affected branches more reliable
Make the check of branches ignoring lower CVSS score more reliable
by the checking matching also the dash.
Also rename the function to make more clear what success means.
- commit 9a730a8
- scripts/check-kernel-fix: Remove unused check_branch_references function
It did not provide any helpful information
- commit 9be7356
- wifi: ath10k: fix NULL pointer dereference in
ath10k_wmi_tlv_op_pull_mgmt_tx_compl_ev() (bsc#1218336
CVE-2023-7042).
- commit 1463c4a
- scripts/cve_tools/cve2metadata.sh: s@VULNS_GIT_PATH@VULNS_GIT@
to be more in line with git tree env vars
- commit e3ddb5d
- scripts/check-kernel-fix: add cvss based filtering
TODO GA kernels are not settled yet
- commit 5ea28e0
- scripts/common-functions: cope with redirects in fetch_cache
- commit 0b72687
- scripts/sequence-patch.sh: add missing template to find -exec
Recent fix for space handling lacks the '{}' template in find -exec command
so that this command fails and no chmod is executed.
Fixes: 622d2088f344 ("scripts/sequence-patch.sh: handle spaces in file names")
- commit 26808f8
- x86/CPU/AMD: Update the Zenbleed microcode revisions (git-fixes).
- commit 11a703b
- kabi fix for pNFS: Fix the pnfs block driver's calculation of
layoutget size (git-fixes).
- commit 188e451
- pNFS: Fix the pnfs block driver's calculation of layoutget size
(git-fixes).
- NFS: Fix O_DIRECT locking issues (git-fixes).
- NFS: Fix direct WRITE throughput regression (git-fixes).
- commit 53dafcd
- NFS: Fix an off by one in root_nfs_cat() (git-fixes).
- net: sunrpc: Fix an off by one in rpc_sockaddr2uaddr()
(git-fixes).
- SUNRPC: fix a memleak in gss_import_v2_context (git-fixes).
- NFS: More O_DIRECT accounting fixes for error paths (git-fixes).
- NFS: Fix error handling for O_DIRECT write scheduling
(git-fixes).
- nfs: only issue commit in DIO codepath if we have uncommitted
data (git-fixes).
- NFS: Fix a request reference leak in
nfs_direct_write_clear_reqs() (git-fixes).
- NFS: Fix O_DIRECT commit verifier handling (git-fixes).
- NFS: commit errors should be fatal (git-fixes).
- commit c3fe0ca
- scripts/sequence-patch.sh: handle spaces in file names
The "find | xargs" pattern without -print0 and -0 does not handle file
names with spaces correctly. As there is no actual need for xargs, rewrite
the line to uses "find -exec" instead.
- commit 622d208
- scripts/check-kernel-fix: allow CVE argument
- commit 9f07d91
- scripts/check-kernel-fix: simplify to only get sha argument and resolve references automagically
- commit c317a1e
- scripts/common-functions: implement cve2sha and sha2cve
- commit d016ea0
- scripts/check-kernel-fix: Enhancements and cleanups
Allow to check which branches have a given reference without
passing a particular sha. Actions are not printed in this case.
Show actions when "sha" is passed by default.
Add [-q] option to do not show progress when checking
state of each branch.
Do not show action for a branch when the merge branch
already has the patch with all references.
Check each branch only once for the given sha and all references.
It allowed to reduce git grep calls. Also it removed the need
to merge branch states. It improved speed and simplified
the logic.
- commit 0278113
- Bluetooth: rfcomm: Fix null-ptr-deref in rfcomm_check_security
(bsc#1219170 CVE-2024-22099).
- commit f6c10f5
- scripts/patch-tag: remove bitkeeper format handling
Drop code that deals with bk-style comments and tags. The last branch to
include any patch exported from bk was SLE10-SP4, and it is not likely
that we will need to handle bk again in the future.
- commit 1c94ff0
- scsi: qla2xxx: Update version to 10.02.09.200-k (bsc1221816).
- scsi: qla2xxx: Delay I/O Abort on PCI error (bsc1221816).
- scsi: qla2xxx: Change debug message during driver unload
(bsc1221816).
- scsi: qla2xxx: Fix double free of fcport (bsc1221816).
- scsi: qla2xxx: Fix double free of the ha->vp_map pointer
(bsc1221816).
- scsi: qla2xxx: Fix command flush on cable pull (bsc1221816).
- scsi: qla2xxx: NVME|FCP prefer flag not being honored
(bsc1221816).
- scsi: qla2xxx: Update manufacturer detail (bsc1221816).
- scsi: qla2xxx: Split FCE|EFT trace control (bsc1221816).
- scsi: qla2xxx: Fix N2N stuck connection (bsc1221816).
- scsi: qla2xxx: Prevent command send on chip reset (bsc1221816).
- commit 61951e8
- drm: bridge/panel: Cleanup connector on bridge detach (bsc#1220777, CVE-2021-47063)
Backporting changes:
- add patch at the top of panel_bridge_detach()
- commit 760a99d
- aoe: fix the potential use-after-free problem in aoecmd_cfg_pkts
(bsc#1218562 CVE-2023-6270).
- commit 4e659c8
- scripts/common-functions:
- scripts/cve_tools/cve2metadata.sh:
cve2cvss do not assume consumer and do not preformat the output
- commit 8a1b4cc
- scripts/cve_tools/cve2metadata.sh: resolve CVE or sha into metadata
Examples
$ ./scripts/cve_tools/cve2metadata.sh CVE-2021-46975
2671fa4dc0109d3fb581bc3078fdf17b5d9080f6 score: 3.2 CVE-2021-46975 bsc#1220505
./scripts/cve_tools/cve2metadata.sh CVE-2021-46907
04c4f2ee3f68c9a4bf1653d15f1a9a435ae33f7a score: unknown CVE-2021-46907 bsc#1220422
- commit 5e5b19b
- scripts/common-functions: silence fetch_cache
- commit dfd8093
- scripts/common-functions: implement cve->cvss
- commit 4d69061
- scripts/common-functions: implement cve -> bsc mapping
- commit 2b5ac8e
- scripts/common-functions: abstract CACHED_BRANCHES downloading
we will have more cached files to use
- commit 3194c25
- net: Fix features skip in for_each_netdev_feature() (git-fixes).
- commit b1996ba
- rename(): avoid a deadlock in the case of parents having no
common ancestor (bsc#1221044 CVE-2023-52591).
- commit 16f9b33
- kill lock_two_inodes() (bsc#1221044 CVE-2023-52591).
- commit c8410b2
- rename(): fix the locking of subdirectories (bsc#1221044
CVE-2023-52591).
- commit b34d065
- f2fs: Avoid reading renamed directory if parent does not change
(bsc#1221044 CVE-2023-52591).
- commit 95ecb76
- ext4: don't access the source subdirectory content on
same-directory rename (bsc#1221044 CVE-2023-52591).
- commit e81c5d2
- ext2: Avoid reading renamed directory if parent does not change
(bsc#1221044 CVE-2023-52591).
- commit 47af51c
- udf_rename(): only access the child content on cross-directory
rename (bsc#1221044 CVE-2023-52591).
- commit 3e77e59
- ocfs2: Avoid touching renamed directory if parent does not
change (bsc#1221044 CVE-2023-52591).
- commit ef44829
- reiserfs: Avoid touching renamed directory if parent does not
change (git-fixes bsc#1221044 CVE-2023-52591).
Refresh patches.suse/reiserfs-add-check-to-detect-corrupted-directory-entry.patch
Refresh patches.suse/reiserfs-don-t-panic-on-bad-directory-entries.patch
- commit 304c6b9
- fs: don't assume arguments are non-NULL (bsc#1221044
CVE-2023-52591).
- commit 74a158f
- fs: Restrict lock_two_nondirectories() to non-directory inodes
(bsc#1221044 CVE-2023-52591).
- commit 2042147
- fs: ocfs2: check status values (bsc#1221044 CVE-2023-52591).
- commit 24568a1
- fs: no need to check source (bsc#1221044 CVE-2023-52591).
- commit 95711fd
- fs: Lock moved directories (bsc#1221044 CVE-2023-52591).
- commit 2b2136e
- fs: Establish locking order for unrelated directories
(bsc#1221044 CVE-2023-52591).
- commit c49cfde
- fs: introduce lock_rename_child() helper (bsc#1221044
CVE-2023-52591).
- commit 84b4b7d
- dwc3: switch to a global mutex (bsc#1220628 CVE-2021-46941).
- commit d93342d
- usb: dwc3: core: Do core softreset when switch mode (bsc#1220628
CVE-2021-46941).
- blacklist.conf: needed after all for a CVE
- Refresh
patches.suse/USB-dwc3-fix-runtime-pm-imbalance-on-probe-errors.patch.
- Refresh
patches.suse/usb-dwc3-Fix-race-between-dwc3_set_mode-and-__dwc3_s.patch.
- commit 7ca4d31
- Input: add bounds checking to input_set_capability()
(bsc#1218220 CVE-2022-48619).
- commit f42351b
- NFSD: Retransmit callbacks after client reconnects (git-fixes).
- NFSD: Reset cb_seq_status after NFS4ERR_DELAY (git-fixes).
- SUNRPC: fix some memleaks in gssx_dec_option_array (git-fixes).
- NFSv4.1/pnfs: Ensure we handle the error NFS4ERR_RETURNCONFLICT
(git-fixes).
- SUNRPC: Fix RPC client cleaned up the freed pipefs dentries
(git-fixes).
- nfsd: lock_rename() needs both directories to live on the same
fs (git-fixes).
- pNFS/flexfiles: Check the layout validity in
ff_layout_mirror_prepare_stats (git-fixes).
- commit 311216b
- mass-cve: Switch to cve2bugzilla database
The map cve2bugzilla is not unique, add only first bug to references
- commit 8b6d26b
- perf/x86/lbr: Filter vsyscall addresses (bsc#1220703,
CVE-2023-52476).
- commit ff86f16
- net/sched: Remove alias of sch_clsact (bsc#1210335 CVE-2023-1829).
- net/sched: Load modules via their alias (bsc#1210335 CVE-2023-1829).
- net/sched: Add module aliases for cls_,sch_,act_ modules
(bsc#1210335 CVE-2023-1829).
- net/sched: Add helper macros with module names (bsc#1210335 CVE-2023-1829).
- commit 609fe5f
- mass-cve: Add processing of all known history
- commit 1e9ec1d
- x86/mmio: Disable KVM mitigation when X86_FEATURE_CLEAR_CPU_BUF is set (bsc#1213456 CVE-2023-28746).
- commit c5b2dec
- Sort patches that are already upstream
- Refresh
patches.suse/Documentation-hw-vuln-Add-documentation-for-RFDS.patch.
- Refresh
patches.suse/KVM-x86-Export-RFDS_NO-and-RFDS_CLEAR-to-guests.patch.
- Refresh
patches.suse/x86-rfds-Mitigate-Register-File-Data-Sampling-RFDS.patch.
- commit 031146a
- mass-cve: Parametrize with branch and do commit
- mass-cve: Add add-missing-reference helper
- commit aba83bd
- mass-cve: Add bsc# resolution
- commit 3cd075a
- iommu/amd: Set DTE[IntTabLen] to represent 512 IRTEs
(git-fixes).
- commit ea9ae09
- iommu: Check if group is NULL before remove device (git-fixes).
- commit a7b6fa2
- iommu/amd: Silence warnings under memory pressure (git-fixes).
- commit cdec216
- iommu/amd: Increase interrupt remapping table limit to 512
entries (git-fixes).
- commit c290a72
- iommu/amd: Mark interrupt as managed (git-fixes).
- commit 34b8fef
- ARM: 9064/1: hw_breakpoint: Do not directly check the event's
overflow_handler hook (bsc#1220751 CVE-2021-47006).
- commit 605e3a7
- Refresh patches.kabi/team-Hide-new-member-header-ops.patch.
Fix for kABI workaround.
- commit f1bcdf5
- mass-cve: Add Makefile to process vulns.git database
- commit 5a5d01b
- scripts: Remove unused script gen-aseries
- commit 03b8697
- scripts: Remove unused patch-report
- commit fa154b6
- usb: typec: class: fix typec_altmode_put_partner to put plugs
(git-fixes).
- commit 4350c0c
- ceph: fix deadlock or deadcode of misusing dget() (bsc#1221058
CVE-2023-52583).
- commit a413cb6
- usb: hub: Guard against accesses to uninitialized BOS
descriptors (bsc#1220790 CVE-2023-52477).
- commit bf5af19
- Refresh patches.kabi/cpufeatures-kabi-fix.patch. (bsc#1221287)
X86_FEATURE_LFENCE_RDTSC became an extended bit and was set via
cpu_set_cap as opposed to setup_force_cpu_cap. So extend the
infrastructure to also cover cpu_set_cap.
- commit 3fcb500
- net: lan78xx: fix runtime PM count underflow on link stop
(git-fixes).
- commit 7281e3e
- lan78xx: Fix race conditions in suspend/resume handling
(git-fixes).
- commit 91c55e5
- lan78xx: Fix partial packet errors on suspend/resume
(git-fixes).
- commit 99adbef
- lan78xx: Add missing return code checks (git-fixes).
- Refresh
patches.suse/bsc1084332-0003-lan78xx-Enable-LEDs-and-auto-negotiation.patch.
- Refresh
patches.suse/lan78xx-Fix-exception-on-link-speed-change.patch.
- commit 5704b69
- scripts: Add check-kernel-fix
- commit 9ef3bf8
- scripts: Add commond-functions
- scripts: Support log2 --no-edit option
This allows "unattended" calls of scripts/log
- commit 2516937
- lan78xx: Fix exception on link speed change (git-fixes).
- commit dbfd125
- lan78xx: Fix white space and style issues (git-fixes).
- commit eb3a9cf
- net: usb: lan78xx: Remove lots of set but unused 'ret' variables
(git-fixes).
- commit 378d7a7
- net: lan78xx: remove set but not used variable 'event'
(git-fixes).
- commit b7f01b9
- net: lan78xx: Merge memcpy + lexx_to_cpus to get_unaligned_lexx
(git-fixes).
- lan78xx: Do not access skb_queue_head list pointers directly
(git-fixes).
- commit f2cbfb9
- net: lan78xx: Make declaration style consistent (git-fixes).
- commit be1816d
- net:usb: Use ARRAY_SIZE instead of calculating the array size
(git-fixes).
- commit 360121f
- net: lan78xx: Allow for VLAN headers in timeout calcs
(git-fixes).
- commit d43b68c
- lan78xx: Modify error messages (git-fixes).
- commit afd21b5
- lan78xx: Add support to dump lan78xx registers (git-fixes).
- commit c4b2e78
- lan78xx: enable auto speed configuration for LAN7850 if no
EEPROM is detected (git-fixes).
- commit 3edfed0
- drm/radeon: check the alloc_workqueue return value in radeon_crtc_init() (bsc#1220413 CVE-2023-52470).
- commit f1a2e90
- drivers/amd/pm: fix a use-after-free in kv_parse_power_table (bsc#1220411 CVE-2023-52469).
- commit 3357315
- group-source-files.pl: Quote filenames (boo#1221077).
The kernel source now contains a file with a space in the name.
Add quotes in group-source-files.pl to avoid splitting the filename.
Also use -print0 / -0 when updating timestamps.
- commit a005e42
- blacklist.conf: update blacklist
The entries added in the commit are temporary ones so once
MU is done I'll revert the commit
- commit 874c87d
- Update
patches.suse/net-hso-fix-NULL-deref-on-disconnect-regression.patch
(bsc#1220416 bsc#1220418 CVE-2021-46905 CVE-2021-46904).
Added second CVE reference
- commit f72c3a5
- gve: Fix skb truesize underestimation (git-fixes).
- commit 983edc4
- Revert "md/raid5: Wait for MD_SB_CHANGE_PENDING in raid5d"
(git-fixes).
- commit 3ea2575
- phy: ti: phy-omap-usb2: Fix NULL pointer dereference for SRP (bsc#1220340,CVE-2024-26600)
- commit 20e2c08
- RDMA/rxe: Clear all QP fields if creation failed (bsc#1220863 CVE-2021-47078)
- commit f8dcd39
- RDMA/rxe: Return CQE error if invalid lkey was supplied (bsc#1220860 CVE-2021-47076)
- commit 3f60a4e
- ACPI: extlog: fix NULL pointer dereference check (bsc#1221039
CVE-2023-52605).
- commit b0968bd
- scripts/git_sort/git_sort.py: Add perf-tools and perf-tools-next repos
- commit 32e922e
- blacklist.conf: Add d4ccd54d28d3 exit: Put an upper limit on how often we can oops
and its dependant.
- commit 64ce341
- KVM: s390: fix setting of fpc register (bsc#1221040
CVE-2023-52597).
- commit 0f89ca1
- net: hso: fix NULL-deref on disconnect regression (bsc#1220416
CVE-2021-46904).
- commit fe1eee0
- net: hso: fix null-ptr-deref during tty device unregistration
(bsc#1220416 CVE-2021-46904).
- commit d61504e
- kernel-binary: Fix i386 build
Fixes: 89eaf4cdce05 ("rpm templates: Move macro definitions below buildrequires")
- commit f7c6351
- net: usb: dm9601: fix wrong return value in dm9601_mdio_read
(git-fixes).
- commit d69a5b8
- net: nfc: llcp: Add lock when modifying device list (git-fixes).
- commit b462198
- igb: clean up in all error paths when enabling SR-IOV
(git-fixes).
- commit 0f0e6a7
- net/sched: tcindex: search key must be 16 bits (git-fixes).
- commit 190e0f5
- stmmac: fix potential division by 0 (git-fixes).
- commit 40876e6
- kcm: fix strp_init() order and cleanup (git-fixes).
- commit b31a598
- ipv6: fix typos in __ip6_finish_output() (git-fixes).
- commit 54553b6
- kabi: team: Hide new member header_ops (bsc#1220870
CVE-2023-52574).
- commit 9fab77a
- blacklist.conf: update blacklist
- commit 9263a68
- wcn36xx: fix RX BD rate mapping for 5GHz legacy rates
(git-fixes).
- commit c4e8a82
- wcn36xx: Fix discarded frames due to wrong sequence number
(git-fixes).
- commit 8553436
- x86/srso: Add SRSO mitigation for Hygon processors (bsc#1220735
CVE-2023-52482).
- commit c7d3dd8
- Revert "wcn36xx: Disable bmps when encryption is disabled"
(git-fixes).
- commit e5924b8
- vt: fix memory overlapping when deleting chars in the buffer
(bsc#1220845 CVE-2022-48627).
- commit 6d7d615
- wcn36xx: Fix (QoS) null data frame bitrate/modulation
(git-fixes).
- commit 405ced7
- ipv6: Fix handling of LLA with VRF and sockets bound to VRF
(git-fixes).
- commit 519a8b2
- kcm: Call strp_stop before strp_done in kcm_attach (git-fixes).
- commit b01e9bb
- blacklist.conf: update blacklist
- commit 347e348
- kernel-binary: vdso: fix filelist for non-usrmerged kernel
Fixes: a6ad8af207e6 ("rpm templates: Always define usrmerged")
- commit fb3f221
- KVM: x86: Export RFDS_NO and RFDS_CLEAR to guests (bsc#1213456 CVE-2023-28746).
- commit 789616b
- x86/rfds: Mitigate Register File Data Sampling (RFDS) (bsc#1213456 CVE-2023-28746).
- Update config files.
- Refresh patches.kabi/cpufeatures-kabi-fix.patch.
- commit 47b68f4
- Documentation/hw-vuln: Add documentation for RFDS (bsc#1213456 CVE-2023-28746).
- commit 959a93f
- NFS: add atomic_open for NFSv3 to handle O_TRUNC correctly
(bsc#1219847).
- commit 43a81fc
- scsi: qedf: Add pointer checks in qedf_update_link_speed()
(bsc#1220861 CVE-2021-47077).
- commit 499d19e
- Refresh patches.suse/0001-powerpc-pseries-memhp-Fix-access-beyond-end-of-drmem.patch.
Refresh patch metadata and sort.
- commit 15cb428
- ravb: Fix use-after-free issue in ravb_tx_timeout_work()
(bsc#1212514 CVE-2023-35827).
- team: fix null-ptr-deref when team device type is changed
(bsc#1220870 CVE-2023-52574).
- commit 36ef587
- net: mana: Fix TX CQE error handling (bsc#1220932
CVE-2023-52532).
- commit d388327
- Update reference of bpf-Fix-masking-negation-logic-upon-negative-dst-reg.patch
(bsc#1186484,CVE-2021-33200,bsc#1220700,CVE-2021-46974).
- commit d334f65
- nfsd: Do not refuse to serve out of cache (bsc#1220957).
- commit 828470f
- wifi: mac80211: fix potential key use-after-free (CVE-2023-52530
bsc#1220930).
- wifi: iwlwifi: mvm: Fix a memory corruption issue
(CVE-2023-52531 bsc#1220931).
- commit 4749167
- USB: serial: option: add Fibocom L7xx modules (git-fixes).
- commit 5053dd2
- USB: serial: option: don't claim interface 4 for ZTE MF290
(git-fixes).
- commit a0c4a2e
- usb: storage: set 1.50 as the lower bcdDevice for older "Super
Top" compatibility (git-fixes).
- commit 680e979
- net: nfc: fix races in nfc_llcp_sock_get() and
nfc_llcp_sock_get_sn() (CVE-2023-52502 bsc#1220831).
- commit d0dd97d
- tls: fix race between tx work scheduling and socket close
(CVE-2024-26585 bsc#1220187).
- commit 2d824be
- kabi: restore return type of dst_ops::gc() callback
(CVE-2023-52340 bsc#1219295).
- ipv6: remove max_size check inline with ipv4 (CVE-2023-52340
bsc#1219295).
- commit dd00c24
- netfilter: nf_tables: fix 64-bit load issue in
nft_byteorder_eval() (CVE-2024-0607 bsc#1218915).
- netfilter: nf_tables: fix pointer math issue in
nft_byteorder_eval() (CVE-2024-0607 bsc#1218915).
- commit b635ad7
- Update patches.suse/sctp-use-call_rcu-to-free-endpoint.patch
(CVE-2022-20154 CVE-2021-46929 bsc#1200599 bsc#1220482).
- commit 23c3231
- tomoyo: fix UAF write bug in tomoyo_write_control() (bsc#1220825
CVE-2024-26622).
- commit e934259
- doc/README.SUSE: Update information about module support status
(jsc#PED-5759)
Following the code change in SLE15-SP6 to have externally supported
modules no longer taint the kernel, update the respective documentation
in README.SUSE:
* Describe that support status can be obtained at runtime for each
module from /sys/module/$MODULE/supported and for the entire system
from /sys/kernel/supported. This provides a way how to now check that
the kernel has any externally supported modules loaded.
* Remove a mention that externally supported modules taint the kernel,
but keep the information about bit 16 (X) and add a note that it is
still tracked per module and can be read from
/sys/module/$MODULE/taint. This per-module information also appears in
Oopses.
- commit 9ed8107
- Bluetooth: hci_ll: don't call kfree_skb() under
spin_lock_irqsave() (git-fixes).
- commit 8e9750e
- Bluetooth: hci_h5: don't call kfree_skb() under
spin_lock_irqsave() (git-fixes).
- commit e3ec875
- scripts/git-commit-msg: Detect renames (hides some references changes)
The following change
| --- a/patches.suse/drm-amd-Stop-evicting-resources-on-APUs-in-suspend.patch
| +++ b/patches.kernel.org/6.7.7-001-drm-amd-Stop-evicting-resources-on-APUs-in-susp.patch
| @@ -1,12 +1,14 @@
| From: Mario Limonciello <mario.limonciello@amd.com>
| Date: Wed, 7 Feb 2024 23:52:55 -0600
| -Subject: drm/amd: Stop evicting resources on APUs in suspend
| +Subject: [PATCH] drm/amd: Stop evicting resources on APUs in suspend
| MIME-Version: 1.0
| Content-Type: text/plain; charset=UTF-8
| Content-Transfer-Encoding: 8bit
| +Patch-mainline: 6.7.7
| +References: bsc#1012628 https://gitlab.freedesktop.org/drm/amd/-/issues/3132
| Git-commit: 3a9626c816db901def438dc2513622e281186d39
| -Patch-mainline: 6.8-rc5
| -References: https://gitlab.freedesktop.org/drm/amd/-/issues/3132
is detected as a rename by git and scripts/log would filter the added
reference. Therefore apply git's rename detection also in git-commit-msg
hook to avoid having the check more strict than the generator.
(After going through all of this, I realize script/log should be
actually implemented via prepare-commit-msg hook.)
- commit 99e1385
- scripts/git-commit-msg: Ignore empty message that cancels commit
- commit 8bcca6f
- locking/qrwlock: Fix ordering in queued_write_lock_slowpath()
(CVE-2021-46921 bsc#1220468 bsc#1185041).
- commit 9f2e845
- locking/barriers: Introduce smp_cond_load_relaxed() and
atomic_cond_read_relaxed() (bsc#1220468 bsc#1050549).
- commit 76b2073
- scripts/git-commit-msg: Count changed references globally, not per file
Per-file counting would be too strict in requirement on commit message
since it would miss source file of a possible rename.
- commit 45a8c42
- Bluetooth: hci_bcsp: don't call kfree_skb() under
spin_lock_irqsave() (git-fixes).
- commit 3114978
- Bluetooth: hci_qca: don't call kfree_skb() under
spin_lock_irqsave() (git-fixes).
- commit 40c2728
- Input: appletouch - initialize work before device registration
(CVE-2021-46932 bsc#1220444).
- commit 02010d5
- powerpc/pseries/memhp: Fix access beyond end of drmem array
(bsc#1220250,CVE-2023-52451).
- commit 22d7587
- ACPI: GTDT: Don't corrupt interrupt mappings on watchdow probe
failure (bsc#1220599 CVE-2021-46953).
- commit 69d8de2
- scripts/update-symvers: Fix reading symtypes after usrmerge
symytypes file is stored in /usr/lib/modules/* now.
- commit cbf0ce3
- mtd: Fix gluebi NULL pointer dereference caused by ftl notifier
(bsc#1220238 CVE-2023-52449).
- commit a845e8b
- Input: powermate - fix use-after-free in
powermate_config_complete (CVE-2023-52475 bsc#1220649).
- HID: logitech-hidpp: Fix kernel crash on receiver USB disconnect
(CVE-2023-52478 bsc#1220796).
- commit 6daf909
- i2c: Fix a potential use after free (bsc#1220409
CVE-2019-25162).
- commit 0be34df
- i2c: cadence: fix reference leak when pm_runtime_get_sync fails
(bsc#1220570 CVE-2020-36784).
- commit 8727379
- bus: qcom: Put child node before return (CVE-2021-47054
bsc#1220767).
- commit 0c0fa8d
- NFC: st21nfca: Fix memory leak in device probe and remove
(CVE-2021-46924 bsc#1220459).
- commit 01b7814
- netfilter: nft_limit: avoid possible divide error in
nft_limit_init (CVE-2021-46915 bsc#1220436).
- commit 9130a3d
- HID: usbhid: fix info leak in hid_submit_ctrl (CVE-2021-46906
bsc#1220421).
- commit 1d243b9
- media: pvrusb2: fix use after free on context disconnection
(CVE-2023-52445 bsc#1220241).
- commit f8f3542
- media: dvbdev: Fix memory leak in dvb_media_device_free()
(CVE-2020-36777 bsc#1220526).
- commit cd311ab
- apparmor: avoid crash when parsed profile name is empty
(CVE-2023-52443 bsc#1220240).
- commit 8387a56
- nfc: nci: fix possible NULL pointer dereference in
send_acknowledge() (bsc#1219125 CVE-2023-46343).
- commit 7ff1724
- md: bypass block throttle for superblock update (git-fixes).
- commit e6ba7c9
- blacklist.conf: add non-backport md git-fixes commits.
- commit d3c59de
- tcp: fix tcp_mtup_probe_success vs wrong snd_cwnd (bsc#1218450).
- commit 4a3997c
- netfilter: nftables: avoid overflows in nft_hash_buckets()
(CVE-2021-46992 bsc#1220638).
- commit c79b980
- netfilter: nft_set_hash: add nft_hash_buckets() (CVE-2021-46992
bsc#1220638).
- commit 5542c1b
- net:emac/emac-mac: Fix a use after free in emac_mac_tx_buf_send
(CVE-2021-47013 bsc#1220641).
- commit a848ac2
- net: fec: Better handle pm_runtime_get() failing in .remove()
(git-fixes).
- commit 60e6dbc
- net: fec: fix use-after-free in fec_drv_remove (git-fixes).
- commit 192ab42
- i40e: Fix use-after-free in i40e_client_subtask()
(CVE-2021-46991 bsc#1220575).
- commit 27d6f39
- KVM: s390: vsie: fix race during shadow creation (git-fixes
bsc#1220613).
- commit a2a5381
- s390: use the correct count for __iowrite64_copy() (git-fixes
bsc#1220607).
- commit 0823e37
- mlxsw: spectrum_acl_tcam: Fix NULL pointer dereference in
error path (bsc#1220344 CVE-2024-26595).
- commit 71c942e
- net: fec: fix clock count mis-match (git-fixes).
- commit 90008dd
- net: hns3: add compatible handling for MAC VLAN switch parameter
configuration (git-fixes).
- commit 9cbe2e0
- scripts/git-commit-msg: Skip References: check in merge commits
Merging a branch may bring many new references but we don't need them in
merge commit's message. Disable the check if it is triggered as part of
merge commit message creation.
Also make parsing more robust to references delimited with commas.
- commit 5af4476
- net: phy: initialise phydev speed and duplex sanely (git-fixes).
- commit 5fc404a
- bnx2x: Fix PF-VF communication over multi-cos queues
(git-fixes).
- commit 58f28c6
- ixgbe: protect TX timestamping from API misuse (git-fixes).
- commit c740900
- net: phy: dp83867: enable robust auto-mdix (git-fixes).
- commit 51f918b
- net: fec: add missed clk_disable_unprepare in remove
(git-fixes).
- commit 26193da
- e1000: fix memory leaks (git-fixes).
- commit 63cea05
- igb: Fix constant media auto sense switching when no cable is
connected (git-fixes).
- commit ecbd46c
- net: hisilicon: Fix usage of uninitialized variable in function
mdio_sc_cfg_reg_write() (git-fixes).
- commit 467a700
- net: hns3: not allow SSU loopback while execute ethtool -t dev
(git-fixes).
- commit feac716
- net/mlx5e: ethtool, Avoid setting speed to 56GBASE when autoneg
off (git-fixes).
- commit 38e0f13
- blacklist.conf: update blacklist
- commit 803afb1
- blacklist.conf: add ep93xx_eth
the config option is not enabled
- commit aed74c8
- blacklist.conf: add emac_rockchip
the config option is not enabled
- commit 27c4413
- Update metadata
- commit fca1f53
- net: openvswitch: limit the number of recursions from action
sets (bsc#1219835 CVE-2024-1151).
- commit 9353f4f
- EDAC/thunderx: Fix possible out-of-bounds string access (bsc#1220330, CVE-2023-52464)
- commit a228c17
- rpm templates: Always define usrmerged
usrmerged is now defined in kernel-spec-macros and not the distribution.
Only check if it's defined in kernel-spec-macros, not everywhere where
it's used.
- commit a6ad8af
- KVM: x86: work around QEMU issue with synthetic CPUID leaves (git-fixes).
- commit 7dad6e2
- blacklist.conf: Blacklist a clang fix
- commit e954d52
- net: lpc-enet: fix printk format strings (git-fixes).
- commit dcd5e66
- net: tundra: tsi108: use spin_lock_irqsave instead of
spin_lock_irq in IRQ context (git-fixes).
- commit 3fddc2a
- net: hisilicon: Fix dma_map_single failed on arm64 (git-fixes).
- commit 65f9c53
- net: hisilicon: fix hip04-xmit never return TX_BUSY (git-fixes).
- commit b56984b
- net: hisilicon: make hip04_tx_reclaim non-reentrant (git-fixes).
- Refresh
patches.suse/net-hisilicon-Fix-ping-latency-when-deal-with-high-t.patch.
- commit 1de9297
- net: sfp: add mutex to prevent concurrent state checks
(git-fixes).
- commit 4badb38
- blacklist.conf: update blacklist
- commit eb0a485
- rpm templates: Move macro definitions below buildrequires
Many of the rpm macros defined in the kernel packages depend directly or
indirectly on script execution. OBS cannot execute scripts which means
values of these macros cannot be used in tags that are required for OBS
to see such as package name, buildrequires or buildarch.
Accumulate macro definitions that are not directly expanded by mkspec
below buildrequires and buildarch to make this distinction clear.
- commit 89eaf4c
- media: usb: dvd-usb: fix uninit-value bug in
dibusb_read_eeprom_byte() (git-fixes).
- commit 4772961
- media: uvcvideo: Set capability in s_param (git-fixes).
- commit df9234c
- media: dw2102: Fix use after free (git-fixes).
- commit 6909f5e
- media: dw2102: make dvb_usb_device_description structures const
(git-fixes).
- Refresh
patches.suse/media-dw2102-Fix-memleak-on-sequence-of-probes.patch.
- commit cfe8bf2
- media: dvb-usb: Add memory free on error path in dw2102_probe()
(git-fixes).
- Refresh
patches.suse/media-dw2102-Fix-memleak-on-sequence-of-probes.patch.
- commit 60bfc4d
- [media] media drivers: annotate fall-through (git-fixes).
- commit 550adce
- rpm/check-for-config-changes: add GCC_ASM_GOTO_OUTPUT_WORKAROUND to IGNORED_CONFIGS_RE
Introduced by commit 68fb3ca0e408 ("update workarounds for gcc "asm
goto" issue").
- commit be1bdab
- media: rc: ir-rc6-decoder: enable toggle bit for Kathrein
RCU-676 remote (git-fixes).
- commit 40a7cdd
- media: rc: do not remove first bit if leader pulse is present
(git-fixes).
- commit 055036d
- blacklist.conf: feature fixed hasn't been backported
- commit 299071b
- media: coda: reuse coda_s_fmt_vid_cap to propagate format in
coda_s_fmt_vid_out (git-fixes).
- commit 346be28
- media: coda: set min_buffers_needed (git-fixes).
- commit 9e4f67c
- media: coda: constify platform_device_id (git-fixes).
- commit da6a628
- media: coda: reduce iram size to leave space for suspend to ram
(git-fixes).
- commit 015f50d
- media: coda: explicitly request exclusive reset control
(git-fixes).
- commit 19dcce2
- media: coda: wake up capture queue on encoder stop after output
streamoff (git-fixes).
- Refresh
patches.suse/media-coda-fix-last-buffer-handling-in-V4L2_ENC_CMD_.patch.
- commit 4fba70d
- [media] coda: simplify optional reset handling (git-fixes).
- commit bc3f552
- [media] media: platform: coda: remove variable self assignment
(git-fixes).
- commit 6d6901a
- blacklist.conf: driver not backported
- commit c5ae253
- media: dvb-usb: dw2102: fix uninit-value in
su3000_read_mac_address (git-fixes).
- commit abccca4
- media: dvb-usb: m920x: Fix a potential memory leak in
m920x_i2c_xfer() (git-fixes).
- commit 4716702
- media: m920x: don't use stack on USB reads (git-fixes).
- commit 45368d1
- media: dw2102: Fix memleak on sequence of probes (git-fixes).
- commit d5c69b6
- blacklist.conf: false positive
- commit 7722626
- blacklist.conf: renames a module. direct breakage of user space
- commit bf0df5d
- usb: musb: dsps: Fix the probe error path (git-fixes).
- commit 2f6dfb0
- usb: musb: tusb6010: check return value after calling
platform_get_resource() (git-fixes).
- commit 3b8e34e
- usb: musb: musb_dsps: request_irq() after initializing musb
(git-fixes).
- commit 9ef2688
- usb: host: fotg210: fix the actual_length of an iso packet
(git-fixes).
- commit bcd63df
- usb: host: fotg210: fix the endpoint's transactional
opportunities calculation (git-fixes).
- commit f16fc26
- compute-PATCHVERSION: Do not produce output when awk fails
compute-PATCHVERSION uses awk to produce a shell script that is
subsequently executed to update shell variables which are then printed
as the patchversion.
Some versions of awk, most notably bysybox-gawk do not understand the
awk program and fail to run. This results in no script generated as
output, and printing the initial values of the shell variables as
the patchversion.
When the awk program fails to run produce 'exit 1' as the shell script
to run instead. That prevents printing the stale values, generates no
output, and generates invalid rpm spec file down the line. Then the
problem is flagged early and should be easier to diagnose.
- commit 8ef8383
- x86/cpu, kvm: Move X86_FEATURE_LFENCE_RDTSC to its native leaf (git-fixes).
- commit 55e0925
- KVM: x86: Move open-coded CPUID leaf 0x80000021 EAX bit propagation code (git-fixes).
- commit aebeb2d
- KVM: x86: synthesize CPUID leaf 0x80000021h if useful (git-fixes).
- commit 9c96097
- KVM: x86: add support for CPUID leaf 0x80000021 (git-fixes).
- commit 5a997a6
- x86/asm: Add _ASM_RIP() macro for x86-64 (%rip) suffix (git-fixes).
- commit 54b16df
- KVM: VMX: Move VERW closer to VMentry for MDS mitigation (git-fixes).
- KVM: VMX: Use BT+JNC, i.e. EFLAGS.CF to select VMRESUME vs. VMLAUNCH (git-fixes).
- x86/bugs: Use ALTERNATIVE() instead of mds_user_clear static key (git-fixes).
Also add mds_user_clear to kABI severity as it's used purely for
mitigation so it's low risk.
- x86/entry_32: Add VERW just before userspace transition (git-fixes).
- x86/entry_64: Add VERW just before userspace transition (git-fixes).
- x86/bugs: Add asm helpers for executing VERW (bsc#1213456).
- commit 7cd11ce
- net/rds: Fix UBSAN: array-index-out-of-bounds in rds_cmsg_recv
(bsc#1219127 CVE-2024-23849).
- commit e941df3
- USB: hub: check for alternate port before enabling
A_ALT_HNP_SUPPORT (bsc#1218527).
- commit aaefb30
- blacklist.conf: add macsonic ethernet driver
- commit 1c0cfbf
- kernel-binary: Move build script to the end
All other spec templates have the build script at the end, only
kernel-binary has it in the middle. Align with the other templates.
- commit 98cbdd0
- blacklist.conf: update blacklist
- commit b541c7e
- rpm templates: Aggregate subpackage descriptions
While in some cases the package tags, description, scriptlets and
filelist are located together in other cases they are all across the
spec file. Aggregate the information related to a subpackage in one
place.
- commit 8eeb08c
- net: bonding: debug: avoid printing debug logs when bond is
not notifying peers (git-fixes).
- commit f58ad69
- rpm templates: sort rpm tags
The rpm tags in kernel spec files are sorted at random.
Make the order of rpm tags somewhat more consistent across rpm spec
templates.
- commit 8875c35
- usb: typec: tcpci: clear the fault status bit (git-fixes).
- commit fbeda7b
- PCI: Prevent xHCI driver from claiming AMD VanGogh USB3 DRD
device (git-fixes).
- commit 2012056
- Update to add CVE-2024-23851 tag,
patches.suse/dm-limit-the-number-of-targets-and-parameter-size-ar.patch
(bsc#1219827, bsc#1219146, CVE-2023-52429, CVE-2024-23851).
- commit 7dd5c42
- blacklist.conf: cleanup of comments
- commit d4049bd
- blacklist.conf: documentation only
- commit 3d84250
- audit: fix possible soft lockup in __audit_inode_child()
(git-fixes).
- commit a347e97
- blacklist.conf: not a fix but a cleanup
- commit a5da3c1
- blacklist.conf: only comments cleanup
- commit 2e15690
- blacklist.conf: at this time kerneldocs no longer matter
- commit ed23d03
- ASN.1: Fix check for strdup() success (git-fixes).
- commit 26b2327
- blacklist.conf: attributed to wrong commit id in fixes tag
- commit 652fa5d
- dm: limit the number of targets and parameter size area
(bsc#1219827, bsc#1219146, CVE-2023-52429).
- commit 3ddaf98
- scripts/PMU: Add option to skip livepatch submission
Kernel resubmissions that don't involve livepatches can be done without
kgraft package(s) and channel updates.
- commit 8373df8
- cups
-
- cups-1.7.5-CVE-2024-35235.patch for CUPS 1.7.5 in SLE12
is derived from our cups-2.2.7-CVE-2024-35235.patch for SLE15
which was derived from the upstream patch for CUPS 2.5
to behave backward compatible for CUPS 1.7.5 in SLE12
to fix CVE-2024-35235
"cupsd Listen port arbitrary chmod 0140777"
without the more secure but backward-incompatible behaviour
of the upstream patch for CUPS 2.5
that ignores domain sockets specified in 'Listen' entries
in /etc/cups/cupsd.conf when cupsd is lauched via systemd
(in particular when launched on-demand by systemd)
https://github.com/OpenPrinting/cups/security/advisories/GHSA-vvwp-mv6j-hw6f
bsc#1225365
- krb5
-
- Fix warning executing %postun scriptlet; (bsc#1223122);
- Fix memory leaks, add patch 0015-Fix-two-unlikely-memory-leaks.patch
* CVE-2024-26458, bsc#1220770
* CVE-2024-26461, bsc#1220771
- Update to krb5 1.16.3 (jsc#PED-7884). Most relevant changes:
* Remove the triple-DES and RC4 encryption types from the default
value of supported_enctypes, which determines the default key
and salt types for new password-derived keys. By default, keys
will only created only for AES128 and AES256. This mitigates
some types of password guessing attacks.
* Add support for the AES-SHA2 enctypes, which allows sites to
conform to Suite B crypto requirements.
- Removed patches, useless or upstreamed
* krb5-1.10-kpasswd_tcp.patch
* krb5-1.7-doublelog.patch
* krb5-1.9-kprop-mktemp.patch
* krb5-1.10-ksu-access.patch
* krb5-kvno-230379.patch
* krb5-1.12-doxygen.patch
* bnc#897874-CVE-2014-5351.diff
* krb5-1.13-work-around-replay-cache-creation-race.patch
* 0104-Verify-decoded-kadmin-C-strings-CVE-2015-8629.patch
* 0105-Fix-leaks-in-kadmin-server-stubs-CVE-2015-8631.patch
* 0106-Check-for-null-kadm5-policy-name-CVE-2015-8630.patch
* 0109-Preserve-GSS-context-on-init-accept-failure.patch
* 0115-Remove-incorrect-KDC-assertion.patch
* 0116-Implement-GSS_KRB5_CRED_NO_CI_FLAGS_X-cred-option.patch
* 0117-Add-tests-for-GSS_KRB5_CRED_NO_CI_FLAGS_X.patch
* 0118-Implement-GSS_KRB5_CRED_NO_CI_FLAGS_X-for-SPNEGO.patch
* 0119-Load-mechglue-config-files-from-etc-gss-mech.d.patch
* 0120-Document-etc-gss-mech.d-.conf.patch
* 0121-Fix-impersonate_name-to-work-with-interposers.patch
* 0122-Use-preauth-options-when-changing-password.patch
* 0123-Improve-extended-gic-option-support.patch
* 0124-Use-responder-for-non-preauth-AS-requests.patch
- New patches:
* 0011-Fix-KDC-null-deref-on-bad-encrypted-challenge.patch
* Fix KDC null pointer dereference via a FAST inner body that
lacks a server field; (CVE-2021-37750); (bsc#1189929);
0012-Fix-KDC-null-deref-on-TGS-inner-body-null-server.patch
- Renamed patches:
* Patch krb5-1.12-pam.patch -> 0001-krb5-1.12-pam.patch
* Patch krb5-1.9-manpaths.dif -> 0002-krb5-1.9-manpaths.patch
* Patch krb5-1.12-buildconf.patch -> 0003-krb5-1.12-buildconf.patch
* Patch krb5-1.6.3-gssapi_improve_errormessages.dif ->
0004-krb5-1.6.3-gssapi_improve_errormessages.patch
* Patch krb5-1.6.3-ktutil-manpage.dif ->
0005-krb5-1.6.3-ktutil-manpage.patch
* Patch krb5-1.12-api.patch -> 0006-krb5-1.12-api.patch
* Patch krb5-1.12-ksu-path.patch -> 0007-krb5-1.12-ksu-path.patch
* Patch krb5-1.12-selinux-label.patch -> 0008-krb5-1.12-selinux-label.patch
* Patch krb5-1.9-debuginfo.patch -> 0009-krb5-1.9-debuginfo.patch
* Patch 0125-Add-recursion-limit-for-ASN.1-indefinite-lengths.patch ->
0010-Add-recursion-limit-for-ASN.1-indefinite-lengths.patch
* Patch 0126-Fix-integer-overflows-in-PAC-parsing.patch ->
0013-Fix-integer-overflows-in-PAC-parsing.patch
* Patch 0127-Ensure-array-count-consistency-in-kadm5-RPC.patch ->
0014-Ensure-array-count-consistency-in-kadm5-RPC.patch
- gcc13
-
- Update to GCC 13.3 release
- Update to gcc-13 branch head, b7a2697733d19a093cbdd0e200, git8761
- Removed gcc13-pr111731.patch now included upstream
- Add gcc13-amdgcn-remove-fiji.patch removing Fiji support from
the GCN offload compiler as that is requiring Code Object version 3
which is no longer supported by llvm18.
- Add gcc13-pr101523.patch to avoid combine spending too much
compile-time and memory doing nothing on s390x. [boo#1188441]
- Make requirement to lld version specific to avoid requiring the
meta-package.
- Add gcc13-pr111731.patch to fix unwinding for JIT code.
[bsc#1221239]
- Revert libgccjit dependency change. [boo#1220724]
- Fix libgccjit-devel dependency, a newer shared library is OK.
- Fix libgccjit dependency, the corresponding compiler isn't required.
- Use %patch -P N instead of %patchN.
- Add gcc13-sanitizer-remove-crypt-interception.patch to remove
crypt and crypt_r interceptors. The crypt API change in SLE15 SP3
breaks them. [bsc#1219520]
- Update to gcc-13 branch head, 67ac78caf31f7cb3202177e642, git8285
- Add gcc13-pr88345-min-func-alignment.diff to add support for
- fmin-function-alignment. [bsc#1214934]
- Use %{_target_cpu} to determine host and build.
- Update to gcc-13 branch head, fc7d87e0ffadca49bec29b2107, git8250
* Includes fix for building TVM. [boo#1218492]
- Add cross-X-newlib-devel requires to newlib cross compilers.
[boo#1219031]
- Package m2rte.so plugin in the gcc13-m2 sub-package rather than
in gcc13-devel. [boo#1210959]
- Require libstdc++6-devel-gcc13 from gcc13-m2 as m2 programs
are linked against libstdc++6.
- Update to gcc-13 branch head, 36ddb5230f56a30317630a928, git8205
- Update to gcc-13 branch head, 741743c028dc00f27b9c8b1d5, git8109
* Includes fix for building mariadb on i686. [bsc#1217667]
* Remove pr111411.patch contained in the update.
- Avoid update-alternatives dependency for accelerator crosses.
- Package tool links to llvm in cross-amdgcn-gcc13 rather than in
cross-amdgcn-newlib13-devel since that also has the dependence.
- Depend on llvmVER instead of llvm with VER equal to
%product_libs_llvm_ver where available and adjust tool discovery
accordingly. This should also properly trigger re-builds when
the patchlevel version of llvmVER changes, possibly changing
the binary names we link to. [bsc#1217450]
- wget
-
- Fix mishandled semicolons in the userinfo subcomponent could lead to an
insecure behavior in which data that was supposed to be in the userinfo
subcomponent is misinterpreted to be part of the host subcomponent.
[bsc#1226419, CVE-2024-38428, properly-re-implement-userinfo-parsing.patch]
- python-base
-
- bsc#1221854 (CVE-2024-0450) Add
CVE-2024-0450-zipfile-avoid-quoted-overlap-zipbomb.patch
detecting the vulnerability of the "quoted-overlap" zipbomb
(from gh#python/cpython!110016).
- Switch to using the system libexpat (bsc#1219559,
CVE-2023-52425)
- Make sure to remove all embedded versions of other packages
(including expat).
- Add CVE-2023-52425-libexpat-2.6.0-remove-failing-tests.patch
removing failing test fixing bpo#3151, which we just not
support.
- Remove patches over those embedded packages (cffi):
- python-2.7-libffi-aarch64.patch
- sparc_longdouble.patch
- Modify CVE-2023-27043-email-parsing-errors.patch to fix the
unicode string handling in email.utils.parseaddr()
(bsc#1222537).
- Revert CVE-2022-48560-after-free-heappushpop.patch, the fix was
unneeded.
- Switch off tests. ONLY FOR FACTORY!!! (bsc#1219306)
- Build with -std=gnu89 to build correctly with gcc14, bsc#1220970
- util-linux-systemd
-
- Properly neutralize escape sequences in wall
(util-linux-CVE-2024-28085.patch, bsc#1221831, CVE-2024-28085,
and its prerequisites: util-linux-fputs_careful1.patch,
util-linux-wall-migrate-to-memstream.patch
util-linux-fputs_careful2.patch).
- regionServiceClientConfigEC2
-
- Version 4.2.0
Replace certs (length 4096):
rgnsrv-gce-asia-northeast1 -> 162.222.182.90 expires in 9 years
rgnsrv-gce-us-central1 -> 35.187.193.56 expires in 10 years
- cpio
-
- Fix cpio not working after the fix in bsc#1218571, fixes bsc#1219238
* fix-bsc1219238.patch
- _product:SLES-release
-
n/a
- python3-base
-
- bsc#1221854 (CVE-2024-0450) Add
CVE-2024-0450-zipfile-avoid-quoted-overlap-zipbomb.patch
detecting the vulnerability of the "quoted-overlap" zipbomb
(from gh#python/cpython!110016).
- Add CVE-2023-52425-libexpat-2.6.0-backport.patch fixing etree
XMLPullParser tests for Expat >=2.6.0 with reparse deferral
(fixing CVE-2023-52425 or bsc#1219559).
- python
-
- bsc#1221854 (CVE-2024-0450) Add
CVE-2024-0450-zipfile-avoid-quoted-overlap-zipbomb.patch
detecting the vulnerability of the "quoted-overlap" zipbomb
(from gh#python/cpython!110016).
- Switch to using the system libexpat (bsc#1219559,
CVE-2023-52425)
- Make sure to remove all embedded versions of other packages
(including expat).
- Add CVE-2023-52425-libexpat-2.6.0-remove-failing-tests.patch
removing failing test fixing bpo#3151, which we just not
support.
- Remove patches over those embedded packages (cffi):
- python-2.7-libffi-aarch64.patch
- sparc_longdouble.patch
- Modify CVE-2023-27043-email-parsing-errors.patch to fix the
unicode string handling in email.utils.parseaddr()
(bsc#1222537).
- Revert CVE-2022-48560-after-free-heappushpop.patch, the fix was
unneeded.
- Switch off tests. ONLY FOR FACTORY!!! (bsc#1219306)
- Build with -std=gnu89 to build correctly with gcc14, bsc#1220970
- openldap2
-
- bsc#1217985 - Null pointer deref in referrals as part of
ldap_chain_response()
* 0229-ITS-9262-check-referral.patch
- bsc#1220787 - increase DH param minimums to 2048 bits
* 0228-bsc-1220787-increase-dh-param-minimums.patch
- qemu
-
- Fix: bsc#1190011 (CVE-2021-3750), bsc#1190011 (CVE-2021-3750),
bsc#1190011 (CVE-2021-3750), bsc#1213925 (CVE-2023-3180),
bsc#1212850 (CVE-2023-3354), bsc#1207205 (CVE-2023-0330)
- Properly fix: bsc#1198038, CVE-2022-0216
- Fix the build with updated binutils
- Sync patches between qemu and qemu-linux-user
and qemu-testsuite
* Patches added:
0260-scsi-lsi53c895a-fix-use-after-free-.patch
0273-io-remove-io-watch-if-TLS-channel-i.patch
0274-virtio-crypto-verify-src-dst-buffer.patch
0275-softmmu-physmem-Introduce-MemTxAttr.patch
0276-memory-prevent-dma-reentracy-issues.patch
0277-disable-reentrancy-guard-on-ppc.patch
2007-librm-Use-explicit-operand-size-whe.patch
7000-Make-keycode-gen-output-reproducibl.patch
* Patches renamed:
0260-scsi-lsi53c895a-really-fix-use-afte.patch -->
0261-scsi-lsi53c895a-really-fix-use-afte.patch
0261-libqos-usb-hcd-ehci-use-32-bit-writ.patch -->
0262-libqos-usb-hcd-ehci-use-32-bit-writ.patch
0262-libqos-pci-pc-use-32-bit-write-for-.patch -->
0263-libqos-pci-pc-use-32-bit-write-for-.patch
0263-memory-Revert-memory-accept-mismatc.patch -->
0264-memory-Revert-memory-accept-mismatc.patch
0264-xhci-fix-valid.max_access_size-to-a.patch -->
0265-xhci-fix-valid.max_access_size-to-a.patch
0265-acpi-accept-byte-and-word-access-to.patch -->
0266-acpi-accept-byte-and-word-access-to.patch
0266-hw-char-bcm2835_aux-Allow-less-than.patch -->
0267-hw-usb-hcd-xhci-Fix-unbounded-loop-.patch
0267-hw-char-bcm2835_aux-Allow-less-than.patch -->
0268-hw-usb-hcd-xhci-Fix-unbounded-loop-.patch
0268-hw-sd-sdcard-Update-coding-style-to.patch -->
0269-hw-sd-sdcard-Update-coding-style-to.patch
0269-hw-sd-sdcard-Do-not-switch-to-Recei.patch -->
0270-hw-sd-sdcard-Do-not-switch-to-Recei.patch
0270-9pfs-prevent-opening-special-files-.patch -->
0271-9pfs-prevent-opening-special-files-.patch
0271-hw-scsi-lsi53c895a-Fix-reentrancy-i.patch -->
0272-hw-scsi-lsi53c895a-Fix-reentrancy-i.patch
- runc
-
- Add upstream patch <https://github.com/opencontainers/runc/pull/4219> to
properly fix -ENOSYS stub on ppc64le. bsc#1192051 bsc#1221050
+ 0001-bsc1221050-libct-seccomp-patchbpf-rm-duplicated-code.patch
+ 0002-bsc1221050-seccomp-patchbpf-rename-nativeArch-linuxA.patch
+ 0003-bsc1221050-seccomp-patchbpf-always-include-native-ar.patch
- docker
-
[NOTE: This update was only ever released in SLES and Leap.]
- Update to Docker 25.0.5-ce. See upstream changelog online at
<https://docs.docker.com/engine/release-notes/25.0/#2505> bsc#1223409
- Rebase patches:
* 0001-SECRETS-daemon-allow-directory-creation-in-run-secre.patch
* 0002-SECRETS-SUSE-implement-SUSE-container-secrets.patch
* 0003-BUILD-SLE12-revert-graphdriver-btrfs-use-kernel-UAPI.patch
* 0004-bsc1073877-apparmor-clobber-docker-default-profile-o.patch
* 0005-SLE12-revert-apparmor-remove-version-conditionals-fr.patch
* cli-0001-docs-include-required-tools-in-source-tree.patch
- Remove upstreamed patches:
- 0007-daemon-overlay2-remove-world-writable-permission-fro.patch
- Update --add-runtime to point to correct binary path.
[NOTE: This update was only ever released in SLES and Leap.]
- Add patch to fix bsc#1220339
* 0007-daemon-overlay2-remove-world-writable-permission-fro.patch
- rebase patches:
* 0001-SECRETS-daemon-allow-directory-creation-in-run-secre.patch
* 0002-SECRETS-SUSE-implement-SUSE-container-secrets.patch
* 0003-BUILD-SLE12-revert-graphdriver-btrfs-use-kernel-UAPI.patch
* 0004-bsc1073877-apparmor-clobber-docker-default-profile-o.patch
* 0005-SLE12-revert-apparmor-remove-version-conditionals-fr.patch
* 0006-Vendor-in-latest-buildkit-v0.11-branch-including-CVE.patch
- Allow to disable apparmor support (ALP supports only SELinux)
- Update to Docker 25.0.3-ce. See upstream changelog online at
<https://docs.docker.com/engine/release-notes/25.0/#2503>
- Fixes:
* bsc#1219267 - CVE-2024-23651
* bsc#1219268 - CVE-2024-23652
* bsc#1219438 - CVE-2024-23653
- Rebase patches:
* 0001-SECRETS-daemon-allow-directory-creation-in-run-secre.patch
* 0002-SECRETS-SUSE-implement-SUSE-container-secrets.patch
* 0003-BUILD-SLE12-revert-graphdriver-btrfs-use-kernel-UAPI.patch
* 0004-bsc1073877-apparmor-clobber-docker-default-profile-o.patch
* 0005-SLE12-revert-apparmor-remove-version-conditionals-fr.patch
* cli-0001-docs-include-required-tools-in-source-tree.patch
- Remove upstreamed patches:
- 0006-Vendor-in-latest-buildkit-v0.11-branch-including-CVE.patch
- fdupes
-
- Apply "toctou-race-allows-arbitrary-file-deletion.patch" to fix a
race condition that could be exploited to delete arbitrary files.
This patch is a back-ported and simplified version of the commit
https://github.com/adrianlopezroche/fdupes/commit/85680897148f1ac33b55418e00334116e419717f
introduced upstream in release 2.2.0. [bsc#1200381]
- glibc
-
- nscd-Fix-use-after-free-in-addgetnetgrentX.patch: nscd: Fix
use-after-free in addgetnetgrentX (BZ #23520)
- glibc-CVE-2024-33599-nscd-Stack-based-buffer-overflow-in-n.patch:
nscd: Stack-based buffer overflow in netgroup cache
(CVE-2024-33599, bsc#1223423, BZ #31677)
- glibc-CVE-2024-33600-nscd-Avoid-null-pointer-crashes-after.patch:
nscd: Avoid null pointer crashes after notfound response
(CVE-2024-33600, bsc#1223424, BZ #31678)
- glibc-CVE-2024-33600-nscd-Do-not-send-missing-not-found-re.patch:
nscd: Do not send missing not-found response in addgetnetgrentX
(CVE-2024-33600, bsc#1223424, BZ #31678)
- glibc-CVE-2024-33601-CVE-2024-33602-nscd-netgroup-Use-two.patch:
netgroup: Use two buffers in addgetnetgrentX (CVE-2024-33601,
CVE-2024-33602, bsc#1223425, BZ #31680)
- nscd-netgroup-cache-timeout.patch: Use time_t for return type of
addgetnetgrentX (CVE-2024-33602, bsc#1223425)
- elf-ifunc-subtests-nonpie.patch: elf: Disable some subtests of
ifuncmain1, ifuncmain5 for !PIE
- iconv-iso-2022-cn-ext.patch: iconv: ISO-2022-CN-EXT: fix out-of-bound
writes when writing escape sequence (CVE-2024-2961, bsc#1222992)
- python3
-
- bsc#1221854 (CVE-2024-0450) Add
CVE-2024-0450-zipfile-avoid-quoted-overlap-zipbomb.patch
detecting the vulnerability of the "quoted-overlap" zipbomb
(from gh#python/cpython!110016).
- Add CVE-2023-52425-libexpat-2.6.0-backport.patch fixing etree
XMLPullParser tests for Expat >=2.6.0 with reparse deferral
(fixing CVE-2023-52425 or bsc#1219559).
- lifecycle-data-sle-module-toolchain
-
- Added expiration data for GCC 12 yearly update for the Toolchain/Development modules.
(bsc#1221352)
- glib2
-
- Add patches to fix CVE-2024-34397 (boo#1224044):
glib2-CVE-2024-34397-add-ref-count-types.patch
glib2-allocate-SignalSubscriber-structs-individually.patch
glib2-CVE-2024-34397.patch (glgo#GNOME/glib#3268).
glib2-fix-ibus-regression.patch (glgo#GNOME/glib#3353)
- vim
-
- Updated to version 9.1 with patch level 0330, fixes the following problems
* Fixing bsc#1220763 - vim gets Segmentation fault after updating to version 9.1.0111-150500.20.9.1
- refreshed vim-7.3-filetype_spec.patch
- refreshed vim-7.3-filetype_ftl.patch
- Update spec.skeleton to use autosetup in place of setup macro.
- for the complete list of changes see
https://github.com/vim/vim/compare/v9.1.0111...v9.1.0330
- curl
-
- Security fix: [bsc#1221665, CVE-2024-2004]
* Usage of disabled protocol
* Add curl-CVE-2024-2004.patch
- Security fix: [bsc#1221667, CVE-2024-2398]
* curl: HTTP/2 push headers memory-leak
* Add curl-CVE-2024-2398.patch
- openssh
-
- also remember the active state of the service, so openssh8.4
can pick it up. bsc#1220110
- handle these when we do go from openssh8.4-server back to openssh
- openssl-1_0_0
-
- Security fix: [bsc#1219243, CVE-2024-0727]
* Add NULL checks where ContentInfo data can be NULL
* Add openssl-CVE-2024-0727.patch
- python-idna
-
- Add CVE-2024-3651.patch, backported from upstream commit
gh#kjd/idna#172/commits/5beb28b9dd77912c0dd656d8b0fdba3eb80222e7
(bsc#1222842, CVE-2024-3651)
- util-linux
-
- fix Xen virtualization type misidentification bsc#1215918
lscpu-fix-parameter-order-for-ul_prefix_fopen.patch
- Properly neutralize escape sequences in wall
(util-linux-CVE-2024-28085.patch, bsc#1221831, CVE-2024-28085,
and its prerequisites: util-linux-fputs_careful1.patch,
util-linux-wall-migrate-to-memstream.patch
util-linux-fputs_careful2.patch).
- avahi
-
- Add avahi-CVE-2023-38472.patch: Fix reachable assertion in
avahi_rdata_parse (bsc#1216853, CVE-2023-38472).
- Add avahi-CVE-2023-38470.patch: Ensure each label is at least one
byte long (bsc#1215947, CVE-2023-38470).
- Add avahi-CVE-2023-38471.patch: Extract host name usin
avahi_unescape_label (bsc#1216594, CVE-2023-38471).
- Add avahi-CVE-2023-38469.patch: Reject overly long TXT resource
records (bsc#1216598, CVE-2023-38469).