avahi
- Update avahi-daemon-check-dns-suse.patch to drop privileges when
  invoking avahi-daemon-check-dns.sh (boo#1180827 CVE-2021-26720).
- Add sudo to requires: used to drop privileges.
bind
- CVE-2020-8625: A vulnerability in BIND's GSSAPI security policy
  negotiation can be targeted by a buffer overflow attack
  [bsc#1182246, CVE-2020-8625, bind-CVE-2020-8625.patch]
csync2
- VUL-1: csync2: bad TLS key generation on installation (bsc#1145032)
  Adapt suggested changes in %post section.
  Do not hide output on standard error during generating the keys.
file
- Add patch 0446fadf.patch to fix bsc#1182138
  * Bug in "/echo 8000 | file -"/ gzip
grub2
- VUL-0: grub2,shim: implement new SBAT method (bsc#1182057)
  * 0028-util-mkimage-Remove-unused-code-to-add-BSS-section.patch
  * 0029-util-mkimage-Use-grub_host_to_target32-instead-of-gr.patch
  * 0030-util-mkimage-Always-use-grub_host_to_target32-to-ini.patch
  * 0031-util-mkimage-Unify-more-of-the-PE32-and-PE32-header-.patch
  * 0032-util-mkimage-Reorder-PE-optional-header-fields-set-u.patch
  * 0033-util-mkimage-Improve-data_size-value-calculation.patch
  * 0034-util-mkimage-Refactor-section-setup-to-use-a-helper.patch
  * 0035-util-mkimage-Add-an-option-to-import-SBAT-metadata-i.patch
  * 0036-grub-install-common-Add-sbat-option.patch
- Fix CVE-2021-20225 (bsc#1182262)
  * 0019-lib-arg-Block-repeated-short-options-that-require-an.patch
- Fix CVE-2020-27749 (bsc#1179264)
  * 0021-kern-parser-Fix-resource-leak-if-argc-0.patch
  * 0022-kern-parser-Fix-a-memory-leak.patch
  * 0023-kern-parser-Introduce-process_char-helper.patch
  * 0024-kern-parser-Introduce-terminate_arg-helper.patch
  * 0025-kern-parser-Refactor-grub_parser_split_cmdline-clean.patch
  * 0026-kern-buffer-Add-variable-sized-heap-buffer.patch
  * 0027-kern-parser-Fix-a-stack-buffer-overflow.patch
- Fix CVE-2021-20233 (bsc#1182263)
  * 0020-commands-menuentry-Fix-quoting-in-setparams_prefix.patch
- Fix CVE-2020-25647 (bsc#1177883)
  * 0018-usb-Avoid-possible-out-of-bound-accesses-caused-by-m.patch
- Fix CVE-2020-25632 (bsc#1176711)
  * 0017-dl-Only-allow-unloading-modules-that-are-not-depende.patch
- Fix CVE-2020-27779, CVE-2020-14372 (bsc#1179265) (bsc#1175970)
  * 0001-mkimage-Clarify-file-alignment-in-efi-case.patch
  * 0002-efi-Make-shim_lock-GUID-and-protocol-type-public.patch
  * 0003-efi-Return-grub_efi_status_t-from-grub_efi_get_varia.patch
  * 0004-efi-Add-a-function-to-read-EFI-variables-with-attrib.patch
  * 0005-efi-Add-secure-boot-detection.patch
  * 0006-kern-Add-lockdown-support.patch
  * 0007-kern-lockdown-Set-a-variable-if-the-GRUB-is-locked-d.patch
  * 0008-efi-Lockdown-the-GRUB-when-the-UEFI-Secure-Boot-is-e.patch
  * 0009-efi-Use-grub_is_lockdown-instead-of-hardcoding-a-dis.patch
  * 0010-acpi-Don-t-register-the-acpi-command-when-locked-dow.patch
  * 0011-mmap-Don-t-register-cutmem-and-badram-commands-when-.patch
  * 0012-commands-Restrict-commands-that-can-load-BIOS-or-DT-.patch
  * 0013-commands-setpci-Restrict-setpci-command-when-locked-.patch
  * 0014-commands-hdparm-Restrict-hdparm-command-when-locked-.patch
  * 0015-gdb-Restrict-GDB-access-when-locked-down.patch
  * 0016-loader-xnu-Don-t-allow-loading-extension-and-package.patch
  * 0037-squash-Add-secureboot-support-on-efi-chainloader.patch
  * 0038-squash-grub2-efi-chainload-harder.patch
  * 0039-squash-Don-t-allow-insmod-when-secure-boot-is-enable.patch
  * 0040-squash-linuxefi-fail-kernel-validation-without-shim-.patch
  * 0041-squash-kern-Add-lockdown-support.patch
- Add SBAT metadata section to grub.efi
  * grub2.spec
hawk2
- Update to version 2.6.0:
  * Use fullpath of binary (bsc#1181436)
  * remove %x (bsc#1182163)
jasper
- bsc#1179748 CVE-2020-27828: Fix heap overflow by checking maxrlvls
  Add jasper-CVE-2020-27828.patch
- bsc#1181483 CVE-2021-3272: Fix heap overflow by ensuring number
  of channels matches image components
  Add jasper-CVE-2021-3272.patch
java-1_7_1-ibm
- Update to Java 7.1 Service Refresh 4 Fix Pack 80
  [bsc#1182186, bsc#1181239, CVE-2020-27221, CVE-2020-14803]
  * CVE-2020-27221: Potential for a stack-based buffer overflow
    when the virtual machine or JNI natives are converting from
    UTF-8 characters to platform encoding.
  * CVE-2020-14803: Unauthenticated attacker with network access
    via multiple protocols allows to compromise Java SE.
kernel-default
- futex: Fix incorrect should_fail_futex() handling (bsc#969755).
- futex: Avoid freeing an active timer (bsc#969755).
- commit cce36b8
- futex: Handle faults correctly for PI futexes (bsc#969755
  bsc#1181349 CVE-2021-3347).
- futex: Simplify fixup_pi_state_owner() (bsc#969755 bsc#1181349
  CVE-2021-3347).
- futex: Use pi_state_update_owner() in put_pi_state() (bsc#969755
  bsc#1181349 CVE-2021-3347).
- futex: Provide and use pi_state_update_owner() (bsc#969755
  bsc#1181349 CVE-2021-3347).
- futex: Replace pointless printk in fixup_owner() (bsc#969755
  bsc#1181349 CVE-2021-3347).
- futex: Ensure the correct return value from futex_lock_pi()
  (bsc#969755 bsc#1181349 CVE-2021-3347).
- futex: Don't enable IRQs unconditionally in put_pi_state()
  (bsc#969755).
- futex: Handle transient "/ownerless"/ rtmutex state correctly
  (bsc#969755).
- locking/futex: Allow low-level atomic operations to return
  - EAGAIN (bsc#969755).
- futex: Handle early deadlock return correctly (bsc#969755).
- futex: Fix OWNER_DEAD fixup (bsc#969755).
- futex: Avoid violating the 10th rule of futex (bsc#969755).
- futex: Fix more put_pi_state() vs. exit_pi_state_list() races
  (bsc#969755).
- futex: Fix pi_state->owner serialization (bsc#969755).
- futex,rt_mutex: Fix rt_mutex_cleanup_proxy_lock() (bsc#969755).
- futex: Fix small (and harmless looking) inconsistencies
  (bsc#969755).
- futex: Drop hb->lock before enqueueing on the rtmutex
  (bsc#969755).
- futex: Futex_unlock_pi() determinism (bsc#969755).
- futex: Rework futex_lock_pi() to use rt_mutex_*_proxy_lock()
  (bsc#969755).
- futex,rt_mutex: Restructure rt_mutex_finish_proxy_lock()
  (bsc#969755).
- futex,rt_mutex: Introduce rt_mutex_init_waiter() (bsc#969755).
- futex: Pull rt_mutex_futex_unlock() out from under hb->lock
  (bsc#969755).
- futex: Rework inconsistent rt_mutex/futex_q state (bsc#969755).
- futex: Change locking rules (bsc#969755).
- futex,rt_mutex: Provide futex specific rt_mutex API
  (bsc#969755).
- commit 3ea3e69
- cifs: do not revalidate mountpoint dentries (bsc#1177440).
- cifs: ignore revalidate failures in case of process gets
  signaled (bsc#1177440).
- commit 92b5fe6
- Use r3 instead of r13 for l1d fallback flush in do_uaccess_fush
  (bsc#1181096 ltc#190883).
- Refresh patches.suse/powerpc-rfi-flush-Move-RFI-flush-fields-out-of-the-p.patch.
  Touching r13 in do_uaccess_flush causes bad memory access in kernel and
  either kernel or running userspace proccess crash. do_uaccess_fush is a
  function so it can use volatile GPRs such as r3 freely. Use it to load
  the PACA_AUX pointer instead of r13.
- commit b0522ed
- netfilter: ctnetlink: add a range check for l3/l4 protonum
  (CVE-2020-25211 bsc#1176395).
- commit e22722d
- Update
  patches.suse/0001-xen-events-add-a-proper-barrier-to-2-level-uevent-un.patch
  (CVE-2020-27673 XSA-332 bsc#1177411).
- Update
  patches.suse/0002-xen-events-fix-race-in-evtchn_fifo_unmask.patch
  (CVE-2020-27673 XSA-332 bsc#1177411).
- Update
  patches.suse/0003-xen-events-add-a-new-late-EOI-evtchn-framework.patch
  (CVE-2020-27673 XSA-332 bsc#1177411).
- Update
  patches.suse/0004-xen-blkback-use-lateeoi-irq-binding.patch
  (CVE-2020-27673 XSA-332 bsc#1177411).
- Update
  patches.suse/0005-xen-netback-use-lateeoi-irq-binding.patch
  (CVE-2020-27673 XSA-332 bsc#1177411).
- Update
  patches.suse/0006-xen-scsiback-use-lateeoi-irq-binding.patch
  (CVE-2020-27673 XSA-332 bsc#1177411).
- Update
  patches.suse/0008-xen-pciback-use-lateeoi-irq-binding.patch
  (CVE-2020-27673 XSA-332 bsc#1177411).
- Update
  patches.suse/0009-xen-events-switch-user-event-channels-to-lateeoi-mod.patch
  (CVE-2020-27673 XSA-332 bsc#1177411).
- Update
  patches.suse/0010-xen-events-use-a-common-cpu-hotplug-hook-for-event-c.patch
  (CVE-2020-27673 XSA-332 bsc#1177411).
- Update
  patches.suse/0011-xen-events-defer-eoi-in-case-of-excessive-number-of-.patch
  (CVE-2020-27673 XSA-332 bsc#1177411).
- Update
  patches.suse/0012-xen-events-block-rogue-events-for-some-time.patch
  (CVE-2020-27673 XSA-332 bsc#1177411).
- Update
  patches.suse/XEN-uses-irqdesc-irq_data_common-handler_data-to-sto.patch
  (CVE-2020-27673 XSA-332 bsc#1065600).
- Update
  patches.suse/xen-events-avoid-removing-an-event-channel-while-han.patch
  (CVE-2020-27675 XSA-331 bsc#1177410).
- Update
  patches.suse/xen-events-don-t-use-chip_data-for-legacy-IRQs.patch
  (CVE-2020-27673 XSA-332 bsc#1065600).
- Added CVE numbers for above patches.
- commit 0258ab9
- mm/userfaultfd: do not access vma->vm_mm after calling
  handle_userfault() (bsc#1179204).
- commit 7318dbe
- IB/hfi1: Ensure correct mm is used at all times (bsc#1179878
  CVE-2020-27835).
- IB/hfi1: Move structure definitions from user_exp_rcv.c to
  user_exp_rcv.h (bsc#1179878).
- IB/hfi1: Fix the bail out code in pin_vector_pages() function
  (bsc#1179878).
- IB/hfi1: Clean up pin_vector_pages() function (bsc#1179878).
- IB/hfi1: Clean up hfi1_user_exp_rcv_setup function
  (bsc#1179878).
- IB/hfi1: Use filedata rather than filepointer (bsc#1179878).
- IB/hfi1: Name function prototype parameters (bsc#1179878).
- commit 96dfbdb
- scsi: iscsi: Fix a potential deadlock in the timeout handler
  (bsc#1178272).
- commit 0435a8c
- Refresh patches.suse/powerpc-Implement-user_access_begin-and-friends.patch.
  Drop unused definition.
- commit 6652b07
- Refresh patches.suse/powerpc-rfi-flush-Move-RFI-flush-fields-out-of-the-p.patch (bsc#1180815).
  Fixup the PACA_AUX handling in entry an uaccess flush.
- commit 3b153a1
- xen: support having only one event pending per watch
  (bsc#1179508 XSA-349 CVE-2020-29568).
- commit 8958f53
- xen: revert Allow watches discard events before queueing
  (bsc#1179508 XSA-349 CVE-2020-29568).
- commit bbbf26c
- xen: revert Add 'will_handle' callback support in
  xenbus_watch_path() (bsc#1179508 XSA-349 CVE-2020-29568).
- commit 91d64f5
- xen: revert Support will_handle watch callback (bsc#1179508
  XSA-349 CVE-2020-29568).
- commit 9715572
- xen: revert Count pending messages for each watch (bsc#1179508
  XSA-349 CVE-2020-29568).
- commit 047dcd1
- xen: revert Disallow pending watch messages (bsc#1179508
  XSA-349 CVE-2020-29568).
- commit 3296374
- xen-blkback: set ring->xenblkd to NULL after kthread_stop()
  (bsc#1179509 XSA-350 CVE-2020-29569).
- commit acb25f4
- xenbus/xenbus_backend: Disallow pending watch messages
  (bsc#1179508 XSA-349 CVE-2020-29568).
- commit dd5910a
- xen/xenbus: Count pending messages for each watch (bsc#1179508
  XSA-349 CVE-2020-29568).
- commit 8136b44
- xen/xenbus/xen_bus_type: Support will_handle watch callback
  (bsc#1179508 XSA-349 CVE-2020-29568).
- commit 4582297
- xen/xenbus: Add 'will_handle' callback support in
  xenbus_watch_path() (bsc#1179508 XSA-349 CVE-2020-29568).
- commit d272247
- xen/xenbus: Allow watches discard events before queueing
  (bsc#1179508 XSA-349 CVE-2020-29568).
- commit 0d1044d
- fix regression in "/epoll: Keep a reference on files added to
  the check list"/  (bsc#1180031, git-fixes).
- do_epoll_ctl(): clean the failure exits up a bit
  (bsc#1180031,CVE-2020-0466).
- epoll: Keep a reference on files added to the check list
  (bsc#1180031).
- commit f620437
- Move upstreamed vgacon patch into sorted section
- commit 39c8e9f
- audit: fix error handling in audit_data_to_entry()
  (CVE-2020-0444 bsc#1180027).
- commit 20e9b9f
- mwifiex: Fix possible buffer overflows in
  mwifiex_cmd_802_11_ad_hoc_start (CVE-2020-36158 bsc#1180559).
- commit 6e082c0
- Refresh patches.suse/powerpc-rtas-fix-typo-of-ibm-open-errinjct-in-rtas-f.patch
  Refresh to upstream version.
- commit bc91473
- tracing: Fix race in trace_open and buffer resize call
  (CVE-2020-27825 bsc#1179960).
- commit e2d61a2
- ring-buffer: speed up buffer resets by avoiding synchronize_rcu
  for each CPU (CVE-2020-27825 bsc#1179960).
- commit 26416a1
- ring-buffer: Make resize disable per cpu buffer instead of
  total buffer (CVE-2020-27825 bsc#1179960).
- commit 324f602
- cfg80211: add missing policy for NL80211_ATTR_STATUS_CODE
  (CVE-2020-27068 bsc#1180086).
- commit 4f3308e
- HID: Fix slab-out-of-bounds read in hid_field_extract
  (bsc#1180052).
- commit 4d89452
- HID: core: Sanitize event code and type when mapping input
  (CVE-2020-0465 bsc#1180029).
- commit 396f396
- tty: Fix ->session locking (bsc#1179745 CVE-2020-29660).
- tty: Fix ->pgrp locking in tiocspgrp() (bsc#1179745
  CVE-2020-29661).
- commit 1cc3fb3
- powerpc/rtas: fix typo of ibm,open-errinjct in rtas filter
  (CVE-2020-27777 bsc#1179107 bsc#1179887 ltc#190092).
- commit d1f9480
- media: xirlink_cit: add missing descriptor sanity checks
  (bsc#1168952 CVE-2020-11668).
- commit 3e66aa1
- Update
  patches.fixes/sched-fair-Don-t-free-p-numa_faults-with-concurrent-.patch
  (bsc#1144920, bsc#1179663, CVE-2019-20934).
- commit d9fcab2
- powerpc: Stop exporting __clear_user which is now inlined
  (CVE-2020-4788 bsc#1177666).
- commit 8ac43e7
- ALSA: rawmidi: Change resized buffers atomically (CVE-2018-10902
  bsc#1105322).
- commit 2190948
- kABI workaround for snd_rawmidi buffer_ref field addition
  (CVE-2020-27786 bsc#1179601).
- commit 5bed91c
- ALSA: rawmidi: Fix racy buffer resize under concurrent accesses
  (CVE-2020-27786 bsc#1179601).
- commit 1c1d0c3
- cifs: fix potential use-after-free in cifs_echo_request()
  (bsc#1139944).
- commit 3f7fb1a
- powerpc/64s: flush L1D after user accesses (CVE-2020-4788
  bsc#1177666).
- Refresh patches.suse/0009-x86-speculation-taa-Add-documentation-for-TSX-Async-.patch.
- Refresh patches.arch/kvm-x86-mmu-Apply-global-mitigations-knob-to-ITLB_MULTIHIT.patch.
- Refresh patches.kabi/kABI-powerpc-avoid-including-pgtable.h-in-kup.h.patch.
- powerpc/uaccess: Evaluate macro arguments once, before user
  access is allowed (CVE-2020-4788 bsc#1177666).
- powerpc: Fix __clear_user() with KUAP enabled (CVE-2020-4788
  bsc#1177666).
- powerpc: Implement user_access_begin and friends (CVE-2020-4788
  bsc#1177666).
- powerpc: Add a framework for user access tracking (CVE-2020-4788
  bsc#1177666).
- powerpc/64s: flush L1D on kernel entry (CVE-2020-4788
  bsc#1177666).
- Refresh patches.suse/0009-x86-speculation-taa-Add-documentation-for-TSX-Async-.patch.
- Refresh patches.arch/kvm-x86-mmu-Apply-global-mitigations-knob-to-ITLB_MULTIHIT.patch.
- Refresh patches.suse/powerpc-rfi-flush-Move-RFI-flush-fields-out-of-the-p.patch.
- powerpc/64s: move some exception handlers out of line
  (CVE-2020-4788 bsc#1177666).
- powerpc/64s: Define MASKABLE_RELON_EXCEPTION_PSERIES_OOL
  (CVE-2020-4788 bsc#1177666).
- commit 5decbce
- block: Fix use-after-free in blkdev_get() (bsc#1173834
  bsc#1179141 CVE-2020-15436).
- commit 14ac1a6
- kABI: powerpc: Add back __clear_user (CVE-2020-4788
  bsc#1177666).
- commit 5d98532
- kABI: powerpc: avoid including pgtable.h in kup.h (CVE-2020-4788
  bsc#1177666).
- commit 3c556af
- serial: 8250: fix null-ptr-deref in serial8250_start_tx()
  (CVE-2020-15437 bsc#1179140).
- commit 3fe67b6
- powerpc/rtas: Restrict RTAS requests from userspace
  (CVE-2020-27777 bsc#1179107).
- Update config files.
- commit 0dba49d
- vt: Disable KD_FONT_OP_COPY (CVE-2020-28974 bsc#1178589).
- commit c6f98d1
- Fonts: Replace discarded const qualifier (CVE-2020-28915
  bsc#1178886).
- fbcon: Fix global-out-of-bounds read in fbcon_get_font()
  (CVE-2020-28915 bsc#1178886).
- Fonts: Support FONT_EXTRA_WORDS macros for built-in fonts
  (CVE-2020-28915 bsc#1178886).
- fbdev, newport_con: Move FONT_EXTRA_WORDS macros into
  linux/font.h (CVE-2020-28915 bsc#1178886).
- commit 0af4cee
- video: hyperv_fb: include vmalloc.h (bsc#1175306).
  Refresh patches.suse/suse-hv-VERSION_WIN10_V5.patch.
  no code changes
- commit 4e8b360
- Refresh
  patches.arch/0002-x86-speculation-Enable-Spectre-v1-swapgs-mitigations.patch.
- commit b65cf87
- Input: sunkbd - avoid use-after-free in teardown paths
  (CVE-2020-25669 bsc#1178182).
- commit d1ac9b9
- mm/hugetlb: fix a race between hugetlb sysctl handlers
  (bsc#1176485, CVE-2020-25285).
- commit 17cb8e9
libyui-qt

      
python
- Add CVE-2021-3177-buf_ovrfl_PyCArg_repr.patch fixing
  bsc#1181126 (CVE-2021-3177) buffer overflow in PyCArg_repr in
  _ctypes/callproc.c, which may lead to remote code execution.
- Provide the newest setuptools wheel (bsc#1176262,
  CVE-2019-20916) in their correct form (bsc#1180686).
python-base
- Add CVE-2021-3177-buf_ovrfl_PyCArg_repr.patch fixing
  bsc#1181126 (CVE-2021-3177) buffer overflow in PyCArg_repr in
  _ctypes/callproc.c, which may lead to remote code execution.
- Provide the newest setuptools wheel (bsc#1176262,
  CVE-2019-20916) in their correct form (bsc#1180686).
python-cryptography
- Add patch CVE-2020-36242-buffer-overflow.patch (bsc#1182066, CVE-2020-36242)
  * Using the Fernet class to symmetrically encrypt multi gigabyte values
    could result in an integer overflow and buffer overflow.
screen
- Fix double width combining char handling that could lead
  to a segfault [bnc#1182092] [CVE-2021-26937]
  new patch: combchar.diff