- bind
-
- dnssec-keygen can no longer generate HMAC keys.
Use tsig-keygen instead.
modified genDDNSkey script to reflect this.
[vendor-files/tools/bind.genDDNSkey, bsc#1180933]
- CVE-2020-8625: A vulnerability in BIND's GSSAPI security policy
negotiation can be targeted by a buffer overflow attack
[bsc#1182246, CVE-2020-8625, bind-CVE-2020-8625.patch]
- containerd
-
- Update to containerd v1.3.9, which is needed for Docker v19.03.14-ce and
fixes CVE-2020-15257. bsc#1178969 bsc#1180243
- Update to containerd v1.3.7, which is required for Docker 19.03.13-ce.
boo#1176708 bsc#1177598 CVE-2020-15157
- Refresh patches:
* 0001-makefile-remove-emoji.patch
- Use Go 1.13 for build.
bsc#1153367 bsc#1157330
- docker
-
[NOTE: This update was only ever released in SLES and Leap.]
- It turns out the boo#1178801 libnetwork patch is also broken on Leap, so drop
the patch entirely. bsc#1180401 bsc#1182168
- boo1178801-0001-Add-docker-interfaces-to-firewalld-docker-zone.patch
[NOTE: This update was only ever released in SLES and Leap.]
- Update Docker to 19.03.15-ce. See upstream changelog in the packaged
/usr/share/doc/packages/docker/CHANGELOG.md. This update includes fixes for
bsc#1181732 (CVE-2021-21284) and bsc#1181730 (CVE-2021-21285).
- Rebase patches:
* bsc1073877-0001-apparmor-clobber-docker-default-profile-on-start.patch
- Only apply the boo#1178801 libnetwork patch to handle firewalld on openSUSE.
It appears that SLES doesn't like the patch. bsc#1180401
- Re-apply secrets fix for bsc#1065609 which appears to have been lost after it
was fixed.
* secrets-0001-daemon-allow-directory-creation-in-run-secrets.patch
* secrets-0002-SUSE-implement-SUSE-container-secrets.patch
- Add Conflicts and Provides for kubic flavour of docker-fish-completion.
- Update to Docker 19.03.14-ce. See upstream changelog in the packaged
/usr/share/doc/packages/docker/CHANGELOG.md. CVE-2020-15257 bsc#1180243
https://github.com/docker/docker-ce/releases/tag/v19.03.14
- Enable fish-completion
- Add a patch which makes Docker compatible with firewalld with
nftables backend. Backport of https://github.com/moby/libnetwork/pull/2548
(boo#1178801, SLE-16460)
* boo1178801-0001-Add-docker-interfaces-to-firewalld-docker-zone.patch
- Update to Docker 19.03.13-ce. See upstream changelog in the packaged
/usr/share/doc/packages/docker/CHANGELOG.md. bsc#1176708
- Fixes for %_libexecdir changing to /usr/libexec (bsc#1174075)
- Emergency fix: %requires_eq does not work with provide symbols,
only effective package names. Convert back to regular Requires.
- Update to Docker 19.03.12-ce. See upstream changelog in the packaged
/usr/share/doc/packages/docker/CHANGELOG.md.
- Use Go 1.13 instead of Go 1.14 because Go 1.14 can cause all sorts of
spurrious errors due to Go returning -EINTR from I/O syscalls much more often
(due to Go 1.14's pre-emptive goroutine support).
- bsc1172377-0001-unexport-testcase.Cleanup-to-fix-Go-1.14.patch
- Add BuildRequires for all -git dependencies so that we catch missing
dependencies much more quickly.
/usr/share/doc/packages/docker/CHANGELOG.md. bsc#1158590 bsc#1157330
- docker-runc
-
- Switch to Go 1.13 for build.
- gcc7
-
- Remove include-fixed/pthread.h
- Change GCC exception licenses to SPDX format
- add gcc7-pr81942.patch [bsc#1181618]
- glibc
-
- euc-kr-overrun.patch: Fix buffer overrun in EUC-KR conversion module
(CVE-2019-25013, bsc#1182117, BZ #24973)
- gconv-assertion-iso-2022-jp.patch: gconv: Fix assertion failure in
ISO-2022-JP-3 module (CVE-2021-3326, bsc#1181505, BZ #27256)
- iconv-redundant-shift.patch: iconv: Accept redundant shift sequences in
IBM1364 (CVE-2020-27618, bsc#1178386, BZ #26224)
- iconv-ucs4-loop-bounds.patch: iconv: Fix incorrect UCS4 inner loop
bounds (CVE-2020-29562, bsc#1179694, BZ #26923)
- printf-long-double-non-normal.patch: x86: Harden printf against
non-normal long double values (CVE-2020-29573, bsc#1179721, BZ #26649)
- get-nprocs-cpu-online-parsing.patch: Fix parsing of
/sys/devices/system/cpu/online (bsc#1180038, BZ #25859)
- golang-github-docker-libnetwork
-
[NOTE: This update was only ever released in SLES and Leap.]
- It turns out the boo#1178801 libnetwork patch is also broken on Leap, so drop
the patch entirely. bsc#1180401 bsc#1182168
- boo1178801-0001-Add-docker-interfaces-to-firewalld-docker-zone.patch
[NOTE: This update was only ever released in SLES and Leap.]
- Only apply the boo#1178801 libnetwork patch to handle firewalld on openSUSE.
It appears that SLES doesn't like the patch. bsc#1180401
- Update to libnetwork 55e924b8a842, which is required for Docker 19.03.14-ce.
bsc#1180243
- Add patch which makes libnetwork compatible with firewalld with
nftables backend. Backport of https://github.com/moby/libnetwork/pull/2548
(boo#1178801, SLE-16460)
* boo1178801-0001-Add-docker-interfaces-to-firewalld-docker-zone.patch
- Update to libnetwork 026aabaa6598, which is required for Docker 19.03.12-ce.
- grub2
-
- VUL-0: grub2,shim: implement new SBAT method (bsc#1182057)
* 0028-util-mkimage-Remove-unused-code-to-add-BSS-section.patch
* 0029-util-mkimage-Use-grub_host_to_target32-instead-of-gr.patch
* 0030-util-mkimage-Always-use-grub_host_to_target32-to-ini.patch
* 0031-util-mkimage-Unify-more-of-the-PE32-and-PE32-header-.patch
* 0032-util-mkimage-Reorder-PE-optional-header-fields-set-u.patch
* 0033-util-mkimage-Improve-data_size-value-calculation.patch
* 0034-util-mkimage-Refactor-section-setup-to-use-a-helper.patch
* 0035-util-mkimage-Add-an-option-to-import-SBAT-metadata-i.patch
* 0036-grub-install-common-Add-sbat-option.patch
- Fix CVE-2021-20225 (bsc#1182262)
* 0019-lib-arg-Block-repeated-short-options-that-require-an.patch
- Fix CVE-2020-27749 (bsc#1179264)
* 0021-kern-parser-Fix-resource-leak-if-argc-0.patch
* 0022-kern-parser-Fix-a-memory-leak.patch
* 0023-kern-parser-Introduce-process_char-helper.patch
* 0024-kern-parser-Introduce-terminate_arg-helper.patch
* 0025-kern-parser-Refactor-grub_parser_split_cmdline-clean.patch
* 0026-kern-buffer-Add-variable-sized-heap-buffer.patch
* 0027-kern-parser-Fix-a-stack-buffer-overflow.patch
- Fix CVE-2021-20233 (bsc#1182263)
* 0020-commands-menuentry-Fix-quoting-in-setparams_prefix.patch
- Fix CVE-2020-25647 (bsc#1177883)
* 0018-usb-Avoid-possible-out-of-bound-accesses-caused-by-m.patch
- Fix CVE-2020-25632 (bsc#1176711)
* 0017-dl-Only-allow-unloading-modules-that-are-not-depende.patch
- Fix CVE-2020-27779, CVE-2020-14372 (bsc#1179265) (bsc#1175970)
* 0001-mkimage-Clarify-file-alignment-in-efi-case.patch
* 0002-efi-Make-shim_lock-GUID-and-protocol-type-public.patch
* 0003-efi-Return-grub_efi_status_t-from-grub_efi_get_varia.patch
* 0004-efi-Add-a-function-to-read-EFI-variables-with-attrib.patch
* 0005-efi-Add-secure-boot-detection.patch
* 0006-kern-Add-lockdown-support.patch
* 0007-kern-lockdown-Set-a-variable-if-the-GRUB-is-locked-d.patch
* 0008-efi-Lockdown-the-GRUB-when-the-UEFI-Secure-Boot-is-e.patch
* 0009-efi-Use-grub_is_lockdown-instead-of-hardcoding-a-dis.patch
* 0010-acpi-Don-t-register-the-acpi-command-when-locked-dow.patch
* 0011-mmap-Don-t-register-cutmem-and-badram-commands-when-.patch
* 0012-commands-Restrict-commands-that-can-load-BIOS-or-DT-.patch
* 0013-commands-setpci-Restrict-setpci-command-when-locked-.patch
* 0014-commands-hdparm-Restrict-hdparm-command-when-locked-.patch
* 0015-gdb-Restrict-GDB-access-when-locked-down.patch
* 0016-loader-xnu-Don-t-allow-loading-extension-and-package.patch
* 0037-squash-Add-secureboot-support-on-efi-chainloader.patch
* 0038-squash-grub2-efi-chainload-harder.patch
* 0039-squash-Don-t-allow-insmod-when-secure-boot-is-enable.patch
* 0040-squash-linuxefi-fail-kernel-validation-without-shim-.patch
* 0041-squash-kern-Add-lockdown-support.patch
- Add SBAT metadata section to grub.efi
* grub2.spec
- hawk2
-
- Update to version 2.6.0:
* Use fullpath of binary (bsc#1181436)
* remove %x (bsc#1182163)
- java-1_8_0-ibm
-
- Update to Java 8.0 Service Refresh 6 Fix Pack 25
[bsc#1182186, bsc#1181239, CVE-2020-27221, CVE-2020-14803]
* CVE-2020-27221: Potential for a stack-based buffer overflow
when the virtual machine or JNI natives are converting from
UTF-8 characters to platform encoding.
* CVE-2020-14803: Unauthenticated attacker with network access
via multiple protocols allows to compromise Java SE.
- kernel-default
-
- Fix a bug in rawmidi UAF fix patch (bsc#1179601, CVE-2020-27786)
Refresh patches.suse/ALSA-rawmidi-Fix-racy-buffer-resize-under-concurrent.patch
- commit ce80dfa
- nbd: freeze the queue while we're adding connections
(bsc#1181504 CVE-2021-3348).
- nbd: Fix memory leak in nbd_add_socket (bsc#1181504).
- commit 447797a
- kABI: Fix kABI for extended APIC-ID support (bsc#1181001,
jsc#ECO-3191).
- x86/kvm: Add KVM_FEATURE_MSI_EXT_DEST_ID (bsc#1181001,
jsc#ECO-3191).
- x86/apic: Support 15 bits of APIC ID in IOAPIC/MSI where
available (bsc#1181001, jsc#ECO-3191).
- x86/ioapic: Handle Extended Destination ID field in RTE
(bsc#1181001, jsc#ECO-3191).
- x86/msi: Only use high bits of MSI address for DMAR unit
(bsc#1181001, jsc#ECO-3191).
- x86/apic: Fix x2apic enablement without interrupt remapping
(bsc#1181001, jsc#ECO-3191).
- x86/kvm: Reserve KVM_FEATURE_MSI_EXT_DEST_ID (bsc#1181001,
jsc#ECO-3191).
- iommu/vt-d: Don't dereference iommu_device if IOMMU_API is
not built (bsc#1181001, jsc#ECO-3191).
- iommu/vt-d: Gracefully handle DMAR units with no supported address widths (bsc#1181001, jsc#ECO-3191).
- commit ae9e787
- Move futex fixes into the sorted section (bsc#1181349 CVE-2021-3347)
- commit c34c9df
- Update patch References tags for futex fixes (bsc#1181349 CVE-2021-3347)
- commit afd051d
- Refresh patches.suse/4.4.136-002-powerpc-64s-Clear-PCR-on-boot.patch
Also clear PCR on POWER9 and in dt_cpu_ftrs.
- commit 56daabf
- futex: Fix incorrect should_fail_futex() handling (bsc#1181349).
- commit 0ba69a9
- futex: Handle faults correctly for PI futexes (bsc#1181349
bsc#1149032).
- futex: Simplify fixup_pi_state_owner() (bsc#1181349
bsc#1149032).
- futex: Use pi_state_update_owner() in put_pi_state()
(bsc#1181349 bsc#1149032).
- rtmutex: Remove unused argument from rt_mutex_proxy_unlock()
(bsc#1181349 bsc#1149032).
- futex: Provide and use pi_state_update_owner() (bsc#1181349
bsc#1149032).
- futex: Replace pointless printk in fixup_owner() (bsc#1181349
bsc#1149032).
- futex: Ensure the correct return value from futex_lock_pi()
(bsc#1181349 bsc#1149032).
- futex: Don't enable IRQs unconditionally in put_pi_state()
(bsc#1149032).
- locking/futex: Allow low-level atomic operations to return
- EAGAIN (bsc#1149032).
- commit 058c695
- netfilter: ctnetlink: add a range check for l3/l4 protonum
(CVE-2020-25211 bsc#1176395).
- commit 92230c0
- Update
patches.suse/0001-xen-events-add-a-proper-barrier-to-2-level-uevent-un.patch
(CVE-2020-27673 XSA-332 bsc#1177411).
- Update
patches.suse/0002-xen-events-fix-race-in-evtchn_fifo_unmask.patch
(CVE-2020-27673 XSA-332 bsc#1177411).
- Update
patches.suse/0003-xen-events-add-a-new-late-EOI-evtchn-framework.patch
(CVE-2020-27673 XSA-332 bsc#1177411).
- Update
patches.suse/0004-xen-blkback-use-lateeoi-irq-binding.patch
(CVE-2020-27673 XSA-332 bsc#1177411).
- Update
patches.suse/0005-xen-netback-use-lateeoi-irq-binding.patch
(CVE-2020-27673 XSA-332 bsc#1177411).
- Update
patches.suse/0006-xen-scsiback-use-lateeoi-irq-binding.patch
(CVE-2020-27673 XSA-332 bsc#1177411).
- Update
patches.suse/0008-xen-pciback-use-lateeoi-irq-binding.patch
(CVE-2020-27673 XSA-332 bsc#1177411).
- Update
patches.suse/0009-xen-events-switch-user-event-channels-to-lateeoi-mod.patch
(CVE-2020-27673 XSA-332 bsc#1177411).
- Update
patches.suse/0010-xen-events-use-a-common-cpu-hotplug-hook-for-event-c.patch
(CVE-2020-27673 XSA-332 bsc#1177411).
- Update
patches.suse/0011-xen-events-defer-eoi-in-case-of-excessive-number-of-.patch
(CVE-2020-27673 XSA-332 bsc#1177411).
- Update
patches.suse/0012-xen-events-block-rogue-events-for-some-time.patch
(CVE-2020-27673 XSA-332 bsc#1177411).
- Update
patches.suse/XEN-uses-irqdesc-irq_data_common-handler_data-to-sto.patch
(CVE-2020-27673 XSA-332 bsc#1065600).
- Update
patches.suse/xen-events-avoid-removing-an-event-channel-while-han.patch
(CVE-2020-27675 XSA-331 bsc#1177410).
- Update
patches.suse/xen-events-don-t-use-chip_data-for-legacy-IRQs.patch
(CVE-2020-27673 XSA-332 bsc#1065600).
- Added CVE numbers for above patches.
- commit 77fc141
- scsi: iscsi: Fix a potential deadlock in the timeout handler
(bsc#1178272).
- commit 05ab404
- Refresh
patches.suse/IB-hfi1-Ensure-correct-mm-is-used-at-all-times.patch.
Fixed backport (removed one line too much, d'oh).
- commit 6dc4356
- IB/hfi1: Ensure correct mm is used at all times (bsc#1179878
CVE-2020-27835).
- commit 39a2b87
- xen: support having only one event pending per watch
(bsc#1179508 XSA-349 CVE-2020-29568).
- commit d884e81
- xen: revert Allow watches discard events before queueing
(bsc#1179508 XSA-349 CVE-2020-29568).
- commit 2a4a8da
- xen: revert Add 'will_handle' callback support in
xenbus_watch_path() (bsc#1179508 XSA-349 CVE-2020-29568).
- commit 6baf8b8
- xen: revert Support will_handle watch callback (bsc#1179508
XSA-349 CVE-2020-29568).
- commit 3918801
- xen: revert Count pending messages for each watch (bsc#1179508
XSA-349 CVE-2020-29568).
- commit 9d30f4d
- xen: revert Disallow pending watch messages (bsc#1179508
XSA-349 CVE-2020-29568).
- commit d039881
- xen-blkback: set ring->xenblkd to NULL after kthread_stop()
(bsc#1179509 XSA-350 CVE-2020-29569).
- commit 1aab73c
- xenbus/xenbus_backend: Disallow pending watch messages
(bsc#1179508 XSA-349 CVE-2020-29568).
- commit 0cdf358
- xen/xenbus: Count pending messages for each watch (bsc#1179508
XSA-349 CVE-2020-29568).
- commit a14bb56
- xen/xenbus/xen_bus_type: Support will_handle watch callback
(bsc#1179508 XSA-349 CVE-2020-29568).
- commit 33a4600
- xen/xenbus: Add 'will_handle' callback support in
xenbus_watch_path() (bsc#1179508 XSA-349 CVE-2020-29568).
- commit 5ef1497
- xen/xenbus: Allow watches discard events before queueing
(bsc#1179508 XSA-349 CVE-2020-29568).
- commit 6f7a44e
- Drop the previous drm/nouveau fix that turned out to be superfluous (CVE-2020-25639 bsc#1176846)
- commit 001c6e5
- Move upstreamed vgacon patch into sorted section
- commit 73d2a02
- drm: bail out of nouveau_channel_new if channel init fails
(CVE-2020-25639 bsc#1176846).
- commit 55debf7
- target: fix XCOPY NAA identifier lookup (CVE-2020-28374,
bsc#1178372).
- commit 2765e76
- mwifiex: Fix possible buffer overflows in
mwifiex_cmd_802_11_ad_hoc_start (CVE-2020-36158 bsc#1180559).
- commit a833298
- s390/dasd: fix hanging device offline processing (bsc#1144912).
- commit deefa7f
- Move upstreamed bt fixes into sorted section
- commit adeed42
- Refresh patches.suse/powerpc-rtas-fix-typo-of-ibm-open-errinjct-in-rtas-f.patch
Refresh to upstream version.
- commit 76e9945
- blacklist.conf: added CVE affecting only SP1+
- commit a6af6c8
- blacklist.conf: added CVE-2020-10781 to blacklist, as only SP!+ affected
false positive in the checking script
- commit e4b1fa4
- Update
patches.suse/media-tw5864-Fix-possible-NULL-pointer-dereference-i.patch
(bsc#1051510 CVE-2019-20806).
Added CVE number, which was missing
- commit ac232ce
- tracing: Fix race in trace_open and buffer resize call
(CVE-2020-27825 bsc#1179960).
- commit 8b99744
- ring-buffer: speed up buffer resets by avoiding synchronize_rcu
for each CPU (CVE-2020-27825 bsc#1179960).
- commit 0d53945
- ring-buffer: Make resize disable per cpu buffer instead of
total buffer (CVE-2020-27825 bsc#1179960).
- commit 39cee5c
- fix regression in "/epoll: Keep a reference on files added to the check list"/ (bsc#1180031, git-fixes).
- commit d9c444f
- do_epoll_ctl(): clean the failure exits up a bit
(bsc#1180031,CVE-2020-0466).
- epoll: Keep a reference on files added to the check list
(bsc#1180031).
- commit e792e5d
- cfg80211: add missing policy for NL80211_ATTR_STATUS_CODE
(CVE-2020-27068 bsc#1180086).
- commit 886ad61
- HID: Fix slab-out-of-bounds read in hid_field_extract
(bsc#1180052).
- commit 5b124d9
- HID: core: Sanitize event code and type when mapping input
(CVE-2020-0465 bsc#1180029).
- commit ebf9f0e
- audit: fix error handling in audit_data_to_entry()
(CVE-2020-0444 bsc#1180027).
- commit f2e7691
- tty: Fix ->session locking (bsc#1179745 CVE-2020-29660).
- tty: Fix ->pgrp locking in tiocspgrp() (bsc#1179745
CVE-2020-29661).
- commit a59c61c
- x86/traps: Simplify pagefault tracing logic (bsc#1179895).
- Refresh
patches.suse/10-x86-xen-get-rid-of-paravirt-op-adjust_exception_frame.patch.
- commit 1fd13a5
- x86/tracing: Introduce a static key for exception tracing
(bsc#1179895).
- commit bf5beaa
- powerpc/rtas: fix typo of ibm,open-errinjct in rtas filter
(CVE-2020-27777 bsc#1179107 bsc#1179887 ltc#190092).
- commit 153fdda
- net/x25: prevent a couple of overflows (bsc#1178590).
- commit 3f48ad3
- media: xirlink_cit: add missing descriptor sanity checks
(bsc#1168952 CVE-2020-11668).
- commit e978e80
- Update
patches.suse/sched-fair-Don-t-free-p-numa_faults-with-concurrent-.patch
(bsc#1144920, bsc#1179663, CVE-2019-20934).
- commit fad2215
- kABI workaround for snd_rawmidi buffer_ref field addition
(CVE-2020-27786 bsc#1179601).
- commit 0e8d69d
- ALSA: rawmidi: Fix racy buffer resize under concurrent accesses
(CVE-2020-27786 bsc#1179601).
- commit 3c00a93
- Delete patches.suse/fs-select.c-batch-user-writes-in-do_sys_poll.patch.
(CVE-2020-4788 bsc#1179419).
Patch causes DLM regression. Drop for now.
- commit a422074
- Add missing RESTORE_CTR (CVE-2020-4788 bsc#1177666).
- Refresh patches.suse/powerpc-64s-Convert-slb_miss_common-to-use-RFI_TO_US.patch.
- Refresh patches.suse/powerpc-64s-Set-assembler-machine-type-to-POWER4.patch.
patches.suse/powerpc-64s-SLB-miss-already-has-CTR-saved-for-reloc.patch
adds RESTORE_CTR to the SLB miss handler so
patches.suse/powerpc-64s-Convert-slb_miss_common-to-use-RFI_TO_US.patch
must now copy it in the other fork of the exit code as well.
- commit a382dc2
- romfs: fix uninitialized memory leak in romfs_dev_read()
(CVE-2020-29371 bsc#1179429).
- commit c4cfc72
- block: Fix use-after-free in blkdev_get() (bsc#1173834
bsc#1179141 CVE-2020-15436).
- commit 0475fee
- blk-mq: make sure that line break can be printed (bsc#1163840
bsc#1179071).
- commit 8510786
- kABI: powerpc: Add back __clear_user (CVE-2020-4788
bsc#1177666).
- commit 9ab0140
- kABI: powerpc: avoid including pgtable.h in kup.h (CVE-2020-4788
bsc#1177666).
- commit 81cd22b
- make 'user_access_begin()' do 'access_ok()' (CVE-2020-4788 bsc#1177666).
- Delete patches.suse/drm-i915-CVE-2018-20669-access-check.patch.
- commit ffc3685
- serial: 8250: fix null-ptr-deref in serial8250_start_tx()
(CVE-2020-15437 bsc#1179140).
- commit 76da61e
- powerpc/64s: SLB miss already has CTR saved for relocatable kernel
(CVE-2020-4788 bsc#1177666).
- Refresh patches.suse/powerpc-64s-Set-assembler-machine-type-to-POWER4.patch.
- commit 741f364
- powerpc/64: Add CONFIG_PPC_BARRIER_NOSPEC (CVE-2020-4788 bsc#1177666).
- Refresh patches.suse/powerpc-64-Call-setup_barrier_nospec-from-setup_arch.patch
- Refresh patches.suse/powerpc-pmem-Update-ppc64-to-use-the-new-barrier-ins.patch.
- Update config files.
- commit b0085a7
- powerpc/rtas: Restrict RTAS requests from userspace
(CVE-2020-27777 bsc#1179107).
- Update config files.
- commit 3ed445b
- vt: Disable KD_FONT_OP_COPY (CVE-2020-28974 bsc#1178589).
- commit d9af9e6
- powerpc/64s: flush L1D after user accesses (CVE-2020-4788
bsc#1177666).
- Refresh patches.kabi/kABI-powerpc-avoid-including-pgtable.h-in-kup.h.patch.
- powerpc/uaccess: Evaluate macro arguments once, before user
access is allowed (CVE-2020-4788 bsc#1177666).
- powerpc: Fix __clear_user() with KUAP enabled (CVE-2020-4788
bsc#1177666).
- powerpc: Implement user_access_begin and friends (CVE-2020-4788
bsc#1177666).
- powerpc: Add a framework for user access tracking (CVE-2020-4788
bsc#1177666).
- powerpc/64s: flush L1D on kernel entry (CVE-2020-4788
bsc#1177666).
- powerpc/64s: move some exception handlers out of line
(CVE-2020-4788 bsc#1177666).
- powerpc/64s: Define MASKABLE_RELON_EXCEPTION_PSERIES_OOL
(CVE-2020-4788 bsc#1177666).
- powerpc/64s: Rename slb_miss_realmode() to slb_miss_common()
(CVE-2020-4788 bsc#1177666).
- powerpc/64s: Use BRANCH_TO_COMMON() for slb_miss_realmode
(CVE-2020-4788 bsc#1177666).
- commit f7d6c42
- fs/select.c: batch user writes in do_sys_poll (CVE-2020-4788
bsc#1177666).
- commit 011abbd
- Fonts: Replace discarded const qualifier (CVE-2020-28915
bsc#1178886).
- fbcon: Fix global-out-of-bounds read in fbcon_get_font()
(CVE-2020-28915 bsc#1178886).
- Fonts: Support FONT_EXTRA_WORDS macros for built-in fonts
(CVE-2020-28915 bsc#1178886).
- fbdev, newport_con: Move FONT_EXTRA_WORDS macros into
linux/font.h (CVE-2020-28915 bsc#1178886).
- commit 8016c83
- Input: sunkbd - avoid use-after-free in teardown paths
(CVE-2020-25669 bsc#1178182).
- commit e6736dd
- Refresh
patches.suse/0002-x86-speculation-Enable-Spectre-v1-swapgs-mitigations.patch.
- commit 896b402
- blk-mq: avoid sysfs buffer overflow with too many CPU cores
(bsc#1163840 bsc#1179071).
- commit ecf4289
- openssh
-
- Update openssh-7.6p1-audit.patch (bsc#1180501). This fixes
occasional crashes on connection termination caused by accessing
freed memory.
- python-Jinja2
-
- Fixed IndentationError in CVE-2020-28493.patch (bsc#1182244)
- CVE-2020-28493: Fixed a ReDOS vulnerability where urlize could have
been called with untrusted user data (bsc#1181944).
Added CVE-2020-28493.patch
- python3
-
- Resync with python36 Factory package.
- Make this %primary_interpreter
- Add CVE-2021-3177-buf_ovrfl_PyCArg_repr.patch fixing
bsc#1181126 (CVE-2021-3177) buffer overflow in PyCArg_repr in
_ctypes/callproc.c, which may lead to remote code execution.
- Provide the newest setuptools wheel (bsc#1176262,
CVE-2019-20916) in their correct form (bsc#1180686).
- Change setuptools and pip version numbers according to new
wheels (bsc#1179756).
- salt
-
- Fix regression on cmd.run when passing tuples as cmd (bsc#1182740)
- Added:
* fix_regression_in_cmd_run_after_cve.patch
- Allow extra_filerefs as sanitized kwargs for SSH client
- Added:
* allow-extra_filerefs-as-sanitized-kwargs-for-ssh-cli.patch
- Fix errors with virt.update
- Added:
* backport-commit-1b16478c51fb75c25cd8d217c80955feefb6.patch
- Fix for multiple for security issues
(CVE-2020-28243) (CVE-2020-28972) (CVE-2020-35662) (CVE-2021-3148) (CVE-2021-3144)
(CVE-2021-25281) (CVE-2021-25282) (CVE-2021-25283) (CVE-2021-25284) (CVE-2021-3197)
(bsc#1181550) (bsc#1181556) (bsc#1181557) (bsc#1181558) (bsc#1181559) (bsc#1181560)
(bsc#1181561) (bsc#1181562) (bsc#1181563) (bsc#1181564) (bsc#1181565)
- Added:
* fix-for-some-cves-bsc1181550.patch
- virt: search for grub.xen path
- Xen spicevmc, DNS SRV records backports:
Fix virtual network generated DNS XML for SRV records
Don't add spicevmc channel to xen VMs
- virt UEFI fix: virt.update when efi=True
- Added:
* open-suse-3002.2-xen-grub-316.patch
* virt-uefi-fix-backport-312.patch
* 3002.2-xen-spicevmc-dns-srv-records-backports-314.patch
- screen
-
- Fix double width combining char handling that could lead
to a segfault [bnc#1182092] [CVE-2021-26937]
new patch: combchar.diff
- tcl
-
- bsc#1181840: Same fix as for tclConfig.sh is needed for tcl.pc.