libxml2
- security update
- added patches
  fix CVE-2022-49043 [bsc#1236460], use-after-free in xmlXIncludeAddNode
  + libxml2-CVE-2022-49043.patch
amazon-ssm-agent
- Update to version 3.3.1611.0 (bsc#1235575, CVE-2025-21613)
  * Update aws-sdk-go from 1.51.20 to 1.55.5
  * Update golang.org/x/crypto from 0.24.0 to 0.32.0
  * Update github.com/go-git/go-git/v5 from 5.12.0 to 5.13.1
  * Update golang.org/x/net from 0.26.0 to 0.34.0
  * Update golang.org/x/oauth2 from 0.0.0-20211005180243-6b3c2da341f1
    to 0.24.0

- Update to version 3.3.1345.0
  * Revert "Update configurePackage to use fixed download method"
  * Revert "Use a single syscall for route table for health check IP"
- from version 3.3.1311.0
  * Add alternative to wmic to support Windows 2025
  * Add armv7 architecture support for greengrass component
  * Add support in ssm-setup-cli for standalone installation
    in on-premises environments
  * Fail ssm-setup-cli install command if agent config is not loadable
  * Implement S3 ownership verification as an optional parameter for plugins
  * Mark Session task as cancelled when MGS indicates that session is over
  * Update configurePackage to use fixed download method
  * Update Docker Engine version and use system environment
    variables in installation path
  * Update GreenGrass component minor version to 1.3.1
- from version 3.3.1230.0
  * Revert compatibility hook for future Windows versions as it
    increased CPU consumption for document execution on Windows.
  * Revert Increase RunCommand timeout during the registration
    process for the on-prem instances

- Update to version 3.3.1142.0
  * Fail windows update when installed version does not match
  * Reduced length of IMDS errors to shorter format
  * Increase the RunCommand timeout during the registration process for the on-prem instances
  * Add nil check when calling GetRepository content in aws:downloadContent
  * Worker process to exit if they are not successfully started and became idle
  * Fix bug where unforeseen failures cause time to be incorrectly displayed in RunCommand
  * Update GreenGrass component minor version to 1.3.0
  * Ensure agent thread always exit after the corresponding worker process exits
  * Fix IPC file filtering bug where usernames or session names containing
    tmp causes agent worker to not correctly receive IPC
  * Load directly from appconfig file when calling UpdateInstanceInformation
    during credential refresher
  * Use a single syscall for route table for health check IP
- from version 3.3.987.0
  * Update default session logging destination to none
  * Specify a minimum of TLS v1.2 in http client calls
  * Add web-socket heartbeat to detect connection drops in the web-socket
    for control and data channels sooner
  * Use exponential retry for document worker, increase retry interval
    and attempt count when reading IPC files
  * Add wait for cloud-init in the agent updater
  * Fix timeouts for update without yum endpoint connectivity
  * Change in orchestration directory removal process to reduce disk space usage
  * Fix Inventory detailed information invalid value check
  * Fix parsing issue with DomainJoin Plugin
  * Modify DomainJoin Plugin to use Kerberos REALM in username for RHEL and variants
  * Change the SUSE linux zypper commands to quiet mode for the DomainJoin Plugin
  * Move high volume info logs to debug level
  * Remove deprecated go coverage library (golang.org/x/tools/cmd/cover)
  * Add lock on session orchestration cleanup to prevent quadratic file
    system lookup for large volume session users
  * Upgrade GoLang to version 1.22.7
- from version 3.3.859.0
  * Updated snapcraft.yml specification
- from version 3.3.808.0
  * Agent updater attempts yum install/uninstall before
    falling back to attempt with rpm
  * Updated golang.org/x/net from v0.19.0 to v0.26.0
  * Upgrade GoLang to version 1.21.11
  * Add IPv6 addresses for NTP and EC2Config to default DenyList
  * Update Distributor to only use Systems Manager APIs to
    fetch package contents

- Update to version 3.3.551.0
  * Agent updater attempts yum install/uninstall before falling
    back to attempt with rpm
  * Updated golang.org/x/net from v0.19.0 to v0.26.0
  * Upgrade GoLang to version 1.21.11
  * Add IPv6 addresses for NTP and EC2Config to default DenyList
  * Update Distributor to only use Systems Manager APIs to fetch package contents
- from version 3.3.484.0
  * Update SSM-Setup-CLI logs related to checksum validation of latest version
- from version 3.3.418.0
  * Upgrade go-github version from v8 to v61
  * Increase timeouts in SSM-Setup-CLI
  * Fix darwin build issue in SSM-Setup-CLI
  * Fix the command builder bug to handle space char in input value
  * Fix an inaccurate log when validating allowDowngrade parameter during Agent update
  * Signing SSM Agent vended Windows executables
- from version 3.3.380.0
  * Update AWS GO SDK to v1.51.20
- from version 3.3.337.0
  * Remove yum as package manager in linux install/uninstall script
  * Verify TrustedInstaller status before posting WindowsUpdate
    information in aws:softwareInventory plugin

- Update to version 3.3.217.0
  * Add alternative outputs for agent package generation scripts
  * Add support for Oracle 8.8 & 8.9, Rocky 8.8 & 8.9,
    AlmaLinux 8.8 & 8.9, and RHEL 8.9 & 9.3
  * Fix flaky integration test
  * Fix setup-cli error code for non English systems
  * Set IPR creds expiry to 30 mins for ssm agent worker
  * Switch installer package manager from rpm to yum on OSes that support yum
  * Upgrade GoLang to version 1.21.8
- from version 3.3.131.0
  * Add integration tests for control channel and data channel module
  * Remove data channel and control channel acknowledgement
    functionality in MGS Interactor
- from version 3.2.2303.0
  * Add integration tests for control channel module
  * Revert data channel and control channel acknowledgement
    functionality in MGS Interactor
  * Update Greengrass component minor version to 1.2.4

- Update to version 3.3.40.0
  * Fix issue to execute aws:updateSSMAgent plugin through aws:rundocument plugin
  * Update Messaging module to switch off ec2messages
    when ssmmessages connected successfully
  * Update SSM Agent Minor version from 3.2 to 3.3
- from version 3.2.2222.0
  * Upgrade minimum go version in go.mod file to go 1.19
  * Upgrade go-git package to v5.11.0
  * Fix for bad default manifest url when updating EC2Config
- from version 3.2.2143.0
  * Fixed plugin path traversal logic
  * Updated aws:application plugin default param
  * Fixed default param in psmodule
  * Upgraded GoLang to version 1.21.5
- from version 3.2.2086.0
  * Added Agent config to configure session logs destination
  * Added data channel acknowledgement functionalities
  * Added redirect handler and timeout for HTTP client
  * Added steps to verify aws-cli installation for domainJoin plugin
  * Added support for Ubuntu 23.04, Debian 11.7 & 12, and SUSE 15.5
  * Adjusted random number generator logic used to get filename in downloadContent plugin
  * Fixed Agent to gather application inventory from both rpm and
    dpkg package managers if present in Unix instances
  * Bump golang.org/x/crypto/ssh from 0.14.0 to 0.17.0
- from version 3.2.2016.0
  * Added telemetry for agent core in-proc executor usage
  * Added retries for Agent installation with snap on Greengrass
  * Added code to update Agent config to use only Onprem Identity in Greengrass
  * Added support for macOS 14 (Sonoma)
  * Added Onprem registration support using ssm-setup-cli
  * Fixed docker installation issues in aws:configureDocker plugin
  * Fix for document worker and session worker not logging when
    custom seelog configuration missing parameters
  * Updated allowed regex pattern in S3 URI
  * Update Agent IoT Greengrass component minor version
  * Updated SUSE version in Seamless Domain Join script
  * Updated Greengrass component workflow to get installed Agent version and update
    Agent only when the installed Agent version doesn't match with Greengrass
    component Agent version
  * Upgraded GoLang version used to build agent binaries to 1.20.11
- Update Go version requirement to 1.21

- Update to version 3.2.1798.0
  * Bump golang.org/x/net from 0.15.0 to 0.17.0
  * Upgraded GoLang to version 1.20.10
  * Fixing race condition in session datachannel unit test
- from version 3.2.1705.0
  * Updated MGS Interactor to send 'Failed' status on agentJob parsing error
  * Added error handling for Linux DomainJoin when service account credentials empty
  * Fix for panic scenario when running aws:configureDocker plugin
  * Upgraded GoLang to version 1.20.8
  * Upgraded golang.org/x/net to v0.15.0
  * Added support for macOS 13 (Ventura)
- from version 3.2.1630.0
  * Fix credential retrieval retry logic in credential refresher
  * Reducing retrieval log level to debug in the credential
    refresher after more than 3 retrieval retries
  * Fix for EC2 credential retrieval errors not being
    propagated to the credential refresher
  * Fixing agent version input format validation
  * Fix downloadPlatformOverride for AlmaLinux
  * Fixed issue where removing seelog.xml file doesn't
    revert minimum log level back to INFO
  * Ignore non-audit files in audit folder
- from version 3.2.1542.0
  * Add aws:updateSSMAgent plugin support for Flatcar Linux
  * Add fix to resolve manifest url during agent update when using stable keyword
  * Fix multiple issues causing tight loops during IPC connection scenarios
  * Sign deb and rpm installer packages for Linux instances using new key
  * Use file based IPC by default for amazon-ssm-agent
    and ssm-agent-worker communication in Darwin

- Update to version 3.2.1478.0
  * Added fix to propagate exit code properly when command fails to start
  * Added control channel acknowledgement functionalities
  * Added flag to specify go version used for gosec and
    govulncheck in static analysis script
  * Added support for RHEL 8.7, 8.8, 9.1, 9.2
  * Added support for Rocky Linux 8.7, 9.0, 9.1, 9.2
  * Added support for Oracle Linux 8.7, 9.1, 9.2
  * Update go version to 1.20.7
- from version 3.2.1377.0
  * Stopped saving instance profile credentials to disk
  * Added static agent security scans to makefile
  * Updated Greengrass component minor version
- from version 3.2.1297.0
  * Added retries to snap uninstall call in setupcli
  * Fix for windows shutdown executable not found when compiled with golang1.19+
  * Fix to return correct Agent Job ID for ack after AgentJobParseError
  * Pass golang contexts for network calls in agent core to terminate cleanly
  * Remove credential file dependency in agent workers implemented in 3.2.x.x versions
  * Report MGS Connection Channel status to Health table
  * Update Dockerfile to use Golang image from ECR repository
- from version 3.2.1241.0
  * Get bucket region using signed HeadBucket request
  * Updated golang.org/x/net version to 0.10.0 and
    golang.org/x/crypto version to 0.9.0
  * Update go version to 1.19.10
- from version 3.2.1041.0
  * Add retry to handle stream data acknowledge messages
  * Support latest as a version in configurePackage plugin
  * Updated AWS GO SDK to v1.44.261 and disabled IMDSv1 fallback logic
  * Use IP address to connect to destination server in port session
- from version 3.2.985.0
  * Add Domain Join support for RHEL 8.7 and AL2022
  * Add Support to send aws:updateSSMAgent replies through MGS
  * Retrieve and set interface name dynamically in
    aws:domainJoin plugin for Ubuntu

- Update to version 3.2.923.0
  * Update Dockerfile Go version to 1.19
  * Add reporting of MGS connection status
  * Add support for updating to agent version marked stable
  * Add status code to MGS ack and send on message process failure
  * Update golangci-lint configuration
  * Add e2e tag to session shell tests

- update to 3.2.815.0:
  * Add EC2 credential fallback for AssumeRoleUnauthorizedAccess
    error
  * Add CloudWatch log upload support for document and session
    worker
  * Add set-hostname support in domainjoin plugin for windows
  * Add wait time in Agent updater to avoid installation issues
    caused during reboots initiated by domainjoin plugin
  * Add support for AlmaLinux
  * Fix KeepHostName parameter without DNS IP address parameter
    in domainJoin plugin
  * Fix issue where carriage returns cause json conversion to
    fail in aws:softwareInventory plugin
  * Remove IMDS calls in Onprem during health check
  * Remove S3 global endpoint fallback logic
  * Update cli descriptions for registration parameters
  * Update go version to 1.19.6
- update to 3.2.582.0:
  * Modified EC2 credential fallback logic
- update to 3.2.574.0:
  * Fixed go-vet issues by passing mocks by value
  * Updated domainjoin and cloudwatch executables for windows
- update to 3.2.532.0:
  * Removed explicit setting of EC2 aws credential profile
  * Added public key to registration info
  * Sends non-interactive command errors that occur before
    command execution to data channel
  * Added instance id verification to registration process

- Update to version 3.2.419.0
  + Added minimum retry sleep for Registrar RegisterManagedInstance calls
  + Explicitly skip AZ info check for on-prem and ECS targets
  + Fix for SSM-Agent that is unable to start on Apple Mac M1's (mac2.metal instances)
  + Ensuring powershell path is set to system directory on Windows
  + Load DLLs with using system/absolute paths on Windows
  + Added workaround for Samba limit when loading Active Directory ids
  + Dynamically get network interface name for SeamlessDomainJoin
  + Added install-yum-rpm to makefile to install agent on host from source code
  + Added logging for specifying credential source
  + Refactored tests to remove mocks from production binaries
  + Updated Windows DomainJoin plugin SharpZipLib and Newtonsoft.json dependencies
- from version 3.2.345.0
  + Updated yaml.v3 dependency

- Update to version 3.2.286.0
  + Separated EC2 identity vault manifest from OnPrem identity vault manifest
  + Fix for credential retrieval blocking os termination signals
  + Fix for agent updater using shared credentials on EC2
  + Added guards against panic for agent identity health checks
  + Added logging around agent module start/stop
- from version 3.2.183.0
  + Added logging when assuming identity
  + Increased retries to ECS metadata endpoint
  + Added linux debug build to makefile
  + Implemented aws sdk logging interface
  + Updated agent minor version to 3.2
  + Added functionality to retrieve agent credentials from Systems Manager on EC2
- from version 3.1.1927.0
  + Update shell for Session Manager on MacOS

- Update to version 3.1.1856.0
  + Lower message length threshold for cloudwatch log streaming
  + Ran gofmt and goimports with golang version 1.19
  + Report AvailabilityZone and AvailabilityZoneId in health pings
  + Update AWS Go SDK to v1.44.78
- from version 3.1.1767.0
  + Fix samba configuration for sub-domains
- from version 3.1.1732.0
  + Add code in document/session worker to fallback to default
    identity selector when runtime config not present
  + Fix to handle command-line-arguments in document/session
    worker when launched by old agent workers
- from version 3.1.1634.0
  + Fallback to file based IPC if named pipe creation times out
  + Increase tls handshake timeout in http download client
  + Log mds client timeout errors as WARN
- from version 3.1.1575.0
  + Added separate metric for snapd running apps failure during update
  + Fixed idle session timeout with smux keep alive configuration based on CLI version
  + Updated AgentTaskComplete message retry
  + Updated go version to 1.18.3
- from version 3.1.1511.0
  + Collect kernel version in InstanceDetailedInformation
  + Support separate output stream for non-interactive session
  + Cleanup default log group name for runcommands
  + Updated rpm spec file to include build id
- from version 3.1.1476.0
  + Fix port session premature close when local server is not connected before timeout
- from version 3.1.1446.0
  + Add created date to AgentJobAck message
  + Disable smux keep alive to use idle session timeout feature
  + Fix unit-tests running on windows
- from version 3.1.1374.0
  + Added timeout for s3 HEAD requests
  + Added vpc address deny to port forwarding
  + Fixed for reboot scenario in configure package plugin
  + Fixed goroutine leak in seelog library
  + Fixed nullpointer segmentation fault in configure package plugin
  + Improved error handling in manifest download in updater
  + Improved worker initialization to improve startup failure logging
cloud-regionsrv-client
- Update to 10.3.11 (bsc#1234050)
  + Send registration code for the extensions, not only base product

- Update to 10.3.8 (bsc#1233333)
  + Fix the package requirements for cloud-regionsrv-client
  + Follow changes to suseconnect error reporting from stdout to stderr
python-instance-billing-flavor-check
- Version 0.1.1 (bsc#1235991, bsc#1235992)
  + Add time stamp to log
- From version 0.1.0
  + Doc improvements clarifying exit status codes
rsync
- Fix FLAG_GOT_DIR_FLIST collision with FLAG_HLINKED
  * Added rsync-fix-FLAG_GOT_DIR_FLIST.patch

- Security update, CVE-2024-12747, bsc#1235475 race condition in handling symbolic links
  * Added rsync-CVE-2024-12747.patch

- Security update, fix multiple vulnerabilities:
  * CVE-2024-12085, bsc#1234101 - Info Leak via uninitialized Stack contents defeats ASLR
  * CVE-2024-12086, bsc#1234102 - Server leaks arbitrary client files
  * CVE-2024-12087, bsc#1234103 - Server can make client write files outside of destination directory using symbolic links
  * CVE-2024-12088, bsc#1234104 - --safe-links Bypass
  * Added rsync-CVE-2024-12085.patch
  * Added rsync-CVE-2024-12086_01.patch
  * Added rsync-CVE-2024-12086_02.patch
  * Added rsync-CVE-2024-12086_03.patch
  * Added rsync-CVE-2024-12086_04.patch
  * Added rsync-CVE-2024-12087_01.patch
  * Added rsync-CVE-2024-12087_02.patch
  * Added rsync-CVE-2024-12088.patch
  * Added rsync-fix-compilation-do_malloc_fixes.patch
krb5
- Prevent overflow when calculating ulog block size. An authenticated
  attacker can cause kadmind to write beyond the end of the mapped
  region for the iprop log file, likely causing a process crash;
  (CVE-2025-24528); (bsc#1236619).
- Add patch 0017-Prevent-overflow-when-calculating-ulog-block-size.patch
regionServiceClientConfigEC2
- Update to version 4.3.2
  + Fix us-east-1 cert

- Update to version 4.3.1
  + New 4096 certificate for rgnsrv-azure-southeastasia
kernel-default
- Update
  patches.suse/af_packet-avoid-erroring-out-after-sock_init_data-in.patch
  (CVE-2024-56606 bsc#1235417).
  Fix the bug number.
- commit f121592

- drm: adv7511: Fix use-after-free in adv7533_attach_dsi() (CVE-2024-57887 bsc#1235952).
- commit 5c4ee3f

- ocfs2: fix slab-use-after-free due to dangling pointer dqi_priv
  (bsc#1235964 CVE-2024-57892).
- ocfs2: correct return value of ocfs2_local_free_info()
  (bsc#1235964 CVE-2024-57892).
- commit b9a152d

- xen: Fix the issue of resource not being properly released in
  xenbus_dev_probe() (CVE-2024-53198 bsc#1234923).
- commit ca6183e

- workqueue: skip lockdep wq dependency in cancel_work_sync()
  (bsc#1235918).
- commit 1b19fa3

- workqueue: Do not warn when cancelling WQ_MEM_RECLAIM work from
  !WQ_MEM_RECLAIM worker (bsc#1235416 bsc#1235918 CVE-2024-57888).
- commit b01b194

- ftrace: Fix regression with module command in stack_trace_filter
  (CVE-2024-56569 bsc#1235031).
- commit e7b7c58

- ALSA: seq: oss: Fix races at processing SysEx messages
  (CVE-2024-57893 bsc#1235920).
- commit 7be38f2

- cifs: fix calc signature on big endian systems (bsc#1235888,
  bsc#1234921).
- commit 38ecaae

- net/smc: check return value of sock_recvmsg when draining clc
  data (CVE-2024-57791 bsc#1235759).
- commit 7c27e5f

- smb: client: fix parsing of SMB3.1.1 POSIX create context
  (git-fixes).
- commit bc79049

- s390/cpum_sf: Handle CPU hotplug remove during sampling
  (CVE-2024-57849 bsc#1235814).
- commit 0001c5b

- pinmux: Use sequential access to access desc->pinmux data
  (CVE-2024-47141 bsc#1235708).
- commit 5d7a944

- mm/swapfile: skip HugeTLB pages for unuse_vma (CVE-2024-50199
  bsc#1233112).
- commit 46f452a

- drm/dp_mst: Fix MST sideband message body length check (bsc#1235427 CVE-2024-56616)
- commit a9fa1ed

- bpf, sockmap: Fix race between element replace and close()
  (CVE-2024-56664 bsc#1235249).
- commit 58b2a56

- tipc: fix NULL deref in cleanup_bearer() (bsc#1235433).
- commit 45bfce4

- scsi: sg: Fix slab-use-after-free read in sg_release()
  (CVE-2024-56631 bsc#1235480).
- commit 7bf64a1

- Fix CVE reference for patches.suse/af_packet-avoid-erroring-out-after-sock_init_data-in.patch (CVE-2024-56606)
- commit 0d64068

- 9p/xen: fix release of IRQ (CVE-2024-56704 bsc#1235584).
- commit f5768af

- mfd: intel_soc_pmic_bxtwc: Use IRQ domain for TMU device
  (CVE-2024-56724 bsc#1235577).
- commit fe1aa03

- irqchip/gic-v3-its: Prevent double free on error (bsc#1224697
  CVE-2024-35847).
- commit 014f7f5

- smb: client: fix use-after-free of signing key (bsc#1234921,
  CVE-2024-53179).
- commit c267f82

- af_packet: avoid erroring out after sock_init_data() in packet_create() (CVE-2024-5660 bsc#123541)
- commit 0fe28c5

- KVM: Always flush async #PF workqueue when vCPU is being
  destroyed (CVE-2024-26976 bsc#1223635).
- commit 55809b2

- ovl: Filter invalid inodes with missing lookup function
  (bsc#1235035 CVE-2024-56570).
- commit 6e7923c

- net: af_can: do not leave a dangling sk pointer in can_create() (CVE-2024-56603 bsc#1235415)
- commit c85c522

- ubi: fastmap: Fix duplicate slab cache names while attaching (CVE-2024-53172 bsc#1234898)
- commit 9366af4

- NFSv4.0: Fix a use-after-free problem in the asynchronous open()
  (CVE-2024-53173 bsc#1234891).
- commit a7e3c22

- tipc: Fix use-after-free of kernel socket in cleanup_bearer()
  (CVE-2024-56642 bsc#1235433).
- commit 3768de6

- sctp: properly validate chunk size in sctp_sf_ootb() (CVE-2024-50299 bsc#1233488)
- commit 537e6f9

- drm/amdgpu: fix usage slab after free (CVE-2024-56551
  bsc#1235075).
- commit d5ec598

- Bluetooth: L2CAP: do not leave dangling sk pointer on error
  in l2cap_sock_create() (CVE-2024-56605 bsc#1235061).
- commit 6ac1393

- net/sched: stop qdisc_tree_reduce_backlog on TC_H_ROOT
  (CVE-2024-53057 bsc#1233551).
- commit 707ad78

- media: s5p_cec: limit msg.len to CEC_MAX_MSG_SIZE
  (CVE-2022-49035 bsc#1215304).
- commit e681ca0

- Revert "fbdev: efifb: Register sysfs groups through driver core"
  This reverts commit bff30872a052aab87ee7774e2be9b01e1cc917a9.
  (bsc#1232224 CVE-2024-49925)
  As Michal Koutný's comment#70 in bsc#1232224, the reason is that kABI
  fixup in patches.kabi/driver-core-kABI-workaround-for-dev_groups-in-device.patch
  is not restoring original KABI since the (extended) struct device_driver
  is embedded in other structs, like platform_driver.
  And I agree with Michal's comments, CVE-2024-49925 vulnerability is not
  easy to be used by attacker who does not have root permission. So let's
  revert the following backported/kabi patches and set CVE-2024-49925 to
  WONTFIX on SLE12-SP5:
  72643096ed46b327a37e55db8130cbdc5dadc513
    driver core: Fix error return code in really_probe()
    (bsc#1232224 CVE-2024-49925).
  993ec78562135da497117ab08d14b980c9f783ac
    driver core: kABI workaround for dev_groups in device_driver
    (bsc#1232224 CVE-2024-49925).
  d16dce7a3af05c2034c4ba6cea77c5fdc32124cd
    driver core: add dev_groups to all drivers (bsc#1232224
    CVE-2024-49925).
  bff30872a052aab87ee7774e2be9b01e1cc917a9
    fbdev: efifb: Register sysfs groups through driver core
    (bsc#1232224 CVE-2024-49925).
- commit 70f2ffa

- Revert "driver core: add dev_groups to all drivers (bsc#1232224"
  This reverts commit d16dce7a3af05c2034c4ba6cea77c5fdc32124cd.
  (bsc#1232224 CVE-2024-49925)
  As Michal Koutný's comment#70 in bsc#1232224, the reason is that kABI
  fixup in patches.kabi/driver-core-kABI-workaround-for-dev_groups-in-device.patch
  is not restoring original KABI since the (extended) struct device_driver
  is embedded in other structs, like platform_driver.
  And I agree with Michal's comments, CVE-2024-49925 vulnerability is not
  easy to be used by attacker who does not have root permission. So let's
  revert the following backported/kabi patches and set CVE-2024-49925 to
  WONTFIX on SLE12-SP5:
  72643096ed46b327a37e55db8130cbdc5dadc513
    driver core: Fix error return code in really_probe()
    (bsc#1232224 CVE-2024-49925).
  993ec78562135da497117ab08d14b980c9f783ac
    driver core: kABI workaround for dev_groups in device_driver
    (bsc#1232224 CVE-2024-49925).
  d16dce7a3af05c2034c4ba6cea77c5fdc32124cd
    driver core: add dev_groups to all drivers (bsc#1232224
    CVE-2024-49925).
  bff30872a052aab87ee7774e2be9b01e1cc917a9
    fbdev: efifb: Register sysfs groups through driver core
    (bsc#1232224 CVE-2024-49925).
- commit 4b057cb

- Revert "driver core: kABI workaround for dev_groups in device_driver"
  This reverts commit 993ec78562135da497117ab08d14b980c9f783ac.
  (bsc#1232224 CVE-2024-49925)
  As Michal Koutný's comment#70 in bsc#1232224, the reason is that kABI
  fixup in patches.kabi/driver-core-kABI-workaround-for-dev_groups-in-device.patch
  is not restoring original KABI since the (extended) struct device_driver
  is embedded in other structs, like platform_driver.
  And I agree with Michal's comments, CVE-2024-49925 vulnerability is not
  easy to be used by attacker who does not have root permission. So let's
  revert the following backported/kabi patches and set CVE-2024-49925 to
  WONTFIX on SLE12-SP5:
  72643096ed46b327a37e55db8130cbdc5dadc513
    driver core: Fix error return code in really_probe()
    (bsc#1232224 CVE-2024-49925).
  993ec78562135da497117ab08d14b980c9f783ac
    driver core: kABI workaround for dev_groups in device_driver
    (bsc#1232224 CVE-2024-49925).
  d16dce7a3af05c2034c4ba6cea77c5fdc32124cd
    driver core: add dev_groups to all drivers (bsc#1232224
    CVE-2024-49925).
  bff30872a052aab87ee7774e2be9b01e1cc917a9
    fbdev: efifb: Register sysfs groups through driver core
    (bsc#1232224 CVE-2024-49925).
- commit eade7d6

- Revert "driver core: Fix error return code in really_probe()"
  This reverts commit 72643096ed46b327a37e55db8130cbdc5dadc513.
  (bsc#1232224 CVE-2024-49925)
  As Michal Koutný's comment#70 in bsc#1232224, the reason is that kABI
  fixup in patches.kabi/driver-core-kABI-workaround-for-dev_groups-in-device.patch
  is not restoring original KABI since the (extended) struct device_driver
  is embedded in other structs, like platform_driver.
  And I agree with Michal's comments, CVE-2024-49925 vulnerability is not
  easy to be used by attacker who does not have root permission. So let's
  revert the following backported/kabi patches and set CVE-2024-49925 to
  WONTFIX on SLE12-SP5:
  72643096ed46b327a37e55db8130cbdc5dadc513
    driver core: Fix error return code in really_probe()
    (bsc#1232224 CVE-2024-49925).
  993ec78562135da497117ab08d14b980c9f783ac
    driver core: kABI workaround for dev_groups in device_driver
    (bsc#1232224 CVE-2024-49925).
  d16dce7a3af05c2034c4ba6cea77c5fdc32124cd
    driver core: add dev_groups to all drivers (bsc#1232224
    CVE-2024-49925).
  bff30872a052aab87ee7774e2be9b01e1cc917a9
    fbdev: efifb: Register sysfs groups through driver core
    (bsc#1232224 CVE-2024-49925).
- commit 409618d

- nvme-pci: fix freeing of the HMB descriptor table (bsc#1234921
  CVE-2024-56756).
- commit a639847

- vfio/pci: Properly hide first-in-list PCIe extended capability
  (bsc#1235004 CVE-2024-53214).
- commit 1b7890f

- wifi: ath10k: avoid NULL pointer error during sdio remove
  (CVE-2024-56599 bsc#1235138).
- commit 827f8ee

- leds: class: Protect brightness_show() with led_cdev->led_access
  mutex (CVE-2024-56587 bsc#1235125).
- commit 654afb9

- net: marvell: mvpp2: phylink requires the link interrupt
  (bsc#1117016).
- Delete
  patches.suse/net-mvpp2-fix-condition-for-setting-up-link-interrup.patch.
  Replace downstream patch with upstream one
- commit 5355aa8

- Bluetooth: RFCOMM: avoid leaving dangling sk pointer in
  rfcomm_sock_alloc() (bsc#1235056 CVE-2024-56604).
- commit 9674234

- Bluetooth: Consolidate code around sk_alloc into a helper
  function (bsc#1235056 CVE-2024-56604).
  Refresh
  patches.suse/Bluetooth-SCO-Fix-UAF-on-sco_sock_timeout.patch.
- commit d4282e9

- Bluetooth: hci_sock: purge socket queues in the destruct()
  callback (bsc#1235056 CVE-2024-56604).
- commit a8a4e81

- hfsplus: don't query the device logical block size multiple
  times (bsc#1235073 CVE-2024-56548).
- commit ff0cbed

- wifi: ath9k: add range check for conn_rsp_epid in
  htc_connect_service() (CVE-2024-53156 bsc#1234846).
- commit 22125f2

- ALSA: 6fire: Release resources at card release (CVE-2024-53239
  bsc#1235054).
- ALSA: caiaq: Use snd_card_free_when_closed() at disconnection
  (CVE-2024-56531 bsc#1235057).
- commit d3f225e

- NFSD: Prevent a potential integer overflow (CVE-2024-53146
  bsc#1234853).
- commit c43d88d

- Refresh
  patches.suse/char-virtio-Select-VIRTIO-from-VIRTIO_CONSOLE.patch.
- Refresh
  patches.suse/net-packet-fix-overflow-in-tpacket_rcv.patch.
  Add upstream references and move to sorted section.
- commit 62678cc

- SUNRPC: 'Directory with parent 'rpc_clnt' already
  present!' (bsc#1168202 bsc#1188924).
- commit 511e0dd

- SUNRPC: fix use-after-free in rpc_free_client_work()
  (bsc#1168202 bsc#1188924).
- Refresh
  patches.suse/SUNRPC-Fix-RPC-client-cleaned-up-the-freed-pipefs-de.patch.
- Refresh
  patches.suse/SUNRPC-defer-slow-parts-of-rpc_free_client-to-a-work.patch.
  Add upstream reference and move to sorted section. Split a fix-up to a
  separate patch so that it also gets its upstream reference. This aligns
  with how things were done in other maintained kernel branches.
- commit f5a7a6e

- netfilter: ipset: add missing range check in bitmap_ip_uadt (CVE-2024-53141 bsc#1234381)
- commit 5b1c6de

- RDMA/mlx5: Cancel pkey work before destroying device resources (bsc#1235009 CVE-2024-53224)
- commit 9ac5166

- Update
  patches.suse/Bluetooth-hci_event-Align-BR-EDR-JUST_WORKS-paring-w.patch
  (git-fixes bsc#1230697 CVE-2024-8805 CVE-2024-53144
  bsc#1234690).
- Update
  patches.suse/can-bcm-Clear-bo-bcm_proc_read-after-remove_proc_ent.patch
  (CVE-2024-46771 bsc#1230766 CVE-2024-47709 bsc#1232048).
- Update
  patches.suse/mm-revert-mm-shmem-fix-data-race-in-shmem_getattr.patch
  (CVE-2024-50228 bsc#1233204 git fixes (mm/shmem) CVE-2024-53136
  bsc#1234161).
- Update
  patches.suse/net-relax-socket-state-check-at-accept-time.patch
  (git-fixes CVE-2024-36484 bsc#1226872).
- Update
  patches.suse/ocfs2-uncache-inode-which-has-failed-entering-the-group.patch
  (bsc#1234087 CVE-2024-53112).
- commit 357ae3f

- Refresh
  patches.suse/Deprecate-NR_UNSTABLE_NFS-use-NR_WRITEBACK.patch.
- Refresh
  patches.suse/MM-replace-PF_LESS_THROTTLE-with-PF_LOCAL_THROTTLE.patch.
- Refresh
  patches.suse/mm-Avoid-overflows-in-dirty-throttling-logic.patch.
  Add upstream reference to 2 patches, move them to the sorted section and
  refresh another patch to solve context conflicts.
- commit 91ba058

- firmware: arm_scpi: Check the DVFS OPP count returned by the
  firmware (CVE-2024-53157 bsc#1234827).
- commit 77c498b

- s390/iucv: MSG_PEEK causes memory leak in iucv_sock_destruct()
  (CVE-2024-53210 bsc#1234971).
- commit e1704a7

- ALSA: usb-audio: Fix out of bounds reads when finding clock
  sources (CVE-2024-53150 bsc#1234834).
- commit 809edc6

- smb: client: fix OOBs when building SMB2_IOCTL request
  (CVE-2024-50151 bsc#1233055).
- commit 5303c51

- xen/netfront: fix crash when removing device (XSA-465
  CVE-2024-53240 bsc#1234281).
- commit 6a0455d

- btrfs: qgroup: fix sleep from invalid context bug in
  btrfs_qgroup_inherit() (CVE-2022-49033 bsc#1232045).
- commit 1c36522

- Bluetooth: hci_event: Align BR/EDR JUST_WORKS paring with LE
  (git-fixes, bsc#1230697, CVE-2024-8805).
- commit af6048b

- scsi: pm80xx: Set phy->enable_completion only when we wait
  for it (CVE-2024-47666 bsc#1231453).
- commit 3fe50d4

- xfs: don't walk off the end of a directory data block
  (bsc#1228405 CVE-2024-41013).
- commit 7e72128

- bpf: Fix out-of-bounds write in trie_get_next_key() (CVE-2024-50262 bsc#1233239)
- commit deb09e1

- can: bcm: Fix UAF in bcm_proc_show() (CVE-2023-52922 bsc#1233977)
- commit a84b421

- media: v4l2-tpg: prevent the risk of a division by zero (CVE-2024-50287 bsc#1233476)
- commit f6101ec

- fs: Fix uninitialized value issue in from_kuid and from_kgid (CVE-2024-53101 bsc#1233769)
- commit a397183

- udf: refactor inode_bmap() to handle error (bsc#1234242
  bsc#1233096 CVE-2024-50211).
- commit 20d3a39

- udf: refactor udf_next_aext() to handle error (bsc#1234241).
- commit f098aa9

- udf: refactor udf_current_aext() to handle error (bsc#1234240).
- commit b64184f

- udf: fix uninit-value use in udf_get_fileshortad (bsc#1234243
  bsc#1233038 CVE-2024-50143).
- commit 67400f8

- udf: Handle error when adding extent to a file (bsc#1234437).
- commit f03c52b

- kabi/severities: ignore intermodule symbols between fsl_fman and fsl_dpaa_eth
- commit eb515fb

- fsl/fman: Fix refcount handling of fman-related devices
  (CVE-2024-50166 bsc#1233050).
- fsl/fman: Save device references taken in mac_probe()
  (CVE-2024-50166 bsc#1233050).
- net: fman: Unregister ethernet device on removal (CVE-2024-50166
  bsc#1233050).
- commit f22236a

- rtnetlink: make sure to refresh master_dev/m_ops in
  __rtnl_newlink() (CVE-2022-48742 bsc#1226694).
- commit 8931ec3

- Update References: field, and keep KABI consistency of bioset_exit(),
  patches.suse/dm-cache-fix-flushing-uninitialized-delayed_work-on--1354.patch
  (bsc#1233467, CVE-2024-50278, bsc#1233469, CVE-2024-50280).
- commit 4bed2c0

- netfilter: nf_reject_ipv6: fix potential crash in
  nf_send_reset6() (CVE-2024-50256 bsc#1233200).
- commit c62ba75