- bind
-
- Security Fixes:
* Validating DNS messages containing a lot of DNSSEC signatures
could cause excessive CPU load, leading to a denial-of-service
condition. This has been fixed. (CVE-2023-50387)
[bsc#1219823, bind-CVE-2023-50387-CVE-2023-50868.patch]
* Preparing an NSEC3 closest encloser proof could cause excessive
CPU load, leading to a denial-of-service condition. This has
been fixed. (CVE-2023-50868)
[bsc#1219826, bind-CVE-2023-50387-CVE-2023-50868.patch]
* Parsing DNS messages with many different names could cause
excessive CPU load. This has been fixed. (CVE-2023-4408)
[bsc#1219851, bind-CVE-2023-4408.patch]
- libzypp
-
- Url: Hide known password entries when writing the query part
(bsc#1050625 bsc#1177583, CVE-2017-9271)
- version 16.22.13 (0)
- _product:sle-sdk-release
-
n/a
- mozilla-nss
-
- Added nss-fips-safe-memset.patch, fixing bsc#1222811.
- Removed some dead code from nss-fips-constructor-self-tests.patch.
- Rebased nss-fips-approved-crypto-non-ec.patch on above changes.
- Added nss-fips-aes-gcm-restrict.patch, fixing bsc#1222830.
- Updated nss-fips-approved-crypto-non-ec.patch, fixing bsc#1222813,
bsc#1222814, bsc#1222821, bsc#1222822, bsc#1224118.
- Updated nss-fips-approved-crypto-non-ec.patch and
nss-fips-constructor-self-tests.patch, fixing bsc#1222807,
bsc#1222828, bsc#1222834.
- Updated nss-fips-approved-crypto-non-ec.patch, fixing bsc#1222804,
bsc#1222826, bsc#1222833, bsc#1224113, bsc#1224115, bsc#1224116.
- update to NSS 3.101.1
* bmo#1901932 - missing sqlite header.
* bmo#1901080 - GLOBALTRUST 2020: Set Distrust After for TLS and S/MIME.
- update to NSS 3.101
* bmo#1900413 - add diagnostic assertions for SFTKObject refcount.
* bmo#1899759 - freeing the slot in DeleteCertAndKey if authentication failed
* bmo#1899883 - fix formatting issues.
* bmo#1889671 - Add Firmaprofesional CA Root-A Web to NSS.
* bmo#1899593 - remove invalid acvp fuzz test vectors.
* bmo#1898830 - pad short P-384 and P-521 signatures gtests.
* bmo#1898627 - remove unused FreeBL ECC code.
* bmo#1898830 - pad short P-384 and P-521 signatures.
* bmo#1898825 - be less strict about ECDSA private key length.
* bmo#1854439 - Integrate HACL* P-521.
* bmo#1854438 - Integrate HACL* P-384.
* bmo#1898074 - memory leak in create_objects_from_handles.
* bmo#1898858 - ensure all input is consumed in a few places in mozilla::pkix
* bmo#1884444 - SMIME/CMS and PKCS #12 do not integrate with modern NSS policy
* bmo#1748105 - clean up escape handling
* bmo#1896353 - Use lib::pkix as default validator instead of the old-one
* bmo#1827444 - Need to add high level support for PQ signing.
* bmo#1548723 - Certificate Compression: changing the allocation/freeing of buffer + Improving the documentation
* bmo#1884444 - SMIME/CMS and PKCS #12 do not integrate with modern NSS policy
* bmo#1893404 - Allow for non-full length ecdsa signature when using softoken
* bmo#1830415 - Modification of .taskcluster.yml due to mozlint indent defects
* bmo#1793811 - Implement support for PBMAC1 in PKCS#12
* bmo#1897487 - disable VLA warnings for fuzz builds.
* bmo#1895032 - remove redundant AllocItem implementation.
* bmo#1893334 - add PK11_ReadDistrustAfterAttribute.
* bmo#215997 - Clang-formatting of SEC_GetMgfTypeByOidTag update
* bmo#1895012 - Set SEC_ERROR_LIBRARY_FAILURE on self-test failure
* bmo#1894572 - sftk_getParameters(): Fix fallback to default variable after error with configfile.
* bmo#1830415 - Switch to the mozillareleases/image_builder image
- Follow upstream changes in nss-fips-constructor-self-tests.patch (switch from ec_field_GFp to ec_field_plain)
- Remove part of nss-fips-zeroization.patch that got removed upstream
- update to NSS 3.100
- bmo#1893029 - merge pk11_kyberSlotList into pk11_ecSlotList for
faster Xyber operations.
- bmo#1893752 - remove ckcapi.
- bmo#1893162 - avoid a potential PK11GenericObject memory leak.
- bmo#671060 - Remove incomplete ESDH code.
- bmo#215997 - Decrypt RSA OAEP encrypted messages.
- bmo#1887996 - Fix certutil CRLDP URI code.
- bmo#1890069 - Don't set CKA_DERIVE for CKK_EC_EDWARDS private keys.
- bmo#676118 - Add ability to encrypt and decrypt CMS messages using ECDH.
- bmo#676100 - Correct Templates for key agreement in smime/cmsasn.c.
- bmo#1548723 - Moving the decodedCert allocation to NSS.
- bmo#1885404 - Allow developers to speed up repeated local execution
of NSS tests that depend on certificates.
- update to NSS 3.99
* Removing check for message len in ed25519 (bmo#1325335)
* add ed25519 to SECU_ecName2params. (bmo#1884276)
* add EdDSA wycheproof tests. (bmo#1325335)
* nss/lib layer code for EDDSA. (bmo#1325335)
* Adding EdDSA implementation. (bmo#1325335)
* Exporting Certificate Compression types (bmo#1881027)
* Updating ACVP docker to rust 1.74 (bmo#1880857)
* Updating HACL* to 0f136f28935822579c244f287e1d2a1908a7e552 (bmo#1325335)
* Add NSS_CMSRecipient_IsSupported. (bmo#1877730)
- update to NSS 3.98
* bmo#1780432 - (CVE-2023-5388) Timing attack against RSA decryption
in TLS
* bmo#1879513 - Certificate Compression: enabling the check that
the compression was advertised
* bmo#1831552 - Move Windows workers to nss-1/b-win2022-alpha
* bmo#1879945 - Remove Email trust bit from OISTE WISeKey
Global Root GC CA
* bmo#1877344 - Replace `distutils.spawn.find_executable` with
`shutil.which` within `mach` in `nss`
* bmo#1548723 - Certificate Compression: Updating nss_bogo_shim to
support Certificate compression
* bmo#1548723 - TLS Certificate Compression (RFC 8879) Implementation
* bmo#1875356 - Add valgrind annotations to freebl kyber operations
for constant-time execution tests
* bmo#1870673 - Set nssckbi version number to 2.66
* bmo#1874017 - Add Telekom Security roots
* bmo#1873095 - Add D-Trust 2022 S/MIME roots
* bmo#1865450 - Remove expired Security Communication RootCA1 root
* bmo#1876179 - move keys to a slot that supports concatenation in
PK11_ConcatSymKeys
* bmo#1876800 - remove unmaintained tls-interop tests
* bmo#1874937 - bogo: add support for the -ipv6 and -shim-id shim
flags
* bmo#1874937 - bogo: add support for the -curves shim flag and
update Kyber expectations
* bmo#1874937 - bogo: adjust expectation for a key usage bit test
* bmo#1757758 - mozpkix: add option to ignore invalid subject
alternative names
* bmo#1841029 - Fix selfserv not stripping `publicname:` from -X value
* bmo#1876390 - take ownership of ecckilla shims
* bmo#1874458 - add valgrind annotations to freebl/ec.c
* bmo#864039 - PR_INADDR_ANY needs PR_htonl before assignment to inet.ip
* bmo#1875965 - Update zlib to 1.3.1
- Use %patch -P N instead of deprecated %patchN.
- update to NSS 3.97
* bmo#1875506 - make Xyber768d00 opt-in by policy
* bmo#1871631 - add libssl support for xyber768d00
* bmo#1871630 - add PK11_ConcatSymKeys
* bmo#1775046 - add Kyber and a PKCS#11 KEM interface to softoken
* bmo#1871152 - add a FreeBL API for Kyber
* bmo#1826451 - part 2: vendor github.com/pq-crystals/kyber/commit/e0d1c6ff
* bmo#1826451 - part 1: add a script for vendoring kyber from pq-crystals repo
* bmo#1835828 - Removing the calls to RSA Blind from loader.*
* bmo#1874111 - fix worker type for level3 mac tasks
* bmo#1835828 - RSA Blind implementation
* bmo#1869642 - Remove DSA selftests
* bmo#1873296 - read KWP testvectors from JSON
* bmo#1822450 - Backed out changeset dcb174139e4f
* bmo#1822450 - Fix CKM_PBE_SHA1_DES2_EDE_CBC derivation
* bmo#1871219 - Wrap CC shell commands in gyp expansions
- update to NSS 3.96.1
* bmo#1869408 - Use pypi dependencies for MacOS worker in ./build_gyp.sh
* bmo#1830978 - p7sign: add -a hash and -u certusage (also p7verify cleanups)
* bmo#1867408 - add a defensive check for large ssl_DefSend return values
* bmo#1869378 - Add dependency to the taskcluster script for Darwin
* bmo#1869378 - Upgrade version of the MacOS worker for the CI
- add nss-allow-slow-tests-s390x.patch: "certutil dump keys with
explicit default trust flags" test needs longer than the allowed
6 seconds on s390x
- update to NSS 3.95
* bmo#1842932 - Bump builtins version number.
* bmo#1851044 - Remove Email trust bit from Autoridad de Certificacion
Firmaprofesional CIF A62634068 root cert.
* bmo#1855318 - Remove 4 DigiCert (Symantec/Verisign) Root Certificates
* bmo#1851049 - Remove 3 TrustCor Root Certificates from NSS.
* bmo#1850982 - Remove Camerfirma root certificates from NSS.
* bmo#1842935 - Remove old Autoridad de Certificacion Firmaprofesional
Certificate.
* bmo#1860670 - Add four Commscope root certificates to NSS.
* bmo#1850598 - Add TrustAsia Global Root CA G3 and G4 root certificates.
* bmo#1863605 - Include P-384 and P-521 Scalar Validation from HACL*
* bmo#1861728 - Include P-256 Scalar Validation from HACL*.
* bmo#1861265 - After the HACL 256 ECC patch, NSS incorrectly encodes
256 ECC without DER wrapping at the softoken level
* bmo#1837987 - Add means to provide library parameters to C_Initialize
* bmo#1573097 - clang format
* bmo#1854795 - add OSXSAVE and XCR0 tests to AVX2 detection.
* bmo#1858241 - Typo in ssl3_AppendHandshakeNumber
* bmo#1858241 - Introducing input check of ssl3_AppendHandshakeNumber
* bmo#1573097 - Fix Invalid casts in instance.c
- update to NSS 3.94
* bmo#1853737 - Updated code and commit ID for HACL*
* bmo#1840510 - update ACVP fuzzed test vector: refuzzed with
current NSS
* bmo#1827303 - Softoken C_ calls should use system FIPS setting
to select NSC_ or FC_ variants
* bmo#1774659 - NSS needs a database tool that can dump the low level
representation of the database
* bmo#1852179 - declare string literals using char in pkixnames_tests.cpp
* bmo#1852179 - avoid implicit conversion for ByteString
* bmo#1818766 - update rust version for acvp docker
* bmo#1852011 - Moving the init function of the mpi_ints before
clean-up in ec.c
* bmo#1615555 - P-256 ECDH and ECDSA from HACL*
* bmo#1840510 - Add ACVP test vectors to the repository
* bmo#1849077 - Stop relying on std::basic_string<uint8_t>
* bmo#1847845 - Transpose the PPC_ABI check from Makefile to gyp
- rebased patches
- added nss-fips-test.patch to fix broken test
- Update to NSS 3.93:
* bmo#1849471 - Update zlib in NSS to 1.3.
* bmo#1848183 - softoken: iterate hashUpdate calls for long inputs.
* bmo#1813401 - regenerate NameConstraints test certificates (boo#1214980).
- Rebase nss-fips-pct-pubkeys.patch.
- update to NSS 3.92
* bmo#1822935 - Set nssckbi version number to 2.62
* bmo#1833270 - Add 4 Atos TrustedRoot Root CA certificates to NSS
* bmo#1839992 - Add 4 SSL.com Root CA certificates
* bmo#1840429 - Add Sectigo E46 and R46 Root CA certificates
* bmo#1840437 - Add LAWtrust Root CA2 (4096)
* bmo#1822936 - Remove E-Tugra Certification Authority root
* bmo#1827224 - Remove Camerfirma Chambers of Commerce Root.
* bmo#1840505 - Remove Hongkong Post Root CA 1
* bmo#1842928 - Remove E-Tugra Global Root CA ECC v3 and RSA v3
* bmo#1842937 - Avoid redefining BYTE_ORDER on hppa Linux
- update to NSS 3.91
* bmo#1837431 - Implementation of the HW support check for ADX instruction
* bmo#1836925 - Removing the support of Curve25519
* bmo#1839795 - Fix comment about the addition of ticketSupportsEarlyData
* bmo#1839327 - Adding args to enable-legacy-db build
* bmo#1835357 - dbtests.sh failure in "certutil dump keys with explicit
default trust flags"
* bmo#1837617 - Initialize flags in slot structures
* bmo#1835425 - Improve the length check of RSA input to avoid heap overflow
* bmo#1829112 - Followup Fixes
* bmo#1784253 - avoid processing unexpected inputs by checking for
m_exptmod base sign
* bmo#1826652 - add a limit check on order_k to avoid infinite loop
* bmo#1834851 - Update HACL* to commit 5f6051d2
* bmo#1753026 - add SHA3 to cryptohi and softoken
* bmo#1753026 - HACL SHA3
* bmo#1836781 - Disabling ASM C25519 for all but X86_64
- removed upstreamed patch nss-fix-bmo1836925.patch
- update to NSS 3.90.3
* bmo#1901080 - GLOBALTRUST 2020: Set Distrust After for TLS and S/MIME.
* bmo#1748105 - clean up escape handling.
* bmo#1895032 - remove redundant AllocItem implementation.
* bmo#1836925 - Disable ASM support for Curve25519.
* bmo#1836781 - Disable ASM support for Curve25519 for all but X86_64.
- remove upstreamed nss-fix-bmo1836925.patch
- Adding nss-fips-bsc1223724.patch to fix startup crash of Firefox
when using FIPS-mode (bsc#1223724).
- Added "Provides: nss" so other RPMs that require 'nss' can
be installed (jira PED-6358).
- python3
-
- bsc#1221854 (CVE-2024-0450) Add
CVE-2024-0450-zipfile-avoid-quoted-overlap-zipbomb.patch
detecting the vulnerability of the "quoted-overlap" zipbomb
(from gh#python/cpython!110016).
- Add CVE-2023-52425-libexpat-2.6.0-backport.patch fixing etree
XMLPullParser tests for Expat >=2.6.0 with reparse deferral
(fixing CVE-2023-52425 or bsc#1219559).
- libfastjson
-
- fix CVE-2020-12762 integer overflow and out-of-bounds write via a
large JSON file (bsc#1171479)
add 0001-Fix-CVE-2020-12762.patch
- cups
-
- cups-1.7.5-CVE-2024-35235.patch for CUPS 1.7.5 in SLE12
is derived from our cups-2.2.7-CVE-2024-35235.patch for SLE15
which was derived from the upstream patch for CUPS 2.5
to behave backward compatible for CUPS 1.7.5 in SLE12
to fix CVE-2024-35235
"cupsd Listen port arbitrary chmod 0140777"
without the more secure but backward-incompatible behaviour
of the upstream patch for CUPS 2.5
that ignores domain sockets specified in 'Listen' entries
in /etc/cups/cupsd.conf when cupsd is launched via systemd
(in particular when launched on-demand by systemd)
https://github.com/OpenPrinting/cups/security/advisories/GHSA-vvwp-mv6j-hw6f
bsc#1225365
- openldap2
-
- bsc#1217985 - Null pointer deref in referrals as part of
ldap_chain_response()
* 0229-ITS-9262-check-referral.patch
- bsc#1220787 - increase DH param minimums to 2048 bits
* 0228-bsc-1220787-increase-dh-param-minimums.patch
- google-cloud-sap-agent
-
- Update to version 3.4 (bsc#1227134, bsc#1227135)
* Adding project to exclusion list
* Add machine type to configure instance proto for WLM metric collection.
* Add test channel for Guest Actions. Make default channel the registered channel.
* Set backup object's customTime field as part of backint backups
* Add workload discovery to configure command
* Add multiple workers support in parallelreader for parallel downloading during restore.
* `configureinstance` with `overrideVersion` set should log a warning and continue.
* Minor log change in balanceirq
* Add common function to parse parameters for guest action handlers
* BalanceIRQ OTE added to Agent for SAP
* Remove output from stdout for DIAGNOSE
* Small hyperThreading change for configureinstance
* Add initial steps to initialize the SystemDiscovery OTE in IIOTE and command mode.
* Adding single worker support in parallelreader for download.
* Read encryption key from file if specified in parameters file
* Run configureinstance OTE only on supported instances during WLM metric collection.
* Add instance ID to user agent string for SAP Agent.
* Return `UsageError` as exit status instead of `Failure` in case of invalid parameters
* Bumping up the agent version
* Use json marshalling instead of manually parsing from map in configure handler
* Move metric override modules to metricoverrides.go for general use
* Updating the gcbdr proto
* Updating param names to make it more clear in performance diagnostics
* Add DiskSizeGb to Disk for disk creation.
* Add Demo Metrics for Process Metrics
* Add warning message for configureinstance overrideVersion
* Add 3.3 to configureinstance versioning
* Fix log message in configureinstance
* Rename scope and param file to type and backint-param-file to avoid confusion
* Add new OTE structure for SystemDiscovery.
* Allows SAP system data to be read from an override file instead
of discovered from the system. Useful for testing.
* Refactor buildSupportBundleCommand by marshalling command parameters
* Remove cluster member check for cluster collection
* Add connectParameters as a function parameter in restoreFile function to have
multiple bucket handles in parallelreader for parallel downloading.
* Enable auto discovery of disks and make datadiskname and zone optional parameters
* Add support for performancediagnostics OTE guest action handler
* Add override version flag to configureinstance
* Rename LVM volume group of restored disk to that of the target disk.
* Sleep during TestCommunicateWithUAP to only execute intended
code path once instead of many times.
* Update grub configuration for X4 configureinstance
* Extend result-bucket support to support bundle guest action
* Add provisioned-iops and provisioned-throughput labels
to snapshots and extract them during restore.
* Configureinstance updates for SAP ECS
* Add sequential in parallel download functionality for restore to SAP Agent.
* Implement hanadiskbackup guest action handler
* Add operation_id to UAP status labels.
* Add user agent overrides for cloud monitoring
* Updating generated protobufs
* Update sanity check for fast collector metric
* Reliability Metrics - Use the usage metrics instead of
internal cloud monitoring metrics
* Fix restoreFromGroupSnapshot and restoreFromSingleSnapshot logic
* Implement support bundle handler. This CL follows a pattern for
implementing handler which was developed in cl/636640791
* Move timeseries.go and cloudmonitoring.go to shared/
* Only stop HANA monitoring if successive errors are auth related
* Use flag names for command parameters in configureHandler
* Add check and apply finished metrics to configureinstance
* Add snapshot / group backup name to success log message
* Better handling of experimental flag in hanamonitoring
* Return error if physical device is empty
* Added an experimental flag to control role based awareness in hana monitoring
* Adding role based awareness logic in HANA Monitoring
* Add upload feature to support bundle
* Add context to onetime logging functions
* Fix logging and make confirm-data-snapshot-after-create true by default
* Add debug logs for hanabackup to help troubleshoot issues.
* Remove HDB User requirement when HDBUserstore key is passed for hanadiskbackup
* Append labels to detached disk in hanadiskrestore
* Add placeholder for parallel reader in Backint
* Modify restore handlers to be able to restore from either
source snapshot or group snapshot.
* Modify checking preconditions and adding fakes for group snapshot restore.
* Add initial support for restoring from group snapshot.
* Add UAP Communication to startdaemon (gated by a configuration).
* Fixing the commands in perfdiag
* Refactor handleAgentCommand with guestActionsHandlers map
* Add replication sites to system component proto
* Build updated to use -mod=vendor during build
* Updated go.mod and go.sum with dependencies for safetext,
using go mod vendor for github action
* Adding changes for target based config in hana monitoring
* Overriding the user agent for Cloud Logging API calls
* Fix typo in guestactions.proto
* WLM Hana Full Backup Validation Metric collection
* Add configure command to guest actions. Establish how the new proto
format will be used in message handling.
* Add ping check to HANA monitoring
* [commandlineexecutor] Add the ability to directly pass data into Stdin, avoiding
the need for intermediary piping commands, such as "echo 'data' | my_app".
- Update to version 3.3 (bsc#1225166, bsc#1225558)
* Build updated to use -mod=vendor during build
* Updated go.mod and go.sum with dependencies for safetext,
using go mod vendor for github action
* Add actual values and comments to usagemetrics.go to ensure that
error and action codes are only appended to the end of the list.
* Remove usage metrics from configureinstance.go
* Add a hard Disable for reliability metrics collection
until the namespace is created and tested.
* Adding metrics for time taken by each query
* Add SHA224 of labels as a new label.
* Remove collect_reliability_metrics from configuration.json
* Small tweaks to backint log and inquire path generation
* Fix for unmarshalling backint configuration.
* Implementation of instant snapshot group backup workflow
* Backint changes around shorten_folder_path
* Rename max_diagnose_size_gb to diagnose_file_max_size_gb
* Adding start and finish logs in performance diagnostics
* Validate that all disks mapped to /hana/data belong to the same consistency group.
* Rename backint monitoring metrics parameter
* Trim folder prefix for Backint INQUIRE output.
* Add the ability to test the database connection
* Reduce log level of some storage messages to debug.
* Finalize guest action request and response format.
* Backint dashboard fix logs
* Add scorecards to backint dashboard
* Making proto changes for HANA Monitoring support
for multiple tenants and ha setup
* Add total upload/download time to log.
* Add HANA indexserver.ini metrics to WLM metric collection.
* Add Netweaver role metrics as part of process metrics
* Rotate old support bundles.
* Update the default value of confirm-data-snapshot-after-create
to false, and add to usage()
* Add option to confirm HANA snapshot as successful before disk snapshot is uploaded.
* Change log level from warn to info for non-critical messages.
* Add diagnose_folder parameter to Backint
* Add a 1 GB buffer to needed bytes for diagnostic
* Add labels to group snapshot backup.
* Enable the show status and restart agent functions for Windows.
* Add WLM metric collection for num_completion_queues and num_submit_queues.
* Collect support bundle on Backint errors.
* Adding usage metrics to performance diagnostics
* Collect agent-only support bundle on failure of backint and hanadiskbackup.
* Minor Backint improvements
* Add ability to collect only agent logs using agent-logs-only flag to supportbundle
* Bump version to 3.3
* Add Backint metrics dashboard
* DO NOT remove log files on uninstall
* Adding more unit tests
* Changing location of zipped file to within the
final folder identified by unique timestamp.
* Minor refactorings and improvements with increasing code coverage
* Make sure DB instance number is recorded in System data.
* Change configuration.json to 0664 to ensure world cannot write.
* Add Netweaver Java discovery to SAP Agent.
* Add a new version of functions to read cloud properties from metadata server.
* Updating generated protos to proc-gen-go v1.34.1
* Updating runConfigureInstance method and adding unit tests
for covering configure instance ote invocation
* Zip the final bundle and add upload functionality
* Record database SID alongside tenant DB SIDs
* Reduce log severity in discovery
* Add HANA version to product version data
* Fix race condition in tests
* Read disk mapping from instance info if source disk
is not provided to hanadiskbackup
* Add option to shorten the folder path in the bucket.
* Add SSL support for cmdline-based querying and some bugfixes
* Move recovery package to shared directory.
* Update protoc-gen-go version to v1.34.0 in multiple protos
* Adding FIO commands to performance diagnostics
* Remove error logs when errors are being returned
* Adding perfdiag to performance diagnostics
* Add AppInstance data to discovery data uploads.
* Introduce protos for guestactions messages and responses.
Support multiple commands per message.
* Update wording for HANA Insights rules.
* Configureinstance updates.
* Adding a check for retention policy before performing backup operation.
* Remove the unused loglevel flag from logusage OTE
* Change the language around the default parameters being
optimized for performance in backint
* Add instance role to SAP System properties
* Increase wait time for index server to stop.
* Integrating backint OTE into performancediagnostics
* Update wording around configureinstance unsupported machine type.
* Pass the right disk name to check if disk is attached
* Integrating new DB Handle and hdbuserstore key support
with remaining HANA DB dependant workflows
* Refactor HANA and filesystems specific code to a common hanabackup package
* Bumps x/net dependency to v0.23
* Append HANA Insights rule to WLM fake metrics file in script to generate WLM rule.
* Integrating configure instance ote in performance diagnostics
* Update disk backup OTE to parse paths even with /dev/mapper
in the middle of path, not necessarily as a prefix
* Adding a few missing labels to wlm-fake-metrics.yaml
* Changing loglevel for onetime.Init() calls
* Refactor change - Move PD related functions to gce.go
* Fix agentcommunication import replace statements
* Update replace functions for new open source dependencies.
* Set up scaffolding for guest actions handling in SAP Agent along with UAP library code
* Backint upload/download metrics sent to cloud monitoring.
* Cleaning up the performance diagnostics file with recent changes
* Fixes to usage strings in OTEs for optional params
* Integrating new database connector with HANA Monitoring
and adding support for HDBUserstore Key
* Implement hdbsql commandline result parsing
* SAP Discovery - Add SAP Instance Numbers to instance properties
* Updating OTEs to include params for when OTE is invoked internally
* Modifying flags to follow design changes
* Create fake WLM metric overrides for testing
* Implement constructors and query functions for querying
HANA DB via hdbuserstore using cmdline
* Skeleton for querying HANA DB via hdbuserstore using cmdline
* Parameterize Backint Diagnose max file size.
* Metadata parameter added to Backint.
* Adding initial layout for performance diagnostics OTE
* Create a new API CreateClient() in shared logging which
returns an error in case of failures
* Backint no longer writes ERROR if temporary chunk failed to delete.
* Create onetime.Init() to condense reused code.
* Fixing a typo in a process metrics retry logic comment
* Rename workload_validation param with workload_evaluation in configure OTE
* Send agent version in Write Insight requests
* Ensuring /sap/cluster/resources covers all the nodes.
- avahi
-
- Add avahi-CVE-2023-38472.patch: Fix reachable assertion in
avahi_rdata_parse (bsc#1216853, CVE-2023-38472).
- Add avahi-CVE-2023-38470.patch: Ensure each label is at least one
byte long (bsc#1215947, CVE-2023-38470).
- python-requests
-
- Add CVE-2024-35195.patch (CVE-2024-35195, bsc#1224788)
- Add httpbin.patch to fix a test failure caused by the previous patch.
- tiff
-
- security update:
* CVE-2023-3164 [bsc#1212233]
Fix heap buffer overflow in tiffcrop
+ tiff-CVE-2023-3164.patch
- google-guest-oslogin
-
- Fix file permissions for google_authorized_principals binary (bsc#1222171)
- Update to version 20240311.00 (bsc#1218548, bsc#1221900, bsc#1221901)
* pam: Bring back pam's account management implementation (#133)
* Change error messages when checking login policy (#129)
* Remove quintonamore from OWNERS (#128)
- wicked
-
- arp: increase arp-send retry value to avoid address configuration
failure due to ENOBUF reported by kernel while duplicate address
detection with underlying bonding in 802.3ad mode reporting link
"up & running" too early (bsc#1218668, gh#openSUSE/wicked#1020,
gh#openSUSE/wicked#1022).
[+ 0002-increase-arp-retry-attempts-on-sending-bsc1218668.patch]
- client: fix ifreload to pull UP ports/links again when the config
of their master/lower changed (bsc#1224100,gh#openSUSE/wicked#1014).
[+ 0001-ifreload-pull-UP-again-on-master-lower-changes-bsc1224100.patch]
- Update to version 0.6.75:
- cleanup: fix ni_fsm_state_t enum-int-mismatch warnings
- cleanup: fix overflow warnings in a socket testcase on i586
- ifcheck: report new and deleted configs as changed (bsc#1218926)
- man: improve ARP configuration options in the wicked-config.5
- bond: add ports when master is UP to avoid port MTU revert (bsc#1219108)
- cleanup: fix interface dependencies and shutdown order (bsc#1205604)
- Remove port arrays from bond,team,bridge,ovs-bridge (redundant)
and consistently use config and state info attached to the port
interface as in rtnetlink(7).
- Cleanup ifcfg parsing, schema configuration and service properties
- Migrate ports in xml config and policies already applied in nanny
- Remove "missed config" generation from finite state machine, which
is completed while parsing the config or while xml config migration.
- Issue a warning when "lower" interface (e.g. eth0) config is missed
while parsing config depending on it (e.g. eth0.42 vlan).
- Resolve ovs master to the effective bridge in config and wickedd
- Implement netif-check-state require checks using system relations
from wickedd/kernel instead of config relations for ifdown and add
linkDown and deleteDevice checks to all master and lower references.
- Add a `wicked <ifup|ifdown|ifreload> --dry-run …` option to show the
system/config interface hierarchies as notice with +/- marked
interfaces to setup and/or shutdown.
- Removed patches included in the source archive:
[- 0001-addrconf-fix-fallback-lease-drop-bsc-1220996.patch]
[- 0002-extensions-nbft-replace-nvme-show-nbft-with-nvme-nbf.patch]
[- 0003-move-all-attribute-definitions-to-compiler-h.patch]
[- 0004-hide-secrets-in-debug-log-bsc-1221194.patch]
[- 0005-client-do-to-not-convert-sec-to-msec-twice-bsc-1222105.patch]
- suseconnect-ng
-
- Update to version 1.9.0
* Fix certificate import for Yast when using a registration proxy with
self-signed SSL certificate (bsc#1223107)
- gcc13
-
- Update to GCC 13.3 release
- Update to gcc-13 branch head, b7a2697733d19a093cbdd0e200, git8761
- Removed gcc13-pr111731.patch now included upstream
- Add gcc13-amdgcn-remove-fiji.patch removing Fiji support from
the GCN offload compiler as that is requiring Code Object version 3
which is no longer supported by llvm18.
- Add gcc13-pr101523.patch to avoid combine spending too much
compile-time and memory doing nothing on s390x. [boo#1188441]
- Make requirement to lld version specific to avoid requiring the
meta-package.
- Add gcc13-pr111731.patch to fix unwinding for JIT code.
[bsc#1221239]
- Revert libgccjit dependency change. [boo#1220724]
- Fix libgccjit-devel dependency, a newer shared library is OK.
- Fix libgccjit dependency, the corresponding compiler isn't required.
- Use %patch -P N instead of %patchN.
- Add gcc13-sanitizer-remove-crypt-interception.patch to remove
crypt and crypt_r interceptors. The crypt API change in SLE15 SP3
breaks them. [bsc#1219520]
- Update to gcc-13 branch head, 67ac78caf31f7cb3202177e642, git8285
- Add gcc13-pr88345-min-func-alignment.diff to add support for -fmin-function-alignment. [bsc#1214934]
- Use %{_target_cpu} to determine host and build.
- Update to gcc-13 branch head, fc7d87e0ffadca49bec29b2107, git8250
* Includes fix for building TVM. [boo#1218492]
- Add cross-X-newlib-devel requires to newlib cross compilers.
[boo#1219031]
- Package m2rte.so plugin in the gcc13-m2 sub-package rather than
in gcc13-devel. [boo#1210959]
- Require libstdc++6-devel-gcc13 from gcc13-m2 as m2 programs
are linked against libstdc++6.
- Update to gcc-13 branch head, 36ddb5230f56a30317630a928, git8205
- Update to gcc-13 branch head, 741743c028dc00f27b9c8b1d5, git8109
* Includes fix for building mariadb on i686. [bsc#1217667]
* Remove pr111411.patch contained in the update.
- Avoid update-alternatives dependency for accelerator crosses.
- Package tool links to llvm in cross-amdgcn-gcc13 rather than in
cross-amdgcn-newlib13-devel since that also has the dependence.
- Depend on llvmVER instead of llvm with VER equal to
%product_libs_llvm_ver where available and adjust tool discovery
accordingly. This should also properly trigger re-builds when
the patchlevel version of llvmVER changes, possibly changing
the binary names we link to. [bsc#1217450]
- util-linux
-
- fix Xen virtualization type misidentification bsc#1215918
lscpu-fix-parameter-order-for-ul_prefix_fopen.patch
- python3-base
-
- bsc#1221854 (CVE-2024-0450) Add
CVE-2024-0450-zipfile-avoid-quoted-overlap-zipbomb.patch
detecting the vulnerability of the "quoted-overlap" zipbomb
(from gh#python/cpython!110016).
- Add CVE-2023-52425-libexpat-2.6.0-backport.patch fixing etree
XMLPullParser tests for Expat >=2.6.0 with reparse deferral
(fixing CVE-2023-52425 or bsc#1219559).
- xfsprogs
-
- xfs_copy: bail out early when superblock cannot be verified
(bsc#1227150)
- add xfs_copy-bail-out-early-when-superblock-cannot-be-ve.patch
- shim
-
- Update shim to 15.8-150300.4.20.2 from SLE15-SP3
+ Version: 15.8, "Thu Apr 18 2024"
+ Update the SLE signatures
+ Include the fixes for (bsc#1215099,CVE-2023-40546),
(bsc#1215098,CVE-2023-40547), (bsc#1215103,CVE-2023-40551),
(bsc#1215102,CVE-2023-40550), (bsc#1215101,CVE-2023-40549),
(bsc#1215100,CVE-2023-40548), bsc#1205588, bsc#1202120, bsc#1201066,
(bsc#1198458, CVE-2022-28737), bsc#1198101, bsc#1193315, bsc#1193282
- shadow
-
- bsc#916845 (CVE-2013-4235): Fix TOCTOU race condition
Add shadow-CVE-2013-4235.patch
- ocfs2-tools
-
- OCFS2 writes delay on large volumes - slow la window lookup from global_bitmap (bsc#1219224)
* bsc1219224-debugfs.ocfs2-support-recording-gd-bg_contig_free_bi.patch
- fsck.ocfs2: add the ability to clear jbd2 errno (bsc#1216834)
+ bsc1216834-fsck.ocfs2-add-the-ability-to-clear-jbd2-errno.patch
- google-guest-agent
-
- Update to version 20240314.00 (bsc#1221900, bsc#1221901)
* NetworkManager: only set secondary interfaces as up (#378)
* address manager: make sure we check for oldMetadata (#375)
* network: early setup network (#374)
* NetworkManager: fix ipv6 and ipv4 mode attribute (#373)
* Network Manager: make sure we clean up ifcfg files (#371)
* metadata script runner: fix script download (#370)
* oslogin: avoid adding extra empty line at the end of /etc/security/group.conf (#369)
* Dynamic vlan (#361)
* Check for nil response (#366)
* Create NetworkManager implementation (#362)
* Skip interface manager on Windows (#363)
* network: remove ignore setup (#360)
* Create wicked network service implementation and its respective unit (#356)
* Update metadata script runner, add tests (#357)
* Refactor guest-agent to use common retry util (#355)
* Flush logs before exiting #358 (#359)
- Refresh patches for new version
* dont_overwrite_ifcfg.patch
- No need for double %setup.
- Use %patch -P N instead of deprecated %patchN.
- regionServiceClientConfigGCE
-
- Update to version 4.1.0
+ Replace 162.222.182.90 and 35.187.193.56 (length 4096):
rgnsrv-gce-asia-northeast1 -> 162.222.182.90 expires in 9 years
rgnsrv-gce-us-central1 -> 35.187.193.56 expires in 10 years
- SAPHanaSR
-
- Version bump to 0.162.4
* unify global.ini examples
* add demo script SAPHanaSR-upgrade-to-angi-demo
* update man pages:
SAPHanaSR_basic_cluster.7
SAPHanaSR_maintenance_examples.7
SAPHanaSR_upgrade_to_angi.7
SAPHanaSR-manageProvider.8
SAPHanaSR-upgrade-to-angi-demo.8
SAPHanaSR.py.7
- python36
-
- Add CVE-2024-4032-private-IP-addrs.patch to fix bsc#1226448
(CVE-2024-4032) rearranging definition of private v global IP
addresses.
- Add CVE-2024-0397-memrace_ssl.SSLContext_cert_store.patch
fixing bsc#1226447 (CVE-2024-0397) by removing memory race
condition in ssl.SSLContext certificate store methods.
- Add bpo38361-syslog-no-slash-ident.patch (bsc#1222109,
gh#python/cpython!16557) fixes syslog making default "ident"
from sys.argv[0].
- Update CVE-2023-52425-libexpat-2.6.0-backport.patch so that
it uses features sniffing, not just comparing version number
(bsc#1220664, bsc#1219559, bsc#1221563, bsc#1222075).
- Remove support-expat-CVE-2022-25236-patched.patch, which was
the previous name of this patch.
- Add CVE-2023-52425-remove-reparse_deferral-tests.patch skipping
failing tests.
- Refresh patches:
- CVE-2023-27043-email-parsing-errors.patch
- fix_configure_rst.patch
- skip_if_buildbot-extend.patch
- bsc#1221854 (CVE-2024-0450) Add
CVE-2024-0450-zipfile-avoid-quoted-overlap-zipbomb.patch
detecting the vulnerability of the "quoted-overlap" zipbomb
(from gh#python/cpython!110016).
- Add bh42369-thread-safety-zipfile-SharedFile.patch (from
gh#python/cpython!26974) required by the previous patch.
- Add expat-260-test_xml_etree-reparse-deferral.patch to make the
interpreter work with patched libexpat in our distros.
- Move all patches from locally sourced to the opensuse-3.6
branch at GitHub repo, and move all metadata to
commits themselves (readable in the headers of each patch).
- Add bpo-41675-modernize-siginterrupt.patch to make Python build
cleanly even on more recent SPs of SLE-15
(gh#python/cpython#85841).
- Remove patches:
- bpo36263-Fix_hashlib_scrypt.patch - fix against bug in
OpenSSL fixed in 1.1.1c (gh#openssl/openssl!8483), so this
patch is redundant on all SUSE-supported distros
- python-3.3.0b1-test-posix_fadvise.patch - protection
against the kernel issues which has been fixed in
gh#torvalds/linux@3d3727cdb07f, which has been included in
all our kernels more recent than SLE-11.
- python-3.3.3-skip-distutils-test_sysconfig_module.patch -
skips a test, which should be relevant only for testing on
Mac OS X systems with universal builds. I have no valid
record, that this test would be ever problematic on Linux.
- bpo-36576-skip_tests_for_OpenSSL-111.patch, which was
included already in Python 3.5.
- (bsc#1219666, CVE-2023-6597) Add
CVE-2023-6597-TempDir-cleaning-symlink.patch (patch from
gh#python/cpython!99930) fixing symlink bug in cleanup of
tempfile.TemporaryDirectory.
- Merge together bpo-36576-skip_tests_for_OpenSSL-111.patch into
skip_SSL_tests.patch, and make them include all conditionals.
- release-notes-sles
-
- 12.5.20240614 (tracked in bsc#933411)
- Added note about openSSH 8.4 (bsc#1222298)
- Added note about unsupported hibernate/suspend on Xen (bsc#1214405)
- Added note about chrony 4.1 (jsc#SLE-22248)
- Added note about adcli --dont-expire-password (jsc#SLE-21223)
- Added note about sudo -U -l restriction (jsc#SLE-22569)
- Added note about nodejs16 addition (jsc#SLE-21234)
- Added note about rsyslog 8.2106 (jsc#SLE-21522)
- Added note about tcl 8.6.12 (jsc#SLE-21015)
- Added note about sudo 1.8.27 update (jsc#SLE-17083)
- gdk-pixbuf
-
- Add CVE-2022-48622.patch: ANI: Reject files with multiple anih
chunks (bsc#1219276, CVE-2022-48622, glgo#GNOME/gdk-pixbuf#202).
- _product:sle-live-patching-release
-
n/a
- lifecycle-data-sle-live-patching
-
- Added data for 4_12_14-122_212, 4_12_14-122_216, 4_12_14-122_219. (bsc#1020320)
- Added data for 4_12_14-122_201. (bsc#1020320)
- glibc
-
- nscd-Fix-use-after-free-in-addgetnetgrentX.patch: nscd: Fix
use-after-free in addgetnetgrentX (BZ #23520)
- glibc-CVE-2024-33599-nscd-Stack-based-buffer-overflow-in-n.patch:
nscd: Stack-based buffer overflow in netgroup cache
(CVE-2024-33599, bsc#1223423, BZ #31677)
- glibc-CVE-2024-33600-nscd-Avoid-null-pointer-crashes-after.patch:
nscd: Avoid null pointer crashes after notfound response
(CVE-2024-33600, bsc#1223424, BZ #31678)
- glibc-CVE-2024-33600-nscd-Do-not-send-missing-not-found-re.patch:
nscd: Do not send missing not-found response in addgetnetgrentX
(CVE-2024-33600, bsc#1223424, BZ #31678)
- glibc-CVE-2024-33601-CVE-2024-33602-nscd-netgroup-Use-two.patch:
netgroup: Use two buffers in addgetnetgrentX (CVE-2024-33601,
CVE-2024-33602, bsc#1223425, BZ #31680)
- nscd-netgroup-cache-timeout.patch: Use time_t for return type of
addgetnetgrentX (CVE-2024-33602, bsc#1223425)
- elf-ifunc-subtests-nonpie.patch: elf: Disable some subtests of
ifuncmain1, ifuncmain5 for !PIE
- iconv-iso-2022-cn-ext.patch: iconv: ISO-2022-CN-EXT: fix out-of-bound
writes when writing escape sequence (CVE-2024-2961, bsc#1222992)
- fdupes
-
- Apply "toctou-race-allows-arbitrary-file-deletion.patch" to fix a
race condition that could be exploited to delete arbitrary files.
This patch is a back-ported and simplified version of the commit
https://github.com/adrianlopezroche/fdupes/commit/85680897148f1ac33b55418e00334116e419717f
introduced upstream in release 2.2.0. [bsc#1200381]
- python
-
- bsc#1221854 (CVE-2024-0450) Add
CVE-2024-0450-zipfile-avoid-quoted-overlap-zipbomb.patch
detecting the vulnerability of the "quoted-overlap" zipbomb
(from gh#python/cpython!110016).
- Switch to using the system libexpat (bsc#1219559,
CVE-2023-52425)
- Make sure to remove all embedded versions of other packages
(including expat).
- Add CVE-2023-52425-libexpat-2.6.0-remove-failing-tests.patch
removing failing test fixing bpo#3151, which we just do not
support.
- Remove patches over those embedded packages (cffi):
- python-2.7-libffi-aarch64.patch
- sparc_longdouble.patch
- Modify CVE-2023-27043-email-parsing-errors.patch to fix the
unicode string handling in email.utils.parseaddr()
(bsc#1222537).
- Revert CVE-2022-48560-after-free-heappushpop.patch, the fix was
unneeded.
- Switch off tests. ONLY FOR FACTORY!!! (bsc#1219306)
- Build with -std=gnu89 to build correctly with gcc14, bsc#1220970
- python-typing
-
- Update to 3.10.0.0
* Implement TypeGuard (PEP 649)
* backport ParamSpecArgs/Kwargs
* Fixed required/optional keys with old-style TypedDict
* Bring in protocol’s __init__ behaviour same like in python > 3.8
* Support PEP 612 in typing_extensions (Python 3)
* Also run python 3.9 in CI
* Add OrderedDict to typing_extensions
* Only allow installing this package for Python 2.7 and 3.4
* Document availability of Annotated
* Update test_typing_extensions.py
* Apply get_args fix from bpo-40398 to typing_extensions
* Fix tests failing with 3.10.0a2+
* Fix stray close paren
* Update README
* Disable 3.5.1 build -- can't install psutils needed by pytest-xdist
* Bump typing_extensions version to 3.7.4.3
* Remove extra 'use' in readme
- from version 3.7.4.3
* Revert last two changes; bump version to 3.7.4.3
- from version 3.7.4.2
* Disallow installation on 3.5+
* Add tox.ini for typing_extensions
* Add PEP 613 TypeAlias to typing_extensions
* Make tests for Annotated work with Python 3.9
* Remove Python 3.3 from tox.ini
* Fix flake8 failure by using Python 3.8
* Add SupportsIndex, added in Python 3.8
* Update package metadata
* Bump typing_extensions version to 3.7.4.2
* Fix ForwardRef hash and equality checks
* Fix required and optional keys inheritance for TypedDict
* Replace asyncio.coroutine with async-await
* Reuse stdlib PEP 593 implementation in typing_extensions if present
* Add .vscode and .egg-info to gitignore
* Backport get_origin() and get_args()
* Add clarification to package description
* Track optional TypdeDict keys
* Accept arbitrary keyword names in NamedTuple() and TypedDict()
* Bump typing_extensions version
* Add missing objects in typing_extensions/README.rst
- from version 3.7.4.1
* Fix isinstance() with generic protocol subclasses after subscripting
* Try fixing Travis build
+ fix tests for non-default interpreters
* Use environment marker to specify typing dependency
* Fix unions of protocols on Python 2
* Bump typing_extensions version and typing dependency version
- from version 3.7.4
* Fix subclassing builtin protocols on older Python versions
* Move Protocol, runtime_checkable, Final, final, Literal, and TypedDict to typing
* Add support for Python 3.8 in typing_extensions
* Unify the implementation of annotated in src_py2 and src_py3
* Add Annotated in python2
* Pep 593 py3
* Drop support of Python 3.3
* [typing-extensions] Simple implementation for IntVar
* Add a python 3.7+ version of Annotated to typing_extensions
* Add SupportsIndex
* Add TypedDict to typing_extensions
* .travis.yml: The 'sudo' tag is now deprecated in Travis CI
* Add Final to the README
* Run the tests using the current Python executable
* Fix GeneralMeta.__instancecheck__() for old style classes
* Bump typing_extensions version
* Add Literal[...] types to typing_extensions
* Fix instance/subclass checks of functions against runtime protocols
* Bump typing_extension version
* Improve PyPI entry for typing_extensions
* Add Final to typing_extensions
- from version 3.6.6
* Include license file for typing-extensions and in wheels
* Fix IO.closed to be property
* Backport Generic.__new__ fix
* Bump typing_extensions version before release
* Add missing 'NoReturn' to __all__ in typing.py
* Add annotations to NamedTuple children __new__ constructors
* Fix typing_extensions to support PEP 560
* Fix for issue #524
* Pass *args and **kwargs to superclass in Generic.__new__
- Rename README.rst to README.md in %doc section
- kernel-default
-
- ACPI: video: check for error while searching for backlight
device parent (bsc#1224686 CVE-2023-52693).
- commit aafdad5
- ACPI: LPIT: Avoid u32 multiplication overflow (bsc#1224627
CVE-2023-52683).
- commit 57dc5ae
- x86/kprobes: Fix optprobe optimization check with CONFIG_RETHUNK (git-fixes).
- commit 90918cd
- netfilter: nft_set: preserve kabi (bsc#1215420 CVE-2023-4244).
- commit 4994a14
- netfilter: take a reference when looking up nft_sets
(bsc#1215420 CVE-2023-4244).
- commit 3f2e165
- netfilter: Implement reference counting for nft_sets
(bsc#1215420 CVE-2023-4244).
- commit b5c850d
- Fix the warning:
* return makes pointer from integer without a cast [enabled by default] in ../drivers/infiniband/hw/mlx5/srq.c in mlx5_ib_create_srq
../drivers/infiniband/hw/mlx5/srq.c: In function 'mlx5_ib_create_srq':
../drivers/infiniband/hw/mlx5/srq.c:259:3: warning: return makes pointer from integer without a cast [enabled by default]
- commit d292fa8
- x86/kprobes: Fix kprobes instruction boudary check with CONFIG_RETHUNK (git-fixes).
- commit 29d18ef
- fbdev: savage: Handle err return when savagefb_check_var failed (bsc#1227435 CVE-2024-39475)
- commit 3cf493f
- kgdb: Move the extern declaration kgdb_has_hit_break() to generic kgdb.h (git-fixes).
- commit 4c96601
- kgdb: Add kgdb_has_hit_break function (git-fixes).
- commit 096e8f7
- x86/ioremap: Fix page aligned size calculation in __ioremap_caller() (git-fixes).
- commit 51d4d78
- blacklist.conf: Blacklist unapplicable commit
- commit 8985317
- x86/numa: Use cpumask_available instead of hardcoded NULL check (git-fixes).
- commit 53fc2d1
- x86/msr: Fix wr/rdmsr_safe_regs_on_cpu() prototypes (git-fixes).
- commit 4cbd29b
- x86/fpu: Return proper error codes from user access functions (git-fixes).
- commit 16cc345
- x86/cpu: Fix AMD erratum #1485 on Zen4-based CPUs (git-fixes).
- commit 530272a
- blacklist.conf: We don't support clang so black list related commit
- commit 0b88169
- x86/boot/e820: Fix typo in e820.c comment (git-fixes).
- commit 3e224a7
- x86/apic: Fix kernel panic when booting with intremap=off and x2apic_phys (git-fixes).
- commit f7c83aa
- x86: __memcpy_flushcache: fix wrong alignment if size > 2^32 (git-fixes).
- commit fe70714
- PM: hibernate: x86: Use crc32 instead of md5 for hibernation e820 integrity check (git-fixes).
- commit 63895f5
- can: pch_can: pch_can_rx_normal: fix use after free (bsc#1225431
CVE-2021-47520).
- commit 0efd10b
- wifi: nl80211: don't free NULL coalescing rule (bsc#1225835 CVE-2024-36941).
- commit 6927c00
- powerpc/rtas: Prevent Spectre v1 gadget construction in
sys_rtas() (bsc#1227487).
- commit 564651d
- SUNRPC: Fix loop termination condition in
gss_free_in_token_pages() (git-fixes).
- sunrpc: fix NFSACL RPC retry on soft mount (git-fixes).
- SUNRPC: Fix gss_free_in_token_pages() (git-fixes).
- nfs: Handle error of rpc_proc_register() in nfs_net_init()
(git-fixes).
- commit 823e515
- btrfs: do not BUG_ON in link_to_fixup_dir (bsc#1222005
CVE-2021-47145).
- commit fb0f08c
- soc: fsl: qbman: Use raw spinlock for cgr_lock (bsc#1224683
CVE-2024-35819).
- commit 4f6a315
- soc: fsl: qbman: Add CGR update function (bsc#1224683
CVE-2024-35819).
- commit 3b2ce3f
- soc: fsl: qbman: Add helper for sanity checking cgr ops
(bsc#1224683 CVE-2024-35819).
- commit b33b9fc
- soc: fsl: qbman: Always disable interrupts when taking cgr_lock
(bsc#1224683 CVE-2024-35819).
- commit 99e6ba5
- drm/amdgpu/debugfs: fix error code when smc register accessors are NULL (git-fixes).
- commit a2420fb
- blacklist.conf: Add c7fcb99877f9 sched/rt: Fix sysctl_sched_rr_timeslice intial value
- commit 71427f6
- blacklist.conf: Add a57415f5d1e4 sched/deadline: Fix sched_dl_global_validate()
- commit b39262b
- sched/deadline: Fix BUG_ON condition for deboosted tasks
(bsc#1227407).
- commit 58fafac
- dyndbg: fix old BUG_ON in >control parser (bsc#1224647
CVE-2024-35947).
- commit 52ffbf7
- net: tulip: de4x5: fix the problem that the array 'lp->phy'
may be out of bound (bsc#1225505 CVE-2021-47547).
- commit 605a3ba
- drm/amdgpu: Fix a null pointer access when the smc_rreg pointer is NULL (CVE-2023-52817 bsc#1225569).
- commit d2e5a64
- blacklist.conf: cd90511557fd drm/amdgpu/vkms: fix a possible null pointer dereference
- commit d0def0c
- blacklist.conf: 80285ae1ec87 drm/amdgpu: Fix potential null pointer derefernce
- commit 95c5571
- blacklist.conf: 406e8845356d drm/amd: check num of link levels when update pcie param
- commit f93c72c
- drm/amd: Fix UBSAN array-index-out-of-bounds for Polaris and Tonga (CVE-2023-52819 bsc#1225532).
- commit d196cd8
- drm/amd: Fix UBSAN array-index-out-of-bounds for SMU7 (CVE-2023-52818 bsc#1225530).
- commit d67dcd9
- blacklist.conf: 282c1d793076 drm/amdkfd: Fix shift out-of-bounds issue
- commit cc813e8
- drm/amd/display: Avoid NULL dereference of timing generator (CVE-2023-52753 bsc#1225478).
- commit f316fd9
- blacklist.conf: 31729e8c21ec drm/amd/pm: fixes a random hang in S4 for SMU v13.0.4/11
- commit 785f136
- blacklist.conf: add 2a19b28f7929866e1cec92a3619f4de9f2d20005.
- commit a4c7fa2
- drm/arm/malidp: fix a possible null pointer dereference (CVE-2024-36014 bsc#1225593).
- commit 3f35223
- llc: make llc_ui_sendmsg() more robust against bonding changes
(CVE-2024-26636 bsc#1221659).
- commit 727fec1
- llc: Drop support for ETH_P_TR_802_2 (CVE-2024-26635
bsc#1221656).
- commit 4792924
- wifi: libertas: fix some memleaks in lbs_allocate_cmd_buffer()
(bsc#1224622 CVE-2024-35828).
- commit 9f39e76
- nfc: nci: assert requested protocol is valid (bsc#1220833, CVE-2023-52507).
- commit 78bd01e
- md: fix resync softlockup when bitmap size is less than array
size (CVE-2024-38598, bsc#1226757).
- commit e578184
- dm snapshot: fix lockup in dm_exception_table_exit (bsc#1224743,
CVE-2024-35805).
- dm: call the resume method on internal suspend (bsc#1223188,
CVE-2024-26880).
- dm rq: don't queue request to blk-mq during DM suspend
(bsc#1225357, CVE-2021-47498).
- bcache: avoid oversized read request in cache missing code path
(bsc#1224965, CVE-2021-47275).
- bcache: remove bcache device self-defined readahead
(bsc#1224965, CVE-2021-47275).
- commit 0df91b9
- net/mlx5e: nullify cq->dbg pointer in mlx5_debug_cq_remove() (bsc#1225229 CVE-2021-47438)
- commit dd90392
- net/mlx5e: Fix memory leak in mlx5_core_destroy_cq() error path (bsc#1225229 CVE-2021-47438)
- commit eebb92a
- usb-storage: alauda: Check whether the media is initialized
(CVE-2024-38619 bsc#1226861).
- commit 8f69e1a
- iavf: free q_vectors before queues in iavf_disable_vf
(CVE-2021-47201 bsc#1222792).
- commit 5fa75c2
- blacklist.conf: 9cb46b31f3d0 drm/xe/xe_migrate: Cast to output precision before multiplying operands
- commit 6d5246f
- ip6_tunnel: make sure to pull inner header in __ip6_tnl_rcv()
(CVE-2024-26641 bsc#1221654).
- commit 785d6bf
- hsr: Fix uninit-value access in hsr_get_node() (bsc#1223021
CVE-2024-26863).
- net: hsr: fix placement of logical operator in a multi-line
statement (bsc#1223021).
- commit bea7af4
- ip6_tunnel: fix NEXTHDR_FRAGMENT handling in
ip6_tnl_parse_tlv_enc_lim() (CVE-2024-26633 bsc#1221647).
- commit 6bed746
- blacklist.conf: ecedd99a9369 drm/amd/display: Skip on writeback when it's not applicable
- commit 7f9ee16
- net: sock: preserve kabi for sock (bsc#1221010 CVE-2021-47103).
- commit 00f2734
- inet: fully convert sk->sk_rx_dst to RCU rules (bsc#1221010
CVE-2021-47103).
- commit 955aaf2
- Bluetooth: l2cap: fix null-ptr-deref in l2cap_chan_timeout
(bsc#1224177 CVE-2024-27399).
- commit f1f5272
- ACPI: processor_idle: Fix memory leak in
acpi_processor_power_exit() (bsc#1223043 CVE-2024-26894).
- commit 69014d4
- scsi: bnx2fc: Remove spin_lock_bh while releasing resources
after upload (bsc#1224767 CVE-2024-36919).
- scsi: lpfc: Move NPIV's transport unregistration to after
resource clean up (bsc#1225898 CVE-2024-36592).
- commit 011e140
- selinux: fix double free of cond_list on error paths
(bsc#1226699 CVE-2022-48740).
- commit c27761a
- fs/9p: fix uninitialized values during inode evict (bsc#1225815
CVE-2024-36923).
- commit fccda1c
- btrfs: fix crash on racing fsync and size-extending write into
prealloc (bsc#1227101 CVE-2024-37354).
- btrfs: add helper to truncate inode items when logging inode
(bsc#1227101 CVE-2024-37354).
- btrfs: don't set the full sync flag when truncation does not
touch extents (bsc#1227101 CVE-2024-37354).
- btrfs: fix misleading and incomplete comment of btrfs_truncate()
(bsc#1227101 CVE-2024-37354).
- btrfs: make btrfs_truncate_inode_items take btrfs_inode
(bsc#1227101 CVE-2024-37354).
- commit 25e24a4
- blacklist.conf: kABI
- commit 2c68edf
- usb: typec: tcpm: Skip hard reset when in error recovery
(git-fixes).
- commit 74f41bf
- blacklist.conf: false positive
- commit b55e7fd
- bpf, scripts: Correct GPL license name (git-fixes).
- commit d41908e
- Update
patches.suse/0006-dm-btree-remove-fix-use-after-free-in-rebalance_chil.patch
(git-fixes CVE-2021-47600 bsc#1226575).
- Update
patches.suse/PCI-pciehp-Fix-infinite-loop-in-IRQ-handler-upon-pow.patch
(git-fixes CVE-2021-47617 bsc#1226614).
- Update
patches.suse/USB-core-Fix-hang-in-usb_kill_urb-by-adding-memory-b.patch
(git-fixes CVE-2022-48760 bsc#1226712).
- Update
patches.suse/audit-improve-robustness-of-the-audit-queue-handling.patch
(bsc#1204514 CVE-2021-47603 bsc#1226577).
- Update
patches.suse/drm-vmwgfx-Fix-stale-file-descriptors-on-failed-user.patch
(CVE-2022-22942 bsc#1195065 CVE-2022-48771 bsc#1226732).
- Update patches.suse/igbvf-fix-double-free-in-igbvf_probe.patch
(git-fixes CVE-2021-47589 bsc#1226557).
- Update
patches.suse/isdn-cpai-check-ctr-cnr-to-avoid-array-index-out-of-bound.patch
(bsc#1191958 CVE-2021-43389 CVE-2021-4439 bsc#1226670).
- Update
patches.suse/net-ieee802154-ca8210-Stop-leaking-skb-s.patch
(git-fixes CVE-2022-48722 bsc#1226619).
- Update
patches.suse/netfilter-complete-validation-of-user-input.patch
(git-fixes CVE-2024-35896 bsc#1224662 CVE-2024-35962
bsc#1224583).
- Update patches.suse/phylib-fix-potential-use-after-free.patch
(bsc#1119113 FATE#326472 CVE-2022-48754 bsc#1226692).
- Update
patches.suse/ring-buffer-Fix-a-race-between-readers-and-resize-checks.patch
(bsc#1222893 CVE-2024-38601 bsc#1226876).
- Update
patches.suse/scsi-bnx2fc-Flush-destroy_work-queue-before-calling-bnx2fc_interface_put
(git-fixes CVE-2022-48758 bsc#1226708).
- Update patches.suse/scsi-bnx2fc-Make-bnx2fc_recv_frame-mp-safe
(git-fixes CVE-2022-48715 bsc#1226621).
- Update
patches.suse/scsi-libfc-Fix-potential-NULL-pointer-dereference-in-fc_lport_ptp_setup.patch
(git-fixes CVE-2023-52809 bsc#1225556).
- Update
patches.suse/scsi-qla2xxx-Fix-off-by-one-in-qla_edif_app_getstats.patch
(git-fixes CVE-2024-36025 bsc#1225704).
- Update
patches.suse/scsi-scsi_debug-Sanity-check-block-descriptor-length-in-resp_mode_select
(git-fixes CVE-2021-47576 bsc#1226537).
- Update
patches.suse/scsi-target-core-Add-TMF-to-tmr_list-handling.patch
(bsc#1223018 CVE-26845 CVE-2024-26845).
- Update
patches.suse/tipc-improve-size-validations-for-received-domain-re.patch
(bsc#1195254 CVE-2022-0435 CVE-2022-48711 bsc#1226672).
- commit c2edf0b
- tcp: do not accept ACK of bytes we never sent (CVE-2023-52881
bsc#1225611).
- commit d93d95b
- usb: port: Don't try to peer unused USB ports based on location
(git-fixes).
- commit c96b5c5
- blacklist.conf: logging only
- commit b17cfa5
- x86/tsc: Trust initial offset in architectural TSC-adjust MSRs
(bsc#1222015 bsc#1226962).
- commit c9f769c
- iommu/vt-d: Allocate local memory for page request queue
(git-fixes).
- commit 541ce64
- iommu/amd: Fix sysfs leak in iommu init (git-fixes).
- commit cdae1dd
- KVM: x86: Handle SRCU initialization failure during page track
init (CVE-2021-47407, bsc#1225306).
- commit 61b3e37
- xen/events: close evtchn after mapping cleanup (CVE-2024-26687,
bsc#1222435).
- commit c56fe01
- net/9p: fix uninit-value in p9_client_rpc() (CVE-2024-39301 bsc#1226994).
- commit 1a033be
- media: lgdt3306a: Add a check against null-pointer-def
(CVE-2022-48772 bsc#1226976).
- commit 79e986b
- fpga: manager: add owner module and take its refcount
(CVE-2024-37021 bsc#1226950).
- commit 580ed12
- fpga: region: add owner module and take its refcount
(CVE-2024-35247 bsc#1226948).
- commit 75fbd8f
- fpga: bridge: add owner module and take its refcount
(CVE-2024-36479 bsc#1226949).
- commit 410068f
- enic: Validate length of nl attributes in enic_set_vf_port
(CVE-2024-38659 bsc#1226883).
- net: fec: remove .ndo_poll_controller to avoid deadlocks
(CVE-2024-38553 bsc#1226744).
- net/mlx5e: Fix netif state handling (CVE-2024-38608
bsc#1226746).
- eth: sungem: remove .ndo_poll_controller to avoid deadlocks
(CVE-2024-38597 bsc#1226749).
- net: amd-xgbe: Fix skb data length underflow (CVE-2022-48743
bsc#1226705).
- net: systemport: Add global locking for descriptor lifecycle
(CVE-2021-47587 bsc#1226567).
- commit 6fa5a1e
- usb: xhci-plat: fix crash when suspend if remote wake enable
(CVE-2022-48761 bsc#1226701).
- commit 6918857
- virtio-blk: fix implicit overflow on virtio_max_dma_size
(bsc#1225573 CVE-2023-52762).
- commit 630807b
- btrfs: fix use-after-free after failure to create a snapshot
(bsc#1226718 CVE-2022-48733).
- commit bc8f6e2
- vfio/platform: Create persistent IRQ handlers (bsc#1222809
CVE-2024-26813).
- commit a912042
- Update to fix a compiling error,
patches.suse/raid1-fix-use-after-free-for-original-bio-in-raid1_-fcf3.patch.
- commit 4738bf0
- s390/ap: Fix crash in AP internal function modify_bitmap()
(CVE-2024-38661 bsc#1226996 git-fixes).
- commit 642fe77
- block: fix overflow in blk_ioctl_discard() (bsc#1225770
CVE-2024-36917).
- commit fb1867c
- epoll: be better about file lifetimes (bsc#1226610
CVE-2024-38580).
- commit da86de7
- KVM: allow KVM_BUG/KVM_BUG_ON to handle 64-bit cond (git-fixes).
- commit 63ce06d
- drm/nouveau: fix off by one in BIOS boundary checking (bsc#1226716 CVE-2022-48732)
- commit bed5212
- Update references tag
patches.suse/Bluetooth-Disconnect-if-E0-is-used-for-Level-4.patch
(bsc#1171988 CVE-2020-10135 bsc#1218148 CVE-2023-24023).
- commit b41c397
- mm: Avoid overflows in dirty throttling logic (bsc#1222364
CVE-2024-26720).
- commit 6f98632
- media: stk1160: fix bounds checking in stk1160_copy_video()
(CVE-2024-38621 bsc#1226895).
- commit 617f122
- dma-buf/sw-sync: don't enable IRQ from sync_print_obj()
(CVE-2024-38780 bsc#1226886).
- commit 0a1e3b6
- nvmet: fix ns enable/disable possible hang (git-fixes).
- commit 128ca3f
- ecryptfs: Fix buffer size for tag 66 packet (bsc#1226634, CVE-2024-38578).
- commit 41891c0
- stm class: Fix a double free in stm_register_device()
(CVE-2024-38627 bsc#1226857).
- commit b4ea481
- blacklist.conf: kABI
- commit 516146e
- crypto: bcm - Fix pointer arithmetic (bsc#1226637
CVE-2024-38579).
- commit be1545d
- drm/amd/display: Fix potential index out of bounds in color (bsc#1226767 CVE-2024-38552)
- commit fdaaa54
- drm/mediatek: Add 0 size check to mtk_drm_gem_obj (bsc#1226735 CVE-2024-38549)
- commit b67d29d
- drm/msm/dsi: invalid parameter check in msm_dsi_phy_enable (bsc#1226698 CVE-2022-48756)
- commit bd95a05
- net: usb: rtl8150 fix unintiatilzed variables in
rtl8150_get_link_ksettings (git-fixes).
- commit 996e5c4
- RDMA/hns: Fix UAF for cq async event (bsc#1226595 CVE-2024-38545)
- commit 68cd4b9
- RDMA/rxe: Fix seg fault in rxe_comp_queue_pkt (bsc#1226597 CVE-2024-38544)
- commit da8c605
- RDMA/mlx5: Add check for srq max_sge attribute (git-fixes)
- commit 6ee55be
- drm: vc4: Fix possible null pointer dereference (CVE-2024-38546
bsc#1226593).
- commit f5c6e94
- wifi: carl9170: add a proper sanity check for endpoints
(CVE-2024-38567 bsc#1226769).
- rpmsg: char: Fix race between the release of rpmsg_ctrldev
and cdev (CVE-2022-48759 bsc#1226711).
- commit 1d933f6
- wifi: ar5523: enable proper endpoint verification
(CVE-2024-38565 bsc#1226747).
- commit 7f113b6
- mac80211: track only QoS data frames for admission control
(CVE-2021-47602 bsc#1226554).
- commit 6d84852
- ALSA: timer: Set lower bound of start tick time (CVE-2024-38618
bsc#1226754).
- commit ea3c02c
- blacklist.conf: Add 7af443ee16976 sched/core: Require cpu_active() in select_task_rq(), for user tasks
- commit 35a10db
- bsc#1225894: Fix build warning
Fix the following build warning.
* unused-variable (i) in ../drivers/gpu/drm/amd/amdkfd/kfd_device.c in kgd2kfd_resume
../drivers/gpu/drm/amd/amdkfd/kfd_device.c: In function 'kgd2kfd_resume':
../drivers/gpu/drm/amd/amdkfd/kfd_device.c:621:11: warning: unused variable 'i' [-Wunused-variable]
- commit e16e5ba
- bsc#1225894: Fix patch references
- commit 7b4670a
- net/mlx5: Properly link new fs rules into the tree (bsc#1224588
CVE-2024-35960).
- commit 14f14ea
- net/mlx5e: fix a double-free in arfs_create_groups (bsc#1224605
CVE-2024-35835).
- commit 2cc5781
- firmware: arm_scpi: Fix string overflow in SCPI genpd driver (bsc#1226562 CVE-2021-47609)
- commit 4642449
- Fix compilation
- commit 3f5119e
- net: ena: Fix incorrect descriptor free behavior (bsc#1224677
CVE-2024-35958).
- commit 8f4768d
- bonding: stop the device in bond_setup_by_slave() (bsc#1224946
CVE-2023-52784).
- commit da74b6f
- blacklist.conf: bsc#1225555 CVE-2023-52808
patches code not present
- commit 35c5de8
- blacklist.conf: bsc#1223013 CVE-2024-26482
does not apply
- commit c785e5a
- blacklist.conf: bsc#1222879 CVE-2021-47193
breaks kABI
- commit 5ac2f95
- blacklist.conf: bsc#1225559 CVE-2023-5281
Does not apply cleanly at all, and addresses
a corner case that it knows is rare.
- commit 66930cf
- scsi: lpfc: Fix possible memory leak in lpfc_rcv_padisc()
(bsc#1224651 CVE-2024-35930).
- scsi: target: core: Add TMF to tmr_list handling (bsc#1223018
CVE-26845).
- scsi: scsi_debug: Fix out-of-bound read in resp_readcap16()
(bsc#122286 CVE-2021-47191).
- commit 3100b52
- usb: fix various gadget panics on 10gbps cabling (CVE-2021-47267
bsc#1224993).
- commit 3336e4a
- amd/amdkfd: sync all devices to wait all processes being evicted (bsc#1225872 CVE-2024-36949)
- commit aa91737
- drm/amdkfd: Rework kfd_locked handling (bsc#1225872)
- commit 030a69d
- drm/vmwgfx: Fix invalid reads in fence signaled events (bsc#1225872 CVE-2024-36960)
- commit fe8da4d
- nfsd: optimise recalculate_deny_mode() for a common case
(bsc#1217912).
- commit 90c611c
- NFSv4: Always clear the pNFS layout when handling ESTALE
(bsc#1221791).
- NFSv4: nfs_set_open_stateid must not trigger state recovery
for closed state (bsc#1221791).
- PNFS for stateid errors retry against MDS first (bsc#1221791).
- commit fcd364d
- block: prevent division by zero in blk_rq_stat_sum()
(bsc#1224661 CVE-2024-35925).
- commit 7fd346a
- ext4: fix corruption during on-line resize (bsc#1224735
CVE-2024-35807).
- commit 8431549
- fat: fix uninitialized field in nostale filehandles (git-fixes
CVE-2024-26973 bsc#1223641).
- commit 8b4f3fd
- ext4: avoid online resizing failures due to oversized flex bg
(bsc#1222080 CVE-2023-52622).
- commit a81bee5
- nfc: fix potential NULL pointer deref in nfc_genl_dump_ses_done
(CVE-2021-47518 bsc#1225372).
- commit d0fabf7
- net_sched: fix NULL deref in fifo_set_limit()
(CVE-2021-47418 bsc#1225337).
- commit 54048d4
- net: validate lwtstate->data before returning from skb_tunnel_info()
(CVE-2021-47309 bsc#1224967).
- commit 2b76537
- net: fix uninit-value in caif_seqpkt_sendmsg
(CVE-2021-47297 bsc#1224976).
- commit 39164d4
- net/sched: act_skbmod: Skip non-Ethernet packets
(CVE-2021-47293 bsc#1224978).
- commit aedefe0
- netrom: Decrease sock refcount when sock timers expire
(CVE-2021-47294 bsc#1224977).
- commit 44bce11
- ipv6: Fix infinite recursion in fib6_dump_done() (CVE-2024-35886
bsc#1224670).
- commit 5d20998
- tty: n_gsm: fix possible out-of-bounds in gsm0_receive()
(CVE-2024-36016 bsc#1225642).
- commit f5c4f31
- net: macb: fix use after free on rmmod (CVE-2021-47372
bsc#1225184).
- commit 5bb5ee7
- btrfs: use correct compare function of dirty_metadata_bytes (git-fixes)
- commit d51a7ff
- Btrfs: fix memory and mount leak in btrfs_ioctl_rm_dev_v2() (git-fixes)
- commit 4b455f0
- btrfs: fix describe_relocation when printing unknown flags (git-fixes)
- commit a147519
- btrfs: add barriers to btrfs_sync_log before log_commit_wait wakeups (git-fixes)
- commit 0487247
- btrfs: fix crash when trying to resume balance without the resume flag (git-fixes)
- commit f0fa7bc
- Btrfs: clean up resources during umount after trans is aborted (git-fixes)
- commit c78d131
- Btrfs: bail out on error during replay_dir_deletes (git-fixes)
- commit 7a8f6ce
- Btrfs: fix NULL pointer dereference in log_dir_items (git-fixes)
- commit 02cab92
- Btrfs: send, fix issuing write op when processing hole in no data mode (git-fixes)
- Refresh
patches.suse/btrfs-send-fix-incorrect-file-layout-after-hole-punching-beyond-eof.patch.
- commit f710800
- Btrfs: fix unexpected EEXIST from btrfs_get_extent (git-fixes)
- commit 82c1e6b
- btrfs: tree-check: reduce stack consumption in check_dir_item (git-fixes)
- commit 36aca35
- btrfs: fix false EIO for missing device (git-fixes)
- Refresh
patches.suse/btrfs-ensure-that-a-dup-or-raid1-block-group-has-exactly-two-stripes.patch
- commit 01544ea
- USB: serial: option: add Quectel EG912Y module support
(git-fixes).
- commit a8d3e25
- blacklist.conf: pure cleanup
- commit c59c78d
- USB: serial: option: add Quectel RM500Q R13 firmware support
(git-fixes).
- commit b3dedc2
- USB: serial: option: add Foxconn T99W265 with new baseline
(git-fixes).
- commit 51f747d
- net: usb: smsc95xx: fix changing LED_SEL bit value updated
from EEPROM (git-fixes).
- commit d6ed297
- ocfs2: fix sparse warnings (bsc#1219224).
- ocfs2: speed up chain-list searching (bsc#1219224).
- ocfs2: adjust enabling place for la window (bsc#1219224).
- ocfs2: improve write IO performance when fragmentation is high
(bsc#1219224).
- commit d862a97
- smb: client: fix use-after-free bug in
cifs_debug_data_proc_show() (bsc#1225487, CVE-2023-52752).
- commit b2bff17
- blkcg: Fix multiple bugs in blkcg_activate_policy()
(CVE-2021-47379 bsc#1225203).
- blkcg: blkcg_activate_policy() should initialize ancestors first
(CVE-2021-47379 bsc#1225203).
- commit 5e6941f
- blacklist.conf: bsc#1225047 CVE-2021-47328: breaks kABI
Also, does not apply.
- commit 55744fb
- blk-cgroup: fix UAF by grabbing blkcg lock before destroying
blkg pd (CVE-2021-47379 bsc#1225203).
- commit 26f8206
- blacklist.conf: Blacklist 618f003199c61
- commit f552be9
- atl1c: Work around the DMA RX overflow issue (CVE-2023-52834
bsc#1225599).
- commit c880bf0
- btrfs: lock the inode in shared mode before starting fiemap
(bsc#1225484 CVE-2023-52737).
- commit e4a79d3
- ext4: correct offset of gdb backup in non meta_bg group to
update_backups (bsc#1224735 CVE-2024-35807).
- commit 57ba8ce
- raid1: fix use-after-free for original bio in raid1_write_request()
(bsc#1221097, bsc#1224572, CVE-2024-35979).
- commit daf8372
- fs/9p: only translate RWX permissions for plain 9P2000
(bsc#1225866 CVE-2024-36964).
- commit 7cf061b
- media: imon: fix access to invalid resource for the second
interface (CVE-2023-52754 bsc#1225490).
- commit 0f818a4
- firewire: ohci: mask bus reset interrupts between ISR and
bottom half (CVE-2024-36950 bsc#1225895).
- commit 342de59
- pinctrl: core: delete incorrect free in pinctrl_enable()
(CVE-2024-36940 bsc#1225840).
- commit 6103cd4
- staging: rtl8192e: Fix use after free in
_rtl92e_pci_disconnect() (CVE-2021-47571 bsc#1225518).
- commit 9243acc
- media: gspca: cpia1: shift-out-of-bounds in set_flicker
(CVE-2023-52764 bsc#1225571).
- wifi: mac80211: don't return unset power in
ieee80211_get_tx_power() (CVE-2023-52832 bsc#1225577).
- commit 74cf739
- Bluetooth: qca: add missing firmware sanity checks
(CVE-2024-36880 bsc#1225722).
- commit 1f313de
- drm/msm: Fix null pointer dereference on pointer edp (bsc#1225261 CVE-2021-47445)
- commit 7365fdb
- rpm/kernel-obs-build.spec.in: Add iso9660 (bsc#1226212)
Some builds don't just create an iso9660 image, but also mount it during
build.
- commit aaee141
- llc: verify mac len before reading mac header
(CVE-2023-52843 bsc#1224951).
- commit 048fdd1
- drm/sched: Avoid data corruptions (bsc#1225140 CVE-2021-47354)
- commit 735d57e
- nfc: llcp: fix nfc_llcp_setsockopt() unsafe copies
(CVE-2024-36915 bsc#1225758).
- commit d2aa3fc
- rpm/kernel-obs-build.spec.in: Add networking modules for docker
(bsc#1226211)
docker needs more networking modules, even legacy iptable_nat and _filter.
- commit 415e132
- Bluetooth: Add more enc key size check (bsc#1218148
CVE-2023-24023).
- commit 8b7d4c7
- rtnetlink: Correct nested IFLA_VF_VLAN_LIST attribute validation
(CVE-2024-36017 bsc#1225681).
- commit eee2828
- netfilter: complete validation of user input
(git-fixes CVE-2024-35896 bsc#1224662).
- commit bd2bc6c
- tcp: fix page frag corruption on page fault
(CVE-2021-47544 bsc#1225463).
- commit 0c69f93
- netfilter: validate user input for expected length
(CVE-2024-35896 bsc#1224662).
- commit d09d89a
- Bluetooth: Normalize HCI_OP_READ_ENC_KEY_SIZE cmdcmplt
(bsc#1218148 CVE-2023-24023).
- commit be61b35
- arm64: asm-bug: Add .align 2 to the end of __BUG_ENTRY
(git-fixes).
- commit a33c0aa
- fbmon: prevent division by zero in fb_videomode_from_videomode() (bsc#1224660 CVE-2024-35922)
- commit 9990cdc
- bna: ensure the copied buf is NUL terminated (CVE-2024-36934
bsc#1225760).
- commit 5e5c793
- tipc: Change nla_policy for bearer-related names to NLA_NUL_STRING
(CVE-2023-52845 bsc#1225585).
- commit 28beea5
- blacklist.conf: Add 1971d13ffa84a "af_unix: Suppress false-positive lockdep splat for spin_lock() in __unix_gc()."
- commit 9ab8e4f
- HID: i2c-hid: remove I2C_HID_READ_PENDING flag to prevent
lock-up (bsc#1224552 CVE-2024-35997).
- commit 31522d3
- wifi: nl80211: reject iftype change with mesh ID change
(CVE-2024-27410 bsc#1224432).
- commit 18882c6
- fix compat handling of FICLONERANGE, FIDEDUPERANGE and
FS_IOC_FIEMAP (bsc#1225848).
- blacklist.conf:
- fs: make fiemap work from compat_ioctl (bsc#1225848).
- commit e6c580c
- perf/core: Bail out early if the request AUX area is out of
bound (bsc#1225602 CVE-2023-52835).
- commit 0b197bf
- powerpc/imc-pmu: Add a null pointer check in
update_events_in_group() (bsc#1224504 CVE-2023-52675).
- commit 5ed0541
- blacklist.conf: CVE-2024-35956 bsc#1224674: not applicable bsc#1225945
Quoting bsc#1225945#c11:
"So the upstream 6.5 kernel commit (1b53e51a4a8f ("btrfs: don't commit
transaction for every subvol create")
) was never backported to SLE, so that fix eb96e221937a ("btrfs: fix
unwritten extent buffer after snapshotting a new subvolume") was never
backported."
- commit 13b6119
- usb: gadget: f_fs: Fix race between aio_cancel() and AIO
request complete (CVE-2024-36894 bsc#1225749).
- commit 66229f2
- proc/vmcore: fix clearing user buffer by properly using
clear_user() (CVE-2021-47566 bsc#1225514).
- commit 4f35255
- usb: dwc2: fix possible NULL pointer dereference caused by
driver concurrency (CVE-2023-52855 bsc#1225583).
- commit 304ea43
- Refresh patches.kabi/net-preserve-kabi-for-sk_buff.patch.
- commit fa7929b
- net: preserve kabi for sk_buff (CVE-2024-26921 bsc#1223138).
- commit 726f363
- inet: inet_defrag: prevent sk release while still in use
(CVE-2024-26921 bsc#1223138).
- commit 7846939
- xhci: Fix command ring abort, write all 64 bits to CRCR register
(CVE-2021-47434 bsc#1225232).
- commit d92fac3
- xhci: Fix command ring pointer corruption while aborting a
command (CVE-2021-47434 bsc#1225232).
- blacklist.conf: taken so that the correct fix applies
- commit ea90837
- xsk: validate user input for XDP_{UMEM|COMPLETION}_FILL_RING
(bsc#1224575 CVE-2024-35976).
- commit 641c7c4
- usb: fix various gadgets null ptr deref on 10gbps cabling
(CVE-2021-47270 bsc#1224997).
- commit 00c58e2
- usb: udc: remove warning when queue disabled ep (CVE-2024-35822
bsc#1224739).
- commit dcaf30a
- blacklist.conf: add cleanup fix that breaks kABI
- commit cae1961
- bpf, skmsg: Fix NULL pointer dereference in
sk_psock_skb_ingress_enqueue (bsc#1225761 CVE-2024-36938).
- commit 24fab08
- drm/client: Fully protect modes with dev->mode_config.mutex (CVE-2024-35950 bsc#1224703).
- commit f0cb811
- smb: client: fix potential deadlock when releasing mids
(bsc#1225548, CVE-2023-52757).
- commit 00dc86e
- smb: client: fix potential UAF in is_valid_oplock_break()
(bsc#1224763, CVE-2024-35863).
- commit be79366
- smb: client: fix potential UAF in cifs_stats_proc_write()
(bsc#1224678, CVE-2024-35868).
- commit 7c5946d
- smb: client: fix potential UAF in cifs_stats_proc_show()
(bsc#1224664, CVE-2024-35867).
- commit adb391f
- smb: client: fix potential UAF in cifs_debug_files_proc_show()
(bsc#1223532, CVE-2024-26928).
- commit 92bb153
- smb: client: fix UAF in smb2_reconnect_server() (bsc#1224672,
CVE-2024-35870).
- commit 4eabe16
- smb: client: fix potential UAF in smb2_is_valid_lease_break()
(bsc#1224765, CVE-2024-35864).
- commit 688ad5f
- smb: client: fix potential UAF in smb2_is_network_name_deleted()
(bsc#1224764, CVE-2024-35862).
- commit 6bbd54b
- smb3: fix lock ordering potential deadlock in
cifs_sync_mid_result (bsc#1224549, CVE-2024-35998).
- commit fbe7cb6
- smb: client: fix potential UAF in smb2_is_valid_oplock_break()
(bsc#1224668, CVE-2024-35865).
- commit 77a46ab
- nvme-tcp: fix UAF when detecting digest errors (CVE-2022-48686 bsc#1223948).
Update blacklist.conf: remove entry
- commit f159215
- nvme-loop: fix memory leak in nvme_loop_create_ctrl() (CVE-2021-47074 bsc#1220854).
Update blacklist.conf: remove entry
- commit 5f6a5df
- nvme-rdma: destroy cm id before destroy qp to avoid use after
free (CVE-2021-47378 bsc#1225201).
- commit 599a36a
- nvmet: fix a use-after-free (CVE-2022-48697 bsc#1223922).
Update blacklist.conf: drop entry from it
- commit 5e496a4
- nvme-fc: do not wait in vain when unloading module
(CVE-2024-26846 bsc#1223023).
- commit 365a6dd
- blacklist.conf: add d380ce70058a4ccddc3e5f5c2063165dc07672c6
netrom: Fix data-races around sysctl_net_busy_read
(CVE-2024-27419 bsc#1224759)
- commit 9b21914
- net/tls: Fix flipped sign in tls_err_abort() calls
(CVE-2021-47496 bsc#1225354)
- commit af28ae7
- Update
patches.suse/0004-dm-fix-mempool-NULL-pointer-race-when-completing-IO.patch
(git-fixes bsc#1225247 CVE-2021-47435).
- Update
patches.suse/0022-dm-btree-remove-assign-new_root-only-when-removal-su.patch
(git fixes bsc#1225155 CVE-2021-47343).
- Update
patches.suse/0066-virtio-blk-Fix-memory-leak-among-suspend-resume-procedure.patch
(git-fixes bsc#1225054 CVE-2021-47319).
- Update
patches.suse/HID-betop-fix-slab-out-of-bounds-Write-in-betop_prob.patch
(git-fixes bsc#1207186 bsc#1225303 CVE-2021-47404).
- Update
patches.suse/IB-hfi1-Fix-leak-of-rcvhdrtail_dummy_kvaddr.patch
(git-fixes bsc#1225438 CVE-2021-47523).
- Update
patches.suse/IB-mlx5-Fix-initializing-CQ-fragments-buffer.patch
(git-fixes bsc#1224954 CVE-2021-47261).
- Update
patches.suse/IB-qib-Protect-from-buffer-overflow-in-struct-qib_us.patch
(git-fixes bsc#1224904 CVE-2021-47485).
- Update
patches.suse/RDMA-cma-Ensure-rdma_addr_cancel-happens-before-issu.patch
(git-fixes bsc#1225318 CVE-2021-47391).
- Update
patches.suse/RDMA-cma-Fix-rdma_resolve_route-memory-leak.patch
(git-fixes bsc#1225157 CVE-2021-47345).
- Update
patches.suse/SUNRPC-Fix-RPC-client-cleaned-up-the-freed-pipefs-de.patch
(git-fixes bsc#1225008 CVE-2023-52803).
- Update
patches.suse/blktrace-Fix-uaf-in-blk_trace-access-after-removing-.patch
(bsc#1191452 bsc#1225193 CVE-2021-47375).
- Update patches.suse/can-peak_pci-peak_pci_remove-fix-UAF.patch
(git-fixes bsc#1225256 CVE-2021-47456).
- Update
patches.suse/cifs-Fix-use-after-free-in-rdata-read_into_pages-.patch
(bsc#1190317 bsc#1225479 CVE-2023-52741).
- Update
patches.suse/cifs-prevent-NULL-deref-in-cifs_compose_mount_options-.patch
(bsc#1185902 bsc#1224961 CVE-2021-47307).
- Update
patches.suse/dma-buf-sync_file-Don-t-leak-fences-on-merge-failure.patch
(git-fixes bsc#1224968 CVE-2021-47305).
- Update
patches.suse/drm-Fix-use-after-free-read-in-drm_getunique.patch
(git-fixes bsc#1224982 CVE-2021-47280).
- Update
patches.suse/ftrace-Do-not-blindly-read-the-ip-address-in-ftrace_bug.patch
(git-fixes bsc#1224966 CVE-2021-47276).
- Update patches.suse/gfs2-ignore-negated-quota-changes.patch
(git-fixes bsc#1225560 CVE-2023-52759).
- Update
patches.suse/i40e-Fix-freeing-of-uninitialized-misc-IRQ-vector.patch
(bsc#1101816 FATE#325147 FATE#325149 bsc#1225367
CVE-2021-47424).
- Update
patches.suse/igb-Fix-use-after-free-error-during-reset.patch
(git-fixes bsc#1224916 CVE-2021-47301).
- Update
patches.suse/igc-Fix-use-after-free-error-during-reset.patch
(git-fixes bsc#1224917 CVE-2021-47302).
- Update
patches.suse/ipv4-ipv6-Fix-handling-of-transhdrlen-in-__ip-6-_app.patch
(git-fixes bsc#1220928 CVE-2023-52527).
- Update
patches.suse/isdn-mISDN-netjet-Fix-crash-in-nj_probe.patch
(git-fixes bsc#1224987 CVE-2021-47284).
- Update
patches.suse/isofs-Fix-out-of-bound-access-for-corrupted-isofs-im.patch
(bsc#1194591 bsc#1225198 CVE-2021-47478).
- Update
patches.suse/kprobes-Fix-possible-use-after-free-issue-on-kprobe-registration.patch
(git-fixes bsc#1224676 CVE-2024-35955).
- Update
patches.suse/l2tp-pass-correct-message-length-to-ip6_append_data.patch
(git-fixes bsc#1222667 CVE-2024-26752).
- Update
patches.suse/mISDN-fix-possible-use-after-free-in-HFC_cleanup.patch
(git-fixes bsc#1225143 CVE-2021-47356).
- Update
patches.suse/media-zr364xx-fix-memory-leak-in-zr364xx_start_readp.patch
(git-fixes bsc#1224922 CVE-2021-47344).
- Update
patches.suse/net-USB-Fix-wrong-direction-WARNING-in-plusb.c.patch
(git-fixes bsc#1225482 CVE-2023-52742).
- Update
patches.suse/net-hns3-do-not-allow-call-hns3_nic_net_open-repeate.patch
(git-fixes bsc#1225329 CVE-2021-47400).
- Update
patches.suse/net-mdiobus-Fix-memory-leak-in-__mdiobus_register.patch
(git-fixes bsc#1225189 CVE-2021-47472).
- Update
patches.suse/net-mlx4_en-Fix-an-use-after-free-bug-in-mlx4_en_try.patch
(git-fixes bsc#1225453 CVE-2021-47541).
- Update
patches.suse/net-nfc-rawsock.c-fix-a-permission-check-bug.patch
(git-fixes bsc#1224981 CVE-2021-47285).
- Update patches.suse/net-qcom-emac-fix-UAF-in-emac_remove.patch
(git-fixes bsc#1225010 CVE-2021-47311).
- Update patches.suse/net-ti-fix-UAF-in-tlan_remove_one.patch
(git-fixes bsc#1224959 CVE-2021-47310).
- Update
patches.suse/net-usb-kalmia-Don-t-pass-act_len-in-usb_bulk_msg-er.patch
(git-fixes bsc#1225549 CVE-2023-52703).
- Update
patches.suse/nfs-fix-acl-memory-leak-of-posix_acl_create.patch
(git-fixes bsc#1225058 CVE-2021-47320).
- Update
patches.suse/nfsd-fix-use-after-free-due-to-delegation-race.patch
(git-fixes bsc#1225404 CVE-2021-47506).
- Update
patches.suse/ocfs2-fix-data-corruption-after-conversion-from-inli.patch
(bsc#1190795 bsc#1225251 CVE-2021-47460).
- Update
patches.suse/ocfs2-mount-fails-with-buffer-overflow-in-strlen.patch
(bsc#1197760 bsc#1225252 CVE-2021-47458).
- Update patches.suse/phy-mdio-fix-memory-leak.patch (git-fixes
bsc#1225336 CVE-2021-47416).
- Update
patches.suse/ppdev-Add-an-error-check-in-register_device.patch
(git-fixes bsc#1225640 CVE-2024-36015).
- Update
patches.suse/s390-dasd-protect-device-queue-against-concurrent-access.patch
(git-fixes bsc#1217519 bsc#1225572 CVE-2023-52774).
- Update
patches.suse/s390-qeth-fix-NULL-deref-in-qeth_clear_working_pool_list
(git-fixes bsc#1225164 CVE-2021-47369).
- Update
patches.suse/s390-qeth-fix-deadlock-during-failing-recovery
(bsc#1206213 LTC#200742 bsc#1225207 CVE-2021-47382).
- Update
patches.suse/scsi-core-Fix-bad-pointer-dereference-when-ehandler-kthread-is-invalid
(git-fixes bsc#1224926 CVE-2021-47337).
- Update
patches.suse/scsi-core-Put-LLD-module-refcnt-after-SCSI-device-is-released
(git-fixes bsc#1225322 CVE-2021-47480).
- Update
patches.suse/scsi-libfc-Fix-array-index-out-of-bound-exception.patch
(bsc#1188616 bsc#1224963 CVE-2021-47308).
- Update
patches.suse/scsi-mpt3sas-Fix-kernel-panic-during-drive-powercycle-test
(git-fixes bsc#1225384 CVE-2021-47565).
- Update
patches.suse/scsi-qla2xxx-Fix-a-memory-leak-in-an-error-path-of-qla2x00_process_els
(git-fixes bsc#1225192 CVE-2021-47473).
- Update
patches.suse/tipc-fix-a-possible-memleak-in-tipc_buf_append.patch
(bsc#1221977 CVE-2021-47162 bsc#1225764 CVE-2024-36954).
- Update
patches.suse/tracing-Correct-the-length-check-which-causes-memory-corruption.patch
(git-fixes bsc#1224990 CVE-2021-47274).
- Update
patches.suse/tracing-trigger-Fix-to-return-error-if-failed-to-alloc-snapshot.patch
(git-fixes CVE-2024-26920).
- Update
patches.suse/tty-n_gsm-require-CAP_NET_ADMIN-to-attach-N_GSM0710-.patch
(bsc#1222619 CVE-2023-52880).
- Update
patches.suse/tty-serial-8250-serial_cs-Fix-a-memory-leak-in-error.patch
(git-fixes bsc#1225084 CVE-2021-47330).
- Update
patches.suse/udf-Fix-NULL-pointer-dereference-in-udf_symlink-func.patch
(bsc#1206646 bsc#1225128 CVE-2021-47353).
- Update
patches.suse/usb-config-fix-iteration-issue-in-usb_get_bos_descri.patch
(git-fixes bsc#1225092 CVE-2023-52781).
- Update
patches.suse/usb-dwc2-check-return-value-after-calling-platform_g.patch
(git-fixes bsc#1225330 CVE-2021-47409).
- Update
patches.suse/usb-dwc3-ep0-fix-NULL-pointer-exception.patch
(git-fixes bsc#1224996 CVE-2021-47269).
- Update patches.suse/usb-musb-dsps-Fix-the-probe-error-path.patch
(git-fixes bsc#1225244 CVE-2021-47436).
- Update patches.suse/usbnet-sanity-check-for-maxpacket.patch
(git-fixes bsc#1225351 CVE-2021-47495).
- Update
patches.suse/watchdog-Fix-possible-use-after-free-by-calling-del_.patch
(git-fixes bsc#1225060 CVE-2021-47321).
- Update
patches.suse/watchdog-Fix-possible-use-after-free-in-wdt_startup.patch
(git-fixes bsc#1225030 CVE-2021-47324).
- Update
patches.suse/watchdog-sc520_wdt-Fix-possible-use-after-free-in-wd.patch
(git-fixes bsc#1225026 CVE-2021-47323).
- Update
patches.suse/wl1251-Fix-possible-buffer-overflow-in-wl1251_cmd_sc.patch
(git-fixes bsc#1225177 CVE-2021-47347).
- commit 8975a47
- powerpc/pseries/lparcfg: drop error message from guest name
lookup (bsc#1187716 ltc#193451 git-fixes).
- commit 62b0891
- blacklist.conf: PPC fsl_msi is not used
- commit bbad33b
- netfilter: nft_compat: explicitly reject ERROR and standard
target (git-fixes).
- commit 46fdab6
- netfilter: x_tables: set module owner for icmp(6) matches
(git-fixes).
- commit 8835e2a
- netfilter: nf_queue: augment nfqa_cfg_policy (git-fixes).
- commit d5734cd
- rds: avoid unnecessary cong_update in loop transport
(git-fixes).
- commit 758da4a
- cls_rsvp: check user supplied offsets (CVE-2023-42755
bsc#1215702).
- commit b722f7c
- l2tp: pass correct message length to ip6_append_data
(git-fixes).
- commit 5edafdb
- net: 9p: avoid freeing uninit memory in p9pdu_vreadf
(git-fixes).
- commit fdb6a12
- wifi: cfg80211: avoid leaking stack data into trace (git-fixes).
- commit 58724e2
- ipv4, ipv6: Fix handling of transhdrlen in
__ip{,6}_append_data() (git-fixes).
- commit 7f0cb3d
- rxrpc: Fix a memory leak in rxkad_verify_response() (git-fixes).
- commit 301026e
- wifi: radiotap: fix kernel-doc notation warnings (git-fixes).
- commit a96badd
- net: tcp: fix unexpected socket die when snd_wnd is 0
(git-fixes).
- commit 66b602a
- tcp: tcp_make_synack() can be called from process context
(git-fixes).
- commit 1171bb0
- net/smc: fix fallback failed while sendmsg with fastopen
(git-fixes).
- commit 85612f4
- nfc: change order inside nfc_se_io error path (git-fixes).
- commit 92d40f5
- ila: do not generate empty messages in
ila_xlat_nl_cmd_get_mapping() (git-fixes).
- commit bd4b08a
- rds: ib: Fix missing call to rds_ib_dev_put in rds_ib_setup_qp
(git-fixes).
- commit 30e8bf8
- rxrpc: Work around usercopy check (git-fixes).
- commit f1a8d7a
- rxrpc: Don't put crypto buffers on the stack (git-fixes).
- commit d4118f5
- rxrpc: Provide a different lockdep key for call->user_mutex
for kernel calls (git-fixes).
- commit 256d44f
- rxrpc: The mutex lock returned by rxrpc_accept_call() needs
releasing (git-fixes).
- commit 56d0a26
- net: atlantic: eliminate double free in error handling logic
(CVE-2023-52664 bsc#1224747).
- ipvlan: add ipvlan_route_v6_outbound() helper (CVE-2023-52796
bsc#1224930).
- net/mlx5e: Fix page reclaim for dead peer hairpin
(CVE-2021-47246 bsc#1224831).
- commit e8481e2
- ceph: blocklist the kclient when receiving corrupted snap trace
(bsc#1225222 CVE-2023-52732).
- commit afa0bf6
- btrfs: add missing mutex_unlock in btrfs_relocate_sys_chunks() (CVE-2024-35936 bsc#1224644)
- commit 7904756
- btrfs: handle chunk tree lookup error in btrfs_relocate_sys_chunks() (CVE-2024-35936 bsc#1224644)
- commit 64d6920
- ethernet: hisilicon: hns: hns_dsaf_misc: fix a possible array (bsc#1225506 CVE-2021-47548)
- commit e4002ca
- mmc: sdhci-msm: prevent access to suspended controller (bsc#1225708 CVE-2024-36029)
- commit 0915583
- llc: call sock_orphan() at release time
(CVE-2024-26625 bsc#1221086)
- commit 1715209
- blacklist.conf: not affected by CVE-2024-35984
- commit 19bc954
- virtio-net: Add validation for used length (CVE-2021-47352
bsc#1225124).
- commit 91c03a8
- calipso: fix memory leak in netlbl_calipso_add_pass()
(CVE-2023-52698 bsc#1224621)
- commit 008f52c
- blacklist.conf: Add c5b0a7eefc70 sched/fair: Remove sysctl_sched_migration_cost condition
- commit dbc3425
- ppdev: Add an error check in register_device (git-fixes).
- commit d524561
- drm/amdgpu: fix gart.bo pin_count leak (CVE-2021-47431 bsc#1225390).
- commit 1e38f4d
- btrfs: send: handle path ref underflow in header iterate_inode_ref() (CVE-2024-35935 bsc#1224645)
- commit 0b2d17e
- cifs: fix underflow in parse_server_interfaces() (bsc#1223084,
CVE-2024-26828).
- commit 7164147
- drm/nouveau/debugfs: fix file release memory leak (CVE-2021-47423 bsc#1225366).
- commit 5f7b5c9
- drm/radeon: fix a possible null pointer dereference (CVE-2022-48710 bsc#1225230).
- commit ee59a3e
- nvmem: Fix shift-out-of-bound (UBSAN) with byte size cells
(bsc#1225355 CVE-2021-47497).
- commit 30121bc
- drm/vc4: don't check if plane->state->fb == state->fb (CVE-2024-35932 bsc#1224650).
- commit 4fdcf5e
- iio: mma8452: Fix trigger reference counting (bsc#1225360
CVE-2021-47500).
- commit a0d87d5
- PCI/PM: Drain runtime-idle callbacks before driver removal
(CVE-2024-35809 bsc#1224738).
- commit 9f4d35b
- tty: Fix out-of-bound vmalloc access in imageblit
(CVE-2021-47383 bsc#1225208).
- commit a21c750
- ALSA: pcm: oss: Fix negative period/buffer sizes (CVE-2021-47511
bsc#1225411).
- commit 748d8c1
- ALSA: pcm: oss: Limit the period size to 16MB (CVE-2021-47509
bsc#1225409).
- commit 8f92260
- x86/mm/pat: fix VM_PAT handling in COW mappings (bsc#1224525
CVE-2024-35877).
- commit d228bf6
- batman-adv: Avoid infinite loop trying to resize local TT
(CVE-2024-35982 bsc#1224566)
- commit 4f15041
- ipv6: fix race condition between ipv6_get_ifaddr and ipv6_del_addr
(CVE-2024-35969 bsc#1224580)
- commit bcaf17a
- blacklist.conf: Add SPI fix commit to be ignored (CVE-2021-47469 bsc#1225347)
SLE12-SP5 has no devm spi controller allocation, hence it's superfluous
- commit 939a6a5
- kABI workaround for spi_controller (CVE-2021-47469 bsc#1225347).
- commit af00c9b
- spi: Fix deadlock when adding SPI controllers on SPI buses
(CVE-2021-47469 bsc#1225347).
- commit 575a8d4
- kvm: avoid speculation-based attacks from out-of-range memslot
accesses (bsc#1224960, CVE-2021-47277).
- commit 7198007
- KVM: SVM: Flush pages under kvm->lock to fix UAF in
svm_register_enc_region() (bsc#1224725, CVE-2024-35791).
- commit 818a70e
- ipack: ipoctal: fix stack information leak (CVE-2021-47401
bsc#1225242).
- commit 3e8997b
- drm/radeon: possible buffer overflow (CVE-2023-52867 bsc#1225009).
- commit 45094e6
- drm/panel: fix a possible null pointer dereference (CVE-2023-52821 bsc#1225022).
- commit 109e7f1
- RDMA: Verify port when creating flow rule (CVE-2021-47265 bsc#1224957)
- commit c0cbaec
- drm/amd/pm: Update intermediate power state for SI (CVE-2021-47362 bsc#1225153).
- commit 318c627
- mcb: fix error handling in mcb_alloc_bus() (CVE-2021-47361
bsc#1225151).
- commit 813b8ac
- platform/x86: wmi: Fix opening of char device (CVE-2023-52864
bsc#1225132).
- commit b207efb
- pinctrl: single: fix potential NULL dereference (CVE-2022-48708
bsc#1224942).
- commit feac349
- VMCI: Fix memcpy() run-time warning in dg_dispatch_as_host()
(CVE-2024-35944 bsc#1224648).
- commit a03c425
- net: ipv4: fix memory leak in ip_mc_add1_src
(CVE-2021-47238 bsc#1224847)
- commit 4ce368a
- mmc: sdio: fix possible resource leaks in some error paths
(CVE-2023-52730 bsc#1224956).
- commit 8629def
- atm: nicstar: Fix possible use-after-free in nicstar_cleanup()
(CVE-2021-47355 bsc#1225141).
- commit 111c5b1
- netfilter: synproxy: Fix out of bounds when parsing TCP options
(CVE-2021-47245 bsc#1224838)
- commit 3bf50df
- of: module: prevent NULL pointer dereference in vsnprintf()
(CVE-2024-35878 bsc#1224671).
- commit dcde1a4
- IB/hfi1: Restore allocated resources on failed copyout (CVE-2023-52747 bsc#1224931)
- commit 4ba08d9
- net: rds: fix memory leak in rds_recvmsg
(CVE-2021-47249 bsc#1224880)
- commit 79b2ee2
- sctp: break out if skb_header_pointer returns NULL in sctp_rcv_ootb
(CVE-2021-47397 bsc#1225082)
- commit 2340710
- net: ipv4: fix memory leak in netlbl_cipsov4_add_std
(CVE-2021-47250 bsc#1224827)
- commit ffd876f
- btrfs: fix information leak in btrfs_ioctl_logical_to_ino()
(CVE-2024-35849 bsc#1224733).
- commit 4e18545
- ring-buffer: Fix a race between readers and resize checks
(bsc#1222893).
- commit e55a48c
- ASoC: tracing: Export SND_SOC_DAPM_DIR_OUT to its value
(git-fixes).
- commit 56a4e35
- tracing: hide unused ftrace_event_id_fops (git-fixes).
- commit 6e3bbc9
- tracing: Fix blocked reader of snapshot buffer (git-fixes).
- commit 7cc9ae2
- ALSA: usb-audio: Stop parsing channels bits when all channels
are found (CVE-2024-27436 bsc#1224803).
- ALSA: seq: Fix race of snd_seq_timer_open() (CVE-2021-47281
bsc#1224983).
- commit 19aff08
- af_unix: annotate lockless accesses to unix_tot_inflight & gc_in_progress (bsc#1223384).
- commit 8ee0966
- blacklist.conf: add not-needed or too intrusive tracing fixes
- commit ab535d8
- kprobes: Fix possible use-after-free issue on kprobe
registration (git-fixes).
- commit fd63e27
- tracing: Use .flush() call to wake up readers (git-fixes).
- commit 4442cfe
- tracing: Use strncpy instead of memcpy when copying comm in
trace.c (git-fixes).
- commit 77a5fe6
- ring-buffer: Clean ring_buffer_poll_wait() error return
(git-fixes).
- commit dec7c48
- wifi: mac80211: check/clear fast rx for non-4addr sta VLAN
changes (CVE-2024-35789 bsc#1224749).
- media: tc358743: register v4l2 async device only after
successful setup (CVE-2024-35830 bsc#1224680).
- misc/libmasm/module: Fix two use after free in ibmasm_init_one
(CVE-2021-47334 bsc#1225112).
- atm: iphase: fix possible use-after-free in ia_module_exit()
(CVE-2021-47357 bsc#1225144).
- commit 4495db1
- clk: mediatek: clk-mt2701: Add check for mtk_alloc_clk_data
(CVE-2023-52875 bsc#1225096).
- commit eff8019
- clk: mediatek: clk-mt6797: Add check for mtk_alloc_clk_data
(CVE-2023-52865 bsc#1225086).
- commit c2dc4d3
- ax25: fix use-after-free bugs caused by ax25_ds_del_timer
(CVE-2024-35887 bzg#1224663)
- commit 2bbaa4c
- regmap: Fix possible double-free in regcache_rbtree_exit()
(CVE-2021-47483 bsc#1224907).
- commit 1f96a36
- s390/pci: fix max size calculation in zpci_memcpy_toio()
(git-fixes bsc#1225062).
- commit 1d5a845
- s390/zcrypt: fix reference counting on zcrypt card objects
(git-fixes CVE-2024-26957 bsc#1223666).
- commit 1a50d91
- KVM: s390: Check kvm pointer when testing KVM_CAP_S390_HPAGE_1M
(git-fixes bsc#1225059).
- commit b5429fa
- Refresh
patches.suse/USB-core-Fix-deadlock-in-usb_deauthorize_interface.patch.
- Update
patches.suse/bpf-sockmap-Prevent-lock-inversion-deadlock-in-map-d.patch
(bsc#1209657 CVE-2023-0160 CVE-2024-35895 bsc#1224511).
- Update
patches.suse/nfsd-Fix-error-cleanup-path-in-nfsd_rename.patch
(bsc#1221044 CVE-2023-52591 CVE-2024-35914 bsc#1224482).
- Update
patches.suse/wifi-brcmfmac-Fix-use-after-free-bug-in-brcmf_cfg802.patch
(CVE-2023-47233 bsc#1216702 CVE-2024-35811 bsc#1224592).
- commit 9a84305
- Update
patches.suse/powerpc-powernv-Add-a-null-pointer-check-in-opal_eve.patch
(bsc#1065729 CVE-2023-52686 bsc#1224682).
- Update
patches.suse/powerpc-powernv-Add-a-null-pointer-check-in-opal_pow.patch
(bsc#1181674 ltc#189159 git-fixes CVE-2023-52696 bsc#1224601).
- Update
patches.suse/pstore-ram_core-fix-possible-overflow-in-persistent_ram_init_ecc.patch
(git-fixes CVE-2023-52685 bsc#1224728).
- commit 0720a5d
- Update
patches.suse/NFS-Fix-a-potential-NULL-dereference-in-nfs_get_clie.patch
(git-fixes CVE-2021-47260 bsc#1224834).
- Update
patches.suse/PCI-aardvark-Fix-kernel-panic-during-PIO-transfer.patch
(git-fixes CVE-2021-47229 bsc#1224854).
- Update
patches.suse/batman-adv-Avoid-WARN_ON-timing-related-checks.patch
(git-fixes CVE-2021-47252 bsc#1224882).
- Update
patches.suse/can-mcba_usb-fix-memory-leak-in-mcba_usb.patch
(git-fixes CVE-2021-47231 bsc#1224849).
- Update
patches.suse/gfs2-Fix-use-after-free-in-gfs2_glock_shrink_scan.patch
(git-fixes CVE-2021-47254 bsc#1224888).
- Update
patches.suse/media-ngene-Fix-out-of-bounds-bug-in-ngene_command_c.patch
(git-fixes CVE-2021-47288 bsc#1224889).
- Update
patches.suse/memory-fsl_ifc-fix-leak-of-IO-mapping-on-probe-failu.patch
(git-fixes CVE-2021-47315 bsc#1224892).
- Update
patches.suse/memory-fsl_ifc-fix-leak-of-private-memory-on-probe-f.patch
(git-fixes CVE-2021-47314 bsc#1224893).
- Update patches.suse/net-cdc_eem-fix-tx-fixup-skb-leak.patch
(git-fixes CVE-2021-47236 bsc#1224841).
- Update
patches.suse/net-ethernet-fix-potential-use-after-free-in-ec_bhf_.patch
(git-fixes CVE-2021-47235 bsc#1224844).
- Update
patches.suse/net-hamradio-fix-memory-leak-in-mkiss_close.patch
(git-fixes CVE-2021-47237 bsc#1224830).
- Update
patches.suse/net-usb-fix-possible-use-after-free-in-smsc75xx_bind.patch
(bsc#1221994 CVE-2021-47171 CVE-2021-47239 bsc#1224846).
- Update
patches.suse/scsi-core-Fix-error-handling-of-scsi_host_alloc
(git-fixes CVE-2021-47258 bsc#1224899).
- Update
patches.suse/udp-fix-race-between-close-and-udp_abort.patch
(git-fixes CVE-2021-47248 bsc#1224867).
- Update
patches.suse/usb-dwc3-core-fix-kernel-panic-when-do-reboot.patch
(git-fixes CVE-2021-47220 bsc#1224859).
- commit 7295d7f
- Update
patches.suse/gfs2-Fix-use-after-free-in-gfs2_glock_shrink_scan.patch
(git-fixes CVE-2021-47254).
- commit 38ebdb5
- blacklist.conf: pure cleanup
- commit 5f0720c
- blacklist.conf: we select the CONFIG whose absence triggers this in all
configs
- commit 2c2df2e
- assoc_array: Fix BUG_ON during garbage collect.
- commit 56fe1ad
- list: fix a data-race around ep->rdllist (git-fixes).
- commit f2db318
- lib/mpi: use kcalloc in mpi_resize (git-fixes).
- commit c463c57
- net: usb: ax88179_178a: stop lying about skb->truesize
(git-fixes).
- commit c4bb7b5
- drm/amd/pm: fix a double-free in si_dpm_init (CVE-2023-52691 bsc#1224607).
- commit 7a87ede
- Fix backport of : NFS: Fix error handling for O_DIRECT write
scheduling (bsc#1224785).
- commit e968faa
- blacklist.conf: Add a1fd0b9d751f sched/fair: Allow disabling sched_balance_newidle with sched_relax_domain_level
- commit 3567984
- rpm/kernel-obs-build.spec.in: remove reiserfs from OBS initrd
We disabled the FS in bug 1202309. And we actively blacklist it in:
/usr/lib/modprobe.d/60-blacklist_fs-reiserfs.conf
This, as a side-effect, fixes obs-build's warning:
dracut-pre-udev[1463]: sh: line 1: /usr/lib/module-init-tools/unblacklist: No such file or directory
Exactly due to the above 60-blacklist_fs-reiserfs.conf trying to call the
above unblacklist.
We should likely drop ext2+ext3 from the list too, as we don't build
them at all. But that's a different story.
- commit 9e1a078
- Bluetooth: Fix use-after-free bugs caused by sco_sock_timeout
(bsc#1224174 CVE-2024-27398).
- commit 231873b
- af_unix: Fix garbage collector racing against connect()
(CVE-2024-26923 bsc#1223384).
- af_unix: Replace BUG_ON() with WARN_ON_ONCE() (bsc#1223384).
- af_unix: Do not use atomic ops for unix_sk(sk)->inflight (bsc#1223384).
- commit d9e2f79
- blacklist.conf: btrfs: config fix for 256k pages
- commit a9a21e4
- btrfs: validate qgroup inherit for SNAP_CREATE_V2 ioctl (git-fixes)
- commit db54449
- btrfs: tree-checker: do not error out if extent ref hash doesn't match (git-fixes)
- commit 874e705
- btrfs: send: ensure send_fd is writable (git-fixes)
- commit 7e0fb05
- btrfs: send: limit number of clones and allocated memory size (git-fixes)
- commit fa2504c
- btrfs: fail mount when sb flag is not in BTRFS_SUPER_FLAG_SUPP (git-fixes)
- commit 7f9b413
- blacklist.conf: btrfs: metadata dump v2 definition only
e2731e55884f2138a252b0a3d7b24d57e49c3c59
- commit b680815
- btrfs: Fix out of bounds access in btrfs_search_slot (git-fixes)
- commit 6b6da17
- btrfs: fix deadlock when writing out space cache (git-fixes)
- commit cdd0586
- btrfs: Explicitly handle btrfs_update_root failure (git-fixes)
- commit ac502aa
- btrfs: undo writable superblocke when sprouting fails (git-fixes)
- commit 9fbf261
- btrfs: avoid null pointer dereference on fs_info when calling btrfs_crit (git-fixes)
- commit daf7dc2
- drm/msm/dpu: Add mutex lock in control vblank irq (CVE-2023-52586 bsc#1221081).
- commit 474c511
- btrfs: prevent to set invalid default subvolid (git-fixes)
- commit c399d80
- Btrfs: fix incorrect {node,sector}size endianness from BTRFS_IOC_FS_INFO (git-fixes)
- commit b016cd3
- Refresh patches.suse/nfs-fix-UAF-in-direct-writes.patch.
Fixup the build warning:
Changed build warnings:
* **** 1 warnings *****
* passing argument 1 of 'nfs_commit_end' from incompatible pointer type [enabled by default] (nfs_commit_end) in ../fs/nfs/direct.c in nfs_direct_commit_complete
../fs/nfs/direct.c: In function 'nfs_direct_commit_complete':
../fs/nfs/direct.c:668:2: warning: passing argument 1 of 'nfs_commit_end' from incompatible pointer type [enabled by default]
- commit 10952b2
- Update
patches.suse/USB-core-Fix-deadlock-in-usb_deauthorize_interface.patch
(git-fixes CVE-2024-26934 bsc#1223671).
- commit cc5c596
- s390/cpum_cf: make crypto counters upward compatible across
machine types (bsc#1224347).
- commit 8af04c2
- scsi: mpt3sas: Fix loop logic (git-fixes).
- scsi: snic: Fix double free in snic_tgt_create() (git-fixes).
- commit d29fa2d
- ecryptfs: fix kernel panic with null dev_name (git-fixes)
- commit 4ecd122
- ecryptfs: Fix typo in message (git-fixes)
- commit b1331d9
- ep_create_wakeup_source(): dentry name can change under you (git-fixes)
- commit e90f9bb
- ecryptfs: fix a memory leak bug in ecryptfs_init_messaging() (git-fixes)
- commit 7163ecf
- ecryptfs: fix a memory leak bug in parse_tag_1_packet() (git-fixes)
- commit d3aeb95
- exportfs_decode_fh(): negative pinned may become positive without the parent locked (git-fixes)
- commit 681e816
- autofs: fix a leak in autofs_expire_indirect() (git-fixes)
- commit 2e9a485
- fs/proc/proc_sysctl.c: fix the default values of i_uid/i_gid on /proc/sys inodes (git-fixes)
- commit 73af5d9
- blacklist.conf: fs: fget/fput optimization
Commit looks safe but is not a fix but rather an optimization.
- commit 2263087
- fscrypt: clean up some BUG_ON()s in block encryption/decryption (git-fixes)
- commit 2945a7c
- blacklist.conf: fscrypt: depends on no-key format update
Fix depends on functionality added by edc440e3d27fb3 ("fscrypt: improve
format of no-key names")
- commit 871959c
- nouveau: lock the client object tree. (bsc#1223834 CVE-2024-27062)
- commit c775ad3
- blacklist.conf: orangefs not supported
- commit f732788
- nouveau: fix instmem race condition around ptr stores (bsc#1223633 CVE-2024-26984)
- commit 9350c2a
- Refresh
patches.suse/x86-boot-Ignore-relocations-in-.notes-sections-in-walk_rel.patch.
- commit 1389ef9
- net: usb: smsc95xx: stop lying about skb->truesize (git-fixes).
- commit 3b70647
- net: usb: sr9700: stop lying about skb->truesize (git-fixes).
- commit d83f5a1
- usb: aqc111: stop lying about skb->truesize (git-fixes).
- commit 0a7bdae
- Fix use-before-set in hand-coded part of patch
Refresh:
- patches.suse/scsi-iscsi_tcp-restrict-to-TCP-sockets.patch.
- commit 757fd5b
- Fix build warning about now-unused function
Refresh:
- patches.suse/scsi-libsas-Fix-disk-not-being-scanned-in-after-being-removed.patch
- commit bbcdd67
- Refresh
patches.suse/media-flexcop-usb-fix-NULL-ptr-deref-in-flexcop_usb_.patch.
Fix the Patch-mainline tag.
- commit 3169adb
- Bluetooth: btusb: Some Qualcomm Bluetooth adapters stop working
(git-fixes).
- commit 23ff40d
- usb: gadget: f_fs: Clear ffs_eventfd in ffs_data_clear
(bsc#1220487 CVE-2021-46933).
- commit 33d6865
- blacklist.conf: Add 9474c62ab65f net/sched: Add module alias for sch_fq_pie
- commit b755821
- net: gtp: Fix Use-After-Free in gtp_dellink (bsc#1224096
CVE-2024-27396).
- commit a81f04c
- blacklist.conf: add commits for some git-fixes to be skipped
- commit c8e9217
- scsi: qla2xxx: Fix off by one in qla_edif_app_getstats()
(git-fixes).
- scsi: lpfc: Correct size for wqe for memset() (git-fixes).
- scsi: libsas: Fix disk not being scanned in after being removed
(git-fixes).
- scsi: libsas: Add a helper sas_get_sas_addr_and_dev_type()
(git-fixes).
- scsi: bfa: Fix function pointer type mismatch for hcb_qe->cbfn
(git-fixes).
- scsi: csiostor: Avoid function pointer casts (git-fixes).
- scsi: isci: Fix an error code problem in isci_io_request_build()
(git-fixes).
- scsi: bnx2fc: Fix skb double free in bnx2fc_rcv() (git-fixes).
- scsi: be2iscsi: Fix a memleak in beiscsi_init_wrb_handle()
(git-fixes).
- scsi: megaraid_sas: Increase register read retry rount from
3 to 30 for selected registers (git-fixes).
- scsi: libfc: Fix potential NULL pointer dereference in
fc_lport_ptp_setup() (git-fixes).
- scsi: mpt3sas: Fix in error path (git-fixes).
- scsi: iscsi_tcp: restrict to TCP sockets (git-fixes).
- scsi: lpfc: Fix the NULL vs IS_ERR() bug for
debugfs_create_file() (git-fixes).
- scsi: mpt3sas: Perform additional retries if doorbell read
returns 0 (git-fixes).
- scsi: qedf: Do not touch __user pointer in
qedf_dbg_fp_int_cmd_read() directly (git-fixes).
- scsi: qedf: Do not touch __user pointer in
qedf_dbg_debug_cmd_read() directly (git-fixes).
- scsi: qedf: Do not touch __user pointer in
qedf_dbg_stop_io_on_error_cmd_read() directly (git-fixes).
- scsi: qla4xxx: Add length check when parsing nlattrs
(git-fixes).
- scsi: be2iscsi: Add length check when parsing nlattrs
(git-fixes).
- scsi: iscsi: Add strlen() check in iscsi_if_set{_host}_param()
(git-fixes).
- scsi: iscsi: Add length check for nlattr payload (git-fixes).
- scsi: qedf: Fix firmware halt over suspend and resume
(git-fixes).
- scsi: qedi: Fix firmware halt over suspend and resume
(git-fixes).
- scsi: qedi: Fix potential deadlock on &qedi_percpu->p_work_lock
(git-fixes).
- scsi: snic: Fix possible memory leak if device_add() fails
(git-fixes).
- scsi: core: Fix possible memory leak if device_add() fails
(git-fixes).
- scsi: core: Fix legacy /proc parsing buffer overflow
(git-fixes).
- scsi: 53c700: Check that command slot is not NULL (git-fixes).
- scsi: 3w-xxxx: Add error handling for initialization failure
in tw_probe() (git-fixes).
- scsi: lpfc: Fix double free in lpfc_cmpl_els_logo_acc() caused
by lpfc_nlp_not_used() (git-fixes).
- scsi: qedf: Fix NULL dereference in error handling (git-fixes).
- scsi: stex: Fix gcc 13 warnings (git-fixes).
- scsi: core: Decrease scsi_device's iorequest_cnt if dispatch
failed (git-fixes).
- commit 43436ef
- Update
patches.suse/net-usb-fix-possible-use-after-free-in-smsc75xx_bind.patch
(bsc#1221994 CVE-2021-47171).
Added bugzilla ID and CVE
The initial fix was present, but it later turned out to be wrong
and the correct fix lacked the references.
- commit cf80be9
- usb: aqc111: check packet for fixup for true limit (bsc#1217169
CVE-2023-52655).
- commit 9dd6dfa
- btrfs: sysfs: use NOFS for device creation (git-fixes)
Adjustment: add #include
- commit f20ad81
- btrfs: send: in case of IO error log it (git-fixes)
- commit 840f907
- btrfs: fix lost error handling when looking up extended ref on log replay (git-fixes)
- commit 20591f1
- btrfs: check if root is readonly while setting security xattr (git-fixes)
- commit 01674b5
- btrfs: limit device extents to the device size (git-fixes)
- commit 0ba992a
- btrfs: fix btrfs_prev_leaf() to not return the same key twice (git-fixes)
- commit 2834caf
- btrfs: fix range_end calculation in extent_write_locked_range (git-fixes)
- commit e723a0b
- btrfs: scrub: reject unsupported scrub flags (git-fixes)
- commit c5866de
- btrfs: fix race when deleting quota root from the dirty cow roots list (git-fixes)
- commit 1e8a661
- btrfs: fix lockdep splat and potential deadlock after failure running delayed items (git-fixes)
- commit 20fccdb
- btrfs: record delayed inode root in transaction (git-fixes)
- commit 7a64f13
- btrfs: tree-checker: fix inline ref size in error messages (git-fixes)
- commit 7031a61
- btrfs: don't stop integrity writeback too early (git-fixes)
- commit 9304b5f
- md: fix kmemleak of rdev->serial (CVE-2024-26900, bsc#1223046).
- commit 0488367
- firewire: nosy: ensure user_length is taken into account when
fetching packet contents (CVE-2024-27401 bsc#1224181).
- commit f890e6b
- aoe: avoid potential deadlock at set_capacity (CVE-2024-26775,
bsc#1222627).
- commit 72683cd
- Update
patches.suse/scsi-ufs-core-Improve-SCSI-abort-handling.patch
(bsc#1222671, CVE-2021-47188).
- commit df1a16c
- blacklist.conf: pure cleanup
- commit b459965
- blacklist.conf: irrelevant in our configs
- commit 91ec532
- blacklist.conf: pure cleanup
- commit 4da5c7c
- blacklist.conf: pure cleanup
- commit c4855e9
- blacklist.conf: pure cleanup
- commit 00ca6d9
- blacklist.conf: pure cleanup
- commit a6aa054
- blacklist.conf: pure cleanup
- commit 27ba46a
- nfs: fix UAF in direct writes (bsc#1223653 CVE-2024-26958).
- commit 5347d82
- scsi: libsas: Introduce struct smp_disc_resp (git-fixes).
- commit 5fefdbb
- drm/radeon: add a force flush to delay work when radeon (bsc#1223932 CVE-2022-48704)
- commit 05d207f
- blacklist.conf: Append 'drm/amd/display: Fix MST Null Ptr for RV'
- commit aab0541
- btrfs: don't get an EINTR during drop_snapshot for reloc (git-fixes)
- commit 2f0ddbd
- btrfs: tree-checker: add missing returns after data_ref alignment checks (git-fixes)
- commit 465da04
- btrfs: tree-checker: add missing return after error in root_item (git-fixes)
- commit 2c66867
- btrfs: fix return value mixup in btrfs_get_extent (git-fixes)
- commit c7aefc2
- btrfs: tree-checker: Fix misleading group system information (git-fixes)
- Refresh patches.suse/0014-btrfs-tree-checker-get-fs_info-from-eb-in-block_grou.patch.
- commit 4c1912f
- btrfs: defrag: use btrfs_mod_outstanding_extents in cluster_pages_for_defrag (git-fixes)
- commit 6b856de
- btrfs: fix unaligned access in readdir (git-fixes)
- Refresh patches.suse/btrfs-support-swap-files.patch.
Diff context only.
- commit 0df1b83
- btrfs: Fix NULL pointer exception in find_bio_stripe (git-fixes)
- commit 99eebfb
- net: vmxnet3: Fix NULL pointer dereference in
vmxnet3_rq_rx_complete() (bsc#1223360).
- commit 829bff3
- usb: host: ohci-tmio: check return value after calling
platform_get_resource() (bsc#1222894 CVE-2021-47206).
- blacklist.conf: blacklist entry was a mistake caused by the driver
being dropped upstream, but only after SLE12
- commit 740a25a
- drm/amdgpu: Reset IH OVERFLOW_CLEAR bit (bsc#1223207 CVE-2024-26915)
- commit f1d8ff2
- Update
patches.suse/USB-usb-storage-Prevent-divide-by-0-error-in-isd200_.patch
(bsc#1223738 CVE-2024-27059).
Added CVE and bugzilla ids
- commit 6bf9f21
- usb: gadget: f_ncm: Fix UAF ncm object at re-bind after usb
ep transport error (bsc#1223752 CVE-2024-26996).
- commit f8904de
- drm/mediatek: Fix a null pointer crash in (CVE-2024-26874 bsc#1223048)
- commit e57c0ce
- ALSA: emu10k1: Fix out of bounds access in
snd_emu10k1_pcm_channel_alloc() (bsc#1223923 CVE-2022-48702).
- commit af9ea5f
- of: fdt: fix off-by-one error in unflatten_dt_nodes()
(CVE-2022-48672 bsc#1223931).
- commit 032891a
- inet: read sk->sk_family once in inet_recv_error() (bsc#1222385
CVE-2024-26679).
- commit 5c9ee90
- btrfs: abort in rename_exchange if we fail to insert the second ref (CVE-2021-47113 bsc#1221543)
- Refresh patches.suse/btrfs-prevent-rename2-from-exchanging-a-subvol-with-a-directory-from-different-parents.patch.
- commit 6cc4490
- btrfs: dev-replace: properly validate device names (CVE-2024-26791 bsc#1222793)
- commit cc0f00b
- Update
patches.suse/net-sched-act_mirred-don-t-override-retval-if-we-alr.patch
references (CVE-2024-26739 bsc#1222559, drop incorrect references).
- commit ea93ecf
- net/tls: Remove the context from the list in tls_device_down
(bsc#1221545).
- commit 58c1b25
- tls: Fix context leak on tls_device_down (bsc#1221545).
- commit 389808e
- blacklist.conf: add 94ce3b64c62d
Blacklist commit 94ce3b64c62d ("net/tls: Use RCU API to access
tls_ctx->netdev"). This is a follow-up to c55dcdd435aa which addresses an
issue which is rather theoretical and the backport would be quite
intrusive.
- commit 8ca558a
- ALSA: usb-audio: Fix an out-of-bounds bug in
__snd_usb_parse_audio_interface() (CVE-2022-48701 bsc#1223921).
- commit 6f798e9
- kabi: hide new member of struct tls_context (CVE-2021-47131
bsc#1221545).
- net/tls: Fix use-after-free after the TLS device goes down
and up (CVE-2021-47131 bsc#1221545).
- commit 8c186be
- Update
patches.suse/SUNRPC-fix-some-memleaks-in-gssx_dec_option_array.patch
(git-fixes CVE-2024-27388 bsc#1223744).
- Update
patches.suse/s390-Once-the-discipline-is-associated-with-the-device-de.patch
(bsc#1141539 git-fixes CVE-2024-27054 bsc#1223819).
- Update
patches.suse/scsi-qla2xxx-Fix-command-flush-on-cable-pull.patch
(bsc1221816 CVE-2024-26931 bsc#1223627).
- Update patches.suse/scsi-qla2xxx-Fix-double-free-of-fcport.patch
(bsc1221816 CVE-2024-26929 bsc#1223715).
- Update
patches.suse/scsi-qla2xxx-Fix-double-free-of-the-ha-vp_map-pointe.patch
(bsc1221816 CVE-2024-26930 bsc#1223626).
- commit daf9a87
- Update
patches.suse/SUNRPC-fix-a-memleak-in-gss_import_v2_context.patch
(git-fixes CVE-2023-52653 bsc#1223712).
- Update patches.suse/aio-fix-mremap-after-fork-null-deref.patch
(git-fixes CVE-2023-52646 bsc#1223432).
- commit 793a07e
- Update
patches.suse/i40e-Fix-kernel-crash-during-module-removal.patch
(git-fixes CVE-2022-48688 bsc#1223953).
- Update
patches.suse/ipv6-sr-fix-out-of-bounds-read-when-setting-HMAC-dat.patch
(bsc#1211592 CVE-2023-2860 CVE-2022-48687 bsc#1223952).
- Update
patches.suse/s390-dasd-fix-Oops-in-dasd_alias_get_start_dev-due-to-missing-pavgroup
(git-fixes CVE-2022-48636 bsc#1223512).
- Update
patches.suse/scsi-mpt3sas-Fix-use-after-free-warning.patch
(git-fixes CVE-2022-48695 bsc#1223941).
- Update
patches.suse/scsi-qla2xxx-Fix-memory-leak-in-__qlt_24xx_handle_ab.patch
(bsc#1203935 CVE-2022-48650 bsc#1223509).
- commit cc68904
- Update
patches.suse/net-dsa-fix-a-crash-if-get_sset_count-fails.patch
(CVE-2021-47146 bsc#1221979 CVE-2021-47159 bsc#1221967).
- Update
patches.suse/scsi-ufs-core-Improve-SCSI-abort-handling.patch
(bsc#11222671 CVE-2021-47188 bsc#1222671).
- commit 5a613f4
- Fix references of
patches.suse/net-dsa-fix-a-crash-if-get_sset_count-fails.patch
This fix actually refers to different CVE and bug report. Fix the error.
- commit b797fc2
- openvswitch: fix stack OOB read while fragmenting IPv4 packets
(CVE-2021-46955 bsc#1220513).
- commit 1116e19
- sctp: fix potential deadlock on &net->sctp.addr_wq_lock
(CVE-2024-0639 bsc#1218917).
- commit de19ab3
- Update
patches.suse/SUNRPC-fix-some-memleaks-in-gssx_dec_option_array.patch
(git-fixes CVE-2024-27388 bsc#1223744).
- Update
patches.suse/s390-Once-the-discipline-is-associated-with-the-device-de.patch
(bsc#1141539 git-fixes CVE-2024-27054 bsc#1223819).
- Update
patches.suse/scsi-qla2xxx-Fix-command-flush-on-cable-pull.patch
(bsc1221816 CVE-2024-26931 bsc#1223627).
- Update patches.suse/scsi-qla2xxx-Fix-double-free-of-fcport.patch
(bsc1221816 CVE-2024-26929 bsc#1223715).
- Update
patches.suse/scsi-qla2xxx-Fix-double-free-of-the-ha-vp_map-pointe.patch
(bsc1221816 CVE-2024-26930 bsc#1223626).
- commit d54495e
- Update
patches.suse/SUNRPC-fix-a-memleak-in-gss_import_v2_context.patch
(git-fixes CVE-2023-52653 bsc#1223712).
- Update patches.suse/aio-fix-mremap-after-fork-null-deref.patch
(git-fixes CVE-2023-52646 bsc#1223432).
- commit 6164312
- Update
patches.suse/s390-dasd-fix-Oops-in-dasd_alias_get_start_dev-due-to-missing-pavgroup
(git-fixes CVE-2022-48636 bsc#1223512).
- Update
patches.suse/scsi-qla2xxx-Fix-memory-leak-in-__qlt_24xx_handle_ab.patch
(bsc#1203935 CVE-2022-48650 bsc#1223509).
- commit b81c322
- drm/tegra: dsi: Add missing check for of_find_device_by_node (CVE-2023-52650 bsc#1223770)
- commit 52453b3
- livepatch: Fix missing newline character in
klp_resolve_symbols() (bsc#1223539).
- commit a04a835
- printk: Update @console_may_schedule in
console_trylock_spinning() (bsc#1223969).
- commit 2217d14
- fs: sysfs: Fix reference leak in sysfs_break_active_protection() (CVE-2024-26993 bsc#1223693)
- commit d5b445d
- drm: nv04: Fix out of bounds access (CVE-2024-27008 bsc#1223802).
- commit d2971e3
- usb: dwc2: Fix memory leak in dwc2_hcd_init.
- commit b68c644
- printk: Disable passing console lock owner completely during
panic() (bsc#1197894).
- commit 7493ac1
- Input: ipaq-micro-keys - add error handling for devm_kmemdup.
- commit 8755dbb
- Input: xpad - add PXN V900 support.
- commit fbd5f3f
- Input: adxl34x - do not hardcode interrupt trigger type
(git-fixes).
- commit 926a03d
- blacklist.conf: cleanup suppressing a warning
- commit 922f659
- Input: drv260x - sleep between polling GO bit (git-fixes).
- commit e9e8d04
- blacklist.conf: cleanup, not a fix, no code change
- commit 9cb5758
- blacklist.conf: driver not compiled
- commit a3fa3df
- blacklist.conf: driver not compiled
- commit 9dfacec
- blacklist.conf: driver not compiled
- commit 1aef6fe
- drm/amd/display: Add a dc_state NULL check in dc_state_release (CVE-2024-26948 bsc#1223664)
- commit 04ae1fa
- blacklist.conf: this patch enables features only
- commit b3e7c52
- blacklist.conf: false positive
- commit 88b62ef
- USB: core: Fix deadlock in usb_deauthorize_interface().
- commit ab56ab9
- USB: usb-storage: Prevent divide-by-0 error in
isd200_ata_command (git-fixes).
- commit f114b54
- usb: roles: don't get/set_role() when usb_role_switch is
unregistered.
- commit d121124
- usb: mon: Fix atomicity violation in mon_bin_vma_fault
(git-fixes).
- commit 0605a2c
- blacklist.conf: not enabled
- commit 7aaa582
- blacklist.conf: kABI
- commit d241153
- drivers: usb: host: Fix deadlock in oxu_bus_suspend()
(git-fixes).
- commit 4bfa035
- blacklist.conf: add two fuse commits from git-fixes
- commit 57c7ed8
- fuse: don't unhash root (bsc#1223954).
- commit 4838661
- tun: limit printing rate when illegal packet received by tun
dev (bsc#1223745 CVE-2024-27013).
- net/mlx5e: Prevent deadlock while disabling aRFS (bsc#1223735
CVE-2024-27014).
- nfp: flower: handle acti_netdevs allocation failure (bsc#1223827
CVE-2024-27046).
- commit bb18705
- tipc: fix a possible memleak in tipc_buf_append (bsc#1221977
CVE-2021-47162).
- commit 503e448
- media: usbtv: Remove useless locks in usbtv_video_free()
(CVE-2024-27072 bsc#1223837).
- commit 784e536
- media: dvb-frontends: avoid stack overflow warnings with clang
(CVE-2024-27075 bsc#1223842).
- commit 134dc5e
- media: ttpci: fix two memleaks in budget_av_attach
(CVE-2024-27073 bsc#1223843).
- commit 13b28d2
- media: go7007: fix a memleak in go7007_load_encoder
(CVE-2024-27074 bsc#1223844).
- commit 54185dc
- media: edia: dvbdev: fix a use-after-free (CVE-2024-27043
bsc#1223824).
- commit 2732be2
- s390/mm: Fix storage key clearing for guest huge pages
(git-fixes bsc#1223885).
- commit cd536ee
- s390/mm: Fix clearing storage keys for huge pages (git-fixes
bsc#1223883).
- commit a8f7fd9
- media: v4l2-tpg: fix some memleaks in tpg_alloc (CVE-2024-27078
bsc#1223781).
- commit 9ec09ea
- tty/sysrq: replace smp_processor_id() with get_cpu()
(bsc#1223540).
- commit f6b8019
- NTB: fix possible name leak in ntb_register_device()
(CVE-2023-52652 bsc#1223686).
- commit ca5484d
- scsi: ufs: core: Improve SCSI abort handling (bsc#11222671,
CVE-2021-47188).
- blacklist.conf: remove 3ff1f6b
- commit 9ba0cd1
- drm/bridge: adv7511: fix crash on irq during probe (CVE-2024-26876 bsc#1223119).
- commit be1e389
- kABI workaround for cec_adapter (CVE-2024-23848 bsc#1219104).
- media: cec: core: avoid recursive cec_claim_log_addrs
(CVE-2024-23848 bsc#1219104).
- media: cec: core: avoid confusing "transmit timed out" message
(CVE-2024-23848 bsc#1219104).
- media: cec: cec-api: add locking in cec_release()
(CVE-2024-23848 bsc#1219104).
- media: cec: cec-adap: always cancel work in cec_transmit_msg_fh
(CVE-2024-23848 bsc#1219104).
- commit 6debb18
- media: cec: abort if the current transmit was canceled
(CVE-2024-23848 bsc#1219104).
- commit 331f0d4
- cachefiles: fix memory leak in cachefiles_add_cache()
(bsc#1222976 CVE-2024-26840).
- commit 7ab2bde
- net/bnx2x: Prevent access to a freed page in page_pool
(bsc#1223049 CVE-2024-26859).
- commit d2c8d25
- spi: spi-fsl-dspi: Fix a resource leak in an error handling path
(CVE-2021-47161 bsc#1221966).
- commit 86c2723
- amdkfd: use calloc instead of kzalloc to avoid integer overflow (CVE-2024-26817 bsc#1222812)
- commit e67f0f8
- blacklist.conf: Append 'drm/amdgpu: fix use-after-free bug'
- commit f438d4d
- Update
patches.suse/smb3-fix-temporary-data-corruption-in-insert-range.patch
(bsc#1190317 CVE-2022-48667 bsc#1223518).
- commit 91d9162
- Update
patches.suse/smb3-fix-temporary-data-corruption-in-collapse-range.patch
(bsc#1190317 CVE-2022-48668 bsc#1223516).
- commit 10d5c12
- net: fujitsu: fix potential null-ptr-deref (bsc#1221972
CVE-2021-47149).
- commit 9abeb19
- tipc: skb_linearize the head skb when reassembling msgs
(bsc#1221977 CVE-2021-47162).
- commit ba440f6
- net: dsa: fix a crash if ->get_sset_count() fails
(CVE-2021-47146 bsc#1221979).
- commit 599796c
- mld: fix panic in mld_newpack() (CVE-2021-47146 bsc#1221979).
- commit e3d5602
- netfilter: nf_tables: disallow timeout for anonymous sets
(CVE-2023-52620 bsc#1221825).
- commit f690b72
- net/ipv6: avoid possible UAF in ip6_route_mpath_notify()
(CVE-2024-26852 bsc#1223057)
- commit 598df4c
- Update
patches.suse/s390-Once-the-discipline-is-associated-with-the-device-de.patch
(bsc#1141539 git-fixes).
- commit b8b94c0
- quota: Fix potential NULL pointer dereference (bsc#1223060
CVE-2024-26878).
- commit 983d363
- do_sys_name_to_handle(): use kzalloc() to fix kernel-infoleak
(bsc#1223198 CVE-2024-26901).
- commit 2f53016
- blk-mq: fix IO hang from sbitmap wakeup race (bsc#1222357
CVE-2024-26671).
- commit ecdc50b
- ext4: avoid allocating blocks from corrupted group in
ext4_mb_find_by_goal() (bsc#1222613 CVE-2024-26772).
- commit 3d3003a
- PM / devfreq: Fix buffer overflow in trans_stat_show
(CVE-2023-52614 bsc#1221617).
- commit ad2729f
- net: ice: Fix potential NULL pointer dereference in
ice_bridge_setlink() (bsc#1223051 CVE-2024-26855).
- geneve: make sure to pull inner header in geneve_rx()
(bsc#1223058 CVE-2024-26857).
- ppp_async: limit MRU to 64K (bsc#1222379 CVE-2024-26675).
- ipvlan: Fix out-of-bound bugs caused by unset skb->mac_header
(bsc#1223513 CVE-2022-48651).
- commit bc8fe89
- RDMA/mlx5: Fix fortify source warning while accessing Eth segment (bsc#1223203 CVE-2024-26907)
- commit 1c532b6
- regmap: prevent noinc writes from clobbering cache (bsc#1221162
CVE-2023-52488).
- regmap: fix page selection for noinc writes (bsc#1221162
CVE-2023-52488).
- regmap: fix page selection for noinc reads (bsc#1221162
CVE-2023-52488).
- commit dc5bde0
- blacklist.conf: false positive
- commit 17b05a2
- usb: dwc2: check return value after calling
platform_get_resource() (git-fixes).
- commit 831627d
- usb: dwc3: gadget: Ignore EP queue requests during bus reset
(git-fixes).
- commit 270950d
- drm/amdgpu: validate the parameters of bo mapping operations more (CVE-2024-26922 bsc#1223315)
- commit 1a7d0fd
- ipvs: Fix checksumming on GSO of SCTP packets (bsc#1221958)
- commit 5e792b9
- i40e: Fix NULL ptr dereference on VSI filter sync (bsc#1222666
CVE-2021-47184).
- commit 1ad3e1d
- usb: gadget: Fix issue with config_ep_by_speed function
(git-fixes).
- commit e3f4200
- x86/boot: Ignore relocations in .notes sections in walk_relocs() too (bsc#1222624 CVE-2024-26816).
- commit b878a00
- x86, relocs: Ignore relocations in .notes section (bsc#1222624 CVE-2024-26816).
- commit d091560
- blacklist.conf: Add 246f80a0b17f8 ("sh: push-switch: Reorder cleanup operations to avoid use-after-free bug")
- commit 8e38656
- PM / devfreq: Synchronize devfreq_monitor_[start/stop]
(CVE-2023-52635 bsc#1222294).
- commit faf3604
- Update
patches.suse/Bluetooth-rfcomm-Fix-null-ptr-deref-in-rfcomm_check_-2535b848.patch
(bsc#1219170 CVE-2024-22099 CVE-2024-26903 bsc#1223187).
- Update
patches.suse/aoe-fix-the-potential-use-after-free-problem-in-aoec.patch
(bsc#1218562 CVE-2023-6270 CVE-2024-26898 bsc#1223016).
- Update
patches.suse/net-sched-act_mirred-don-t-override-retval-if-we-alr.patch
(CVE-2024-26733 bsc#1222585 CVE-2024-26739 bsc#1222559).
- Update
patches.suse/sr9800-Add-check-for-usbnet_get_endpoints.patch
(git-fixes CVE-2024-26651 bsc#1221337).
- commit f0c3935
- Update
patches.suse/msft-hv-2480-x86-hyperv-Fix-NULL-deref-in-set_hv_tscchange_cb-if-.patch
(git-fixes CVE-2021-47217 bsc#1222836).
- Update
patches.suse/net-dpaa2-eth-fix-use-after-free-in-dpaa2_eth_remove.patch
(git-fixes CVE-2021-47204 bsc#1222787).
- Update patches.suse/scsi-advansys-Fix-kernel-pointer-leak.patch
(git-fixes CVE-2021-47216 bsc#1222876).
- Update
patches.suse/scsi-lpfc-Fix-use-after-free-in-lpfc_unreg_rpi-routi.patch
(bsc#1192145 CVE-2021-47198 bsc#1222883).
- commit 1aa3f8e
- bpf: Fix stackmap overflow check on 32-bit arches (bsc#1223035
CVE-2024-26883).
- bpf: Fix hashtab overflow check on 32-bit arches (bsc#1223189
CVE-2024-26884).
- bpf: Check for integer overflow when using roundup_pow_of_two()
(bsc#1223035 CVE-2024-26883).
- commit 4249641
- IB/hfi1: Fix a memleak in init_credit_return (CVE-2024-26839 bsc#1222975)
- commit 1b9aeec
- Refresh
patches.suse/NFS-add-atomic_open-for-NFSv3-to-handle-O_TRUNC-corr.patch.
Handle too-long file names.
- commit d3b61d6
- wifi: b43: Stop/wake correct queue in DMA Tx path when QoS is
disabled (CVE-2023-52644 bsc#1222961).
- commit 411fc96
- clk: sunxi-ng: Unregister clocks/resets when unbinding
(CVE-2021-47205 bsc#1222888).
- commit 67523b6
- ALSA: usb-audio: fix null pointer dereference on pointer cs_desc
(CVE-2021-47211 bsc#1222869).
- commit a86f817
- Update
patches.suse/scsi-lpfc-Fix-list_add-corruption-in-lpfc_drain_txq.patch
(bsc#1190576 CVE-2021-47203 bsc#1222881).
- commit 2cb2a3c
- ALSA: gus: fix null pointer dereference on pointer block
(CVE-2021-47207 bsc#1222790).
- commit 2c3256c
- wifi: mac80211: fix race condition on enabling fast-xmit
(CVE-2024-26779 bsc#1222772).
- commit 5e02fca
- wifi: rt2x00: restart beacon queue when hardware reset
(CVE-2023-52595 bsc#1221046).
- commit 671852b
- ceph: prevent use-after-free in encode_cap_msg() (bsc#1222503
CVE-2024-26689).
- commit 09813ff
- blacklist.conf: Append 'drm/amdgpu: Fix variable 'mca_funcs' dereferenced before NULL check in 'amdgpu_mca_smu_get_mca_entry()''
- commit cde121c
- Update patches.suse/arp-Prevent-overflow-in-arp_req_get.patch
- fix build warning
- commit f10c34a
- kABI: regmap: Add regmap_noinc_read/write API (bsc#1221162
CVE-2023-52488).
- commit fb0c9d2
- regmap: Add regmap_noinc_write API (bsc#1221162 CVE-2023-52488).
- regmap: Add regmap_noinc_read API (bsc#1221162 CVE-2023-52488).
- commit 60efad2
- usb: roles: fix NULL pointer issue when put module's reference
(bsc#1222609 CVE-2024-26747).
- commit 73af327
- serial: sc16is7xx: convert from _raw_ to _noinc_ regmap
functions for FIFO (bsc#1221162 CVE-2023-52488).
- commit a689f3e
- Refresh patches.kabi/cpufeatures-kabi-fix.patch (bsc#1222952)
Don't call set_cpu_caps when calling set_cpu_bug, this causes problems
with overlapping feature/bug ints. Directly call set_bit with the
correct parameters.
- commit 16e52e8
- md/raid5: fix atomicity violation in raid5_cache_count (bsc#1219169, CVE-2024-23307).
- commit c0dbc35
- ext4: avoid allocating blocks from corrupted group in
ext4_mb_try_best_found() (bsc#1222618 CVE-2024-26773).
- commit 4110538
- thermal: Fix NULL pointer dereferences in of_thermal_ functions (CVE-2021-47202 bsc#1222878)
- commit 08cf92c
- md/raid5: fix atomicity violation in raid5_cache_count
(bsc#1219169, CVE-2024-23307).
- commit 391774d
- fbdev: sis: Error out if pixclock equals zero (bsc#1222765 CVE-2024-26777)
- commit 283e632
- fbdev: savage: Error out if pixclock equals zero (bsc#1222770 CVE-2024-26778)
- commit c2c54cf
- drm: Don't unref the same fb many times by mistake due to deadlock handling (CVE-2023-52486 bsc#1221277).
- commit 5843530
- blacklist.conf: add one more PCI git-fixes
- commit 7baca5d
- IB/ipoib: Fix mcast list locking (CVE-2023-52587 bsc#1221082)
- commit 94cde16
- RDMA/IPoIB: Fix error code return in ipoib_mcast_join (bsc#1221082)
- commit 348c98c
- RDMA/srp: Do not call scsi_done() from srp_abort() (CVE-2023-52515 bsc#1221048)
- commit d5d3a97
- RDMA/qedr: Fix qedr_create_user_qp error flow (bsc#1222677 CVE-2024-26743)
- commit c49697b
- RDMA/srpt: Support specifying the srpt_service_guid parameter (bsc#1222449 CVE-2024-26744)
- commit 00d0add
- NFS: avoid spurious warning of lost lock that is being unlocked
(bsc#1221791).
- commit 63a2e3f
- Update
patches.suse/NFS-add-atomic_open-for-NFSv3-to-handle-O_TRUNC-corr.patch
(bsc#1219847 bsc#1221862).
Fix a NULL-pointer-deref bug. Make the patch closer to the patch I sent
upstream.
- commit 5f62723
- dm-crypt: don't modify the data when using authenticated
encryption (bsc#1222720, CVE-2024-26763).
- commit 3e74213
- scsi: core: Fix scsi_mode_sense() buffer length handling
(bsc#1222662 CVE-2021-47182).
- commit 09c6ab5
- dmaengine: ti: edma: Add some null pointer checks to the edma_probe (CVE-2024-26771 bsc#1222610)
- commit 01a7e9c
- netlink: Fix kernel-infoleak-after-free in __skb_datagram_iter
(bsc#1222630 CVE-2024-26805).
- commit ad84c88
- Update
patches.suse/gtp-fix-use-after-free-and-null-ptr-deref-in-gtp_gen.patch
(bsc#1222428 CVE-2024-26793 CVE-2024-26754 bsc#1222632).
- commit b4d8fa6
- Update
patches.suse/btrfs-fix-memory-ordering-between-normal-and-ordered-work-functions.patch
(git-fixes CVE-2021-47189 bsc#1222706).
- commit d1ad6f0
- tty: tty_buffer: Fix the softlockup issue in flush_to_ldisc
(bsc#1222669 CVE-2021-47185).
- commit 24cc88e
- PCI: pciehp: Add pciehp_set_indicators() to set both indicators
(git-fixes).
- commit deaddb6
- PCI/ASPM: Reduce severity of common clock config message
(git-fixes).
- commit 00c0986
- PCI/ASPM: Don't warn if already in common clock mode
(git-fixes).
- commit 231253b
- PCI/ASPM: Factor out pcie_wait_for_retrain() (git-fixes).
- PCI/ASPM: Return 0 or -ETIMEDOUT from pcie_retrain_link()
(git-fixes).
- PCI: Rework pcie_retrain_link() wait loop (git-fixes).
- commit 4a0cd5a
- Refresh patches.kabi/cpufeatures-kabi-fix.patch.
- commit 70aa480
- Refresh patches.suse/x86-bhi-Add-BHI-mitigation-knob.patch.
Check for bug presence with cpu_has_bug rather than cpu_has so that
overlapping bug/feature bits are handled correctly
- commit ec98c66
- Update
patches.suse/scsi-lpfc-Fix-link-down-processing-to-address-NULL-p.patch
(bsc#1192145 CVE-2021-47183 bsc#1222664).
- commit b599f2b
- Update
patches.suse/usb-musb-tusb6010-check-return-value-after-calling-p.patch
(git-fixes CVE-2021-47181 bsc#1222660).
- commit a0f1eaa
- tty: n_gsm: require CAP_NET_ADMIN to attach N_GSM0710 ldisc
(bsc#1222619).
- commit 94fc6e9
- PCI: Mark 3ware-9650SE Root Port Extended Tags as broken
(git-fixes).
- PCI/DPC: Print all TLP Prefixes, not just the first (git-fixes).
- PCI/MSI: Prevent MSI hardware interrupt number truncation
(git-fixes).
- PCI/sysfs: Protect driver's D3cold preference from user space
(git-fixes).
- PCI/ASPM: Use RMW accessors for changing LNKCTL (git-fixes).
- PCI: pciehp: Use RMW accessors for changing LNKCTL (git-fixes).
- PCI: Make link retraining use RMW accessors for changing LNKCTL
(git-fixes).
- PCI: Add locking to RMW PCI Express Capability Register
accessors (git-fixes).
- kABI: PCI: Add locking to RMW PCI Express Capability Register
accessors (kabi).
- PCI: qcom: Use DWC helpers for modifying the read-only DBI
registers (git-fixes).
- PCI: qcom: Disable write access to read only registers for IP
v2.3.3 (git-fixes).
- PCI: Add function 1 DMA alias quirk for Marvell 88SE9235
(git-fixes).
- PCI: pciehp: Cancel bringup sequence if card is not present
(git-fixes).
- PCI/ASPM: Avoid link retraining race (git-fixes).
- commit 5d813c6
- arp: Prevent overflow in arp_req_get() (CVE-2024-26733
bsc#1222585).
- commit 64afd8b
- net/sched: act_mirred: don't override retval if we already
lost the skb (CVE-2024-26733 bsc#1222585).
- commit ec837ad
- blacklist.conf: update blacklist
- commit f1ca6cb
- PCI/ASPM: Disable ASPM on MFD function removal to avoid
use-after-free (git-fixes).
- PCI: pciehp: Fix AB-BA deadlock between reset_lock and
device_lock (git-fixes).
- PCI: switchtec: Return -EFAULT for copy_to_user() errors
(git-fixes).
- PCI: Avoid FLR for AMD FCH AHCI adapters (git-fixes).
- PCI/IOV: Enlarge virtfn sysfs name buffer (git-fixes).
- PCI: hotplug: Allow marking devices as disconnected during
bind/unbind (git-fixes).
- PCI: dwc: Add unroll iATU space support to dw_pcie_disable_atu()
(git-fixes).
- PCI: Add ACS quirk for Broadcom BCM5750x NICs (git-fixes).
- commit 60d94f2
- PCI: endpoint: Don't stop controller when unbinding endpoint
function (git-fixes).
- PCI: qcom: Fix unbalanced PHY init on probe errors (git-fixes).
- PCI: Avoid pci_dev_lock() AB/BA deadlock with
sriov_numvfs_store() (git-fixes).
- PCI/PM: Power up all devices during runtime resume (git-fixes).
- PCI/AER: Clear MULTI_ERR_COR/UNCOR_RCV bits (git-fixes).
- PCI: aardvark: Fix setting MSI address (git-fixes).
- PCI: aardvark: Fix support for MSI interrupts (git-fixes).
- commit fd2813d
- Refresh
patches.suse/Bluetooth-btsdio-fix-use-after-free-bug-in-btsdio_re.patch.
Add alternate ID for stable
- commit 38c4e25
- Bluetooth: btqcomsmd: Fix command timeout after setting BD
address (git-fixes).
- commit de57587
- Bluetooth: hci_intel: Add check for platform_driver_register
(git-fixes).
- commit 0e58b3a
- Bluetooth: btqca: Introduce HCI_EV_VENDOR and use it
(git-fixes).
- commit 7e74176
- Bluetooth: btqca: Fixed a coding style error (git-fixes).
- commit 0f83a52
- blacklist.conf: false positive (introduced v5.14, not backported)
- commit e867532
- ext4: fix double-free of blocks due to wrong extents moved_len
(bsc#1222422 CVE-2024-26704).
- commit da029ac
- Refresh
patches.suse/bpf-sockmap-Prevent-lock-inversion-deadlock-in-map-d.patch.
- commit 6490813
- gtp: fix use-after-free and null-ptr-deref in gtp_newlink()
(bsc#1222428 CVE-2024-26793).
- gtp: fix use-after-free and null-ptr-deref in
gtp_genl_dump_pdp() (bsc#1222428 CVE-2024-26793).
- commit 9c6b7d6
- nfsd: Fix error cleanup path in nfsd_rename() (bsc#1221044
CVE-2023-52591).
- commit b8b869c
- usb: musb: Modify the "HWVers" register address (git-fixes).
- commit d99cd58
- blacklist.conf: This is a feature, not a fix
- commit f6334d7
- sr9800: Add check for usbnet_get_endpoints (git-fixes).
- commit 24ceaa4
- blacklist.conf: add unneeded PCI git-fixes
- commit beed85d
- Refresh patches.kabi/cpufeatures-kabi-fix.patch.
Fix aliasing problems if we have an extended capability which aliases a
non-extended bug bit. The fix is to always ensure that bug bits related
functionality doesn't use the "generic" cap functionality.
- commit c674af2
- Update
patches.suse/KVM-s390-vsie-fix-race-during-shadow-creation.patch
(git-fixes bsc#1220613 CVE-2023-52639 bsc#1222300).
- Update
patches.suse/netfilter-nftables-exthdr-fix-4-byte-stack-OOB-write.patch
(CVE-2023-4881 bsc#1215221 CVE-2023-52628 bsc#1222117).
- commit 5564fa1
- nfsd: Fix error cleanup path in nfsd_rename() (git-fixes).
- commit c8d258d
- x86/bhi: Mitigate KVM by default (bsc#1217339 CVE-2024-2201).
- commit 7079142
- x86/bhi: Add BHI mitigation knob (bsc#1217339 CVE-2024-2201).
- Update config files.
- commit 41d6371
- x86/bhi: Enumerate Branch History Injection (BHI) bug (bsc#1217339 CVE-2024-2201).
- commit 2432a6f
- x86/bhi: Define SPEC_CTRL_BHI_DIS_S (bsc#1217339 CVE-2024-2201).
- commit fe53768
- x86/bhi: Add support for clearing branch history at syscall entry (bsc#1217339 CVE-2024-2201).
- Refresh patches.kabi/cpufeatures-kabi-fix.patch.
- commit 955ab56
- Fixup NULL ptr dereference due to mistake in backporting in
patches.suse/ext2-Avoid-reading-renamed-directory-if-parent-does-.patch.
- commit 55001e0
- Delete
patches.suse/x86-bugs-Fix-the-SRSO-mitigation-on-Zen3-4.patch.
the kernel fails to boot on x86:
[ 0.048461] MDS: Vulnerable: Clear CPU buffers attempted, no microcode
[ 0.048698] MMIO Stale Data: Unknown: No mitigations
qemu-system-x86_64: terminating on signal 15 from pid 42034 (timeout)
- commit 035c88f
- x86/cpufeature: Add missing leaf enumeration (bsc#1217339 CVE-2024-2201).
- commit 248bb60
- Update references
- commit 1bab65d
- scsi: lpfc: Fix a possible data race in
lpfc_unregister_fcf_rescan() (bsc#1219618 CVE-2024-24855).
- commit 6004b44
- media: xc4000: Fix atomicity violation in xc4000_get_frequency
(git-fixes bsc#1219623 CVE-2024-24861).
- commit ad0b314
- x86/bugs: Fix the SRSO mitigation on Zen3/4 (git-fixes).
- commit 8032e89
- bpf, sockmap: Prevent lock inversion deadlock in map delete elem
(bsc#1209657 CVE-2023-0160).
- commit 40497a8
- bpf, sockmap: Fix preempt_rt splat when using raw_spin_lock_t
(git-fixes).
- commit 3c6384f
- bnx2x: Fix enabling network interfaces without VFs (git-fixes).
- commit b60bea3
- ethernet: myri10ge: Fix missing error code in myri10ge_probe()
(git-fixes).
- commit 71a7d56
- bnx2x: Fix missing error code in bnx2x_iov_init_one()
(git-fixes).
- commit 813cb9c
- net: macb: ensure the device is available before accessing
GEMGXL control registers (git-fixes).
- commit 1742349
- net/qla3xxx: fix schedule while atomic in ql_sem_spinlock
(git-fixes).
- commit 8e475cb
- blacklist.conf: update blacklist
- commit a7a5329
- netfilter: nf_tables: disallow anonymous set with timeout flag
(CVE-2024-26642 bsc#1221830).
- commit b3d18fd
- netfilter: ctnetlink: fix possible refcount leak in
ctnetlink_create_conntrack() (CVE-2023-7192 bsc#1218479).
- commit 0774a95
- net: allwinner: Fix some resources leak in the error handling path of the probe and in the remove function (git-fixes).
- commit d464181
- ethernet: ucc_geth: fix definition and size of ucc_geth_tx_global_pram (git-fixes).
- commit 6895e10
- net/mlx5: Properly convey driver version to firmware (git-fixes).
- commit 09bc4c8
- net: stmmac: free tx skb buffer in stmmac_resume() (git-fixes).
- commit 7769206
- tun: honor IOCB_NOWAIT flag (git-fixes).
- commit 1f0149b
- atl1e: fix error return code in atl1e_probe() (git-fixes).
- commit da6dd80
- atl1c: fix error return code in atl1c_probe() (git-fixes).
- commit 56e0459
- net: atheros: switch from 'pci_' to 'dma_' API (git-fixes).
- commit 47ce14b
- blacklist.conf: update blacklist
- commit dc2abcd
- README.BRANCH: Remove copy of branch name
- commit 26f4895
- usb: dwc3: core: Do not perform GCTL_CORE_SOFTRESET during
bootup (bsc#1220628 CVE-2021-46941).
- commit ebce255
- usb: dwc3: core: balance phy init and exit (bsc#1220628
CVE-2021-46941).
- commit 8f693d2
- USB: usbfs: Don't WARN about excessively large memory
allocations.
- commit 8172f18
- ipv6: init the accept_queue's spinlocks in inet6_create
(bsc#1221293 CVE-2024-26614).
- commit 6bea6a5
- tcp: make sure init the accept_queue's spinlocks once
(bsc#1221293 CVE-2024-26614).
- commit 800aa0a
- userfaultfd: release page in error path to avoid BUG_ON
(CVE-2021-46988 bsc#1220706).
- commit bcafeec
- powerpc/mm: Fix null-pointer dereference in pgtable_cache_add
(CVE-2023-52607 bsc#1221061).
- commit af6f33a
- Update
patches.suse/net-nfc-llcp-Add-lock-when-modifying-device-list.patch
(git-fixes CVE-2023-52524 bsc#1220927).
- Update
patches.suse/net-usb-smsc75xx-Fix-uninit-value-access-in-__smsc75.patch
(git-fixes CVE-2023-52528 bsc#1220843).
- Update
patches.suse/nvmet-tcp-Fix-a-kernel-panic-when-host-sends-an-inva.patch
(bsc#1217987 bsc#1217988 bsc#1217989 CVE-2023-6535 CVE-2023-6536
CVE-2023-6356 CVE-2023-52454 bsc#1220320).
- Update
patches.suse/ocfs2-Avoid-touching-renamed-directory-if-parent-doe.patch
(bsc#1221044 CVE-2023-52591 CVE-2023-52590 bsc#1221088).
- Update
patches.suse/ravb-Fix-use-after-free-issue-in-ravb_tx_timeout_wor.patch
(bsc#1212514 CVE-2023-35827 CVE-2023-52509 bsc#1220836).
- Update
patches.suse/x86-srso-fix-sbpb-enablement-for-spec_rstack_overflow-off.patch
(git-fixes CVE-2023-52575 bsc#1220871).
- commit 2258ead
- Update patches.suse/mmc-moxart_remove-Fix-UAF.patch (bsc#1194516
CVE-2022-0487 CVE-2022-48626 bsc#1220366).
- commit 10fc152
- Update
patches.suse/0019-dm-rq-fix-double-free-of-blk_mq_tag_set-in-dev-remov.patch
(git fixes CVE-2021-46938 bsc#1220554).
- Update
patches.suse/ACPI-custom_method-fix-potential-use-after-free-issu.patch
(git-fixes CVE-2021-46966 bsc#1220572).
- Update
patches.suse/ARM-footbridge-fix-PCI-interrupt-mapping.patch
(git-fixes CVE-2021-46909 bsc#1220442).
- Update
patches.suse/IB-qib-Fix-memory-leak-in-qib_user_sdma_queue_pkts.patch
(git-fixes CVE-2021-47104 bsc#1220960).
- Update
patches.suse/NFC-nci-fix-memory-leak-in-nci_allocate_device.patch
(git-fixes CVE-2021-47180 bsc#1221999).
- Update
patches.suse/NFS-Don-t-corrupt-the-value-of-pg_bytes_written-in-n.patch
(git-fixes CVE-2021-47166 bsc#1221998).
- Update
patches.suse/NFS-Fix-an-Oopsable-condition-in-__nfs_pageio_add_re.patch
(git-fixes CVE-2021-47167 bsc#1221991).
- Update
patches.suse/NFS-fix-an-incorrect-limit-in-filelayout_decode_layo.patch
(git-fixes CVE-2021-47168 bsc#1222002).
- Update
patches.suse/NFSv4-Fix-a-NULL-pointer-dereference-in-pnfs_mark_ma.patch
(git-fixes CVE-2021-47179 bsc#1222001).
- Update
patches.suse/asix-fix-uninit-value-in-asix_mdio_read.patch
(git-fixes CVE-2021-47101 bsc#1220987).
- Update
patches.suse/bnxt_en-Fix-RX-consumer-index-logic-in-the-error-pat.patch
(git-fixes CVE-2021-47015 bsc#1220794).
- Update
patches.suse/btrfs-fix-race-between-transaction-aborts-and-fsyncs.patch
(bsc#1186441 CVE-2021-46958 bsc#1220521).
- Update
patches.suse/cifs-Return-correct-error-code-from-smb2_get_enc_key.patch
(git-fixes CVE-2021-46960 bsc#1220528).
- Update
patches.suse/crypto-qat-ADF_STATUS_PF_RUNNING-should-be-set-after.patch
(git-fixes CVE-2021-47056 bsc#1220769).
- Update
patches.suse/cxgb4-avoid-accessing-registers-when-clearing-filter.patch
(bsc#1136345 jsc#SLE-4681 CVE-2021-47138 bsc#1221934).
- Update patches.suse/drm-amdgpu-Fix-a-use-after-free.patch
(git-fixes CVE-2021-47142 bsc#1221952).
- Update
patches.suse/drm-meson-fix-shutdown-crash-when-component-not-prob.patch
(git-fixes CVE-2021-47165 bsc#1221965).
- Update
patches.suse/ethernet-enic-Fix-a-use-after-free-bug-in-enic_hard_.patch
(bsc#1113431 CVE-2021-46998 bsc#1220625).
- Update
patches.suse/ext4-fix-bug-on-in-ext4_es_cache_extent-as-ext4_spli.patch
(bsc#1187408 CVE-2021-47117 bsc#1221575).
- Update
patches.suse/ext4-fix-memory-leak-in-ext4_fill_super.patch
(bsc#1187409 CVE-2021-47119 bsc#1221608).
- Update
patches.suse/gve-Add-NULL-pointer-checks-when-freeing-irqs.patch
(bsc#1176940 CVE-2021-47141 bsc#1221949).
- Update
patches.suse/i2c-i801-Don-t-generate-an-interrupt-on-bus-reset.patch
(git-fixes CVE-2021-47153 bsc#1221969).
- Update patches.suse/iommu-vt-d-fix-sysfs-leak-in-alloc_iommu
(bsc#1189272 CVE-2021-47177 bsc#1221997).
- Update
patches.suse/ipmi-Fix-UAF-when-uninstall-ipmi_si-and-ipmi_msghand.patch
(git-fixes CVE-2021-47100 bsc#1220985).
- Update
patches.suse/kvm-destroy-i-o-bus-devices-on-unregister-failure-after_-sync-ing-srcu
(CVE-2020-36312 bsc#1184509 CVE-2021-47061 bsc#1220745).
- Update
patches.suse/kvm-stop-looking-for-coalesced-mmio-zones-if-the-bus-is-destroyed
(CVE-2020-36312 bsc#1184509 CVE-2021-47060 bsc#1220742).
- Update
patches.suse/md-raid1-properly-indicate-failure-when-ending-a-fai.patch
(bsc#1185680 CVE-2021-46950 bsc#1220662).
- Update
patches.suse/misc-uss720-fix-memory-leak-in-uss720_probe.patch
(git-fixes CVE-2021-47173 bsc#1221993).
- Update
patches.suse/msft-hv-2305-Drivers-hv-vmbus-Use-after-free-in-__vmbus_open.patch
(git-fixes CVE-2021-47049 bsc#1220692).
- Update
patches.suse/msft-hv-2316-uio_hv_generic-Fix-a-memory-leak-in-error-handling-p.patch
(git-fixes CVE-2021-47071 bsc#1220846).
- Update
patches.suse/msft-hv-2317-uio_hv_generic-Fix-another-memory-leak-in-error-hand.patch
(git-fixes CVE-2021-47070 bsc#1220829).
- Update
patches.suse/mtd-require-write-permissions-for-locking-and-badblo.patch
(git-fixes CVE-2021-47055 bsc#1220768).
- Update
patches.suse/nbd-Fix-NULL-pointer-in-flush_workqueue-79eb.patch
(git-fixes CVE-2021-46981 bsc#1220611).
- Update
patches.suse/net-fec-fix-the-potential-memory-leak-in-fec_enet_in.patch
(git-fixes CVE-2021-47150 bsc#1221973).
- Update
patches.suse/net-nfc-fix-use-after-free-llcp_sock_bind-connect.patch
(CVE-2021-23134 bsc#1186060 CVE-2021-47068 bsc#1220739).
- Update
patches.suse/net-smc-remove-device-from-smcd_dev_list-after-failed-device_add
(git-fixes CVE-2021-47143 bsc#1221988).
- Update
patches.suse/net-usb-fix-memory-leak-in-smsc75xx_bind.patch
(git-fixes CVE-2021-47171 bsc#1221994).
- Update patches.suse/ocfs2-fix-data-corruption-by-fallocate.patch
(bsc#1187412 CVE-2021-47114 bsc#1221548).
- Update
patches.suse/pid-take-a-reference-when-initializing-cad_pid.patch
(bsc#1114648 CVE-2021-47118 bsc#1221605).
- Update
patches.suse/platform-x86-dell-smbios-wmi-Fix-oops-on-rmmod-dell_.patch
(git-fixes CVE-2021-47073 bsc#1220850).
- Update
patches.suse/powerpc-64s-Fix-crashes-when-toggling-entry-flush-ba.patch
(bsc#1177666 git-fixes bsc#1186460 ltc#192531 CVE-2021-46990
bsc#1220743).
- Update
patches.suse/powerpc-64s-Fix-pte-update-for-kernel-memory-on-radi.patch
(bsc#1055117 git-fixes CVE-2021-47034 bsc#1220687).
- Update
patches.suse/scsi-lpfc-Fix-null-pointer-dereference-in-lpfc_prep_.patch
(bsc#1182574 CVE-2021-47045 bsc#1220640).
- Update
patches.suse/scsi-qla2xxx-Fix-crash-in-qla2xxx_mqueuecommand.patch
(bsc#1185491 CVE-2021-46963 bsc#1220536).
- Update patches.suse/scsi-qla2xxx-Reserve-extra-IRQ-vectors.patch
(bsc#1185491 CVE-2021-46964 bsc#1220538).
- Update
patches.suse/serial-rp2-use-request_firmware-instead-of-request_f.patch
(git-fixes CVE-2021-47169 bsc#1222000).
- Update
patches.suse/tracing-Restructure-trace_clock_global-to-never-block.patch
(git-fixes CVE-2021-46939 bsc#1220580).
- Update
patches.suse/vsock-virtio-free-queued-packets-when-closing-socket.patch
(git-fixes CVE-2021-47024 bsc#1220637).
- Update
patches.suse/x86-kvm-Disable-kvmclock-on-all-CPUs-on-shutdown.patch
(bsc#1185308 CVE-2021-47110 bsc#1221532).
- Update
patches.suse/x86-kvm-Teardown-PV-features-on-boot-CPU-as-well.patch
(bsc#1185308 CVE-2021-47112 bsc#1221541).
- commit fa763cd
- Update
patches.suse/netlabel-fix-out-of-bounds-memory-accesses.patch
(networking-stable-19_03_07 CVE-2019-25160 bsc#1220394).
- commit cfd1daa
- IB/hfi1: Fix bugs with non-PAGE_SIZE-end multi-iovec user SDMA requests (bsc#1220445 CVE-2023-52474)
- commit 71ecb14
- s390/vtime: fix average steal time calculation (git-fixes
bsc#1221953).
- commit ccf7a1f
- s390/ptrace: handle setting of fpc register correctly
(CVE-2023-52598 bsc#1221060 git-fixes).
- commit 0d179a3
- wifi: ath10k: fix NULL pointer dereference in
ath10k_wmi_tlv_op_pull_mgmt_tx_compl_ev() (bsc#1218336
CVE-2023-7042).
- commit 1463c4a
- x86/CPU/AMD: Update the Zenbleed microcode revisions (git-fixes).
- commit 11a703b
- kabi fix for pNFS: Fix the pnfs block driver's calculation of
layoutget size (git-fixes).
- commit 188e451
- pNFS: Fix the pnfs block driver's calculation of layoutget size
(git-fixes).
- NFS: Fix O_DIRECT locking issues (git-fixes).
- NFS: Fix direct WRITE throughput regression (git-fixes).
- commit 53dafcd
- NFS: Fix an off by one in root_nfs_cat() (git-fixes).
- net: sunrpc: Fix an off by one in rpc_sockaddr2uaddr()
(git-fixes).
- SUNRPC: fix a memleak in gss_import_v2_context (git-fixes).
- NFS: More O_DIRECT accounting fixes for error paths (git-fixes).
- NFS: Fix error handling for O_DIRECT write scheduling
(git-fixes).
- nfs: only issue commit in DIO codepath if we have uncommitted
data (git-fixes).
- NFS: Fix a request reference leak in
nfs_direct_write_clear_reqs() (git-fixes).
- NFS: Fix O_DIRECT commit verifier handling (git-fixes).
- NFS: commit errors should be fatal (git-fixes).
- commit c3fe0ca
- Bluetooth: rfcomm: Fix null-ptr-deref in rfcomm_check_security
(bsc#1219170 CVE-2024-22099).
- commit f6c10f5
- scsi: qla2xxx: Update version to 10.02.09.200-k (bsc1221816).
- scsi: qla2xxx: Delay I/O Abort on PCI error (bsc1221816).
- scsi: qla2xxx: Change debug message during driver unload
(bsc1221816).
- scsi: qla2xxx: Fix double free of fcport (bsc1221816).
- scsi: qla2xxx: Fix double free of the ha->vp_map pointer
(bsc1221816).
- scsi: qla2xxx: Fix command flush on cable pull (bsc1221816).
- scsi: qla2xxx: NVME|FCP prefer flag not being honored
(bsc1221816).
- scsi: qla2xxx: Update manufacturer detail (bsc1221816).
- scsi: qla2xxx: Split FCE|EFT trace control (bsc1221816).
- scsi: qla2xxx: Fix N2N stuck connection (bsc1221816).
- scsi: qla2xxx: Prevent command send on chip reset (bsc1221816).
- commit 61951e8
- drm: bridge/panel: Cleanup connector on bridge detach (bsc#1220777, CVE-2021-47063)
Backporting changes:
- add patch at the top of panel_bridge_detach()
- commit 760a99d
- aoe: fix the potential use-after-free problem in aoecmd_cfg_pkts
(bsc#1218562 CVE-2023-6270).
- commit 4e659c8
- net: Fix features skip in for_each_netdev_feature() (git-fixes).
- commit b1996ba
- rename(): avoid a deadlock in the case of parents having no
common ancestor (bsc#1221044 CVE-2023-52591).
- commit 16f9b33
- kill lock_two_inodes() (bsc#1221044 CVE-2023-52591).
- commit c8410b2
- rename(): fix the locking of subdirectories (bsc#1221044
CVE-2023-52591).
- commit b34d065
- f2fs: Avoid reading renamed directory if parent does not change
(bsc#1221044 CVE-2023-52591).
- commit 95ecb76
- ext4: don't access the source subdirectory content on
same-directory rename (bsc#1221044 CVE-2023-52591).
- commit e81c5d2
- ext2: Avoid reading renamed directory if parent does not change
(bsc#1221044 CVE-2023-52591).
- commit 47af51c
- udf_rename(): only access the child content on cross-directory
rename (bsc#1221044 CVE-2023-52591).
- commit 3e77e59
- ocfs2: Avoid touching renamed directory if parent does not
change (bsc#1221044 CVE-2023-52591).
- commit ef44829
- reiserfs: Avoid touching renamed directory if parent does not
change (git-fixes bsc#1221044 CVE-2023-52591).
Refresh patches.suse/reiserfs-add-check-to-detect-corrupted-directory-entry.patch
Refresh patches.suse/reiserfs-don-t-panic-on-bad-directory-entries.patch
- commit 304c6b9
- fs: don't assume arguments are non-NULL (bsc#1221044
CVE-2023-52591).
- commit 74a158f
- fs: Restrict lock_two_nondirectories() to non-directory inodes
(bsc#1221044 CVE-2023-52591).
- commit 2042147
- fs: ocfs2: check status values (bsc#1221044 CVE-2023-52591).
- commit 24568a1
- fs: no need to check source (bsc#1221044 CVE-2023-52591).
- commit 95711fd
- fs: Lock moved directories (bsc#1221044 CVE-2023-52591).
- commit 2b2136e
- fs: Establish locking order for unrelated directories
(bsc#1221044 CVE-2023-52591).
- commit c49cfde
- fs: introduce lock_rename_child() helper (bsc#1221044
CVE-2023-52591).
- commit 84b4b7d
- dwc3: switch to a global mutex (bsc#1220628 CVE-2021-46941).
- commit d93342d
- usb: dwc3: core: Do core softreset when switch mode (bsc#1220628
CVE-2021-46941).
- blacklist.conf: needed after all for a CVE
- Refresh
patches.suse/USB-dwc3-fix-runtime-pm-imbalance-on-probe-errors.patch.
- Refresh
patches.suse/usb-dwc3-Fix-race-between-dwc3_set_mode-and-__dwc3_s.patch.
- commit 7ca4d31
- Input: add bounds checking to input_set_capability()
(bsc#1218220 CVE-2022-48619).
- commit f42351b
- NFSD: Retransmit callbacks after client reconnects (git-fixes).
- NFSD: Reset cb_seq_status after NFS4ERR_DELAY (git-fixes).
- SUNRPC: fix some memleaks in gssx_dec_option_array (git-fixes).
- NFSv4.1/pnfs: Ensure we handle the error NFS4ERR_RETURNCONFLICT
(git-fixes).
- SUNRPC: Fix RPC client cleaned up the freed pipefs dentries
(git-fixes).
- nfsd: lock_rename() needs both directories to live on the same
fs (git-fixes).
- pNFS/flexfiles: Check the layout validity in
ff_layout_mirror_prepare_stats (git-fixes).
- commit 311216b
- perf/x86/lbr: Filter vsyscall addresses (bsc#1220703,
CVE-2023-52476).
- commit ff86f16
- net/sched: Remove alias of sch_clsact (bsc#1210335 CVE-2023-1829).
- net/sched: Load modules via their alias (bsc#1210335 CVE-2023-1829).
- net/sched: Add module aliases for cls_,sch_,act_ modules
(bsc#1210335 CVE-2023-1829).
- net/sched: Add helper macros with module names (bsc#1210335 CVE-2023-1829).
- commit 609fe5f
- x86/mmio: Disable KVM mitigation when X86_FEATURE_CLEAR_CPU_BUF is set (bsc#1213456 CVE-2023-28746).
- commit c5b2dec
- Sort patches that are already upstream
- Refresh
patches.suse/Documentation-hw-vuln-Add-documentation-for-RFDS.patch.
- Refresh
patches.suse/KVM-x86-Export-RFDS_NO-and-RFDS_CLEAR-to-guests.patch.
- Refresh
patches.suse/x86-rfds-Mitigate-Register-File-Data-Sampling-RFDS.patch.
- commit 031146a
- iommu/amd: Set DTE[IntTabLen] to represent 512 IRTEs
(git-fixes).
- commit ea9ae09
- iommu: Check if group is NULL before remove device (git-fixes).
- commit a7b6fa2
- iommu/amd: Silence warnings under memory pressure (git-fixes).
- commit cdec216
- iommu/amd: Increase interrupt remapping table limit to 512
entries (git-fixes).
- commit c290a72
- iommu/amd: Mark interrupt as managed (git-fixes).
- commit 34b8fef
- ARM: 9064/1: hw_breakpoint: Do not directly check the event's
overflow_handler hook (bsc#1220751 CVE-2021-47006).
- commit 605e3a7
- Refresh patches.kabi/team-Hide-new-member-header-ops.patch.
Fix for kABI workaround.
- commit f1bcdf5
- usb: typec: class: fix typec_altmode_put_partner to put plugs
(git-fixes).
- commit 4350c0c
- ceph: fix deadlock or deadcode of misusing dget() (bsc#1221058
CVE-2023-52583).
- commit a413cb6
- usb: hub: Guard against accesses to uninitialized BOS
descriptors (bsc#1220790 CVE-2023-52477).
- commit bf5af19
- krb5
-
- Fix vulnerabilities in GSS message token handling, add patch
0016-Fix-vulnerabilities-in-GSS-message-token-handling.patch
* CVE-2024-37370, bsc#1227186
* CVE-2024-37371, bsc#1227187
- Fix warning executing %postun scriptlet (bsc#1223122)
- vim
-
- Updated to version 9.1 with patch level 0330, fixes the following problems
* Fixing bsc#1220763 - vim gets Segmentation fault after updating to version 9.1.0111-150500.20.9.1
- refreshed vim-7.3-filetype_spec.patch
- refreshed vim-7.3-filetype_ftl.patch
- Update spec.skeleton to use autosetup in place of setup macro.
- for the complete list of changes see
https://github.com/vim/vim/compare/v9.1.0111...v9.1.0330
- google-guest-configs
-
- Update to version 20240307.00 (bsc#1221146, bsc#1221900, bsc#1221901)
* Support dot in NVMe device ids (#68)
- from version 20240304.00
* google_set_hostname: Extract rsyslog service name
with a regexp for valid systemd unit names (#67)
- from version 20240228.00
* Remove quintonamore from OWNERS (#64)
- from version 20240119.00
* Setup smp affinity for IRQs and XPS on A3+ VMs (#63)
- Update to version 20231214.00
* set multiqueue: A3 check set timeout the MDS call in 1s (#62)
- from version 20231103.00
* Update owners (#61)
* Update owners (#58)
- Update to version 20230929.00
* Update multinic filter to pick only pci devices (#59)
- zypper
-
- Show rpm install size before installing (bsc#1224771)
If filesystem snapshots are taken before the installation (e.g.
by snapper) no disk space is freed by removing old packages. In
this case the install size of all packages is a hint as to how much
additional disk space is needed by the new packages' static
content.
- version 1.13.67
- clean: Do not report an error if no repos are defined at all
(bsc#1223971)
- version 1.13.66
- openssl-1_1
-
- Apply "openssl-CVE-2024-4741.patch" to fix a use-after-free
security vulnerability. Calling the function SSL_free_buffers()
potentially caused memory to be accessed that was previously
freed in some situations and a malicious attacker could attempt
to engineer a situation where this occurs to facilitate a
denial-of-service attack. [CVE-2024-4741, bsc#1225551]
- python-pyOpenSSL
-
- Add CVE-2018-1000807-8_use_after_free_X509.patch to fix
CVE-2018-1000807 (bsc#1111635) and CVE-2018-1000808 (bsc#1111634)
fix a memory leak and a potential UAF and also #722 (#723)
sanity check
bump cryptography minimum version, add changelog
- Add skip_user_after_free_tests.patch to pass the test suite.
- bsc#1021578 add move_cryptography_backend_import.patch to avoid bad
interaction with python-cryptography package.
- glib2
-
- Add patches to fix CVE-2024-34397 (boo#1224044):
glib2-CVE-2024-34397-add-ref-count-types.patch
glib2-allocate-SignalSubscriber-structs-individually.patch
glib2-CVE-2024-34397.patch (glgo#GNOME/glib#3268).
glib2-fix-ibus-regression.patch (glgo#GNOME/glib#3353)
- less
-
- Fix CVE-2024-32487, mishandling of \n character in paths when
LESSOPEN is set leads to OS command execution
(CVE-2024-32487, bsc#1222849)
* CVE-2024-32487.patch
- google-osconfig-agent
-
- Update to version 20240320.00 (bsc#1221900, bsc#1221901)
* Enable OSConfig agent to read GPG keys files with multiple entities (#537)
- from version 20240314.00
* Update OWNERS file to replace mahmoudn GitHub
username by personal email GitHub username (#534)
- from version 20240313.01
* Bump google.golang.org/protobuf from 1.30.0 to 1.33.0 in /e2e_tests (#535)
- from version 20240313.00
* Adds a console and gcloud example policies (#533)
- from version 20240228.00
* GuestPolicies e2e: Remove ed package if exist for zypper
startup_script in recipe-steps tests (#532)
- from version 20240126.00
* Fix Enterprise Linux Recipe-Steps tests to install
info dependency package in the startup-script (#530)
- from version 20240125.01
* Fix SUSE pkg-update and pkg-no-update e2e tests (#529)
- from version 20240125.00
* Fix zypper patch info parser to consider conflicts-pkgs float versions (#528)
- from version 20240123.01
* Fix SUSE package update e2e tests to use another existing package (#527)
- from version 20240123.00
* Update cis-exclude-check-once-a-day.yaml (#526)
- Update to version 20231219.00
* Bump golang.org/x/crypto from 0.14.0 to 0.17.0 (#524)
- from version 20231207.01
* Some change to create an agent release (#523)
- from version 20231207.00
* Some change to create an agent release (#522)
- from version 20231205.00
* Some change to create an agent release (#521)
- from version 20231130.02
* Merge pull request #519 from Gulio/just-release
* Merge branch 'master' into just-release
* Some change to create an agent release
* Some change to create an agent release
- from version 20231130.00
* Some change to create an agent release (#518)
- from version 20231129.00
* Fix parse yum updates to consider the packages under
installing-dependencies keyword (#502)
* Update feature names in the README file (#517)
- from version 20231128.00
* Updating owners (#508)
- from version 20231127.00
* Move OS policy CIS examples under the console folder (#514)
- from version 20231123.01
* Adds three more OS Policy examples to CIS folder (#509)
* Added ekrementeskii and MahmoudNada0 to OWNERS (#505)
- from version 20231123.00
* docs(osconfig):add OS policy examples for CIS scanning (#503)
- from version 20231121.02
* Added SCODE to Windows error description (#504)
- from version 20231121.01
* Update OWNERS (#501)
* Update go version to 1.21 (#507)
- from version 20231121.00
* Call fqdn (#481)
- from version 20231116.00
* Removing obsolete MS Windows 2019 images (#500)
- from version 20231107.00
* Update owners. (#498)
- from version 20231103.02
* Increasing test timeouts (#499)
* Update OWNERS (#497)
- from version 20231103.01
* Bump google.golang.org/grpc from 1.53.0 to 1.56.3 in /e2e_tests (#493)
* Bump google.golang.org/grpc from 1.53.0 to 1.56.3 (#494)
- from version 20231103.00
* Removing deprecated Win for containers OSs (#496)
- from version 20231027.00
* Shortening the reported image names (#495)
- from version 20231025.00
* Merge pull request #492 from GoogleCloudPlatform/michaljankowiak-patch-1
* Merge branch 'master' into michaljankowiak-patch-1
* Fixing name changes
* Fixing rename issue
* Fixed formatting
* Fixed formatting
* Fixing formatting
* Removing support for RHEL 6, adding RHEL 9
* Removing support for RHEL 6, adding for RHEL 9
* Removing support for RHEL 6 and adding for RHEL 9
* Removing step needed for RHEL 6
* Fixing build issues
* Removing nonexistent images and adding new ones
- from version 20231024.00
* Removing obsolete OS images and adding new ones (#491)
- from version 20231020.00
* Change debug messages when parsing zypper patch output (#490)
- from version 20231013.00
* Bump golang.org/x/net from 0.7.0 to 0.17.0 (#489)
- from version 20231010.00
* Revert "Added [main] section with gpgcheck to
the agent-managed repo file (#484)" (#488)
- from version 20231003.00
* Bump google.golang.org/grpc from 1.42.0 to 1.53.0 in /e2e_tests (#478)
- from version 20230920.00
* Update OWNERS (#485)
- from version 20230912.00
* Added [main] section with gpgcheck to the agent-managed repo file (#484)
* Migrate empty interface to any (#483)
- Bump the golang compiler version to 1.21 (bsc#1216546)
- Update to version 20230829.00
* Added burov, dowgird, paulinakania and Gulio to OWNERS (#482)
- libxml2
-
- Security fix (CVE-2024-34459, bsc#1224282) buffer over-read in
xmlHTMLPrintFileContext in xmllint.c
* Added libxml2-CVE-2024-34459.patch
- nfs-utils
-
- Add 0208-mountd-add-support-for-case-insensitive-file-names.patch
Fix for bsc#1221774 - support case-insensitive file names
- wget
-
- Fix: mishandled semicolons in the userinfo subcomponent could lead to
insecure behavior in which data that was supposed to be in the userinfo
subcomponent is misinterpreted to be part of the host subcomponent.
[bsc#1226419, CVE-2024-38428, properly-re-implement-userinfo-parsing.patch]
- python-base
-
- bsc#1221854 (CVE-2024-0450) Add
CVE-2024-0450-zipfile-avoid-quoted-overlap-zipbomb.patch
detecting the vulnerability of the "quoted-overlap" zipbomb
(from gh#python/cpython!110016).
- Switch to using the system libexpat (bsc#1219559,
CVE-2023-52425)
- Make sure to remove all embedded versions of other packages
(including expat).
- Add CVE-2023-52425-libexpat-2.6.0-remove-failing-tests.patch
removing failing test fixing bpo#3151, which we just do not
support.
- Remove patches over those embedded packages (cffi):
- python-2.7-libffi-aarch64.patch
- sparc_longdouble.patch
- Modify CVE-2023-27043-email-parsing-errors.patch to fix the
unicode string handling in email.utils.parseaddr()
(bsc#1222537).
- Revert CVE-2022-48560-after-free-heappushpop.patch, the fix was
unneeded.
- Switch off tests. ONLY FOR FACTORY!!! (bsc#1219306)
- Build with -std=gnu89 to build correctly with gcc14, bsc#1220970