- binutils
-
- For building shim 15.6~rc1 (and later versions) aarch64 image, objcopy
needs to support efi-app-aarch64 target. (bsc#1198458)
Adds binutils-add-efi-aarch64-1.diff,
binutils-add-efi-aarch64-2.diff, binutils-add-efi-aarch64-3.diff .
- Add binutils-fix-keepdebug.diff for fix bsc#1191908, a problem
in crash not accepting some of our .ko.debug files.
- Add binutils-revert-rela.diff to revert back to old behaviour
of not ignoring the in-section content of to be relocated
fields on x86-64, even though that's a RELA architecture.
Compatibility with buggy object files generated by old tools.
[bsc#1198422]
- containerd
-
- Update to containerd v1.6.6 to fix CVE-2022-31030 and meet the requirements
of Docker v20.10.17-ce. bsc#1200145
- Remove upstreamed patches:
- bsc1200145-Limit-the-response-size-of-ExecSync.patch
[ This patch was only released in SLES and Leap. ]
- Backport patch to fix GHSA-5ffw-gxpp-mxpf CVE-2022-31030. bsc#1200145
+ bsc1200145-Limit-the-response-size-of-ExecSync.patch
- Update to containerd v1.5.12. Upstream release notes:
<https://github.com/containerd/containerd/releases/tag/v1.5.12>
- curl
-
- Security fix: [bsc#1200735, CVE-2022-32206]
* HTTP compression denial of service
* Add curl-CVE-2022-32206.patch
- Security fix: [bsc#1200737, CVE-2022-32208]
* FTP-KRB bad message verification
* Add curl-CVE-2022-32208.patch
- docker
-
- Update to Docker 20.10.17-ce. See upstream changelog online at
<https://docs.docker.com/engine/release-notes/#201017>. bsc#1200145
- Rebase patches:
* 0001-SECRETS-daemon-allow-directory-creation-in-run-secre.patch
* 0002-SECRETS-SUSE-implement-SUSE-container-secrets.patch
* 0003-PRIVATE-REGISTRY-add-private-registry-mirror-support.patch
* 0004-bsc1073877-apparmor-clobber-docker-default-profile-o.patch
* 0005-bsc1183855-btrfs-Do-not-disable-quota-on-cleanup.patch
* 0006-bsc1193930-vendor-update-golang.org-x-crypto.patch
- fence-agents
-
- fence-agents-4.9.0+git.1624456340.8d746be9-150300.3.8.1 broken in
GCP due to missing "/--zone"/ parameter (bsc#1198872)
- Apply proposed patch
0001-fence_gce-Make-zone-optional-for-get_nodes_list-487.patch
- gcc11
-
- Update to the GCC 11.3.0 release.
* includes SLS hardening backport on x86_64. [bsc#1195283]
- Update to gcc-11 branch head (691af15031e00227ba6d5935c), git1635
* includes gcc11-pr104931.patch
* includes fix for Firefox ICE [gcc#105256]
- Add provides/conflicts to glibc crosses since only one GCC version
for the same target can be installed at the same time.
- Add provides/conflicts to libgccjit.
- Update to gcc-11 branch head (6a1150d1524aeda3381b21717), git1406
* includes change to adjust gnats idea of the target, fixing
the build of gprbuild. [bsc#1196861]
- Add gcc11-pr104931.patch to fix miscompile of embedded premake
in 0ad on i586. [bsc#1197065]
- drop armv5tel, merge arm and armv6hl
- use --with-cpu rather than specifying --with-arch/--with-tune
to Recoomends.
- Remove sys/rseq.h from include-fixed
- Update to gcc-11 branch head (d4a1d3c4b377f1d4acb), git1173
* Fix D memory corruption in -M output.
* Fix ICE in is_this_parameter with coroutines. [boo#1193659]
- Enable the cross compilers also on i586
- Enable some cross compilers also in rings
- Remove cross compilers for i386 target
- Update to gcc-11 branch head (7510c23c1ec53aa4a62705f03), git1018
* fixes issue with debug dumping together with -o /dev/null
* fixes libgccjit issue showing up in emacs build [boo#1192951]
- Package mwaitintrin.h
- Remove spurious exit from change_spec.
- Enable the full cross compiler, cross-aarch64-gcc11 and
cross-riscv64-gcc11 now provide a fully hosted C (and C++)
cross compiler, not just a freestanding one. I.e. with a cross
glibc. They don't yet support the sanitizer libraries.
Part of [jsc#OBS-124].
- grub2
-
- Security fixes and hardenings for boothole 3 / boothole 2022 (bsc#1198581)
* 0001-video-Remove-trailing-whitespaces.patch
* 0002-video-readers-jpeg-Test-for-an-invalid-next-marker-r.patch
* 0003-video-readers-jpeg-Catch-files-with-unsupported-quan.patch
* 0004-video-readers-jpeg-Catch-OOB-reads-writes-in-grub_jp.patch
* 0005-video-readers-jpeg-Don-t-decode-data-before-start-of.patch
* 0006-misc-Format-string-for-grub_error-should-be-a-litera.patch
* 0007-loader-efi-chainloader-Simplify-the-loader-state.patch
* 0008-commands-boot-Add-API-to-pass-context-to-loader.patch
- Fix CVE-2022-28736 (bsc#1198496)
* 0009-loader-efi-chainloader-Use-grub_loader_set_ex.patch
- Fix CVE-2022-28735 (bsc#1198495)
* 0010-kern-efi-sb-Reject-non-kernel-files-in-the-shim_lock.patch
* 0011-kern-file-Do-not-leak-device_name-on-error-in-grub_f.patch
* 0012-video-readers-png-Abort-sooner-if-a-read-operation-f.patch
* 0013-video-readers-png-Refuse-to-handle-multiple-image-he.patch
- Fix CVE-2021-3695 (bsc#1191184)
* 0014-video-readers-png-Drop-greyscale-support-to-fix-heap.patch
- Fix CVE-2021-3696 (bsc#1191185)
* 0015-video-readers-png-Avoid-heap-OOB-R-W-inserting-huff-.patch
* 0016-video-readers-png-Sanity-check-some-huffman-codes.patch
* 0017-video-readers-jpeg-Abort-sooner-if-a-read-operation-.patch
* 0018-video-readers-jpeg-Do-not-reallocate-a-given-huff-ta.patch
* 0019-video-readers-jpeg-Refuse-to-handle-multiple-start-o.patch
- Fix CVE-2021-3697 (bsc#1191186)
* 0020-video-readers-jpeg-Block-int-underflow-wild-pointer-.patch
* 0021-normal-charset-Fix-array-out-of-bounds-formatting-un.patch
- Fix CVE-2022-28733 (bsc#1198460)
* 0022-net-ip-Do-IP-fragment-maths-safely.patch
* 0023-net-netbuff-Block-overly-large-netbuff-allocs.patch
* 0024-net-dns-Fix-double-free-addresses-on-corrupt-DNS-res.patch
* 0025-net-dns-Don-t-read-past-the-end-of-the-string-we-re-.patch
* 0026-net-tftp-Prevent-a-UAF-and-double-free-from-a-failed.patch
* 0027-net-tftp-Avoid-a-trivial-UAF.patch
* 0028-net-http-Do-not-tear-down-socket-if-it-s-already-bee.patch
- Fix CVE-2022-28734 (bsc#1198493)
* 0029-net-http-Fix-OOB-write-for-split-http-headers.patch
- Fix CVE-2022-28734 (bsc#1198493)
* 0030-net-http-Error-out-on-headers-with-LF-without-CR.patch
* 0031-fs-f2fs-Do-not-read-past-the-end-of-nat-journal-entr.patch
* 0032-fs-f2fs-Do-not-read-past-the-end-of-nat-bitmap.patch
* 0033-fs-f2fs-Do-not-copy-file-names-that-are-too-long.patch
* 0034-fs-btrfs-Fix-several-fuzz-issues-with-invalid-dir-it.patch
* 0035-fs-btrfs-Fix-more-ASAN-and-SEGV-issues-found-with-fu.patch
* 0036-fs-btrfs-Fix-more-fuzz-issues-related-to-chunks.patch
* 0037-Use-grub_loader_set_ex-for-secureboot-chainloader.patch
- Update SBAT security contact (boo#1193282)
- Bump grub's SBAT generation to 2
- Use boot disks in OpenFirmware, fixing regression caused by
0001-ieee1275-implement-FCP-methods-for-WWPN-and-LUNs.patch, when
the root LV is completely in the boot LUN (bsc#1197948)
* 0001-ofdisk-improve-boot-time-by-lookup-boot-disk-first.patch
- icewm
-
- Add icewm-build-with-glib2-ver-gt-2.67.3.patch:
A later glib2 update will cause icewm failed to build by including
gdk-pixbuf-xlib with extern "/C"/ annotation:
https://gitlab.gnome.org/GNOME/glib/-/commit/51003d409bb4b6c9a8540f70b92f8045abc4f0c9?merge_request_iid=1715
The patch aims to remove the annotation caused the issue
(bsc#1197729).
- kernel-default
-
- x86/kexec: Disable RET on kexec (bsc#1199657 CVE-2022-29900
CVE-2022-29901).
- commit 307fbca
- x86/bugs: Do not enable IBPB-on-entry when IBPB is not supported
(bsc#1199657 CVE-2022-29900 CVE-2022-29901).
- commit 1765272
- x86/cpu/amd: Enumerate BTC_NO (bsc#1199657 CVE-2022-29900
CVE-2022-29901).
- commit d929744
- x86/common: Stamp out the stepping madness (bsc#1199657
CVE-2022-29900 CVE-2022-29901).
- commit 2c755e4
- KVM: VMX: Prevent RSB underflow before vmenter (bsc#1199657
CVE-2022-29900 CVE-2022-29901).
- commit 9a79f2f
- x86/speculation: Fill RSB on vmexit for IBRS (bsc#1199657
CVE-2022-29900 CVE-2022-29901).
- commit 0b69b8a
- KVM: VMX: Fix IBRS handling after vmexit (bsc#1199657
CVE-2022-29900 CVE-2022-29901).
- commit 07ac9e9
- KVM: VMX: Prevent guest RSB poisoning attacks with eIBRS
(bsc#1199657 CVE-2022-29900 CVE-2022-29901).
- commit 1e6246d
- KVM: VMX: Convert launched argument to flags (bsc#1199657
CVE-2022-29900 CVE-2022-29901).
- commit c6cb889
- KVM: VMX: Flatten __vmx_vcpu_run() (bsc#1199657 CVE-2022-29900
CVE-2022-29901).
- commit 7be7aa8
- KVM/nVMX: Use __vmx_vcpu_run in nested_vmx_check_vmentry_hw
(bsc#1199657 CVE-2022-29900 CVE-2022-29901).
- commit fa67a49
- x86/speculation: Remove x86_spec_ctrl_mask (bsc#1199657
CVE-2022-29900 CVE-2022-29901).
- commit 65ae6ff
- x86/speculation: Use cached host SPEC_CTRL value for guest
entry/exit (bsc#1199657 CVE-2022-29900 CVE-2022-29901).
- commit f9804f2
- x86/speculation: Fix SPEC_CTRL write on SMT state change
(bsc#1199657 CVE-2022-29900 CVE-2022-29901).
- commit 5f2a343
- x86/speculation: Fix firmware entry SPEC_CTRL handling
(bsc#1199657 CVE-2022-29900 CVE-2022-29901).
- commit f2239f3
- x86/cpu/amd: Add Spectral Chicken (bsc#1199657 CVE-2022-29900
CVE-2022-29901).
- commit 947cd5f
- x86/bugs: Do IBPB fallback check only once (bsc#1199657
CVE-2022-29900 CVE-2022-29901).
- commit 1a61b75
- x86/bugs: Add retbleed=ibpb (bsc#1199657 CVE-2022-29900
CVE-2022-29901).
- commit 0cc24ff
- x86/xen: Rename SYS* entry points (bsc#1199657 CVE-2022-29900
CVE-2022-29901).
- commit 006e283
- intel_idle: Disable IBRS during long idle (bsc#1199657
CVE-2022-29900 CVE-2022-29901).
- commit be76ad2
- x86/bugs: Report Intel retbleed vulnerability (bsc#1199657
CVE-2022-29900 CVE-2022-29901).
- commit f305bb6
- x86/bugs: Split spectre_v2_select_mitigation() and
spectre_v2_user_select_mitigation() (bsc#1199657 CVE-2022-29900
CVE-2022-29901).
- commit ea9c198
- x86/speculation: Add spectre_v2=ibrs option to support Kernel
IBRS (bsc#1199657 CVE-2022-29900 CVE-2022-29901).
- commit f446cce
- x86/bugs: Optimize SPEC_CTRL MSR writes (bsc#1199657
CVE-2022-29900 CVE-2022-29901).
- commit c6d4bce
- x86/entry: Add kernel IBRS implementation (bsc#1199657
CVE-2022-29900 CVE-2022-29901).
- commit 177b58c
- x86/bugs: Keep a per-CPU IA32_SPEC_CTRL value (bsc#1199657
CVE-2022-29900 CVE-2022-29901).
- commit 09deb3c
- x86/bugs: Enable STIBP for JMP2RET (bsc#1199657 CVE-2022-29900
CVE-2022-29901).
- commit f81a4dd
- x86/bugs: Add AMD retbleed= boot parameter (bsc#1199657
CVE-2022-29900 CVE-2022-29901).
- Update config files.
- commit d01bb91
- x86/bugs: Report AMD retbleed vulnerability (bsc#1199657
CVE-2022-29900 CVE-2022-29901).
- commit 0f3415d
- x86: Add magic AMD return-thunk (bsc#1199657 CVE-2022-29900
CVE-2022-29901).
- commit c07f56b
- x86: Use return-thunk in asm code (bsc#1199657 CVE-2022-29900
CVE-2022-29901).
- commit ca39a43
- x86/sev: Avoid using __x86_return_thunk (bsc#1199657
CVE-2022-29900 CVE-2022-29901).
- commit 10587ca
- x86/vsyscall_emu/64: Don't use RET in vsyscall emulation
(bsc#1199657 CVE-2022-29900 CVE-2022-29901).
- commit 5767b0f
- x86/kvm: Fix SETcc emulation for return thunks (bsc#1199657
CVE-2022-29900 CVE-2022-29901).
- commit 720497e
- x86/bpf: Use alternative RET encoding (bsc#1199657
CVE-2022-29900 CVE-2022-29901).
- commit 2b357b7
- x86: Undo return-thunk damage (bsc#1199657 CVE-2022-29900
CVE-2022-29901).
- commit 83262bf
- x86/retpoline: Use -mfunction-return (bsc#1199657 CVE-2022-29900
CVE-2022-29901).
- commit 15c2b41
- x86/cpufeatures: Move RETPOLINE flags to word 11 (bsc#1199657
CVE-2022-29900 CVE-2022-29901).
- commit 115e0f2
- crypto: x86/poly1305 - Fixup SLS (bsc#1201050 CVE-2021-26341).
- commit 2d201f6
- x86: Add straight-line-speculation mitigation (bsc#1201050
CVE-2021-26341).
- Update config files.
- Refresh
patches.suse/x86-speculation-rename-retpoline_amd-to-retpoline_lfence.patch.
- commit 928abdb
- x86: Prepare inline-asm for straight-line-speculation
(bsc#1201050 CVE-2021-26341).
- commit 5a87fe7
- x86: Prepare asm files for straight-line-speculation
(bsc#1201050 CVE-2021-26341).
- commit cbb5495
- x86/lib/atomic64_386_32: Rename things (bsc#1201050
CVE-2021-26341).
- commit 2201ded
- x86: Use -mindirect-branch-cs-prefix for RETPOLINE builds
(bsc#1201050 CVE-2021-26341).
- commit beba436
- bcache: avoid unnecessary soft lockup in kworker
update_writeback_rate() (bsc#1197362).
- commit 23f1946
- sctp: handle kABI change in struct sctp_endpoint (CVE-2022-20154
bsc#1200599).
- commit b1e8eec
- sctp: use call_rcu to free endpoint (CVE-2022-20154
bsc#1200599).
- commit 44ec44b
- vmxnet3: fix minimum vectors alloc issue (bsc#1199489).
- commit e96d754
- blk-mq: clear active_queues before clearing
BLK_MQ_F_TAG_QUEUE_SHARED (bsc#1200263).
- commit d497e61
- rpm/check-for-config-changes: ignore GCC12/CC_NO_ARRAY_BOUNDS
Upstream commit f0be87c42cbd (gcc-12: disable '-Warray-bounds'
universally for now) added two new compiler-dependent configs:
* CC_NO_ARRAY_BOUNDS
* GCC12_NO_ARRAY_BOUNDS
Ignore them -- they are unset by dummy tools (they depend on gcc version
== 12), but set as needed during real compilation.
- commit a14607c
- ath9k: fix use-after-free in ath9k_hif_usb_rx_cb (CVE-2022-1679
bsc#1199487).
- commit 1ae14c9
- Update patches.suse/pNFS-flexfiles-fix-incorrect-size-check-in-decode_nf.patch
(git-fixes CVE-2021-4157 bnc#1194013).
- commit fccebe3
- exec: Force single empty string when argv is empty
(bsc#1200571).
- commit dffa04e
- HID: add USB_HID dependancy to hid-prodikeys (CVE-2022-20132
bsc#1200619).
- HID: add USB_HID dependancy to hid-chicony (CVE-2022-20132
bsc#1200619).
- HID: bigbenff: prevent null pointer dereference (CVE-2022-20132
bsc#1200619).
- HID: add USB_HID dependancy on some USB HID drivers
(CVE-2022-20132 bsc#1200619).
- commit f2f08be
- HID: holtek: fix mouse probing (CVE-2022-20132 bsc#1200619).
- commit f8ff78e
- HID: check for valid USB device for many HID drivers
(CVE-2022-20132 bsc#1200619).
- HID: add hid_is_usb() function to make it simpler for USB
detection (CVE-2022-20132 bsc#1200619).
- commit 3fe30db
- igmp: Add ip_mc_list lock in ip_check_mc_rcu (bsc#1200604
CVE-2022-20141).
- commit 34bf464
- kernel-binary.spec: check s390x vmlinux location
As a side effect of mainline commit edd4a8667355 ("/s390/boot: get rid of
startup archive"/), vmlinux on s390x moved from "/compressed"/ subdirectory
directly into arch/s390/boot. As the specfile is shared among branches,
check both locations and let objcopy use one that exists.
- commit cd15543
- Add missing recommends of kernel-install-tools to kernel-source-vanilla (bsc#1200442)
- commit 93b1375
- blk-mq: Fix wrong wakeup batch configuration which will cause
hang (bsc#1200263).
- commit 94fe3d6
- blk-mq: fix tag_get wait task can't be awakened (bsc#1200263).
- commit 6b5ea17
- floppy: disable FDRAWCMD by default (bsc#1198866 CVE-2022-1836).
- Update config files.
- commit f9d0532
- add mainline tag for a pci-hyperv change
- commit 32deed8
- netfilter: nf_tables: disallow non-stateful expression in sets
earlier (CVE-2022-1966 bsc#1200015).
- commit 41de480
- btrfs: tree-checker: fix incorrect printk format (bsc#1200249).
- commit 9d94c81
- NFC: netlink: fix sleep in atomic bug when firmware download
timeout (CVE-2022-1975 bsc#1200143).
- commit bcae1e0
- nfc: replace improper check device_is_registered() in netlink
related functions (CVE-2022-1974 bsc#1200144).
- Refresh
patches.suse/NFC-SUSE-specific-brutal-fix-for-runtime-PM.patch.
- commit 8ab4a08
- certs: Add EFI_CERT_X509_GUID support for dbx entries
(bsc#1177282 CVE-2020-26541).
- Update config files.
- commit 6bf28b7
- Refresh
patches.suse/lockdown-also-lock-down-previous-kgdb-use.patch.
In this case, we can not simply use __GENKSYMS__ to wrap new
LOCKDOWN_DBG_WRITE/READ_KERNEL fields in enum lockdown_reason
struct. So let's remove __GENKSYMS__ and add a kabi workaround
patch. (bsc#1199426 CVE-2022-21499)
- commit 88eddb5
- lockdown: kABI workaround for lockdown_reason changes
(bsc#1199426, CVE-2022-21499).
- commit fe7a29a
- btrfs: extent-tree: kill the BUG_ON() in
insert_inline_extent_backref() (CVE-2019-19377 bsc#1158266).
- commit 31a8792
- btrfs: extent-tree: kill BUG_ON() in __btrfs_free_extent()
(CVE-2019-19377 bsc#1158266).
- commit 75b17c1
- sched/rt: Disable RT_RUNTIME_SHARE by default (bnc#1197895).
- commit b949091
- KVM: x86/speculation: Disable Fill buffer clear within guests (bsc#1199650 CVE-2022-21166 CVE-2022-21127 CVE-2022-21123 CVE-2022-21125 CVE-2022-21180).
- commit 5a5e587
- lockdown: also lock down previous kgdb use (bsc#1199426
CVE-2022-21499).
- commit 090b59e
- kernel-binary.spec: Support radio selection for debuginfo.
To disable debuginfo on 5.18 kernel a radio selection needs to be
switched to a different selection. This requires disabling the currently
active option and selecting NONE as debuginfo type.
- commit 43b5dd3
- perf: Fix sys_perf_event_open() race against self
(CVE-2022-1729, bsc#1199507).
- commit feaf8f1
- x86/speculation/mmio: Reuse SRBDS mitigation for SBDS (bsc#1199650 CVE-2022-21166 CVE-2022-21127 CVE-2022-21123 CVE-2022-21125 CVE-2022-21180).
- commit 26884d9
- ext4: avoid cycles in directory h-tree (bsc#1198577
CVE-2022-1184).
- commit b98a7a0
- ext4: verify dir block before splitting it (bsc#1198577
CVE-2022-1184).
- commit 1b10a51
- x86/speculation/srbds: Update SRBDS mitigation selection (bsc#1199650 CVE-2022-21166 CVE-2022-21127 CVE-2022-21123 CVE-2022-21125 CVE-2022-21180).
- commit d537aef
- x86/speculation/mmio: Add sysfs reporting for Processor MMIO Stale Data (bsc#1199650 CVE-2022-21166 CVE-2022-21127 CVE-2022-21123 CVE-2022-21125 CVE-2022-21180).
- commit b3703f5
- x86/speculation/mmio: Enable CPU Fill buffer clearing on idle (bsc#1199650 CVE-2022-21166 CVE-2022-21127 CVE-2022-21123 CVE-2022-21125 CVE-2022-21180).
- commit 66ff392
- x86/bugs: Group MDS, TAA & Processor MMIO Stale Data mitigations (bsc#1199650 CVE-2022-21166 CVE-2022-21127 CVE-2022-21123 CVE-2022-21125 CVE-2022-21180).
- commit 155be7c
- x86/speculation/mmio: Add mitigation for Processor MMIO Stale Data (bsc#1199650 CVE-2022-21166 CVE-2022-21127 CVE-2022-21123 CVE-2022-21125 CVE-2022-21180).
- commit f3a7e3f
- x86/speculation: Add a common function for MD_CLEAR mitigation update (bsc#1199650 CVE-2022-21166 CVE-2022-21127 CVE-2022-21123 CVE-2022-21125 CVE-2022-21180).
- commit a863a71
- x86/speculation/mmio: Enumerate Processor MMIO Stale Data bug (bsc#1199650 CVE-2022-21166 CVE-2022-21127 CVE-2022-21123 CVE-2022-21125 CVE-2022-21180).
- commit 70a86e2
- ping: fix the sk_bound_dev_if match in ping_lookup
(bsc#1199918).
- commit 6a58950
- kABI: Fix kABI after CVE-2022-0171 backport (CVE-2022-0171
bsc#1199509).
- commit da4b250
- KVM: SEV: add cache flush to solve SEV cache incoherency issues
(CVE-2022-0171 bsc#1199509).
- commit b851a8d
- ping: remove pr_err from ping_lookup (bsc#1199918).
- commit db3c60d
- patches.suse/ping-fix-the-dif-and-sdif-check-in-ping_lookup.patch:
(bsc#1199918).
- commit f3f3a96
- floppy: use a statically allocated error counter (bsc#1199063
CVE-2022-1652).
- commit 3cde83e
- nfc: nfcmrvl: main: reorder destructive operations in
nfcmrvl_nci_unregister_dev to avoid bugs (CVE-2022-1734
bsc#1199605 git-fixes).
- commit 4841312
- NFS: limit use of ACCESS cache for negative responses
(bsc#1196570).
- Refresh
patches.kabi/NFS-pass-cred-explicitly-for-access-tests.patch.
- commit d1ca538
- Update
patches.suse/sctp-delay-auto_asconf-init-until-binding-the-first-.patch
headers (CVE-2021-23133 bsc#1184675).
Remove unwanted patch headers which have hidden intended CVE and bugzilla
references (shown above) when the patch was added. The primary purpose of
this commit is to get the CVE/bugzilla references to git and rpm changelog.
- commit 33c2a2f
- Fix build warning
Refreshed:
patches.suse/PCI-hv-Do-not-set-PCI_COMMAND_MEMORY-to-reduce-VM-bo.patch
- commit ba12cc4
- ptrace: Check PTRACE_O_SUSPEND_SECCOMP permission on
PTRACE_SEIZE (CVE-2022-30594 bsc#1199505 bsc#1198413).
- commit fd4d93d
- NFSv4: nfs_atomic_open() can race when looking up a non-regular
file (bsc#1195612 CVE-2022-24448).
- commit db3a8ef
- PCI: hv: Do not set PCI_COMMAND_MEMORY to reduce VM boot time (bsc#1199314).
- commit bdb23bb
- series.conf: cleanup
- Move submitted patch to "/sorted"/ section
patches.suse/0001-SUNRPC-change-locking-for-xs_swap_enable-disable.patch
- commit cacd83b
- cifs: fix NULL ptr dereference in smb2_ioctl_query_info()
(CVE-2022-0168 bsc#1197472).
- commit 5256a40
- cifs: prevent bad output lengths in smb2_ioctl_query_info()
(CVE-2022-0168 bsc#1197472).
- commit 3989909
- rpm/kernel-obs-build.spec.in: Also depend on dracut-systemd (bsc#1195775)
- commit 5d4e32c
- ixgbevf: add disable link state (bsc#1196426 CVE-2021-33061).
- ixgbe: add improvement for MDD response functionality
(bsc#1196426 CVE-2021-33061).
- ixgbe: add the ability for the PF to disable VF link state
(bsc#1196426 CVE-2021-33061).
- commit c5d1777
- net: mana: Remove unnecessary check of cqe_type in
mana_process_rx_cqe() (bsc#1195651).
- net: mana: Add handling of CQE_RX_TRUNCATED (bsc#1195651).
- net: mana: Reuse XDP dropped page (bsc#1195651).
- net: mana: Add counter for XDP_TX (bsc#1195651).
- net: mana: Add counter for packet dropped by XDP (bsc#1195651).
- net: mana: Use struct_size() helper in
mana_gd_create_dma_region() (bsc#1195651).
- commit 9f064ea
- net/x25: Fix null-ptr-deref caused by x25_disconnect
(CVE-2022-1516 bsc#1199012).
- commit bd2f1ec
- net: ena: Extract recurring driver reset code into a function
(bsc#1198778).
- net: ena: Change the name of bad_csum variable (bsc#1198778).
- net: ena: Add debug prints for invalid req_id resets
(bsc#1198778).
- net: ena: Remove ena_calc_queue_size_ctx struct (bsc#1198778).
- net: ena: Move reset completion print to the reset function
(bsc#1198778).
- net: ena: Remove redundant return code check (bsc#1198778).
- net: ena: Change ENI stats support check to use capabilities
field (bsc#1198778).
- net: ena: Add capabilities field with support for ENI stats
capability (bsc#1198778).
- net: ena: Change return value of ena_calc_io_queue_size()
to void (bsc#1198778).
- net: ena: Fix error handling when calculating max IO queues
number (bsc#1198778).
- net: ena: Fix wrong rx request id by resetting device
(bsc#1198778).
- net: ena: Fix undefined state when tx request id is out of
bounds (bsc#1198778).
- ena: Remove rcu_read_lock() around XDP program invocation
(bsc#1198778).
- net: ena: make symbol 'ena_alloc_map_page' static (bsc#1198778).
- net: ena: re-organize code to improve readability (bsc#1198778).
- net: ena: Use dev_alloc() in RX buffer allocation (bsc#1198778).
- net: ena: aggregate doorbell common operations into a function
(bsc#1198778).
- net: ena: Remove module param and change message severity
(bsc#1198778).
- net: ena: add jiffies of last napi call to stats (bsc#1198778).
- net: ena: use build_skb() in RX path (bsc#1198778).
- net: ena: Improve error logging in driver (bsc#1198778).
- net: ena: Remove unused code (bsc#1198778).
- net: ena: optimize data access in fast-path code (bsc#1198778).
- net: ena: fix DMA mapping function issues in XDP (bsc#1198778).
- net: ena: remove extra words from comments (bsc#1198778).
- net: ena: fix inaccurate print type (bsc#1198778).
- ethernet: amazon: ena: A typo fix in the file ena_com.h
(bsc#1198778).
- net: ena: Update XDP verdict upon failure (bsc#1198778).
- net: ena: introduce ndo_xdp_xmit() function for XDP_REDIRECT
(bsc#1198778).
- net: ena: use xdp_return_frame() to free xdp frames
(bsc#1198778).
- net: ena: introduce XDP redirect implementation (bsc#1198778).
- net: ena: use xdp_frame in XDP TX flow (bsc#1198778).
- net: ena: aggregate stats increase into a function
(bsc#1198778).
- net: ena: fix coding style nits (bsc#1198778).
- net: ena: store values in their appropriate variables types
(bsc#1198778).
- net: ena: add device distinct log prefix to files (bsc#1198778).
- net: ena: use constant value for net_device allocation
(bsc#1198778).
- commit f2320f9
- ovl: fix missing negative dentry check in ovl_rename()
(CVE-2021-20321 bsc#1191647).
- commit 14422d8
- SUNRPC: change locking for xs_swap_enable/disable (bsc#1196367).
- commit 8562a15
- scsi: scsi_dh_alua: Avoid crash during alua_bus_detach()
(bsc#1028340 bsc#1198825).
- commit f04215d
- pahole 1.22 required for full BTF features.
also recommend pahole for kernel-source to make the kernel buildable
with standard config
- commit 364f54b
- Update
patches.suse/net-usb-ax88179_178a-Fix-out-of-bounds-accesses-in-R.patch
(bsc#1196018 CVE-2022-28748).
added CVE number
- commit dfbe27e
- use jobs not processors in the constraints
jobs is the number of vcpus available to the build, while processors
is the total processor count of the machine the VM is running on.
- commit a6e141d
- Update patch reference for drm fix (CVE-2022-1419 bsc#1198742)
- commit 5c0501b
- KVM: x86/mmu: do compare-and-exchange of gPTE via the user address (CVE-2022-1158 bsc#1197660).
- commit 0581a66
- powerpc/pseries: Fix use after free in remove_phb_dynamic()
(bsc#1065729 bsc#1198660 ltc#197803).
- commit 4723baf
- af_key: add __GFP_ZERO flag for compose_sadb_supported in
function pfkey_register (CVE-2022-1353 bsc#1198516).
- commit 981f1ec
- SUNRPC: Ensure we flush any closed sockets before
xs_xprt_free() (bsc#1198330 CVE-2022-28893).
- commit f607730
- Update patches.suse/cgroup-verify-that-source-is-a-string.patch
(bsc#1190131 bsc#1193842 CVE-2021-4154).
- commit 0f6b5cd
- Update patch references of drm fixes (CVE-2022-1280 bsc#1197914)
- commit c917eda
- Update patch reference for DRM fix (CVE-2021-20292 bsc#1183723)
- commit f6cdff5
- fuse: handle kABI change in struct fuse_req (bsc#1197343
CVE-2022-1011).
- fuse: fix pipe buffer lifetime for direct_io (bsc#1197343
CVE-2022-1011).
- commit 5920a58
- Update patch reference for NFS/RDMA fix (CVE-2022-0812 bsc#1196639)
- commit 7e276c6
- livepatch: Don't block removal of patches that are safe to
unload (bsc#1071995).
- commit 768b9d1
- x86/speculation: Restore speculation related MSRs during S3
resume (bsc#1198400).
- commit aece496
- x86/pm: Save the MSR validity status at context setup
(bsc#1198400).
- commit 2364cfa
- direct-io: defer alignment check until after the EOF check
(bsc#1197656).
- commit 90d08aa
- direct-io: don't force writeback for reads beyond EOF
(bsc#1197656).
- commit f8a2691
- direct-io: clean up error paths of do_blockdev_direct_IO
(bsc#1197656).
- commit 4781e89
- Update
patches.suse/llc-fix-netdevice-reference-leaks-in-llc_ui_bind.patch
references (add CVE-2022-28356 bsc#1197391).
- commit bf5ad66
- cifs: fix bad fids sent over wire (bsc#1197157).
- commit 3e7e3c4
- rpm/constraints.in: skip SLOW_DISK workers for kernel-source
- commit e84694f
- macros.kernel-source: Fix conditional expansion.
Fixes: bb95fef3cf19 ("/rpm: Use bash for %() expansion (jsc#SLE-18234)."/)
- commit 7e857f7
- rpm: Use bash for %() expansion (jsc#SLE-18234).
Since 15.4 alternatives for /bin/sh are provided by packages
<something>-sh. While the interpreter for the build script can be
selected the interpreter for %() cannot.
The kernel spec files use bashisms in %().
While this could technically be fixed there is more serious underlying
problem: neither bash nor any of the alternatives are 100% POSIX
compliant nor bug-free.
It is not my intent to maintain bug compatibility with any number of
shells for shell scripts embedded in the kernel spec file. The spec file
syntax is not documented so embedding the shell script in it causes some
unspecified transformation to be applied to it. That means that
ultimately any changes must be tested by building the kernel, n times if
n shells are supported.
To reduce maintenance effort require that bash is used for kernel build
always.
- commit bb95fef
- rpm: Run external scriptlets on uninstall only when available
(bsc#1196514 bsc#1196114 bsc#1196942).
When dependency cycles are encountered package dependencies may not be
fulfilled during zypper transaction at the time scriptlets are run.
This is a problem for kernel scriptlets provided by suse-module-tools
when migrating to a SLE release that provides these scriptlets only as
part of LTSS. The suse-module-tools that provides kernel scriptlets may
be removed early causing migration to fail.
- commit ab8dd2d
- rpm/*.spec.in: remove backtick usage
- commit 87ca1fb
- powerpc/powernv/memtrace: Fix dcache flushing (bsc#1196433
ltc#196449).
- commit 9f96679
- rpm/kernel-obs-build.spec.in: add systemd-initrd and terminfo dracut module (bsc#1195775)
- commit d9a821b
- powerpc/mm: Remove dcache flush from memory remove (bsc#1196433
ltc#196449).
- commit ec198ed
- rpm/kernel-obs-build.spec.in: use default dracut modules (bsc#1195926,
bsc#1198484)
Let's iron out the reduced initrd optimisation in Tumbleweed.
Build full blown dracut initrd with systemd for SLE15 SP4.
- commit ea76821
- video: hyperv_fb: Fix validation of screen resolution
(git-fixes).
- commit fcb02f5
- lifecycle-data-sle-module-live-patching
-
- Added data for 4_12_14-150000_150_89, 4_12_14-150100_197_111,
5_3_18-150200_24_112, 5_3_18-150300_59_60,
5_3_18-150300_59_63. (bsc#1020320)
- openssl-1_1
-
- Encrypt the sixteen bytes that were unencrypted in some circumstances
on 32-bit x86 platforms.
* [bsc#1201099, CVE-2022-2097]
* added openssl-CVE-2022-2097.patch
- Added openssl-1_1-Fix-file-operations-in-c_rehash.patch
* bsc#1200550
* CVE-2022-2068
* Fixed more shell code injection issues in c_rehash
- Added openssl-update_expired_certificates.patch
* Openssl failed tests because of expired certificates.
* bsc#1185637
* Sourced from https://github.com/openssl/openssl/pull/18446/commits
- Security fix: [bsc#1199166, CVE-2022-1292]
* Added: openssl-CVE-2022-1292.patch
* properly sanitise shell metacharacters in c_rehash script.
- p11-kit
-
- CVE-2020-29362: Fixed a 4 byte overread (bsc#1180065)
Added p11-kit-CVE-2020-29362.patch:
- pcre
-
- Added pcre-8.45-bsc1199232-unicode-property-matching.patch
* bsc#1199232
* CVE-2022-1586
* Fixes unicode property matching issue
- python-base
-
- Add CVE-2015-20107-mailcap-unsafe-filenames.patch to avoid
CVE-2015-20107 (bsc#1198511, gh#python/cpython#68966), the
command injection in the mailcap module.
- python3
-
- Add CVE-2015-20107-mailcap-unsafe-filenames.patch to avoid
CVE-2015-20107 (bsc#1198511, gh#python/cpython#68966), the
command injection in the mailcap module.
- Rename support-expat-245.patch to
support-expat-CVE-2022-25236-patched.patch to unify the patch
with other packages.
- Add bpo-46623-skip-zlib-s390x.patch skipping two failing tests
on s390x.
- Update bundled pip wheel to the latest SLE version patched
against bsc#1186819 (CVE-2021-3572).
- Add patch support-expat-245.patch:
* Support Expat >= 2.4.5
- Rename 22198.patch into more descriptive remove-sphinx40-warning.patch.
- Don't use appstream-glib on SLE-12.
- Use Python 2-based Sphinx on SLE-12.
- No documentation on SLE-12.
- Add skip_SSL_tests.patch skipping tests because of patched
OpenSSL (bpo#9425).
- Don't use appstream-glib on SLE-12.
- Use Python 2-based Sphinx on SLE-12.
- No documentation on SLE-12.
- Add skip_SSL_tests.patch skipping tests because of patched
OpenSSL (bpo#9425).
- Don't use OpenSSL 1.1 on platforms which don't have it.
- Remove shebangs from from python-base libraries in _libdir
(bsc#1193179, bsc#1192249).
- Readjust patches:
- bpo-31046_ensurepip_honours_prefix.patch
- decimal.patch
- python-3.3.0b1-fix_date_time_compiler.patch
- build against openssl 1.1 as it is incompatible with openssl 3.0+ (bsc#1190566)
- 0001-allow-for-reproducible-builds-of-python-packages.patch: ignore
permission error when changing the mtime of the source file in presence
of SOURCE_DATE_EPOCH
- CVE-2021-3733-ReDoS-urllib-AbstractBasicAuthHandler.patch
- Remove merged patch CVE-2020-8492-urllib-ReDoS.patch and
CRLF_injection_via_host_part.patch.
- release-notes-sles-for-sap
-
15.2.20220712 (tracked in bsc#1201315)
- Trento is fully supported remove it from tech preview
section (bsc#1201315)
- resource-agents
-
- AUDIT-FIND: resource-agents: Predictable log file in /tmp in mariadb.in
(bsc#1146691)
Add patch:
0001-mariadb-Remove-obsolete-DEBUG_LOG-functionality-1191.patch
- RA aws-vpc-move-ip is lacking the possibility to assign a label to an interface.
(bsc#1199766) Include upsteam patch:
0001-aws-vpc-move-ip-Allow-to-set-the-interface-label.patch
- Can IPaddr2 run ARP for IPV6 in background during start operation
(bsc#1196164)
Include upstream patches:
0001-IPaddr2-Allow-to-disable-Duplicate-Address-Detection.patch
0002-IPaddr2-Allow-to-send-IPv6-Neighbor-Advertisements-i.patch
0003-IPaddr2-Log-ip-addr-add-options-together.patch
0004-IPaddr2-Clarify-behavior-of-arp_-parameters-for-IPv4.patch
- oracle RA lists monpassword as optional but fails unless provided
(bsc#1197956)
Add upstream patch:
0001-Improve-the-error-message-if-monpassword-was-not-set.patch
- Use safe tmp files. Use the variable ${HA_RSCTMP} of the resource
agents instead of /tmp. ${HA_RSCTMP} points to a safe directory
in /var/run or /run. This patch fix following issues:
bsc#1146690 bsc#1146691 bsc#1146692 bsc#1146766 bsc#1146776
bsc#1146784 bsc#1146785 bsc#1146787
- ocfmon user created with "/OCFMON"/ as default password
If no password is set the user will not be created.
bsc#1021689 bsc#1146687
- Included following upstream patches:
0001-make-secure-tmp-files.patch
0001-increase-the-security-of-monitor-user-in-oracle.patch
- rsyslog
-
- Remove inotify watch descriptor in imfile on inode change detected
(bsc#1198939)
* add 0001-imfile-Remove-inotify-watch-descriptor-on-inode-chan.patch
- rubygem-actionpack-5_1
-
- Added patch 0005-CVE-2021-22904.patch to fix CVE-2021-22904
(bsc#1185780)
- Added patch 0004-CVE-2022-23633.patch to fix CVE-2022-23633
(bsc#1196182)
- rubygem-activesupport-5_1
-
- Added patch CVE-2022-23633.patch to fix CVE-2022-23633 (bsc#1196182)
- rubygem-rack
-
- security update
- added patches
fix CVE-2022-30122 [bsc#1200748], crafted multipart POST request may cause a DoS
+ rubygem-rack-CVE-2022-30122.patch
fix CVE-2022-30123 [bsc#1200750], crafted requests can cause shell escape sequences
+ rubygem-rack-CVE-2022-30123.patch
- runc
-
- Update to runc v1.1.3. Upstream changelog is available from
https://github.com/opencontainers/runc/releases/tag/v1.1.3.
(Includes a fix for bsc#1200088.)
* Our seccomp `-ENOSYS` stub now correctly handles multiplexed syscalls on
s390 and s390x. This solves the issue where syscalls the host kernel did not
support would return `-EPERM` despite the existence of the `-ENOSYS` stub
code (this was due to how s390x does syscall multiplexing).
* Retry on dbus disconnect logic in libcontainer/cgroups/systemd now works as
intended; this fix does not affect runc binary itself but is important for
libcontainer users such as Kubernetes.
* Inability to compile with recent clang due to an issue with duplicate
constants in libseccomp-golang.
* When using systemd cgroup driver, skip adding device paths that don't exist,
to stop systemd from emitting warnings about those paths.
* Socket activation was failing when more than 3 sockets were used.
* Various CI fixes.
* Allow to bind mount /proc/sys/kernel/ns_last_pid to inside container.
* runc static binaries are now linked against libseccomp v2.5.4.
- Remove upstreamed patches:
- bsc1192051-0001-seccomp-enosys-always-return-ENOSYS-for-setup-2-on-s390x.patch
- Backport <https://github.com/opencontainers/runc/pull/3474> to fix issues
with newer syscalls (namely faccessat2) on older kernels on s390(x) caused by
that platform's syscall multiplexing semantics. bsc#1192051 bsc#1199565
+ bsc1192051-0001-seccomp-enosys-always-return-ENOSYS-for-setup-2-on-s390x.patch
- Add ExcludeArch for s390 (not s390x) since we've never supported it.
- Update to runc v1.1.2. Upstream changelog is available from
https://github.com/opencontainers/runc/releases/tag/v1.1.2.
CVE-2022-29162 bsc#1199460
* A bug was found in runc where runc exec --cap executed processes with
non-empty inheritable Linux process capabilities, creating an atypical Linux
environment. For more information, see [GHSA-f3fp-gc8g-vw66][] and
CVE-2022-29162. bsc#1199460
* `runc spec` no longer sets any inheritable capabilities in the created
example OCI spec (`config.json`) file.
- Update to runc v1.1.1. Upstream changelog is available from
https://github.com/opencontainers/runc/releases/tag/v1.1.1.
* runc run/start can now run a container with read-only /dev in OCI spec,
rather than error out. (#3355)
* runc exec now ensures that --cgroup argument is a sub-cgroup. (#3403)
libcontainer systemd v2 manager no longer errors out if one of the files
listed in /sys/kernel/cgroup/delegate do not exist in container's
cgroup. (#3387, #3404)
* Loosen OCI spec validation to avoid bogus "/Intel RDT is not supported"/
error. (#3406)
* libcontainer/cgroups no longer panics in cgroup v1 managers if stat
of /sys/fs/cgroup/unified returns an error other than ENOENT. (#3435)
- Update to runc v1.1.0. Upstream changelog is available from
https://github.com/opencontainers/runc/releases/tag/v1.1.0.
- libcontainer will now refuse to build without the nsenter package being
correctly compiled (specifically this requires CGO to be enabled). This
should avoid folks accidentally creating broken runc binaries (and
incorrectly importing our internal libraries into their projects). (#3331)
- Update to runc v1.1.0~rc1. Upstream changelog is available from
https://github.com/opencontainers/runc/releases/tag/v1.1.0-rc.1.
+ Add support for RDMA cgroup added in Linux 4.11.
* runc exec now produces exit code of 255 when the exec failed.
This may help in distinguishing between runc exec failures
(such as invalid options, non-running container or non-existent
binary etc.) and failures of the command being executed.
+ runc run: new --keep option to skip removal exited containers artefacts.
This might be useful to check the state (e.g. of cgroup controllers) after
the container hasexited.
+ seccomp: add support for SCMP_ACT_KILL_PROCESS and SCMP_ACT_KILL_THREAD
(the latter is just an alias for SCMP_ACT_KILL).
+ seccomp: add support for SCMP_ACT_NOTIFY (seccomp actions). This allows
users to create sophisticated seccomp filters where syscalls can be
efficiently emulated by privileged processes on the host.
+ checkpoint/restore: add an option (--lsm-mount-context) to set
a different LSM mount context on restore.
+ intelrdt: support ClosID parameter.
+ runc exec --cgroup: an option to specify a (non-top) in-container cgroup
to use for the process being executed.
+ cgroup v1 controllers now support hybrid hierarchy (i.e. when on a cgroup v1
machine a cgroup2 filesystem is mounted to /sys/fs/cgroup/unified, runc
run/exec now adds the container to the appropriate cgroup under it).
+ sysctl: allow slashes in sysctl names, to better match sysctl(8)'s
behaviour.
+ mounts: add support for bind-mounts which are inaccessible after switching
the user namespace. Note that this does not permit the container any
additional access to the host filesystem, it simply allows containers to
have bind-mounts configured for paths the user can access but have
restrictive access control settings for other users.
+ Add support for recursive mount attributes using mount_setattr(2). These
have the same names as the proposed mount(8) options -- just prepend r
to the option name (such as rro).
+ Add runc features subcommand to allow runc users to detect what features
runc has been built with. This includes critical information such as
supported mount flags, hook names, and so on. Note that the output of this
command is subject to change and will not be considered stable until runc
1.2 at the earliest. The runtime-spec specification for this feature is
being developed in opencontainers/runtime-spec#1130.
* system: improve performance of /proc/$pid/stat parsing.
* cgroup2: when /sys/fs/cgroup is configured as a read-write mount, change
the ownership of certain cgroup control files (as per
/sys/kernel/cgroup/delegate) to allow for proper deferral to the container
process.
* runc checkpoint/restore: fixed for containers with an external bind mount
which destination is a symlink.
* cgroup: improve openat2 handling for cgroup directory handle hardening.
runc delete -f now succeeds (rather than timing out) on a paused
container.
* runc run/start/exec now refuses a frozen cgroup (paused container in case of
exec). Users can disable this using --ignore-paused.
- Update version data embedded in binary to correctly include the git commit of
the release.
- Drop runc-rpmlintrc because we don't have runc-test anymore.
bsc#1193436
- systemd-presets-branding-SLE
-
- Enable suseconnect-keepalive.timer for SUSEConnect (jsc#SLE-23312)
- vim
-
- Deleted patches:
* restrict-shell-commands.patch
* source-check-sandbox.patch
* vim-8.0.1568-CVE-2021-3778.patch
* vim-8.0.1568-CVE-2021-3796.patch
* vim-8.0.1568-CVE-2021-3872.patch
* vim-8.0.1568-CVE-2021-3927.patch
* vim-8.0.1568-CVE-2021-3928.patch
* vim-8.0.1568-CVE-2021-3984.patch
* vim-8.0.1568-CVE-2021-4019.patch
* vim-8.0.1568-CVE-2021-4193.patch
* vim-8.0.1568-CVE-2021-46059.patch
* vim-8.0.1568-CVE-2022-0319.patch
* vim-8.0.1568-CVE-2022-0351.patch
* vim-8.0.1568-CVE-2022-0361.patch
* vim-8.0.1568-CVE-2022-0413.patch
* vim-8.0.1568-globalvimrc.patch
- Added patches:
* vim-8.1.0297-dump3.patch
* vim-8.2.2411-globalvimrc.patch
* disable-unreliable-tests-arch.patch
- Updated patches:
* disable-unreliable-tests.patch
* vim-7.3-filetype_changes.patch
* vim-7.3-filetype_ftl.patch
* vim-7.3-filetype_spec.patch
* vim-7.3-gvimrc_fontset.patch
* vim-7.3-help_tags.patch
* vim-7.3-mktemp_tutor.patch
* vim-7.3-name_vimrc.patch
* vim-7.3-sh_is_bash.patch
* vim-7.3-use_awk.patch
* vim-7.4-disable_lang_no.patch
* vim-7.4-filetype_apparmor.patch
* vim-7.4-filetype_mine.patch
* vim-7.4-highlight_fstab.patch
* vim-8.0-ttytype-test.patch
* vim-8.0.1568-defaults.patch
* vim73-no-static-libpython.patch
- Updated to version 8.2 with patch level 5038, fixes the following problems
* Fixing bsc#1191770 VUL-0: CVE-2021-3875: vim: heap-based buffer overflow
* Fixing bsc#1192167 VUL-0: CVE-2021-3903: vim: heap-based buffer overflow
* Fixing bsc#1192902 VUL-0: CVE-2021-3968: vim: vim is vulnerable to
Heap-based Buffer Overflow
* Fixing bsc#1192903 VUL-0: CVE-2021-3973: vim: vim is vulnerable to
Heap-based Buffer Overflow
* Fixing bsc#1192904 VUL-0: CVE-2021-3974: vim: vim is vulnerable to Use
After Free
* Fixing bsc#1193466 VUL-1: CVE-2021-4069: vim: use-after-free in ex_open()
in src/ex_docmd.c
* Fixing bsc#1193905 VUL-0: CVE-2021-4136: vim: vim is vulnerable to
Heap-based Buffer Overflow
* Fixing bsc#1194093 VUL-1: CVE-2021-4166: vim: vim is vulnerable to
Out-of-bounds Read
* Fixing bsc#1194216 VUL-1: CVE-2021-4193: vim: vulnerable to
Out-of-bounds Read
* Fixing bsc#1194217 VUL-0: CVE-2021-4192: vim: vulnerable to Use After Free
* Fixing bsc#1194872 VUL-0: CVE-2022-0261: vim: Heap-based Buffer Overflow
in vim prior to 8.2.
* Fixing bsc#1194885 VUL-0: CVE-2022-0213: vim: vim is vulnerable to
Heap-based Buffer Overflow
* Fixing bsc#1195004 VUL-0: CVE-2022-0318: vim: Heap-based Buffer Overflow in
vim prior to 8.2.
* Fixing bsc#1195203 VUL-0: CVE-2022-0359: vim: heap-based buffer overflow in
init_ccline() in ex_getln.c
* Fixing bsc#1195354 VUL-0: CVE-2022-0407: vim: Heap-based Buffer Overflow in
Conda vim prior to 8.2.
* Fixing bsc#1198596 VUL-0: CVE-2022-1381: vim: global heap buffer overflow
in skip_range
* Fixing bsc#1199331 VUL-0: CVE-2022-1616: vim: Use after free in
append_command
* Fixing bsc#1199333 VUL-0: CVE-2022-1619: vim: Heap-based Buffer Overflow in
function cmdline_erase_chars
* Fixing bsc#1199334 VUL-0: CVE-2022-1620: vim: NULL Pointer Dereference in
function vim_regexec_string
* Fixing bsc#1199747 VUL-0: CVE-2022-1796: vim: Use After in
find_pattern_in_path
* Fixing bsc#1200010 VUL-0: CVE-2022-1897: vim: Out-of-bounds Write in vim
* Fixing bsc#1200011 VUL-0: CVE-2022-1898: vim: Use After Free in vim prior
to 8.2
* Fixing bsc#1200012 VUL-0: CVE-2022-1927: vim: Buffer Over-read in vim prior
to 8.2
* Fixing bsc#1070955 VUL-1: CVE-2017-17087: vim: Sets the group ownership of a
.swp file to the editor's primary group, which allows local users to obtain
sensitive information
* Fixing bsc#1194388 VUL-1: CVE-2022-0128: vim: vim is vulnerable to
Out-of-bounds Read
* Fixing bsc#1195332 VUL-1: CVE-2022-0392: vim: Heap-based Buffer Overflow
in vim prior to 8.2
* Fixing bsc#1196361 VUL-1: CVE-2022-0696: vim: NULL Pointer Dereference in
vim prior to 8.2
* Fixing bsc#1198748 VUL-1: CVE-2022-1420: vim: Out-of-range Pointer Offset
* Fixing bsc#1199651 VUL-1: CVE-2022-1735: vim: heap buffer overflow
* Fixing bsc#1199655 VUL-1: CVE-2022-1733: vim: Heap-based Buffer Overflow in
cindent.c
* Fixing bsc#1199693 VUL-1: CVE-2022-1771: vim: stack exhaustion in vim prior
to 8.2.
* Fixing bsc#1199745 VUL-1: CVE-2022-1785: vim: Out-of-bounds Write
* Fixing bsc#1199936 VUL-1: CVE-2022-1851: vim: out of bounds read
- xen
-
- bsc#1199966 - VUL-0: EMBARGOED: CVE-2022-26363,CVE-2022-26364: xen:
Insufficient care with non-coherent mappings
fix xsa402-5.patch
- bsc#1199965 - VUL-0: CVE-2022-26362: xen: Race condition in
typeref acquisition (XSA-401)
xsa401-1.patch
xsa401-2.patch
- bsc#1199966 - VUL-0: CVE-2022-26363,CVE-2022-26364: xen:
Insufficient care with non-coherent mappings (XSA-402)
xsa402-1.patch
xsa402-2.patch
xsa402-3.patch
xsa402-4.patch
xsa402-5.patch
- zypp-plugin
-