- HANA-Firewall
-
- HANA-Firewall creates insufficient configuration.
(bsc#1221231)
- SAPHanaSR
-
- Version bump to 0.162.4
* unify global.ini examples
* add demo script SAPHanaSR-upgrade-to-angi-demo
* update man pages:
SAPHanaSR_basic_cluster.7
SAPHanaSR_maintenance_examples.7
SAPHanaSR_upgrade_to_angi.7
SAPHanaSR-manageProvider.8
SAPHanaSR-upgrade-to-angi-demo.8
SAPHanaSR.py.7
- Version bump to 0.162.3
* Fix the hexdump log for empty node states
* catch monitor calls for non-cloned resources and report them as
unsupported instead of 'command not found'
(bsc#1218333)
* fix scope of variable 'site' to be global
(bsc#1219194)
* susChkSrv.py - relocate function logTimestamp()
* update man pages:
SAPHanaSR.7
ocf_suse_SAPHana.7
SAPHanaSR_maintenance_examples.7
SAPHanaSR.py.7
SAPHanaSR-showAttr.8
- Version bump to 0.162.2
* inside SAPHanaSR-hookHelper use the full path for the cibadmin
command to support non root users in special user environments
(bsc#1216484)
* if the SAPHanaSR.py hook has successfully reported a SR event
to the cluster a still existing fall-back state file will be
removed to prevent an override of an already reported
SR state.
(bsc#1215693)
* improve supportability by providing the current process ID of
the RA, which is logged in the RA outputs, to HANA tracefiles
too.
This allows a mapping of the SAP related command invocations
from the RA and the HANA executions which might have a delay
in between.
(bsc#1214613)
* avoid explicit and implicit usage of /tmp filesystem to keep
the SAPHanaSR resource agents working even in situations with
/tmp filesystem full.
(bsc#1210728)
* update man pages:
SAPHanaSR.7
SAPHanaSR_basic_cluster.7
SAPHanaSR_maintenance_examples.7
ocf_suse_SAPHana.7
ocf_suse_SAPHanaTopology.7
susCostOpt.py.7
SAPHanaSR-monitor.8
SAPHanaSR-showAttr.8
* add improvements from SAP to the RA scripts, part II
(jsc#PED-1739, jsc#PED-2608)
- aaa_base
-
- modify git-47-04210f8df15da0ba4d741cfe1693af06f5978a1d.patch
to also fix the typo to set JAVA_BINDIR in the csh variant
of the alljava profile script (bsc#1221361)
- modify git-47-04210f8df15da0ba4d741cfe1693af06f5978a1d.patch
drop the stderr redirection for csh (bsc#1221361)
- add git-49-3f8f26123d91f70c644677a323134fc79318c818.patch
drop sysctl.d/50-default-s390.conf (bsc#1211721)
- add aaa_base-preinstall.patch
make sure the script does not exit with 1 if a file
with content is found (bsc#1222547)
- add patch git-48-477bc3c05fcdabf9319e84278a1cba2c12c9ed5a.patch
home and end button not working from ssh client (bsc#1221407)
- use autosetup in prep stage of specfile
- silence the output in the case of broken symlinks (bsc#1218232)
- fix git-47-04210f8df15da0ba4d741cfe1693af06f5978a1d.patch
to actually apply
- replace git-47-04210f8df15da0ba4d741cfe1693af06f5978a1d.patch
by git-47-056fc66c699a8544c7692a03c905fca568f5390b.patch
* fix the issues from bsc#1107342 and bsc#1215434 and just
use the settings from update-alternatives to set JAVA_HOME
- autofs
-
- autofs-5.1.6-remove-intr-hosts-map-mount-option.patch
Don't use the intr option on NFS mounts by default, it's been
ignored by the kernel for a long time now. (bsc#1225130)
- autofs-5.1.8-dont-use-initgroups-at-spawn.patch
Don't use initgroups at spawn (bsc#1214710, bsc#1221181)
- bind
-
- Security Fixes:
* It is possible to craft excessively large numbers of resource
record types for a given owner name, which has the effect of
slowing down database processing. This has been addressed by
adding a configurable limit to the number of records that can
be stored per name and type in a cache or zone database. The
default is 100, which can be tuned with the new
max-types-per-name option. (CVE-2024-1737)
[bsc#1228256, bind-9.16-CVE-2024-1737.patch]
* Validating DNS messages signed using the SIG(0) protocol (RFC
2931) could cause excessive CPU load, leading to a
denial-of-service condition. Support for SIG(0) message
validation was removed from this version of named.
(CVE-2024-1975)
[bsc#1228257, bind-9.16-CVE-2024-1975.patch]
- Security Fixes:
* Validating DNS messages containing a lot of DNSSEC signatures
could cause excessive CPU load, leading to a denial-of-service
condition. This has been fixed. (CVE-2023-50387)
[bsc#1219823, bind-CVE-2023-50387-CVE-2023-50868.patch]
* Preparing an NSEC3 closest encloser proof could cause excessive
CPU load, leading to a denial-of-service condition. This has
been fixed. (CVE-2023-50868)
[bsc#1219826, bind-CVE-2023-50387-CVE-2023-50868.patch]
* Parsing DNS messages with many different names could cause
excessive CPU load. This has been fixed. (CVE-2023-4408)
[bsc#1219851, bind-CVE-2023-4408.patch]
* Specific queries could cause named to crash with an assertion
failure when nxdomain-redirect was enabled. This has been
fixed. (CVE-2023-5517)
[bsc#1219852, bind-CVE-2023-5517.patch]
* Query patterns that continuously triggered cache database
maintenance could cause an excessive amount of memory to be
allocated, exceeding max-cache-size and potentially leading to
all available memory on the host running named being exhausted.
This has been fixed. (CVE-2023-6516)
[bsc#1219854, bind-CVE-2023-6516.patch]
- ca-certificates
-
- Update to version 2+git20240416.98ae794 (bsc#1221184):
* Use flock to serialize calls (boo#1188500)
* Make certbundle.run container friendly
* Create /var/lib/ca-certificates if needed
- catatonit
-
- Update to catatonit v0.2.0.
* Change license to GPL-2.0-or-later.
- Remove upstreamed patches:
- 99bb9048f.patch
- chrony
-
- Use make quickcheck instead of make check to avoid >1h build
times and failures due to timeouts. This was the default before
3.2 but it changed to make tests more reliable. Here a seed is
already set to get deterministic execution.
- Use shorter NTS-KE retry interval when network is down
(bsc#1213551, chrony-burst_total_samples_to_go.patch,
chrony-retry_interval_ke_start.patch).
- cloud-netconfig
-
- Update to version 1.14
+ Use '-s' instead of '--no-progress-meter' for curl (bsc#1221757)
- Add version settings to Provides/Obsoletes
- Update to version 1.12 (bsc#1221202)
+ If token access succeeds using IPv4, do not use the IPv6 endpoint;
only use the IPv6 IMDS endpoint if IPv4 access fails.
- Add Provides/Obsoletes for dropped cloud-netconfig-nm
- Install dispatcher script into /etc/NetworkManager/dispatcher.d
on older distributions
- Add BuildRequires: NetworkManager to avoid owning dispatcher.d
parent directory
- Update to version 1.11:
+ Revert address metadata lookup in GCE to local lookup (bsc#1219454)
+ Fix hang on warning log messages
+ Check whether getting IPv4 addresses from metadata failed and abort
if true
+ Only delete policy rules if they exist
+ Skip adding/removing IPv4 ranges if metadata lookup failed
+ Improve error handling and logging in Azure
+ Set SCRIPTDIR when installing netconfig wrapper
- Update to version 1.10:
+ Drop cloud-netconfig-nm sub package and include NM dispatcher
script in main packages (bsc#1219007)
+ Spec file cleanup
- Update to version 1.9:
+ Drop package dependency on sysconfig-netconfig
+ Improve log level handling
+ Support IPv6 IMDS endpoint in EC2 (bsc#1218069)
- cloud-regionsrv-client
-
- Update to version 10.1.7 (bsc#1220164, bsc#1220165)
+ Fix the failover path to a new target update server. At present a new
server is not found since credential validation fails. We targeted
the server detected in down condition to verify the credentials instead
of the replacement server.
- Update EC2 plugin to 1.0.4 (bsc#1219156, bsc#1219159)
+ Fix the algorithm to determine the region from the availability zone
information retrieved from IMDS.
- Update to version 10.1.6
+ Support specifying an IPv6 address for a manually configured target
update server.
- Update to version 10.1.5 (bsc#1217583)
+ Fix fallback path when IPv6 network path is not usable
+ Enable an IPv6 fallback path in IMDS access if it cannot be accessed
over IPv4
+ Enable IMDS access over IPv6
- Update to version 10.1.4 (bsc#1217451)
+ Fetch cert for new update server during failover
- kernel-default
-
- Update
patches.suse/0020-dm-btree-remove-fix-use-after-free-in-rebalance_chil.patch
(git-fixes CVE-2021-47600 bsc#1226575).
- Update
patches.suse/0022-block-Fix-wrong-offset-in-bio_truncate.patch
(git-fixes CVE-2022-48747 bsc#1226643).
- Update
patches.suse/ARM-9170-1-fix-panic-when-kasan-and-kprobe-are-enabled.patch
(git-fixes CVE-2021-47618 bsc#1226644).
- Update
patches.suse/ASoC-max9759-fix-underflow-in-speaker_gain_control_p.patch
(git-fixes CVE-2022-48717 bsc#1226679).
- Update
patches.suse/ASoC-ops-Reject-out-of-bounds-values-in-snd_soc_put_-4cf28e9ae6e2.patch
(git-fixes CVE-2022-48736 bsc#1226721).
- Update
patches.suse/ASoC-ops-Reject-out-of-bounds-values-in-snd_soc_put_-4f1e50d6a9cf.patch
(git-fixes CVE-2022-48737 bsc#1226762).
- Update
patches.suse/ASoC-ops-Reject-out-of-bounds-values-in-snd_soc_put_.patch
(git-fixes CVE-2022-48738 bsc#1226674).
- Update
patches.suse/Bluetooth-refactor-malicious-adv-data-check.patch
(git-fixes CVE-2021-47620 bsc#1226669).
- Update patches.suse/IB-hfi1-Fix-AIP-early-init-panic.patch
(jsc#SLE-13208 CVE-2022-48728 bsc#1226691).
- Update
patches.suse/PCI-pciehp-Fix-infinite-loop-in-IRQ-handler-upon-pow.patch
(git-fixes CVE-2021-47617 bsc#1226614).
- Update
patches.suse/RDMA-ucma-Protect-mc-during-concurrent-multicast-lea.patch
(bsc#1181147 CVE-2022-48726 bsc#1226686).
- Update
patches.suse/ceph-properly-put-ceph_string-reference-after-async-create-attempt.patch
(bsc#1195798 CVE-2022-48767 bsc#1226715).
- Update
patches.suse/dma-buf-heaps-Fix-potential-spectre-v1-gadget.patch
(git-fixes CVE-2022-48730 bsc#1226713).
- Update
patches.suse/drm-msm-dpu-invalid-parameter-check-in-dpu_setup_dsp.patch
(git-fixes CVE-2022-48749 bsc#1226650).
- Update
patches.suse/drm-msm-dsi-invalid-parameter-check-in-msm_dsi_phy_e.patch
(git-fixes CVE-2022-48756 bsc#1226698).
- Update
patches.suse/drm-nouveau-fix-off-by-one-in-BIOS-boundary-checking.patch
(git-fixes CVE-2022-48732 bsc#1226716).
- Update
patches.suse/firmware-arm_scpi-Fix-string-overflow-in-SCPI-genpd-.patch
(git-fixes CVE-2021-47609 bsc#1226562).
- Update patches.suse/i40e-Fix-queues-reservation-for-XDP.patch
(git-fixes CVE-2021-47619 bsc#1226645).
- Update patches.suse/igbvf-fix-double-free-in-igbvf_probe.patch
(git-fixes CVE-2021-47589 bsc#1226557).
- Update
patches.suse/iommu-vt-d-fix-potential-memory-leak-in-intel_setup_irq_remapping
(git-fixes CVE-2022-48724 bsc#1226624).
- Update
patches.suse/mac80211-track-only-QoS-data-frames-for-admission-co.patch
(git-fixes CVE-2021-47602 bsc#1226554).
- Update
patches.suse/mac80211-validate-extended-element-ID-is-present.patch
(git-fixes CVE-2021-47611 bsc#1226583).
- Update
patches.suse/net-bridge-vlan-fix-memory-leak-in-__allowed_ingress.patch
(bsc#1176447 CVE-2022-48748 bsc#1226647).
- Update
patches.suse/net-hns3-fix-use-after-free-bug-in-hclgevf_send_mbx_.patch
(jsc#SLE-14777 CVE-2021-47596 bsc#1226558).
- Update
patches.suse/net-ieee802154-ca8210-Stop-leaking-skb-s.patch
(git-fixes CVE-2022-48722 bsc#1226619).
- Update
patches.suse/net-mlx5e-Fix-handling-of-wrong-devices-during-bond-.patch
(jsc#SLE-15172 CVE-2022-48746 bsc#1226703).
- Update
patches.suse/net-sched-sch_ets-don-t-remove-idle-classes-from-the.patch
(bsc#1176774 CVE-2021-47595 bsc#1226552).
- Update
patches.suse/nfc-fix-segfault-in-nfc_genl_dump_devices_done.patch
(git-fixes CVE-2021-47612 bsc#1226585).
- Update patches.suse/phylib-fix-potential-use-after-free.patch
(git-fixes CVE-2022-48754 bsc#1226692).
- Update
patches.suse/powerpc-perf-Fix-power_pmu_disable-to-call-clear_pmi.patch
(bsc#1156395 CVE-2022-48752 bsc#1226709).
- Update
patches.suse/rpmsg-char-Fix-race-between-the-release-of-rpmsg_ctr.patch
(git-fixes CVE-2022-48759 bsc#1226711).
- Update
patches.suse/scsi-bnx2fc-Flush-destroy_work-queue-before-calling-bnx2fc_interface_put
(git-fixes CVE-2022-48758 bsc#1226708).
- Update patches.suse/scsi-bnx2fc-Make-bnx2fc_recv_frame-mp-safe
(git-fixes CVE-2022-48715 bsc#1226621).
- Update
patches.suse/scsi-scsi_debug-Sanity-check-block-descriptor-length-in-resp_mode_select.patch
(git-fixes CVE-2021-47576 bsc#1226537).
- Update
patches.suse/smb-client-set-correct-id-uid-and-cruid-for-multiuser-automounts.patch
(git-fixes CVE-2024-26822 bsc#1223011).
- Update
patches.suse/tracing-histogram-Fix-a-potential-memory-leak-for-kstrdup.patch
(git-fixes CVE-2022-48768 bsc#1226720).
- commit 3239c2b
- Update
patches.suse/drm-vmwgfx-Fix-stale-file-descriptors-on-failed-user.patch
(CVE-2022-22942 bsc#1195065 CVE-2022-48771 bsc#1226732).
- Update
patches.suse/isdn-cpai-check-ctr-cnr-to-avoid-array-index-out-of-.patch
(CVE-2021-43389 CVE-2021-3896 bsc#1191958 git-fixes
CVE-2021-4439 bsc#1226670).
- Update
patches.suse/media-mxl111sf-change-mutex_init-location.patch
(git-fixes CVE-2021-47583 bsc#1226563).
- Update
patches.suse/of-module-prevent-NULL-pointer-dereference-in-vsnprintf.patch
(bsc#1226587 CVE-2024-38541 CVE-2024-35878 bsc#1224671).
- Update
patches.suse/tipc-improve-size-validations-for-received-domain-re.patch
(bsc#1195254 CVE-2022-0435 CVE-2022-48711 bsc#1226672).
- commit 4e385ef
- tcp: Use refcount_inc_not_zero() in tcp_twsk_unique()
(CVE-2024-36904 bsc#1225732).
- commit 80f0f47
- tcp: do not accept ACK of bytes we never sent (CVE-2023-52881
bsc#1225611).
- commit 874a2d3
- x86/tsc: Trust initial offset in architectural TSC-adjust MSRs
(bsc#1222015 bsc#1226962).
- commit c8cabcf
- USB: core: Fix hang in usb_kill_urb by adding memory barriers
(CVE-2022-48760 bsc#1226712).
- commit da8ec3e
- scsi: qedf: Ensure the copied buf is NUL terminated (bsc#1226758
CVE-2024-38559).
- scsi: bfa: Ensure the copied buf is NUL terminated (bsc#1226786
CVE-2024-38560).
- commit 0e33f69
- Update References tag
patches.suse/Bluetooth-Disconnect-if-E0-is-used-for-Level-4.patch
(bsc#1171988 CVE-2020-10135 bsc#1218148 CVE-2023-24023).
- commit 906dfa6
- RDMA/hns: Fix UAF for cq async event (bsc#1226595 CVE-2024-38545)
- commit d57d06d
- of: module: prevent NULL pointer dereference in vsnprintf() (bsc#1226587 CVE-2024-38541)
- commit c381bb4
- of: module: add buffer overflow check in of_modalias() (bsc#1226587 CVE-2024-38541)
- commit 212b607
- net/mlx5e: Fix use-after-free of encap entry in neigh update
handler (bsc#1224865 CVE-2021-47247).
- commit 91cae43
- net: qcom/emac: fix UAF in emac_remove (bsc#1225010
CVE-2021-47311).
- commit 5533443
- NFS: avoid infinite loop in pnfs_update_layout (bsc#1219633
bsc#1226226).
- commit 1b48f4e
- net: macb: fix use after free on rmmod (CVE-2021-47372
bsc#1225184).
- commit c9f62c2
- ocfs2: fix sparse warnings (bsc#1219224).
- ocfs2: speed up chain-list searching (bsc#1219224).
- ocfs2: adjust enabling place for la window (bsc#1219224).
- ocfs2: improve write IO performance when fragmentation is high
(bsc#1219224).
- commit 124c57b
- smb: client: fix potential UAF in smb2_is_network_name_deleted()
(bsc#1224764, CVE-2024-35862).
- commit 8a40236
- smb: client: fix potential UAF in smb2_is_valid_lease_break()
(bsc#1224765, CVE-2024-35864).
- commit 8030dd8
- smb: client: fix potential UAF in
cifs_signal_cifsd_for_reconnect() (bsc#1224766, CVE-2024-35861).
- commit d1384a0
- smb: client: fix use-after-free bug in
cifs_debug_data_proc_show() (bsc#1225487, CVE-2023-52752).
- commit c058f4e
- blacklist.conf: bsc#1225047 CVE-2021-47328
breaks kABI and does not apply
- commit 8d10b79
- blk-cgroup: fix UAF by grabbing blkcg lock before destroying
blkg pd (CVE-2021-47379 bsc#1225203).
- commit af72a45
- wifi: mac80211: check/clear fast rx for non-4addr sta VLAN
changes (CVE-2024-35789 bsc#1224749).
- commit 7707dc6
- fs/9p: only translate RWX permissions for plain 9P2000
(bsc#1225866 CVE-2024-36964).
- commit c4d4f4c
- pinctrl: core: delete incorrect free in pinctrl_enable()
(CVE-2024-36940 bsc#1225840).
- commit 6932105
- staging: rtl8192e: Fix use after free in
_rtl92e_pci_disconnect() (CVE-2021-47571 bsc#1225518).
- commit b52b9d0
- enetc: Fix illegal access when reading affinity_hint
(CVE-2021-47368 bsc#1225161).
- commit cde762c
- Bluetooth: Add more enc key size check (bsc#1218148
CVE-2023-24023).
- commit 529bf5d
- Bluetooth: Normalize HCI_OP_READ_ENC_KEY_SIZE cmdcmplt
(bsc#1218148 CVE-2023-24023).
- commit 4ac624b
- blacklist.conf: Add 1971d13ffa84a "af_unix: Suppress false-positive lockdep splat for spin_lock() in __unix_gc()."
- commit 1f2871b
- usb: gadget: f_fs: Fix race between aio_cancel() and AIO
request complete (CVE-2024-36894 bsc#1225749).
- commit 99fc30d
- net: preserve kabi for sk_buff (CVE-2024-26921 bsc#1223138).
- commit 62989dd
- inet: inet_defrag: prevent sk release while still in use
(CVE-2024-26921 bsc#1223138).
- commit 599b2eb
- drm/client: Fully protect modes with dev->mode_config.mutex (CVE-2024-35950 bsc#1224703).
- commit f5de9d8
- smb: client: set correct id, uid and cruid for multiuser
automounts (git-fixes).
- commit 548a1f6
- smb: client: fix dfs link mount against w2k8 (git-fixes).
- commit ffabd7c
- cifs: use tcon allocation functions even for dummy tcon
(bsc#1213476).
- commit 8a18c8c
- cifs: avoid race conditions with parallel reconnects
(bsc#1213476).
- commit 0156937
- cifs: check only tcon status on tcon related functions
(bsc#1213476).
- commit 3ee757c
- cifs: return DFS root session id in DebugData (bsc#1213476).
- commit 40d8689
- cifs: fix use-after-free bug in refresh_cache_worker()
(bsc#1213476).
- Refresh
patches.suse/cifs-avoid-dup-prefix-path-in-dfs_get_automount_devname-.patch.
- commit efddc92
- cifs: set DFS root session in cifs_get_smb_ses() (bsc#1213476).
- commit 249b33f
- cifs: reuse cifs_match_ipaddr for comparison of dstaddr too
(bsc#1213476).
- commit c221add
- cifs: match even the scope id for ipv6 addresses (bsc#1213476).
- commit 376b929
- cifs: get rid of dns resolve worker (bsc#1213476).
- commit 36fdff3
- nvme-rdma: destroy cm id before destroy qp to avoid use after
free (CVE-2021-47378 bsc#1225201).
- commit 132f56c
- net/tls: Fix flipped sign in tls_err_abort() calls
(CVE-2021-47496 bsc#1225354)
- commit c2b236a
- net: sched: flower: protect fl_walk() with rcu
(CVE-2021-47402 bsc#1225301)
- commit 5275989
- Update
patches.suse/0001-x86-ioremap-Map-efi_mem_reserve-memory-as-encrypted-.patch
(bsc#1186885 bsc#1224826 CVE-2021-47228).
- Update
patches.suse/0002-bcache-avoid-oversized-read-request-in-cache-miss.patch
(bsc#1187357 bsc#1185570 bsc#1184631 bsc#1224965
CVE-2021-47275).
- Update
patches.suse/0002-ocfs2-fix-race-between-searching-chunks-and-release-.patch
(bsc#1199304 bsc#1225439 CVE-2021-47493).
- Update
patches.suse/0003-drm-prime-Fix-use-after-free-in-mmap-with-drm_gem_tt.patch
(bsc#1152472 bsc#1222838 CVE-2021-47200).
- Update
patches.suse/0015-dm-btree-remove-assign-new_root-only-when-removal-su.patch
(git-fixes bsc#1225155 CVE-2021-47343).
- Update
patches.suse/0019-dm-fix-mempool-NULL-pointer-race-when-completing-IO.patch
(git-fixes bsc#1225247 CVE-2021-47435).
- Update patches.suse/ACPI-fix-NULL-pointer-dereference.patch
(git-fixes bsc#1224984 CVE-2021-47289).
- Update
patches.suse/ALSA-pcm-oss-Limit-the-period-size-to-16MB.patch
(git-fixes bsc#1225409 CVE-2021-47509).
- Update
patches.suse/ALSA-seq-Fix-race-of-snd_seq_timer_open.patch
(git-fixes bsc#1224983 CVE-2021-47281).
- Update
patches.suse/ALSA-usx2y-Don-t-call-free_pages_exact-with-NULL-add.patch
(git-fixes bsc#1225091 CVE-2021-47332).
- Update
patches.suse/ASoC-SOF-Fix-DSP-oops-stack-dump-output-contents.patch
(git-fixes bsc#1225206 CVE-2021-47381).
- Update
patches.suse/ASoC-codecs-wcd934x-handle-channel-mappping-list-cor.patch
(git-fixes bsc#1225369 CVE-2021-47502).
- Update
patches.suse/HID-betop-fix-slab-out-of-bounds-Write-in-betop_prob.patch
(git-fixes bsc#1225303 CVE-2021-47404).
- Update
patches.suse/HID-bigbenff-prevent-null-pointer-dereference.patch
(CVE-2022-20132 bsc#1200619 bsc#1225437 CVE-2021-47522).
- Update
patches.suse/HID-usbhid-free-raw_report-buffers-in-usbhid_stop.patch
(git-fixes bsc#1225238 CVE-2021-47405).
- Update
patches.suse/IB-hfi1-Fix-leak-of-rcvhdrtail_dummy_kvaddr.patch
(git-fixes bsc#1225438 CVE-2021-47523).
- Update
patches.suse/IB-qib-Fix-memory-leak-in-qib_user_sdma_queue_pkts.patch
(CVE-2021-47485 bsc#1224904 bsc#1220960 CVE-2021-47104).
- Update
patches.suse/KVM-PPC-Book3S-HV-Fix-stack-handling-in-idle_kvm_sta.patch
(bko#206669 bsc#1174585 bsc#1192107 CVE-2021-43056 bsc#1225341
CVE-2021-47465).
- Update
patches.suse/KVM-mmio-Fix-use-after-free-Read-in-kvm_vm_ioctl_unr.patch
(git-fixes bsc#1224923 CVE-2021-47341).
- Update
patches.suse/KVM-x86-Immediately-reset-the-MMU-context-when-the-S.patch
(git-fixes bsc#1224853 CVE-2021-47230).
- Update
patches.suse/NFC-digital-fix-possible-memory-leak-in-digital_in_s.patch
(git-fixes bsc#1225263 CVE-2021-47442).
- Update
patches.suse/NFC-digital-fix-possible-memory-leak-in-digital_tg_l.patch
(git-fixes bsc#1225262 CVE-2021-47443).
- Update
patches.suse/NFS-Fix-use-after-free-in-nfs4_init_client.patch
(git-fixes bsc#1224953 CVE-2021-47259).
- Update
patches.suse/RDMA-Verify-port-when-creating-flow-rule.patch
(git-fixes bsc#1224957 CVE-2021-47265).
- Update
patches.suse/RDMA-cma-Ensure-rdma_addr_cancel-happens-before-issu.patch
(git-fixes bsc#1210629 CVE-2023-2176 bsc#1225318
CVE-2021-47391).
- Update
patches.suse/RDMA-cma-Fix-listener-leak-in-rdma_cma_listen_on_all.patch
(bsc#1181147 bsc#1225320 CVE-2021-47392).
- Update
patches.suse/aio-fix-use-after-free-due-to-missing-POLLFREE-handl.patch
(CVE-2021-39698 bsc#1196956 bsc#1225400 CVE-2021-47505).
- Update
patches.suse/audit-fix-possible-null-pointer-dereference-in-audit.patch
(git-fixes bsc#1225393 CVE-2021-47464).
- Update
patches.suse/blktrace-Fix-uaf-in-blk_trace-access-after-removing-.patch
(bsc#1191452 bsc#1225193 CVE-2021-47375).
- Update
patches.suse/bpf-s390-Fix-potential-memory-leak-about-jit_data.patch
(git-fixes bsc#1225370 CVE-2021-47426).
- Update patches.suse/can-peak_pci-peak_pci_remove-fix-UAF.patch
(git-fixes bsc#1225256 CVE-2021-47456).
- Update
patches.suse/can-sja1000-fix-use-after-free-in-ems_pcmcia_add_car.patch
(git-fixes bsc#1225435 CVE-2021-47521).
- Update
patches.suse/cfg80211-fix-management-registrations-locking.patch
(git-fixes bsc#1225450 CVE-2021-47494).
- Update
patches.suse/cifs-prevent-NULL-deref-in-cifs_compose_mount_options-.patch
(bsc#1185902 bsc#1224961 CVE-2021-47307).
- Update
patches.suse/cpufreq-schedutil-Use-kobject-release-method-to-free.patch
(git-fixes bsc#1225316 CVE-2021-47387).
- Update
patches.suse/dm-rq-don-t-queue-request-to-blk-mq-during-DM-suspen.patch
(bsc#1221113 bsc#1225357 CVE-2021-47498).
- Update
patches.suse/dma-buf-sync_file-Don-t-leak-fences-on-merge-failure.patch
(git-fixes bsc#1224968 CVE-2021-47305).
- Update
patches.suse/drm-Fix-use-after-free-read-in-drm_getunique.patch
(git-fixes bsc#1224982 CVE-2021-47280).
- Update
patches.suse/drm-amd-display-Avoid-HDCP-over-read-and-corruption.patch
(git-fixes bsc#1225178 CVE-2021-47348).
- Update
patches.suse/drm-amd-display-Fix-potential-memory-leak-in-DMUB-hw.patch
(git-fixes bsc#1224886 CVE-2021-47253).
- Update patches.suse/drm-amdgpu-fix-gart.bo-pin_count-leak.patch
(git-fixes bsc#1225390 CVE-2021-47431).
- Update
patches.suse/drm-edid-In-connector_bad_edid-cap-num_of_ext-by-num.patch
(git-fixes bsc#1225243 CVE-2021-47444).
- Update
patches.suse/drm-msm-Fix-null-pointer-dereference-on-pointer-edp.patch
(git-fixes bsc#1225261 CVE-2021-47445).
- Update
patches.suse/drm-msm-a6xx-Allocate-enough-space-for-GMU-registers.patch
(git-fixes bsc#1225446 CVE-2021-47535).
- Update
patches.suse/drm-nouveau-avoid-a-use-after-free-when-BO-init-fail.patch
(bsc#1152472 bsc#1224816 CVE-2020-36788).
- Update
patches.suse/drm-nouveau-debugfs-fix-file-release-memory-leak.patch
(git-fixes bsc#1225366 CVE-2021-47423).
- Update
patches.suse/drm-nouveau-kms-nv50-fix-file-release-memory-leak.patch
(git-fixes bsc#1225233 CVE-2021-47422).
- Update
patches.suse/drm-radeon-fix-a-possible-null-pointer-dereference.patch
(git-fixes bsc#1225230 CVE-2022-48710).
- Update patches.suse/drm-sched-Avoid-data-corruptions.patch
(git-fixes bsc#1225140 CVE-2021-47354).
- Update
patches.suse/ethtool-strset-fix-message-length-calculation.patch
(bsc#1176447 bsc#1224842 CVE-2021-47241).
- Update
patches.suse/fbmem-Do-not-delete-the-mode-that-is-still-in-use.patch
(git-fixes bsc#1224924 CVE-2021-47338).
- Update
patches.suse/ftrace-Do-not-blindly-read-the-ip-address-in-ftrace_bug.patch
(git-fixes bsc#1224966 CVE-2021-47276).
- Update
patches.suse/gpio-wcd934x-Fix-shift-out-of-bounds-error.patch
(git-fixes bsc#1224955 CVE-2021-47263).
- Update
patches.suse/hwmon-mlxreg-fan-Return-non-zero-value-when-fan-curr.patch
(git-fixes bsc#1225321 CVE-2021-47393).
- Update
patches.suse/i2c-acpi-fix-resource-leak-in-reconfiguration-device.patch
(git-fixes bsc#1225223 CVE-2021-47425).
- Update
patches.suse/i40e-Fix-NULL-pointer-dereference-in-i40e_dbg_dump_d.patch
(git-fixes bsc#1225361 CVE-2021-47501).
- Update
patches.suse/i40e-Fix-freeing-of-uninitialized-misc-IRQ-vector.patch
(git-fixes bsc#1225367 CVE-2021-47424).
- Update patches.suse/ice-avoid-bpf_prog-refcount-underflow.patch
(jsc#SLE-7926 bsc#1225500 CVE-2021-47563).
- Update patches.suse/ice-fix-vsi-txq_map-sizing.patch
(jsc#SLE-7926 bsc#1225499 CVE-2021-47562).
- Update
patches.suse/igb-Fix-use-after-free-error-during-reset.patch
(git-fixes bsc#1224916 CVE-2021-47301).
- Update
patches.suse/igc-Fix-use-after-free-error-during-reset.patch
(git-fixes bsc#1224917 CVE-2021-47302).
- Update
patches.suse/iio-accel-kxcjk-1013-Fix-possible-memory-leak-in-pro.patch
(git-fixes bsc#1225358 CVE-2021-47499).
- Update
patches.suse/isdn-mISDN-Fix-sleeping-function-called-from-invalid.patch
(git-fixes bsc#1225346 CVE-2021-47468).
- Update
patches.suse/isdn-mISDN-netjet-Fix-crash-in-nj_probe.patch
(git-fixes bsc#1224987 CVE-2021-47284).
- Update
patches.suse/isofs-Fix-out-of-bound-access-for-corrupted-isofs-im.patch
(bsc#1194591 bsc#1225198 CVE-2021-47478).
- Update
patches.suse/ixgbe-Fix-NULL-pointer-dereference-in-ixgbe_xdp_setu.patch
(git-fixes bsc#1225328 CVE-2021-47399).
- Update patches.suse/jfs-fix-GPF-in-diFree.patch (bsc#1203389
bsc#1225148 CVE-2021-47340).
- Update
patches.suse/mISDN-fix-possible-use-after-free-in-HFC_cleanup.patch
(git-fixes bsc#1225143 CVE-2021-47356).
- Update
patches.suse/mac80211-fix-use-after-free-in-CCMP-GCMP-RX.patch
(git-fixes bsc#1225214 CVE-2021-47388).
- Update
patches.suse/mac80211-hwsim-fix-late-beacon-hrtimer-handling.patch
(git-fixes bsc#1225327 CVE-2021-47396).
- Update
patches.suse/mac80211-limit-injected-vht-mcs-nss-in-ieee80211_par.patch
(git-fixes bsc#1225326 CVE-2021-47395).
- Update
patches.suse/media-zr364xx-fix-memory-leak-in-zr364xx_start_readp.patch
(git-fixes bsc#1224922 CVE-2021-47344).
- Update
patches.suse/misc-alcor_pci-fix-null-ptr-deref-when-there-is-no-P.patch
(git-fixes bsc#1225113 CVE-2021-47333).
- Update
patches.suse/misc-libmasm-module-Fix-two-use-after-free-in-ibmasm.patch
(git-fixes bsc#1225112 CVE-2021-47334).
- Update
patches.suse/mlxsw-thermal-Fix-out-of-bounds-memory-accesses.patch
(git-fixes bsc#1225224 CVE-2021-47441).
- Update
patches.suse/mt76-mt7915-fix-NULL-pointer-dereference-in-mt7915_g.patch
(git-fixes bsc#1225386 CVE-2021-47540).
- Update patches.suse/net-batman-adv-fix-error-handling.patch
(git-fixes bsc#1224909 CVE-2021-47482).
- Update
patches.suse/net-ethernet-fix-potential-use-after-free-in-ec_bhf_.patch
(git-fixes bsc#1224844 CVE-2021-47235).
- Update
patches.suse/net-hamradio-fix-memory-leak-in-mkiss_close.patch
(CVE-2022-1195 bsc#1198029 bsc#1224830 CVE-2021-47237).
- Update
patches.suse/net-mlx4_en-Fix-an-use-after-free-bug-in-mlx4_en_try.patch
(git-fixes bsc#1225453 CVE-2021-47541).
- Update
patches.suse/net-nfc-rawsock.c-fix-a-permission-check-bug.patch
(git-fixes bsc#1224981 CVE-2021-47285).
- Update
patches.suse/net-qlogic-qlcnic-Fix-a-NULL-pointer-dereference-in-.patch
(git-fixes bsc#1225455 CVE-2021-47542).
- Update
patches.suse/net-sched-fq_pie-prevent-dismantle-issue.patch
(jsc#SLE-15172 bsc#1225424 CVE-2021-47512).
- Update
patches.suse/net-sched-sch_ets-don-t-peek-at-classes-beyond-nband.patch
(bsc#1176774 bsc#1225468 CVE-2021-47557).
- Update
patches.suse/net-smc-fix-wrong-list_del-in-smc_lgr_cleanup_early
(git-fixes bsc#1225447 CVE-2021-47536).
- Update
patches.suse/netfilter-xt_IDLETIMER-fix-panic-that-occurs-when-ti.patch
(bsc#1176447 bsc#1225237 CVE-2021-47451).
- Update
patches.suse/nfc-fix-potential-NULL-pointer-deref-in-nfc_genl_dum.patch
(git-fixes bsc#1225372 CVE-2021-47518).
- Update
patches.suse/nfp-Fix-memory-leak-in-nfp_cpp_area_cache_add.patch
(git-fixes bsc#1225427 CVE-2021-47516).
- Update
patches.suse/nfs-fix-acl-memory-leak-of-posix_acl_create.patch
(git-fixes bsc#1225058 CVE-2021-47320).
- Update patches.suse/nfsd-Fix-nsfd-startup-race-again.patch
(git-fixes bsc#1225405 CVE-2021-47507).
- Update
patches.suse/nfsd-fix-use-after-free-due-to-delegation-race.patch
(git-fixes bsc#1225404 CVE-2021-47506).
- Update
patches.suse/ocfs2-fix-data-corruption-after-conversion-from-inli.patch
(bsc#1190795 bsc#1225251 CVE-2021-47460).
- Update
patches.suse/ocfs2-mount-fails-with-buffer-overflow-in-strlen.patch
(bsc#1197760 bsc#1225252 CVE-2021-47458).
- Update patches.suse/phy-mdio-fix-memory-leak.patch (git-fixes
bsc#1225336 CVE-2021-47416).
- Update
patches.suse/powerpc-64s-fix-program-check-interrupt-emergency-st.patch
(bsc#1156395 bsc#1225387 CVE-2021-47428).
- Update
patches.suse/powerpc-mm-Fix-lockup-on-kernel-exec-fault.patch
(bsc#1156395 bsc#1225181 CVE-2021-47350).
- Update
patches.suse/regmap-Fix-possible-double-free-in-regcache_rbtree_e.patch
(git-fixes bsc#1224907 CVE-2021-47483).
- Update
patches.suse/rxrpc-Fix-rxrpc_local-leak-in-rxrpc_lookup_peer.patch
(bsc#1154353 bnc#1151927 5.3.9 bsc#1225448 CVE-2021-47538).
- Update
patches.suse/s390-dasd-fix-Oops-in-dasd_alias_get_start_dev-due-to-missing-pavgroup
(git-fixes bsc#1223512 CVE-2022-48636).
- Update
patches.suse/s390-qeth-fix-NULL-deref-in-qeth_clear_working_pool_list
(git-fixes bsc#1225164 CVE-2021-47369).
- Update
patches.suse/s390-qeth-fix-deadlock-during-failing-recovery
(git-fixes bsc#1225207 CVE-2021-47382).
- Update
patches.suse/sata_fsl-fix-UAF-in-sata_fsl_port_stop-when-rmmod-sa.patch
(git-fixes bsc#1225508 CVE-2021-47549).
- Update
patches.suse/scsi-core-Fix-bad-pointer-dereference-when-ehandler-kthread-is-invalid.patch
(git-fixes bsc#1224926 CVE-2021-47337).
- Update
patches.suse/scsi-core-Fix-error-handling-of-scsi_host_alloc.patch
(git-fixes bsc#1224899 CVE-2021-47258).
- Update
patches.suse/scsi-core-Put-LLD-module-refcnt-after-SCSI-device-is-released.patch
(git-fixes bsc#1225322 CVE-2021-47480).
- Update
patches.suse/scsi-core-sysfs-Fix-hang-when-device-state-is-set-via-sysfs.patch
(git-fixes bsc#1222867 CVE-2021-47192).
- Update
patches.suse/scsi-libfc-Fix-array-index-out-of-bound-exception.patch
(bsc#1188616 bsc#1224963 CVE-2021-47308).
- Update
patches.suse/scsi-megaraid_sas-Fix-resource-leak-in-case-of-probe-failure.patch
(git-fixes bsc#1225083 CVE-2021-47329).
- Update
patches.suse/scsi-mpt3sas-Fix-kernel-panic-during-drive-powercycle-test
(git-fixes bsc#1225384 CVE-2021-47565).
- Update
patches.suse/scsi-pm80xx-Do-not-call-scsi_remove_host-in-pm8001_alloc
(git-fixes bsc#1225374 CVE-2021-47503).
- Update
patches.suse/scsi-qla2xxx-Fix-a-memory-leak-in-an-error-path-of-qla2x00_process_els
(git-fixes bsc#1225192 CVE-2021-47473).
- Update
patches.suse/serial-core-fix-transmit-buffer-reset-and-memleak.patch
(git-fixes bsc#1194288 CVE-2021-47527).
- Update
patches.suse/tracing-Correct-the-length-check-which-causes-memory-corruption.patch
(git-fixes bsc#1224990 CVE-2021-47274).
- Update
patches.suse/tty-n_gsm-require-CAP_NET_ADMIN-to-attach-N_GSM0710-.patch
(bsc#1222619 CVE-2023-52880).
- Update
patches.suse/tty-serial-8250-serial_cs-Fix-a-memory-leak-in-error.patch
(git-fixes bsc#1225084 CVE-2021-47330).
- Update
patches.suse/udf-Fix-NULL-pointer-dereference-in-udf_symlink-func.patch
(bsc#1206646 bsc#1225128 CVE-2021-47353).
- Update
patches.suse/usb-chipidea-ci_hdrc_imx-Also-search-for-phys-phandl.patch
(git-fixes bsc#1225333 CVE-2021-47413).
- Update
patches.suse/usb-dwc2-check-return-value-after-calling-platform_g.patch
(git-fixes bsc#1225330 CVE-2021-47409).
- Update
patches.suse/usb-dwc3-ep0-fix-NULL-pointer-exception.patch
(git-fixes bsc#1224996 CVE-2021-47269).
- Update
patches.suse/usb-fix-various-gadget-panics-on-10gbps-cabling.patch
(git-fixes bsc#1224993 CVE-2021-47267).
- Update
patches.suse/usb-fix-various-gadgets-null-ptr-deref-on-10gbps-cab.patch
(git-fixes bsc#1224997 CVE-2021-47270).
- Update patches.suse/usb-musb-dsps-Fix-the-probe-error-path.patch
(git-fixes bsc#1225244 CVE-2021-47436).
- Update patches.suse/usbnet-sanity-check-for-maxpacket.patch
(git-fixes bsc#1225351 CVE-2021-47495).
- Update
patches.suse/watchdog-Fix-possible-use-after-free-by-calling-del_.patch
(git-fixes bsc#1225060 CVE-2021-47321).
- Update
patches.suse/watchdog-Fix-possible-use-after-free-in-wdt_startup.patch
(git-fixes bsc#1225030 CVE-2021-47324).
- Update
patches.suse/watchdog-sc520_wdt-Fix-possible-use-after-free-in-wd.patch
(git-fixes bsc#1225026 CVE-2021-47323).
- Update
patches.suse/wl1251-Fix-possible-buffer-overflow-in-wl1251_cmd_sc.patch
(git-fixes bsc#1225177 CVE-2021-47347).
- Update
patches.suse/x86-fpu-prevent-state-corruption-in-_fpu__restore_sig.patch
(bsc#1178134 bsc#1224852 CVE-2021-47227).
- Update
patches.suse/xhci-Fix-command-ring-pointer-corruption-while-abort.patch
(git-fixes bsc#1225232 CVE-2021-47434).
- commit 0b290f8
- Update
patches.suse/0002-bcache-avoid-oversized-read-request-in-cache-miss.patch
(bsc#1184631 bsc#1224965 CVE-2021-47275).
- Update patches.suse/ACPI-fix-NULL-pointer-dereference.patch
(git-fixes bsc#1224984 CVE-2021-47289).
- Update
patches.suse/ALSA-usx2y-Don-t-call-free_pages_exact-with-NULL-add.patch
(git-fixes bsc#1225091 CVE-2021-47332).
- Update
patches.suse/ASoC-SOF-Fix-DSP-oops-stack-dump-output-contents.patch
(git-fixes bsc#1225206 CVE-2021-47381).
- Update
patches.suse/HID-betop-fix-slab-out-of-bounds-Write-in-betop_prob.patch
(git-fixes bsc#1225303 CVE-2021-47404).
- Update
patches.suse/HID-bigbenff-prevent-null-pointer-dereference.patch
(CVE-2022-20132 bsc#1200619 bsc#1225437 CVE-2021-47522).
- Update
patches.suse/HID-usbhid-free-raw_report-buffers-in-usbhid_stop.patch
(git-fixes bsc#1225238 CVE-2021-47405).
- Update
patches.suse/IB-qib-Fix-memory-leak-in-qib_user_sdma_queue_pkts.patch
(CVE-2021-47485 bsc#1224904 bsc#1220960 CVE-2021-47104).
- Update
patches.suse/KVM-PPC-Book3S-HV-Fix-stack-handling-in-idle_kvm_sta.patch
(bko#206669 bsc#1174585 bsc#1192107 CVE-2021-43056 bsc#1225341
CVE-2021-47465).
- Update
patches.suse/KVM-mmio-Fix-use-after-free-Read-in-kvm_vm_ioctl_unr.patch
(git-fixes bsc#1224923 CVE-2021-47341).
- Update
patches.suse/NFC-digital-fix-possible-memory-leak-in-digital_in_s.patch
(git-fixes bsc#1225263 CVE-2021-47442).
- Update
patches.suse/NFC-digital-fix-possible-memory-leak-in-digital_tg_l.patch
(git-fixes bsc#1225262 CVE-2021-47443).
- Update
patches.suse/NFS-Fix-use-after-free-in-nfs4_init_client.patch
(git-fixes bsc#1224953 CVE-2021-47259).
- Update
patches.suse/RDMA-cma-Ensure-rdma_addr_cancel-happens-before-issu.patch
(bsc#1210629 CVE-2023-2176 bsc#1225318 CVE-2021-47391).
- Update
patches.suse/aio-fix-use-after-free-due-to-missing-POLLFREE-handl.patch
(CVE-2021-39698 bsc#1196956 bsc#1225400 CVE-2021-47505).
- Update
patches.suse/audit-fix-possible-null-pointer-dereference-in-audit.patch
(git-fixes bsc#1225393 CVE-2021-47464).
- Update
patches.suse/blktrace-Fix-uaf-in-blk_trace-access-after-removing-.patch
(bsc#1191452 bsc#1225193 CVE-2021-47375).
- Update patches.suse/can-peak_pci-peak_pci_remove-fix-UAF.patch
(git-fixes bsc#1225256 CVE-2021-47456).
- Update
patches.suse/cifs-prevent-NULL-deref-in-cifs_compose_mount_options-.patch
(bsc#1185902 bsc#1224961 CVE-2021-47307).
- Update
patches.suse/dma-buf-sync_file-Don-t-leak-fences-on-merge-failure.patch
(git-fixes bsc#1224968 CVE-2021-47305).
- Update
patches.suse/drm-Fix-use-after-free-read-in-drm_getunique.patch
(git-fixes bsc#1224982 CVE-2021-47280).
- Update patches.suse/drm-amdgpu-fix-gart.bo-pin_count-leak.patch
(git-fixes bsc#1225390 CVE-2021-47431).
- Update
patches.suse/drm-msm-Fix-null-pointer-dereference-on-pointer-edp.patch
(git-fixes bsc#1225261 CVE-2021-47445).
- Update
patches.suse/drm-nouveau-debugfs-fix-file-release-memory-leak.patch
(git-fixes bsc#1225366 CVE-2021-47423).
- Update patches.suse/drm-sched-Avoid-data-corruptions.patch
(git-fixes bsc#1225140 CVE-2021-47354).
- Update
patches.suse/fbmem-Do-not-delete-the-mode-that-is-still-in-use.patch
(git-fixes bsc#1224924 CVE-2021-47338).
- Update
patches.suse/ftrace-Do-not-blindly-read-the-ip-address-in-ftrace_bug.patch
(git-fixes bsc#1224966 CVE-2021-47276).
- Update
patches.suse/hwmon-mlxreg-fan-Return-non-zero-value-when-fan-curr.patch
(git-fixes bsc#1225321 CVE-2021-47393).
- Update
patches.suse/i2c-acpi-fix-resource-leak-in-reconfiguration-device.patch
(git-fixes bsc#1225223 CVE-2021-47425).
- Update
patches.suse/i40e-Fix-freeing-of-uninitialized-misc-IRQ-vector.patch
(git-fixes bsc#1225367 CVE-2021-47424).
- Update patches.suse/ice-avoid-bpf_prog-refcount-underflow.patch
(jsc#SLE-7926 bsc#1225500 CVE-2021-47563).
- Update patches.suse/ice-fix-vsi-txq_map-sizing.patch
(jsc#SLE-7926 bsc#1225499 CVE-2021-47562).
- Update
patches.suse/igb-Fix-use-after-free-error-during-reset.patch
(git-fixes bsc#1224916 CVE-2021-47301).
- Update
patches.suse/igc-Fix-use-after-free-error-during-reset.patch
(git-fixes bsc#1224917 CVE-2021-47302).
- Update
patches.suse/isdn-mISDN-Fix-sleeping-function-called-from-invalid.patch
(git-fixes bsc#1225346 CVE-2021-47468).
- Update
patches.suse/isdn-mISDN-netjet-Fix-crash-in-nj_probe.patch
(git-fixes bsc#1224987 CVE-2021-47284).
- Update
patches.suse/ixgbe-Fix-NULL-pointer-dereference-in-ixgbe_xdp_setu.patch
(git-fixes bsc#1225328 CVE-2021-47399).
- Update
patches.suse/mISDN-fix-possible-use-after-free-in-HFC_cleanup.patch
(git-fixes bsc#1225143 CVE-2021-47356).
- Update
patches.suse/mac80211-fix-use-after-free-in-CCMP-GCMP-RX.patch
(git-fixes bsc#1225214 CVE-2021-47388).
- Update
patches.suse/mac80211-hwsim-fix-late-beacon-hrtimer-handling.patch
(git-fixes bsc#1225327 CVE-2021-47396).
- Update
patches.suse/mac80211-limit-injected-vht-mcs-nss-in-ieee80211_par.patch
(git-fixes bsc#1225326 CVE-2021-47395).
- Update
patches.suse/media-zr364xx-fix-memory-leak-in-zr364xx_start_readp.patch
(git-fixes bsc#1224922 CVE-2021-47344).
- Update
patches.suse/misc-alcor_pci-fix-null-ptr-deref-when-there-is-no-P.patch
(git-fixes bsc#1225113 CVE-2021-47333).
- Update
patches.suse/misc-libmasm-module-Fix-two-use-after-free-in-ibmasm.patch
(git-fixes bsc#1225112 CVE-2021-47334).
- Update
patches.suse/mlxsw-thermal-Fix-out-of-bounds-memory-accesses.patch
(git-fixes bsc#1225224 CVE-2021-47441).
- Update patches.suse/net-batman-adv-fix-error-handling.patch
(git-fixes bsc#1224909 CVE-2021-47482).
- Update
patches.suse/net-mlx4_en-Fix-an-use-after-free-bug-in-mlx4_en_try.patch
(git-fixes bsc#1225453 CVE-2021-47541).
- Update
patches.suse/net-nfc-rawsock.c-fix-a-permission-check-bug.patch
(git-fixes bsc#1224981 CVE-2021-47285).
- Update
patches.suse/net-qlogic-qlcnic-Fix-a-NULL-pointer-dereference-in-.patch
(git-fixes bsc#1225455 CVE-2021-47542).
- Update
patches.suse/nfp-Fix-memory-leak-in-nfp_cpp_area_cache_add.patch
(git-fixes bsc#1225427 CVE-2021-47516).
- Update
patches.suse/nfs-fix-acl-memory-leak-of-posix_acl_create.patch
(git-fixes bsc#1225058 CVE-2021-47320).
- Update
patches.suse/ocfs2-fix-data-corruption-after-conversion-from-inli.patch
(bsc#1190795 bsc#1225251 CVE-2021-47460).
- Update patches.suse/phy-mdio-fix-memory-leak.patch (git-fixes
bsc#1225336 CVE-2021-47416).
- Update
patches.suse/powerpc-mm-Fix-lockup-on-kernel-exec-fault.patch
(bsc#1156395 bsc#1225181 CVE-2021-47350).
- Update
patches.suse/regmap-Fix-possible-double-free-in-regcache_rbtree_e.patch
(git-fixes bsc#1224907 CVE-2021-47483).
- Update
patches.suse/rxrpc-Fix-rxrpc_local-leak-in-rxrpc_lookup_peer.patch
(bsc#1154353 bnc#1151927 5.3.9 bsc#1225448 CVE-2021-47538).
- Update
patches.suse/s390-qeth-fix-NULL-deref-in-qeth_clear_working_pool_list
(git-fixes bsc#1225164 CVE-2021-47369).
- Update
patches.suse/s390-qeth-fix-deadlock-during-failing-recovery
(git-fixes bsc#1225207 CVE-2021-47382).
- Update
patches.suse/scsi-libfc-Fix-array-index-out-of-bound-exception.patch
(bsc#1188616 bsc#1224963 CVE-2021-47308).
- Update
patches.suse/scsi-mpt3sas-Fix-kernel-panic-during-drive-powercycle-test
(git-fixes bsc#1225384 CVE-2021-47565).
- Update
patches.suse/scsi-qla2xxx-Fix-a-memory-leak-in-an-error-path-of-qla2x00_process_els
(git-fixes bsc#1225192 CVE-2021-47473).
- Update
patches.suse/serial-core-fix-transmit-buffer-reset-and-memleak.patch
(git-fixes bsc#1194288 CVE-2021-47527).
- Update
patches.suse/tracing-Correct-the-length-check-which-causes-memory-corruption.patch
(git-fixes bsc#1224990 CVE-2021-47274).
- Update
patches.suse/tty-n_gsm-require-CAP_NET_ADMIN-to-attach-N_GSM0710-.patch
(bsc#1222619 CVE-2023-52880).
- Update
patches.suse/tty-serial-8250-serial_cs-Fix-a-memory-leak-in-error.patch
(git-fixes bsc#1225084 CVE-2021-47330).
- Update
patches.suse/usb-dwc3-ep0-fix-NULL-pointer-exception.patch
(git-fixes bsc#1224996 CVE-2021-47269).
- Update
patches.suse/usb-fix-various-gadget-panics-on-10gbps-cabling.patch
(git-fixes bsc#1224993 CVE-2021-47267).
- Update
patches.suse/usb-fix-various-gadgets-null-ptr-deref-on-10gbps-cab.patch
(git-fixes bsc#1224997 CVE-2021-47270).
- Update patches.suse/usb-musb-dsps-Fix-the-probe-error-path.patch
(git-fixes bsc#1225244 CVE-2021-47436).
- Update patches.suse/usbnet-sanity-check-for-maxpacket.patch
(git-fixes bsc#1225351 CVE-2021-47495).
- Update
patches.suse/watchdog-Fix-possible-use-after-free-by-calling-del_.patch
(git-fixes bsc#1225060 CVE-2021-47321).
- Update
patches.suse/watchdog-Fix-possible-use-after-free-in-wdt_startup.patch
(git-fixes bsc#1225030 CVE-2021-47324).
- Update
patches.suse/watchdog-sc520_wdt-Fix-possible-use-after-free-in-wd.patch
(git-fixes bsc#1225026 CVE-2021-47323).
- Update
patches.suse/wl1251-Fix-possible-buffer-overflow-in-wl1251_cmd_sc.patch
(git-fixes bsc#1225177 CVE-2021-47347).
- Update
patches.suse/xhci-Fix-command-ring-pointer-corruption-while-abort.patch
(git-fixes bsc#1225232 CVE-2021-47434).
- commit 37dba5a
- net/smc: kABI workarounds for struct smc_link (CVE-2022-48673
bsc#1223934).
- net/smc: Fix possible access to freed memory in link clear
(CVE-2022-48673 bsc#1223934).
- commit 0f509bf
- soc: qcom: llcc: Handle a second device without data corruption (bsc#1225534 CVE-2023-52871)
- commit f6adad8
- x86/xen: Drop USERGS_SYSRET64 paravirt call (git-fixes).
- Refresh
patches.suse/x86-entry_64-Add-VERW-just-before-userspace-transition.patch.
- Refresh
patches.suse/x86-xen-add-xenpv_restore_regs_and_return_to_usermode.patch.
- commit fa16bf8
- cifs: fix underflow in parse_server_interfaces() (bsc#1223084,
CVE-2024-26828).
- commit 8a48c12
- nvmem: Fix shift-out-of-bound (UBSAN) with byte size cells
(bsc#1225355 CVE-2021-47497).
- commit 33cab00
- Refresh
patches.suse/firmware-raspberrypi-introduce-vl805-init-routine.patch.
- Refresh
patches.suse/pci-brcmstb-wait-for-raspberry-pi-s-firmware-when-present.patch.
- Refresh
patches.suse/usb-pci-quirks-add-raspberry-pi-4-quirk.patch.
- Rename to
patches.suse/soc-bcm2835-add-notify-xhci-reset-property.patch.
Add upstream references, sync with upstream and move to the sorted
section.
3 of these patches were later reverted, but only because they were
replaced by a different implementation, not because they were wrong.
Add the reverts to blacklist.conf.
- commit ebed050
- iio: mma8452: Fix trigger reference couting (bsc#1225360
CVE-2021-47500).
- commit 8ee9c73
- efi/capsule-loader: fix incorrect allocation size (bsc#1224438
CVE-2024-27413).
- commit 66f7463
- tty: Fix out-of-bound vmalloc access in imageblit
(CVE-2021-47383 bsc#1225208).
- commit aa2473d
- ALSA: pcm: oss: Fix negative period/buffer sizes (CVE-2021-47511
bsc#1225411).
- commit 094796a
- Update tags in
patches.suse/ext4-Fix-check-for-block-being-out-of-directory-size.patch.
And move to the sorted section of series.conf.
- commit dc0df73
- Refresh patches.suse/x86-cpu-amd-add-a-zenbleed-fix.patch.
- Refresh
patches.suse/x86-cpu-amd-move-the-errata-checking-functionality-up.patch.
Move 2 upstream arch-specific patches to the sorted section.
- commit d5f36cd
- Input: synaptics-rmi4 - fix use after free in
rmi_unregister_function() (CVE-2023-52840 bsc#1224928).
- commit 3a1b2ed
- IB/qib: Fix memory leak in qib_user_sdma_queue_pkts() (CVE-2021-47485 bsc#1224904)
- commit 7e99b42
- af_unix: annote lockless accesses to unix_tot_inflight &
gc_in_progress (bsc#1223384).
- Refresh
patches.suse/io_uring-af_unix-defer-registered-files-gc-to-io_uri.patch.
- commit 03fbb54
- IB/qib: Protect from buffer overflow in struct qib_user_sdma_pkt fields (CVE-2021-47485 bsc#1224904)
- commit c9482fe
- IB/mlx5: Fix initializing CQ fragments buffer (bsc#1224954 CVE-2021-47261)
- commit 77cbada
- Move powerpc patches to their specific section
They are apparently not going upstream.
- commit eea93a0
- Move upstream patches to the sorted section
- commit 757eb5a
- Update
patches.suse/bpf-sockmap-Prevent-lock-inversion-deadlock-in-map-d.patch
(bsc#1209657 CVE-2023-0160 CVE-2024-35895 bsc#1224511).
- Update
patches.suse/nfsd-Fix-error-cleanup-path-in-nfsd_rename.patch
(bsc#1221044 CVE-2023-52591 CVE-2024-35914 bsc#1224482).
- Update
patches.suse/wifi-brcmfmac-Fix-use-after-free-bug-in-brcmf_cfg802.patch
(CVE-2023-47233 bsc#1216702 CVE-2024-35811 bsc#1224592).
- commit e0bcd81
- Update
patches.suse/KVM-PPC-Fix-kvm_arch_vcpu_ioctl-vcpu_load-leak.patch
(bsc#1156395 CVE-2021-47296 bsc#1224891).
- Update
patches.suse/NFS-Fix-a-potential-NULL-dereference-in-nfs_get_clie.patch
(git-fixes CVE-2021-47260 bsc#1224834).
- Update
patches.suse/PCI-aardvark-Fix-kernel-panic-during-PIO-transfer.patch
(git-fixes CVE-2021-47229 bsc#1224854).
- Update
patches.suse/batman-adv-Avoid-WARN_ON-timing-related-checks.patch
(git-fixes CVE-2021-47252 bsc#1224882).
- Update
patches.suse/can-mcba_usb-fix-memory-leak-in-mcba_usb.patch
(git-fixes CVE-2021-47231 bsc#1224849).
- Update
patches.suse/kvm-lapic-restore-guard-to-prevent-illegal-apic-regi.patch
(bsc#1188772 CVE-2021-47255 bsc#1224832).
- Update
patches.suse/media-ngene-Fix-out-of-bounds-bug-in-ngene_command_c.patch
(git-fixes CVE-2021-47288 bsc#1224889).
- Update
patches.suse/memory-fsl_ifc-fix-leak-of-IO-mapping-on-probe-failu.patch
(git-fixes CVE-2021-47315 bsc#1224892).
- Update
patches.suse/memory-fsl_ifc-fix-leak-of-private-memory-on-probe-f.patch
(git-fixes CVE-2021-47314 bsc#1224893).
- Update patches.suse/net-cdc_eem-fix-tx-fixup-skb-leak.patch
(git-fixes CVE-2021-47236 bsc#1224841).
- Update
patches.suse/net-mlx5e-Fix-page-reclaim-for-dead-peer-hairpin.patch
(git-fixes CVE-2021-47246 bsc#1224831).
- Update
patches.suse/net-qrtr-fix-OOB-Read-in-qrtr_endpoint_post.patch
(CVE-2021-3743 bsc#1189883 CVE-2021-47240 bsc#1224843).
- Update
patches.suse/net-usb-fix-possible-use-after-free-in-smsc75xx_bind.patch
(git-fixes CVE-2021-47239 bsc#1224846).
- Update
patches.suse/usb-dwc3-core-fix-kernel-panic-when-do-reboot.patch
(git-fixes CVE-2021-47220 bsc#1224859).
- commit 5376688
- gfs2: Fix use-after-free in gfs2_glock_shrink_scan (bsc#1224888
CVE-2021-47254).
- commit bf82ce3
- btrfs: do not start relocation until in progress drops are done
(bsc#1222251).
- commit a41ddb4
- btrfs: do not start relocation until in progress drops are done
(bsc#1222251).
- commit 0f3d5ec
- Bluetooth: Fix use-after-free bugs caused by sco_sock_timeout
(bsc#1224174 CVE-2024-27398).
- commit 2d99726
- af_unix: Fix garbage collector racing against connect()
(CVE-2024-26923 bsc#1223384).
- af_unix: Replace BUG_ON() with WARN_ON_ONCE() (bsc#1223384).
- af_unix: Do not use atomic ops for unix_sk(sk)->inflight (bsc#1223384).
- commit 9a2eeaf
- blacklist.conf: Fix for code not present (CVE-2024-26929)
- commit 3d9e5d9
- Refresh
patches.suse/NFS-don-t-store-struct-cred-in-struct-nfs_access_ent.patch.
- Refresh
patches.suse/qla2xxx-synchronize-rport-dev_loss_tmo-setting.patch.
- Refresh
patches.suse/rpadlpar_io-Add-MODULE_DESCRIPTION-entries-to-kernel.patch.
Adjust headers to minimize merge conflicts.
- commit 0300a69
- Refresh
patches.suse/ext4-Avoid-trim-error-on-fs-with-small-groups.patch.
Swap headers to avoid a conflict when merging into consumer branches.
- commit 1510229
- Refresh
patches.suse/wifi-brcmfmac-Fix-use-after-free-bug-in-brcmf_cfg802.patch.
Update Patch-mainline tag and move to sorted section.
- commit 81abd64
- Refresh patches.suse/Bluetooth-L2CAP-Fix-u8-overflow.patch.
Add upstream commit ID and move to sorted section.
- commit 5c72346
- Refresh
patches.suse/wifi-brcmfmac-Fix-potential-buffer-overflow-in-brcmf.patch.
Update Patch-mainline tag and move to sorted section.
- commit 684103a
- Refresh
patches.suse/misc-sgi-gru-fix-use-after-free-error-in-gru_set_con.patch.
Update Patch-mainline tag and move to sorted section.
- commit a75fb60
- Refresh
patches.suse/char-pcmcia-synclink_cs-Fix-use-after-free-in-mgslpc.patch.
Driver was deleted upstream so this fix will stay out-of-tree
forever. Move to the appropriate section.
- commit bce6652
- Refresh
patches.suse/media-dvb-core-Fix-UAF-due-to-refcount-races-at-rele.patch.
Add upstream commit ID and move to sorted section.
- commit 39ecedd
- Refresh
patches.suse/netfilter-nf_conntrack_irc-Tighten-matching-on-DCC-m.patch.
Add upstream commit ID and move to sorted section.
- commit 6754ecb
- Refresh
patches.suse/ext4-Avoid-trim-error-on-fs-with-small-groups.patch.
Add upstream commit ID and move to sorted section.
- commit 92fa4c5
- Refresh
patches.suse/SUNRPC-auth-async-tasks-mustn-t-block-waiting-for-me.patch.
- Refresh
patches.suse/SUNRPC-call_alloc-async-tasks-mustn-t-block-waiting-.patch.
- Refresh
patches.suse/SUNRPC-improve-swap-handling-scheduling-and-PF_MEMAL.patch.
- Refresh
patches.suse/SUNRPC-remove-scheduling-boost-for-SWAPPER-tasks.patch.
- Refresh
patches.suse/SUNRPC-xprt-async-tasks-mustn-t-block-waiting-for-me.patch.
Add upstream commit IDs and move to sorted section.
- commit 245a308
- Refresh
patches.suse/NFS-change-nfs_access_get_cached-to-only-report-the-.patch.
- Refresh
patches.suse/NFS-don-t-store-struct-cred-in-struct-nfs_access_ent.patch.
- Refresh
patches.suse/NFS-pass-cred-explicitly-for-access-tests.patch.
Add upstream commit IDs and move to sorted section.
- commit 8f85449
- Refresh
patches.suse/qla2xxx-synchronize-rport-dev_loss_tmo-setting.patch.
Add upstream commit ID and move to sorted section.
- commit 0e0054f
- NFC: nxp: add NXP1002 (bsc#1185589).
Add upstream commit ID and subject, and move to sorted section.
- commit 01c3222
- series.conf: Move block-genhd-use-atomic_t-for-disk_event-block.patch
Patch was never accepted upstream and was dropped from later products
as it had problematic side effects. Move it to the appropriate
out-of-tree section.
- commit 9199401
- PCI: rpaphp: Add MODULE_DESCRIPTION (bsc#1176869 ltc#188243).
Add upstream commit ID and subject, and move to sorted section.
- commit 4630de9
- Refresh
patches.suse/drivers-base-memory.c-cache-blocks-in-radix-tree-to-.patch.
Document why this commit will never go upstream and move it to its
specific section.
- commit f30bed3
- Refresh
patches.suse/x86-boot-Ignore-relocations-in-.notes-sections-in-walk_rel.patch.
Move to sorted section.
- commit 9bdf9d5
- blacklist.conf: add fix for code not present (CVE-2024-26930)
- commit 19f6175
- Update
patches.suse/netfilter-nf_tables-mark-set-as-dead-when-unbinding-.patch
(git-fixes CVE-2024-26643 bsc#1221829).
- Update
patches.suse/netfilter-nf_tables-release-mutex-after-nft_gc_seq_e.patch
(git-fixes CVE-2024-26925 bsc#1223390).
- Update
patches.suse/netfilter-nft_set_rbtree-skip-end-interval-element-f.patch
(git-fixes CVE-2024-26581 bsc#1220144).
- commit 5b5ef95
- Update
patches.suse/io_uring-af_unix-disable-sending-io_uring-over-socke.patch
(bsc#1220754 CVE-2023-6531 CVE-2023-52654 bsc#1224099).
- Update
patches.suse/netfilter-nf_tables-fix-memleak-when-more-than-255-e.patch
(git-fixes CVE-2023-52581 bsc#1220877).
- Update
patches.suse/netfilter-nft_set_rbtree-skip-sync-GC-for-new-elemen.patch
(git-fixes CVE-2023-52433 bsc#1220137).
- commit ab7595e
- blacklist.conf: Add 9474c62ab65f net/sched: Add module alias for sch_fq_pie
- commit 0f0d88e
- usb: aqc111: check packet for fixup for true limit (bsc#1217169
CVE-2023-52655).
- commit 1678228
- Update
patches.suse/drm-radeon-add-a-force-flush-to-delay-work-when-rade.patch
(git-fixes CVE-2022-48704 bsc#1223932).
- commit d602686
- netfilter: nf_tables: release mutex after nft_gc_seq_end from
abort path (git-fixes).
- commit 453d60a
- netfilter: nf_tables: mark set as dead when unbinding anonymous
set with timeout (git-fixes).
- commit a3b6f2c
- netfilter: nft_set_rbtree: skip end interval element from gc
(git-fixes).
- commit f941d80
- netfilter: nf_tables: skip dead set elements in netlink dump
(git-fixes).
- commit 11672cf
- netfilter: nf_tables: mark newset as dead on transaction abort
(git-fixes).
- commit deeefa0
- blacklist.conf: update blacklist
- commit d111502
- blacklist.conf: update blacklist
- commit c053707
- netfilter: nf_tables: nft_set_rbtree: fix spurious insertion
failure (git-fixes).
- commit 787a388
- Refresh patches.kabi/netfilter-preserve-nf_tables-kabi.patch.
- commit f69dce7
- netfilter: nf_tables: fix memleak when more than 255 elements
expired (git-fixes).
- commit 55db444
- blacklist.conf: update blacklist
- commit 3075338
- netfilter: nft_set_hash: try later when GC hits EAGAIN on
iteration (git-fixes).
- commit bc13e9b
- netfilter: nft_set_rbtree: use read spinlock to avoid datapath
contention (git-fixes).
- commit 9ed8e71
- netfilter: nft_set_rbtree: skip sync GC for new elements in
this transaction (git-fixes).
- commit 0d564a0
- netfilter: nf_tables: defer gc run if previous batch is still
pending (git-fixes).
- commit 1cb21d0
- netfilter: nf_tables: use correct lock to protect gc_list
(git-fixes).
- commit f315c4c
- netfilter: nf_tables: GC transaction race with abort path
(git-fixes).
- commit ce0642f
- netfilter: nf_tables: GC transaction race with netns dismantle
(git-fixes).
- commit d9e442c
- blacklist.conf: update blacklist
- commit 51055c8
- netfilter: nf_tables: fix GC transaction races with netns and
netlink event exit path (git-fixes).
- commit eacca32
- netfilter: nf_tables: fix kdoc warnings after gc rework
(git-fixes).
- commit f86c22d
- Update
patches.suse/scsi-mpt3sas-Fix-use-after-free-warning.patch
(git-fixes CVE-2022-48695 bsc#1223941).
- commit 033821b
- Update
patches.suse/ALSA-emu10k1-Fix-out-of-bounds-access-in-snd_emu10k1.patch
(git-fixes CVE-2022-48702 bsc#1223923).
- commit c521d4a
- Update
patches.suse/of-fdt-fix-off-by-one-error-in-unflatten_dt_nodes.patch
(git-fixes CVE-2022-48672 bsc#1223931).
- commit e3fefd5
- cachefiles: fix memory leak in cachefiles_add_cache()
(bsc#1222976 CVE-2024-26840).
- commit aa1fa99
- netfilter: nf_tables: adapt set backend to use GC transaction
API (bsc#1215420 CVE-2023-4244).
- commit 2a5fb01
- btrfs: abort in rename_exchange if we fail to insert the second ref (CVE-2021-47113 bsc#1221543)
Refresh patches.suse/btrfs-prevent-rename2-from-exchanging-a-subvol-with-a-directory-from-different-parents.patch
- commit cc57e15
- Update
patches.suse/net-sched-act_mirred-don-t-override-retval-if-we-alr.patch
references (CVE-2024-26739 bsc#1222559, drop incorrect references).
- commit 8b3f599
- net/tls: Remove the context from the list in tls_device_down
(bsc#1221545).
- commit aca4b2e
- blacklist.conf: add 94ce3b64c62d
Blacklist commit 94ce3b64c62d ("net/tls: Use RCU API to access
tls_ctx->netdev"). This is a follow-up to c55dcdd435aa which addresses an
issue which is rather theoretical and the backport would be quite
intrusive.
- commit 64bbcaf
- tls: Fix context leak on tls_device_down (bsc#1221545).
- commit 23bab3f
- Update
patches.suse/nvme-tcp-fix-uaf-when-detecting-digest-errors.patch
(bsc#1200313 bsc#1201489 CVE-2022-48686 bsc#1223948).
- commit 5e5f9fe
- Update
patches.suse/ALSA-usb-audio-Fix-an-out-of-bounds-bug-in-__snd_usb.patch
(git-fixes CVE-2022-48701 bsc#1223921).
- commit 5de225e
- Update
patches.suse/soc-brcmstb-pm-arm-Fix-refcount-leak-and-__iomem-lea.patch
(git-fixes CVE-2022-48693 bsc#1223963).
- commit 0e4cd62
- kabi: hide new member of struct tls_context (CVE-2021-47131
bsc#1221545).
- net/tls: Fix use-after-free after the TLS device goes down
and up (CVE-2021-47131 bsc#1221545).
- commit c19ff47
- Update
patches.suse/ipv6-sr-fix-out-of-bounds-read-when-setting-HMAC-dat.patch
(bsc#1211592 CVE-2023-2860 CVE-2022-48687 bsc#1223952).
- commit 94a1c44
- net/ipv6: avoid possible UAF in ip6_route_mpath_notify()
(CVE-2024-26852 bsc#1223057).
- commit f51e744
- openvswitch: fix stack OOB read while fragmenting IPv4 packets
(CVE-2021-46955 bsc#1220513).
- commit 37faff4
- packet: annotate data-races around ignore_outgoing
(CVE-2024-26862 bsc#1223111).
- commit 9b14c5d
- sctp: fix potential deadlock on &net->sctp.addr_wq_lock
(CVE-2024-0639 bsc#1218917).
- commit c0f421c
- netfilter: preserve nf_tables kabi (bsc#1215420 CVE-2023-424).
- commit e6ab556
- media: edia: dvbdev: fix a use-after-free (CVE-2024-27043
bsc#1223824).
- commit 1c01fe0
- ext4: fix bug in extents parsing when eh_entries == 0 and
eh_depth > 0 (bsc#1223475 CVE-2022-48631).
- commit 911e181
- md/raid5: fix atomicity violation in raid5_cache_count
(bsc#1219169, CVE-2024-23307).
- commit b804891
- Update
patches.suse/cgroup-cgroup_get_from_id-must-check-the-looked-up-kn-is-a-directory.patch
(bsc#1203906 CVE-2022-48638 bsc#1223522).
- commit 3bd7c2d
- netfilter: nf_tables: GC transaction API to avoid race with
control plane (bsc#1215420 CVE-2023-4244).
- commit 361e5a0
- netfilter: nf_tables: don't skip expired elements during walk
(bsc#1215420 CVE-2023-4244).
- commit 47ee234
- Update
patches.suse/scsi-qla2xxx-Fix-memory-leak-in-__qlt_24xx_handle_ab.patch
(bsc#1203935 CVE-2022-48650 bsc#1223509).
- commit c5c2590
- Update
patches.suse/netfilter-nfnetlink_osf-fix-possible-bogus-match-in-.patch
(bsc#1204614 CVE-2022-48654 bsc#1223482).
- commit 1221e0a
- netfilter: nft_set_rbtree: fix overlap expiration walk
(git-fixes).
- commit 90d7112
- netfilter: nft_set_rbtree: fix null deref on element insertion
(git-fixes).
- commit f25e27c
- netfilter: nft_set_rbtree: skip elements in transaction from
garbage collection (git-fixes).
- commit 845bbc6
- netfilter: nft_set_rbtree: Switch to node list walk for overlap
detection (git-fixes).
- commit bd48625
- netfilter: nft_set_rbtree: overlap detection with element
re-addition after deletion (git-fixes).
- commit d362ed4
- netfilter: nft_set_rbtree: Detect partial overlap with start
endpoint match (git-fixes).
- commit 4970ce9
- netfilter: nft_set_rbtree: Handle outcomes of tree rotations
in overlap detection (git-fixes).
- commit bc0387c
- netfilter: nft_set_rbtree: Don't account for expired elements
on insertion (git-fixes).
- commit c90c848
- netfilter: nft_set_rbtree: Add missing expired checks
(git-fixes).
- commit 0d65e63
- netfilter: nft_set_rbtree: Drop spurious condition for overlap
detection on insertion (git-fixes).
- commit a64c352
- netfilter: nft_set_rbtree: Detect partial overlaps on insertion
(git-fixes).
- commit 39167a3
- netfilter: nft_set_rbtree: Introduce and use
nft_rbtree_interval_start() (git-fixes).
- commit 9b991e8
- netfilter: nft_set_rbtree: bogus lookup/get on consecutive
elements in named sets (git-fixes).
- commit 1a2cbfc
- ipvlan: Fix out-of-bound bugs caused by unset skb->mac_header
(bsc#1223513 CVE-2022-48651).
- commit 0325bf2
- x86/mm: Disallow vsyscall page read for copy_from_kernel_nofault() (bsc#1223202 CVE-2024-26906).
- commit 4dcafb9
- x86/mm: Move is_vsyscall_vaddr() into asm/vsyscall.h (bsc#1223202 CVE-2024-26906).
- commit 4e61cac
- x86/boot: Ignore relocations in .notes sections in walk_relocs() too (bsc#1222624 CVE-2024-26816).
- commit 8d2e301
- x86, relocs: Ignore relocations in .notes section (bsc#1222624 CVE-2024-26816).
- commit b1ed209
- Update
patches.suse/0001-fs-hugetlb-fix-NULL-pointer-dereference-in-hugetlbs_.patch
(bsc#1219264 CVE-2024-0841 CVE-2024-26688 bsc#1222482).
- Update
patches.suse/Bluetooth-rfcomm-Fix-null-ptr-deref-in-rfcomm_check_.patch
(bsc#1219170 CVE-2024-22099 CVE-2024-26903 bsc#1223187).
- Update
patches.suse/net-sched-act_mirred-don-t-override-retval-if-we-alr.patch
(CVE-2024-26733 bsc#1222585 CVE-2024-26739 bsc#1222559).
- commit edcb3fa
- Update
patches.suse/ALSA-gus-fix-null-pointer-dereference-on-pointer-blo.patch
(git-fixes CVE-2021-47207 bsc#1222790).
- Update
patches.suse/cfg80211-call-cfg80211_stop_ap-when-switch-from-P2P_.patch
(git-fixes CVE-2021-47194 bsc#1222829).
- Update
patches.suse/i40e-Fix-NULL-ptr-dereference-on-VSI-filter-sync.patch
(git-fixes CVE-2021-47184 bsc#1222666).
- Update
patches.suse/iavf-free-q_vectors-before-queues-in-iavf_disable_vf.patch
(git-fixes CVE-2021-47201 bsc#1222792).
- Update
patches.suse/net-mlx5-Update-error-handler-for-UCTX-and-UMEM.patch
(git-fixes CVE-2021-47212 bsc#1222709).
- Update
patches.suse/scsi-lpfc-Fix-list_add-corruption-in-lpfc_drain_txq.patch
(bsc#1190576 CVE-2021-47203 bsc#1222881).
- Update
patches.suse/scsi-lpfc-Fix-use-after-free-in-lpfc_unreg_rpi-routi.patch
(bsc#1192145 CVE-2021-47198 bsc#1222883).
- Update
patches.suse/tty-tty_buffer-Fix-the-softlockup-issue-in-flush_to_.patch
(git-fixes CVE-2021-47185 bsc#1222669).
- Update
patches.suse/usb-host-ohci-tmio-check-return-value-after-calling-.patch
(git-fixes CVE-2021-47206 bsc#1222894).
- commit 8d3f18a
- Update
patches.suse/aoe-fix-the-potential-use-after-free-problem-in-aoec.patch
(bsc#1218562 CVE-2023-6270 CVE-2024-26898 bsc#1223016).
- commit 8d6a724
- Update patches.suse/scsi-advansys-Fix-kernel-pointer-leak.patch
(git-fixes CVE-2021-47216 bsc#1222876).
- commit 1856476
- wifi: iwlwifi: fix a memory corruption (CVE-2024-26610
bsc#1221299).
- commit cceba2c
- Update patches.suse/arp-Prevent-overflow-in-arp_req_get.patch
- fix build warning
- commit d969104
- ceph: prevent use-after-free in encode_cap_msg() (CVE-2024-26689
bsc#1222503).
- commit c431df1
- Update patches.suse/thermal-Fix-NULL-pointer-dereferences-in-of_thermal_.patch (git-fixes CVE-2021-47202 bsc#1222878)
- commit 94c254a
- nvme-tcp: can't set sk_user_data without write_lock
(CVE-2021-47041 bsc#1220755).
- commit c3bc01a
- nvme-loop: fix memory leak in nvme_loop_create_ctrl()
(CVE-2021-47074 bsc#1220854).
- nvme-loop: don't put ctrl on nvme_init_ctrl error
(CVE-2021-47074 bsc#1220854).
- commit 8101361
- nvmet-tcp: fix incorrect locking in state_change sk callback
(CVE-2021-47041 bsc#1220755).
- commit ee0c72d
- RDMA/srpt: Support specifying the srpt_service_guid parameter (bsc#1222449 CVE-2024-26744)
- commit 12241af
- Refresh
patches.suse/bpf-sockmap-Prevent-lock-inversion-deadlock-in-map-d.patch.
- commit ea3cbb2
- Update patches.suse/bpf-Fix-integer-overflow-involving-bucket_size.patch
Fix CVE reference format.
- commit 86e8797
- Update
patches.suse/btrfs-fix-memory-ordering-between-normal-and-ordered-work-functions.patch
(git-fixes CVE-2021-47189 bsc#1222706).
- commit ed3e4bc
- Update
patches.suse/tty-tty_buffer-Fix-the-softlockup-issue-in-flush_to_.patch
(git-fixes CVE-2021-47185).
- commit 972d0f6
- Update
patches.suse/scsi-lpfc-Fix-link-down-processing-to-address-NULL-p.patch
(bsc#1192145 CVE-2021-47183 bsc#1222664).
- commit add99e0
- Update
patches.suse/usb-musb-tusb6010-check-return-value-after-calling-p.patch
(git-fixes CVE-2021-47181 bsc#1222660).
- commit 87eb148
- tty: n_gsm: require CAP_NET_ADMIN to attach N_GSM0710 ldisc
(bsc#1222619).
- commit 7db5139
- arp: Prevent overflow in arp_req_get() (CVE-2024-26733
bsc#1222585).
- commit 0a4c958
- net/sched: act_mirred: don't override retval if we already
lost the skb (CVE-2024-26733 bsc#1222585).
- commit cc1339b
- ext4: fix double-free of blocks due to wrong extents moved_len
(bsc#1222422 CVE-2024-26704).
- commit d1a6e8f
- fs,hugetlb: fix NULL pointer dereference in hugetlbs_fill_super
(bsc#1219264).
- commit bc51f7b
- nfsd: Fix error cleanup path in nfsd_rename() (bsc#1221044
CVE-2023-52591).
- commit 24c2d2e
- Update
patches.suse/nvme-fc-Prevent-null-pointer-dereference-in-nvme_fc_.patch
(bsc#1214842 CVE-2023-52508 bsc#1221015).
- Update
patches.suse/x86-srso-fix-sbpb-enablement-for-spec_rstack_overflow-off.patch
(git-fixes CVE-2023-52575 bsc#1220871).
- commit 61a8300
- Update
patches.suse/Bluetooth-avoid-deadlock-between-hci_dev-lock-and-so.patch
(git-fixes CVE-2021-47038 bsc#1220753).
- Update
patches.suse/Input-elantech-fix-stack-out-of-bound-access-in-elan.patch
(git-fixes CVE-2021-47097 bsc#1220982).
- Update
patches.suse/KEYS-trusted-Fix-TPM-reservation-for-seal-unseal.patch
(git-fixes CVE-2021-46922 bsc#1220475).
- Update
patches.suse/KEYS-trusted-Fix-memory-leak-on-object-td.patch
(git-fixes CVE-2021-47009 bsc#1220733).
- Update
patches.suse/RDMA-rtrs-clt-destroy-sysfs-after-removing-session-f.patch
(jsc#SLE-15176 CVE-2021-47026 bsc#1220685).
- Update
patches.suse/asix-fix-uninit-value-in-asix_mdio_read.patch
(git-fixes CVE-2021-47101 bsc#1220987).
- Update
patches.suse/ath10k-Fix-a-use-after-free-in-ath10k_htc_send_bundl.patch
(git-fixes CVE-2021-47017 bsc#1220678).
- Update patches.suse/ch_ktls-Fix-kernel-panic.patch
(jsc#SLE-15131 CVE-2021-46911 bsc#1220400).
- Update
patches.suse/dmaengine-idxd-Fix-clobbering-of-SWERR-overflow-bit-.patch
(git-fixes CVE-2021-46920 bsc#1220426).
- Update
patches.suse/dmaengine-idxd-Fix-potential-null-dereference-on-poi.patch
(git-fixes CVE-2021-47003 bsc#1220677).
- Update
patches.suse/dmaengine-idxd-clear-MSIX-permission-entry-on-shutdo.patch
(git-fixes CVE-2021-46918 bsc#1220429).
- Update
patches.suse/dmaengine-idxd-fix-wq-cleanup-of-WQCFG-registers.patch
(git-fixes CVE-2021-46917 bsc#1220432).
- Update
patches.suse/dmaengine-idxd-fix-wq-size-store-permission-state.patch
(git-fixes CVE-2021-46919 bsc#1220414).
- Update
patches.suse/drm-amd-display-Fix-off-by-one-in-hdmi_14_process_tr.patch
(git-fixes CVE-2021-47046 bsc#1220758).
- Update patches.suse/drm-i915-Fix-crash-in-auto_retire.patch
(git-fixes CVE-2021-46976 bsc#1220621).
- Update
patches.suse/iommu-vt-d-remove-wo-permissions-on-second-level-paging-entries
(bsc#1187346 CVE-2021-47035 bsc#1220688).
- Update
patches.suse/ipmi-Fix-UAF-when-uninstall-ipmi_si-and-ipmi_msghand.patch
(git-fixes CVE-2021-47100 bsc#1220985).
- Update
patches.suse/ipmi-ssif-initialize-ssif_info-client-early.patch
(git-fixes CVE-2021-47095 bsc#1220979).
- Update
patches.suse/ixgbe-fix-unbalanced-device-enable-disable-in-suspen.patch
(jsc#SLE-13706 CVE-2021-46914 bsc#1220465).
- Update patches.suse/net-dsa-mt7530-fix-VLAN-traffic-leaks.patch
(git-fixes CVE-2021-47160 bsc#1221974).
- Update
patches.suse/net-fec-fix-the-potential-memory-leak-in-fec_enet_in.patch
(git-fixes CVE-2021-47150 bsc#1221973).
- Update
patches.suse/net-lantiq-fix-memory-corruption-in-RX-ring.patch
(git-fixes CVE-2021-47137 bsc#1221932).
- Update
patches.suse/net-mlx5e-Fix-null-deref-accessing-lag-dev.patch
(jsc#SLE-15172 CVE-2021-47164 bsc#1221978).
- Update
patches.suse/net-mlx5e-Wrap-the-tx-reporter-dump-callback-to-extr.patch
(jsc#SLE-15172 CVE-2021-46931 bsc#1220486).
- Update
patches.suse/net-sched-act_ct-fix-wild-memory-access-when-clearin.patch
(bsc#1176447 CVE-2021-47014 bsc#1220630).
- Update
patches.suse/net-sched-fq_pie-fix-OOB-access-in-the-traffic-path.patch
(jsc#SLE-15172 CVE-2021-47175 bsc#1222003).
- Update
patches.suse/netfilter-nft_set_pipapo_avx2-Add-irq_fpu_usable-che.patch
(bsc#1176447 CVE-2021-47174 bsc#1221990).
- Update patches.suse/nvmet-fix-freeing-unallocated-p2pmem.patch
(git-fixes CVE-2021-47130 bsc#1221552).
- Update
patches.suse/nvmet-rdma-Fix-NULL-deref-when-SEND-is-completed-wit.patch
(git-fixes CVE-2021-46983 bsc#1220639).
- Update patches.suse/s390-dasd-add-missing-discipline-function
(bsc#1188130 ltc#193581 CVE-2021-47176 bsc331221996
bsc#1221996).
- Update
patches.suse/s390-zcrypt-fix-zcard-and-zqueue-hot-unplug-memleak
(git-fixes CVE-2021-46968 bsc#1220689).
- Update
patches.suse/sched-fair-Fix-shift-out-of-bounds-in-load_balance.patch
(git fixes (sched) CVE-2021-47044 bsc#1220759).
- Update
patches.suse/spi-Fix-use-after-free-with-devm_spi_alloc_.patch
(git-fixes CVE-2021-46959 bsc#1220734).
- Update patches.suse/tee-optee-Fix-incorrect-page-free-bug.patch
(git-fixes CVE-2021-47087 bsc#1220954).
- Update
patches.suse/usb-gadget-f_fs-Clear-ffs_eventfd-in-ffs_data_clear.patch
(git-fixes CVE-2021-46933 bsc#1220487).
- Update
patches.suse/usb-typec-ucsi-Retrieve-all-the-PDOs-instead-of-just.patch
(git-fixes CVE-2021-46980 bsc#1220663).
- Update
patches.suse/virtiofs-fix-memory-leak-in-virtio_fs_probe.patch
(bsc#1185558 CVE-2021-46956 bsc#1220516).
- Update patches.suse/xprtrdma-Fix-cwnd-update-ordering.patch
(git-fixes CVE-2021-47001 bsc#1220670).
- commit d6fc0df
- Update
patches.suse/i2c-imx-fix-reference-leak-when-pm_runtime_get_sync-.patch
(git-fixes CVE-2020-36781 bsc#1220557).
- commit c903cb8
- Update
patches.suse/netfilter-nftables-exthdr-fix-4-byte-stack-OOB-write.patch
(CVE-2023-4881 bsc#1215221 CVE-2023-52628 bsc#1222117).
- Update
patches.suse/scsi-pm80xx-Avoid-leaking-tags-when-processing-OPC_INB_SET_CONTROLLER_CONFIG-command.patch
(bsc#1220883 CVE-2023-52500).
- commit 81ec1ab
- scsi: pm80xx: Avoid leaking tags when processing
OPC_INB_SET_CONTROLLER_CONFIG command (bsc#1220883
cve-2023-52500).
- commit a52992b
- Fixup NULL ptr dereference due to mistake in backporting in
patches.suse/ext2-Avoid-reading-renamed-directory-if-parent-does-.patch.
- commit f07130b
- bpf, sockmap: Prevent lock inversion deadlock in map delete elem
(bsc#1209657 CVE-2023-0160).
- commit 299921b
- blacklist.conf: omit reverted sockmap deadlock fix
- commit 66facc4
- netfilter: nf_tables: disallow anonymous set with timeout flag
(CVE-2024-26642 bsc#1221830).
- commit ca89796
- netfilter: ctnetlink: fix possible refcount leak in
ctnetlink_create_conntrack() (CVE-2023-7192 bsc#1218479).
- commit c40a2c4
- README.BRANCH: Remove copy of branch name
- commit 27396e8
- README.BRANCH: Remove copy of branch name
- commit 757f48f
- Update
patches.suse/net-zero-initialize-tc-skb-extension-on-allocation.patch
(bsc#1176447 CVE-2021-47136 bsc#1221931).
- commit adea53b
- ipv6: init the accept_queue's spinlocks in inet6_create
(bsc#1221293 CVE-2024-26614).
- commit 0cf80b2
- tcp: make sure init the accept_queue's spinlocks once
(bsc#1221293 CVE-2024-26614).
- commit d27abbc
- userfaultfd: release page in error path to avoid BUG_ON
(CVE-2021-46988 bsc#1220706).
- commit 37b27a1
- powerpc/mm: Fix null-pointer dereference in pgtable_cache_add
(CVE-2023-52607 bsc#1221061).
- commit 37ce65f
- perf/core: Fix unconditional security_locked_down() call
(bsc#1220697, CVE-2021-46971).
- commit b2c4fe7
- Update
patches.suse/cifs-Fix-UAF-in-cifs_demultiplex_thread-.patch
(bsc#1208995 CVE-2023-1192 CVE-2023-52572 bsc#1220946).
- Update
patches.suse/nvmet-tcp-Fix-a-kernel-panic-when-host-sends-an-inva.patch
(bsc#1217987 bsc#1217988 bsc#1217989 CVE-2023-6535 CVE-2023-6536
CVE-2023-6356 CVE-2023-52454 bsc#1220320).
- Update
patches.suse/ocfs2-Avoid-touching-renamed-directory-if-parent-doe.patch
(bsc#1221044 CVE-2023-52591 CVE-2023-52590 bsc#1221088).
- Update
patches.suse/ravb-Fix-use-after-free-issue-in-ravb_tx_timeout_wor.patch
(bsc#1212514 CVE-2023-35827 CVE-2023-52509 bsc#1220836).
- Update
patches.suse/usb-hub-Guard-against-accesses-to-uninitialized-BOS-.patch
(git-fixes CVE-2023-52477 bsc#1220790).
- commit 807fa36
- Update patches.suse/0001-mmc-moxart_remove-Fix-UAF.patch
(bsc#1194516 CVE-2022-0487 CVE-2022-48626 bsc#1220366).
- commit 32e1ae4
- Update
patches.suse/0005-dm-rq-fix-double-free-of-blk_mq_tag_set-in-dev-remov.patch
(git-fixes CVE-2021-46938 bsc#1220554).
- Update
patches.suse/0005-drm-bridge-panel-Cleanup-connector-on-bridge-detach.patch
(bsc#1152489 CVE-2021-47063 bsc#1220777).
- Update
patches.suse/0006-nbd-Fix-NULL-pointer-in-flush_workqueue.patch
(git-fixes CVE-2021-46981 bsc#1220611).
- Update
patches.suse/ARM-9064-1-hw_breakpoint-Do-not-directly-check-the-event-s-overflow_handler-hook.patch
(git-fixes CVE-2021-47006 bsc#1220751).
- Update
patches.suse/ARM-footbridge-fix-PCI-interrupt-mapping.patch
(git-fixes CVE-2021-46909 bsc#1220442).
- Update
patches.suse/HID-magicmouse-fix-NULL-deref-on-disconnect.patch
(git-fixes CVE-2021-47120 bsc#1221606).
- Update
patches.suse/KVM-Destroy-I-O-bus-devices-on-unregister-failure-_a.patch
(bsc#git-fixes CVE-2021-47061 bsc#1220745).
- Update
patches.suse/NFC-nci-fix-memory-leak-in-nci_allocate_device.patch
(git-fixes CVE-2021-47180 bsc#1221999).
- Update
patches.suse/NFS-Don-t-corrupt-the-value-of-pg_bytes_written-in-n.patch
(git-fixes CVE-2021-47166 bsc#1221998).
- Update
patches.suse/NFS-Fix-an-Oopsable-condition-in-__nfs_pageio_add_re.patch
(git-fixes CVE-2021-47167 bsc#1221991).
- Update
patches.suse/NFS-fix-an-incorrect-limit-in-filelayout_decode_layo.patch
(git-fixes CVE-2021-47168 bsc#1222002).
- Update
patches.suse/NFSv4-Fix-a-NULL-pointer-dereference-in-pnfs_mark_ma.patch
(git-fixes CVE-2021-47179 bsc#1222001).
- Update
patches.suse/USB-usbfs-Don-t-WARN-about-excessively-large-memory-.patch
(git-fixes CVE-2021-47170 bsc#1222004).
- Update
patches.suse/bnxt_en-Fix-RX-consumer-index-logic-in-the-error-pat.patch
(git-fixes CVE-2021-47015 bsc#1220794).
- Update
patches.suse/btrfs-fix-race-between-transaction-aborts-and-fsyncs.patch
(bsc#1186441 CVE-2021-46958 bsc#1220521).
- Update
patches.suse/ceph-fix-inode-leak-on-getattr-error-in-_fh_to_dentry.patch
(bsc#1186501 CVE-2021-47000 bsc#1220669).
- Update
patches.suse/cifs-Return-correct-error-code-from-smb2_get_enc_key.patch
(git-fixes CVE-2021-46960 bsc#1220528).
- Update
patches.suse/crypto-qat-ADF_STATUS_PF_RUNNING-should-be-set-after.patch
(git-fixes CVE-2021-47056 bsc#1220769).
- Update
patches.suse/cxgb4-avoid-accessing-registers-when-clearing-filter.patch
(git-fixes CVE-2021-47138 bsc#1221934).
- Update patches.suse/drm-amd-amdgpu-fix-refcount-leak.patch
(git-fixes CVE-2021-47144 bsc#1221989).
- Update patches.suse/drm-amdgpu-Fix-a-use-after-free.patch
(git-fixes CVE-2021-47142 bsc#1221952).
- Update
patches.suse/drm-meson-fix-shutdown-crash-when-component-not-prob.patch
(git-fixes CVE-2021-47165 bsc#1221965).
- Update
patches.suse/ethernet-enic-Fix-a-use-after-free-bug-in-enic_hard_.patch
(git-fixes CVE-2021-46998 bsc#1220625).
- Update
patches.suse/ext4-fix-bug-on-in-ext4_es_cache_extent-as-ext4_spli.patch
(bsc#1187408 CVE-2021-47117 bsc#1221575).
- Update
patches.suse/ext4-fix-memory-leak-in-ext4_fill_super.patch
(bsc#1187409 CVE-2021-47119 bsc#1221608).
- Update
patches.suse/gve-Add-NULL-pointer-checks-when-freeing-irqs.patch
(git-fixes CVE-2021-47141 bsc#1221949).
- Update
patches.suse/i2c-i801-Don-t-generate-an-interrupt-on-bus-reset.patch
(git-fixes CVE-2021-47153 bsc#1221969).
- Update
patches.suse/i40e-Fix-use-after-free-in-i40e_client_subtask.patch
(git-fixes CVE-2021-46991 bsc#1220575).
- Update
patches.suse/iio-adc-ad7124-Fix-potential-overflow-due-to-non-seq.patch
(git-fixes CVE-2021-47172 bsc#1221992).
- Update patches.suse/iommu-vt-d-fix-sysfs-leak-in-alloc_iommu
(bsc#1189218 CVE-2021-47177 bsc#1221997).
- Update
patches.suse/ipc-mqueue-msg-sem-Avoid-relying-on-a-stack-reference.patch
(bsc#1185988 bsc1220826 CVE-2021-47069 bsc#1220826).
- Update
patches.suse/kyber-fix-out-of-bounds-access-when-preempted.patch
(bsc#1187403 CVE-2021-46984 bsc#1220631).
- Update
patches.suse/locking-qrwlock-Fix-ordering-in-queued_write_lock_sl.patch
(bsc#1185041 CVE-2021-46921 bsc#1220468).
- Update
patches.suse/md-raid1-properly-indicate-failure-when-ending-a-fai.patch
(bsc#1185680 CVE-2021-46950 bsc#1220662).
- Update
patches.suse/media-staging-intel-ipu3-Fix-memory-leak-in-imu_fmt.patch
(git-fixes CVE-2021-46944 bsc#1220566).
- Update
patches.suse/media-staging-intel-ipu3-Fix-set_fmt-error-handling.patch
(git-fixes CVE-2021-46943 bsc#1220583).
- Update
patches.suse/misc-uss720-fix-memory-leak-in-uss720_probe.patch
(git-fixes CVE-2021-47173 bsc#1221993).
- Update
patches.suse/mmc-uniphier-sd-Fix-a-resource-leak-in-the-remove-fu.patch
(git-fixes CVE-2021-46962 bsc#1220532).
- Update
patches.suse/msft-hv-2305-Drivers-hv-vmbus-Use-after-free-in-__vmbus_open.patch
(git-fixes CVE-2021-47049 bsc#1220692).
- Update
patches.suse/msft-hv-2316-uio_hv_generic-Fix-a-memory-leak-in-error-handling-p.patch
(git-fixes CVE-2021-47071 bsc#1220846).
- Update
patches.suse/msft-hv-2317-uio_hv_generic-Fix-another-memory-leak-in-error-hand.patch
(git-fixes CVE-2021-47070 bsc#1220829).
- Update
patches.suse/mtd-require-write-permissions-for-locking-and-badblo.patch
(git-fixes CVE-2021-47055 bsc#1220768).
- Update
patches.suse/net-hns3-put-off-calling-register_netdev-until-clien.patch
(bsc#1154353 CVE-2021-47139 bsc#1221935).
- Update
patches.suse/net-nfc-fix-use-after-free-llcp_sock_bind-connect.patch
(CVE-2021-23134 bsc#1186060 CVE-2021-47068 bsc#1220739).
- Update
patches.suse/net-usb-fix-memory-leak-in-smsc75xx_bind.patch
(git-fixes CVE-2021-47171 bsc#1221994).
- Update
patches.suse/netfilter-nftables-avoid-overflows-in-nft_hash_bucke.patch
(CVE-2021-47013 bsc#1220641 CVE-2021-46992 bsc#1220638).
- Update patches.suse/ocfs2-fix-data-corruption-by-fallocate.patch
(bsc#1187412 CVE-2021-47114 bsc#1221548).
- Update
patches.suse/pid-take-a-reference-when-initializing-cad_pid.patch
(bsc#1152489 CVE-2021-47118 bsc#1221605).
- Update
patches.suse/platform-x86-dell-smbios-wmi-Fix-oops-on-rmmod-dell_.patch
(git-fixes CVE-2021-47073 bsc#1220850).
- Update
patches.suse/powerpc-64s-Fix-crashes-when-toggling-entry-flush-ba.patch
(bsc#1177666 git-fixes bsc#1186460 ltc#192531 CVE-2021-46990
bsc#1220743).
- Update
patches.suse/powerpc-64s-Fix-pte-update-for-kernel-memory-on-radi.patch
(bsc#1055117 git-fixes CVE-2021-47034 bsc#1220687).
- Update
patches.suse/regmap-set-debugfs_name-to-NULL-after-it-is-freed.patch
(git-fixes CVE-2021-47058 bsc#1220779).
- Update
patches.suse/rtw88-Fix-array-overrun-in-rtw_get_tx_power_params.patch
(git-fixes CVE-2021-47065 bsc#1220749).
- Update
patches.suse/scsi-lpfc-Fix-null-pointer-dereference-in-lpfc_prep_.patch
(bsc#1182574 CVE-2021-47045 bsc#1220640).
- Update
patches.suse/scsi-qedf-Add-pointer-checks-in-qedf_update_link_speed
(git-fixes CVE-2021-47077 bsc#1220861).
- Update
patches.suse/scsi-qla2xxx-Fix-crash-in-qla2xxx_mqueuecommand.patch
(bsc#1185491 CVE-2021-46963 bsc#1220536).
- Update
patches.suse/serial-rp2-use-request_firmware-instead-of-request_f.patch
(git-fixes CVE-2021-47169 bsc#1222000).
- Update
patches.suse/soundwire-stream-fix-memory-leak-in-stream-config-er.patch
(git-fixes CVE-2021-47020 bsc#1220785).
- Update
patches.suse/spi-fsl-lpspi-Fix-PM-reference-leak-in-lpspi_prepare.patch
(git-fixes CVE-2021-47051 bsc#1220764).
- Update
patches.suse/spi-spi-fsl-dspi-Fix-a-resource-leak-in-an-error-han.patch
(git-fixes CVE-2021-47161 bsc#1221966).
- Update
patches.suse/tpm-efi-Use-local-variable-for-calculating-final-log.patch
(git-fixes CVE-2021-46951 bsc#1220615).
- Update
patches.suse/tracing-Restructure-trace_clock_global-to-never-block.patch
(git-fixes CVE-2021-46939 bsc#1220580).
- Update
patches.suse/tun-avoid-double-free-in-tun_free_netdev.patch
(bsc#1209635 CVE-2022-4744 CVE-2021-47082 bsc#1220969).
- Update
patches.suse/x86-kvm-Disable-kvmclock-on-all-CPUs-on-shutdown.patch
(bsc#1185308 CVE-2021-47110 bsc#1221532).
- Update
patches.suse/x86-kvm-Teardown-PV-features-on-boot-CPU-as-well.patch
(bsc#1185308 CVE-2021-47112 bsc#1221541).
- commit 563b877
- Update
patches.suse/i2c-img-scb-fix-reference-leak-when-pm_runtime_get_s.patch
(git-fixes CVE-2020-36783 bsc#1220561).
- Update
patches.suse/i2c-imx-lpi2c-fix-reference-leak-when-pm_runtime_get.patch
(git-fixes CVE-2020-36782 bsc#1220560).
- Update
patches.suse/i2c-sprd-fix-reference-leak-when-pm_runtime_get_sync.patch
(git-fixes CVE-2020-36780 bsc#1220556).
- commit 33b0d9d
- IB/hfi1: Fix bugs with non-PAGE_SIZE-end multi-iovec user SDMA requests (bsc#1220445 CVE-2023-52474)
- commit bdb2e0c
- Update patches.suse/s390-dasd-add-missing-discipline-function
(bsc#1188130 ltc#193581 CVE-2021-47176 bsc331221996).
- commit d918596
- wifi: ath10k: fix NULL pointer dereference in
ath10k_wmi_tlv_op_pull_mgmt_tx_compl_ev() (bsc#1218336
CVE-2023-7042).
- commit 22d99d7
- dmaengine: fix NULL pointer in channel unregistration function (bsc#1221276 CVE-2023-52492)
- commit b24663f
- Bluetooth: rfcomm: Fix null-ptr-deref in rfcomm_check_security
(bsc#1219170 CVE-2024-22099).
- commit b8c2f38
- aoe: fix the potential use-after-free problem in aoecmd_cfg_pkts
(bsc#1218562 CVE-2023-6270).
- commit 0e87477
- fs: no need to check source (bsc#1221044 CVE-2023-52591).
- commit df2f811
- rename(): avoid a deadlock in the case of parents having no
common ancestor (bsc#1221044 CVE-2023-52591).
- commit faa6432
- kill lock_two_inodes() (bsc#1221044 CVE-2023-52591).
- commit d6f6371
- rename(): fix the locking of subdirectories (bsc#1221044
CVE-2023-52591).
- commit 063df0d
- f2fs: Avoid reading renamed directory if parent does not change
(bsc#1221044 CVE-2023-52591).
- commit 4dfa62d
- ext4: don't access the source subdirectory content on
same-directory rename (bsc#1221044 CVE-2023-52591).
- commit 80ff66b
- ext2: Avoid reading renamed directory if parent does not change
(bsc#1221044 CVE-2023-52591).
- commit 03d3930
- udf_rename(): only access the child content on cross-directory
rename (bsc#1221044 CVE-2023-52591).
- commit 4bff17c
- ocfs2: Avoid touching renamed directory if parent does not
change (bsc#1221044 CVE-2023-52591).
- commit 74fc5ec
- reiserfs: Avoid touching renamed directory if parent does not
change (git-fixes bsc#1221044 CVE-2023-52591).
Refresh patches.suse/reiserfs-add-check-to-detect-corrupted-directory-entry.patch
Refresh patches.suse/reiserfs-don-t-panic-on-bad-directory-entries.patch
- commit f392df9
- fs: don't assume arguments are non-NULL (bsc#1221044
CVE-2023-52591).
- commit a11eadd
- fs: Restrict lock_two_nondirectories() to non-directory inodes
(bsc#1221044 CVE-2023-52591).
- commit 6ad8632
- fs: ocfs2: check status values (bsc#1221044 CVE-2023-52591).
- commit 696c231
- fs: Lock moved directories (bsc#1221044 CVE-2023-52591).
- commit c14fbaa
- fs: Establish locking order for unrelated directories
(bsc#1221044 CVE-2023-52591).
- commit b424ded
- fs: introduce lock_rename_child() helper (bsc#1221044
CVE-2023-52591).
- commit 02e4cc0
- dm: rearrange core declarations for extended use from dm-zone.c
(bsc#1221113).
- Refresh
patches.kabi/kABI-dm-fix-deadlock-when-swapping-to-encrypted-device.patch.
- commit 741eac7
- perf/x86/lbr: Filter vsyscall addresses (bsc#1220703,
CVE-2023-52476).
- commit c46d003
- dm rq: don't queue request to blk-mq during DM suspend
(bsc#1221113).
- commit b77fc22
- neighbour: allow NUD_NOARP entries to be forced GCed
(bsc#1221534 CVE-2021-47109).
- commit d36f6ec
- net/sched: Add module alias for sch_fq_pie (bsc#1210335 CVE-2023-1829).
- commit d985f7c
- net/sched: Remove alias of sch_clsact (bsc#1210335 CVE-2023-1829).
- net/sched: Load modules via their alias (bsc#1210335 CVE-2023-1829).
- net/sched: Add module aliases for cls_,sch_,act_ modules
(bsc#1210335 CVE-2023-1829).
- net/sched: Add helper macros with module names (bsc#1210335 CVE-2023-1829).
- commit 6a5afc3
- x86/mmio: Disable KVM mitigation when X86_FEATURE_CLEAR_CPU_BUF is set (bsc#1213456 CVE-2023-28746).
- commit 15a7f43
- Sort already upstream patches
- Refresh
patches.suse/Documentation-hw-vuln-Add-documentation-for-RFDS.patch.
- Refresh
patches.suse/KVM-VMX-Move-VERW-closer-to-VMentry-for-MDS-mitigation.patch.
- Refresh
patches.suse/KVM-VMX-Use-BT-JNC-i.e.-EFLAGS.CF-to-select-VMRESUME-vs.-V.patch.
- Refresh
patches.suse/KVM-x86-Export-RFDS_NO-and-RFDS_CLEAR-to-guests.patch.
- Refresh
patches.suse/x86-bugs-Add-asm-helpers-for-executing-VERW.patch.
- Refresh
patches.suse/x86-bugs-Use-ALTERNATIVE-instead-of-mds_user_clear-static-.patch.
- Refresh
patches.suse/x86-entry_32-Add-VERW-just-before-userspace-transition.patch.
- Refresh
patches.suse/x86-entry_64-Add-VERW-just-before-userspace-transition.patch.
- Refresh
patches.suse/x86-rfds-Mitigate-Register-File-Data-Sampling-RFDS.patch.
- commit 851bcbe
- perf/core: Fix unconditional security_locked_down() call
(bsc#1220697, CVE-2021-46971).
- commit 0b7f805
- io_uring/af_unix: disable sending io_uring over sockets
(bsc#1220754 CVE-2023-6531).
- commit a0d28a2
- usb: mtu3: fix list_head check warning (bsc#1220484
CVE-2021-46930).
- commit b548734
- Refresh patches.kabi/team-Hide-new-member-header-ops.patch.
Fix for kABI workaround.
- commit ff68767
- ceph: fix deadlock or deadcode of misusing dget() (bsc#1221058
CVE-2023-52583).
- commit 5c7a950
- usb: hub: Guard against accesses to uninitialized BOS
descriptors (git-fixes).
Altered because 5.3 does not do SSP
- commit 6d423f3
- Update
patches.suse/scsi-qla2xxx-Fix-SRB-leak-on-switch-command-timeout.patch
added CVE reference to: (jsc#SLE-9714 jsc#SLE-10327 jsc#SLE-10334
bnc#1151927 5.3.17 cve-2021-46963).
- commit bac1eb3
- Update reference of bpf-Use-correct-permission-flag-for-mixed-signed-bou.patch
(bsc#1184942 bsc#1220425 CVE-2021-29155 CVE-2021-46908).
- commit 787c408
- drm/radeon: check the alloc_workqueue return value in radeon_crtc_init() (bsc#1220413 CVE-2023-52470).
- commit d61356a
- drivers/amd/pm: fix a use-after-free in kv_parse_power_table (bsc#1220411 CVE-2023-52469).
- commit 10972e5
- irqchip/gic-v3: Do not enable irqs when handling spurious interrups (bsc#1220529,CVE-2021-46961)
- commit 83fe0b1
- group-source-files.pl: Quote filenames (boo#1221077).
The kernel source now contains a file with a space in the name.
Add quotes in group-source-files.pl to avoid splitting the filename.
Also use -print0 / -0 when updating timestamps.
- commit a005e42
- phy: ti: phy-omap-usb2: Fix NULL pointer dereference for SRP (bsc#1220340,CVE-2024-26600)
- commit c4890bf
- mm: fix gup_pud_range (bsc#1220824).
- commit d0caaa5
- RDMA/rxe: Clear all QP fields if creation failed (bsc#1220863 CVE-2021-47078)
- commit 23bba26
- RDMA/rxe: Return CQE error if invalid lkey was supplied (bsc#1220860 CVE-2021-47076)
- commit 1171085
- ACPI: extlog: fix NULL pointer dereference check (bsc#1221039
CVE-2023-52605).
- commit a37794c
- Update
patches.suse/net-hso-fix-NULL-deref-on-disconnect-regression.patch
(bsc#1220416 bsc#1220418 CVE-2021-46904 CVE-2021-46905).
Added second CVE reference
- commit 6b7d257
- Update
patches.suse/net-hso-fix-NULL-deref-on-disconnect-regression.patch
(bsc#1220416 CVE-2021-46904).
- Update
patches.suse/net-hso-fix-null-ptr-deref-during-tty-device-unregis.patch
(bsc#1220416 CVE-2021-46904).
Added CVE references
- commit ce2a61e
- kernel-binary: Fix i386 build
Fixes: 89eaf4cdce05 ("rpm templates: Move macro definitions below buildrequires")
- commit f7c6351
- KVM: x86: Export RFDS_NO and RFDS_CLEAR to guests (bsc#1213456 CVE-2023-28746).
- commit d0c95ff
- x86/rfds: Mitigate Register File Data Sampling (RFDS) (bsc#1213456 CVE-2023-28746).
- commit 7725a96
- net: nfc: fix races in nfc_llcp_sock_get() and
nfc_llcp_sock_get_sn() (CVE-2023-52502 bsc#1220831).
- commit 3983469
- btrfs: remove BUG() after failure to insert delayed dir index
item (bsc#1220918 CVE-2023-52569).
- commit ff844fd
- btrfs: improve error message after failure to add delayed dir
index item (bsc#1220918 CVE-2023-52569).
- commit f310611
- Documentation/hw-vuln: Add documentation for RFDS (bsc#1213456 CVE-2023-28746).
- commit bff3e02
- x86/srso: Add SRSO mitigation for Hygon processors (bsc#1220735
CVE-2023-52482).
- commit 1f25b34
- KVM: s390: fix setting of fpc register (bsc#1221040
CVE-2023-52597).
- commit 8155006
- vt: fix memory overlapping when deleting chars in the buffer
(bsc#1220845 CVE-2022-48627).
- commit b8e8505
- kernel-binary: vdso: fix filelist for non-usrmerged kernel
Fixes: a6ad8af207e6 ("rpm templates: Always define usrmerged")
- commit fb3f221
- kabi: team: Hide new member header_ops (bsc#1220870
CVE-2023-52574).
- commit 04e32d4
- i2c: validate user data in compat ioctl (git-fixes bsc#1220469
CVE-2021-46934).
- commit 554cd35
- ravb: Fix use-after-free issue in ravb_tx_timeout_work()
(bsc#1212514 CVE-2023-35827).
- net: mana: Fix TX CQE error handling (bsc#1220932
CVE-2023-52532).
- team: fix null-ptr-deref when team device type is changed
(bsc#1220870 CVE-2023-52574).
- commit 5631a0c
- Update reference of bpf-Fix-masking-negation-logic-upon-negative-dst-reg.patch
(bsc#1155518 bsc#1220700 CVE-2021-46974).
- commit 5f6c988
- wifi: mac80211: fix potential key use-after-free (CVE-2023-52530
bsc#1220930).
- wifi: iwlwifi: mvm: Fix a memory corruption issue
(CVE-2023-52531 bsc#1220931).
- commit 7072ac0
- pinctrl: mediatek: fix global-out-of-bounds issue
(CVE-2021-47083 bsc#1220917).
- commit f54296c
- drm/bridge: sii902x: Fix probing race issue (bsc#1220736 CVE-2024-26607).
- commit 470c611
- KVM: Destroy target device if coalesced MMIO unregistration
fails (git-fixes).
- commit c99d976
- KVM: mmio: Fix use-after-free Read in
kvm_vm_ioctl_unregister_coalesced_mmio (git-fixes).
- commit f7f8d3b
- bpf: Reject variable offset alu on PTR_TO_FLOW_KEYS (bsc#1220255
CVE-2024-26589).
- commit 84782c1
- PCI: endpoint: Fix NULL pointer dereference for ->get_features()
(bsc#1220660 CVE-2021-47005).
- commit 4cda383
- tls: fix race between tx work scheduling and socket close
(CVE-2024-26585 bsc#1220187).
- commit 7207999
- kabi: restore return type of dst_ops::gc() callback
(CVE-2023-52340 bsc#1219295).
- ipv6: remove max_size check inline with ipv4 (CVE-2023-52340
bsc#1219295).
- commit 077e12d
- netfilter: nf_tables: fix 64-bit load issue in
nft_byteorder_eval() (CVE-2024-0607 bsc#1218915).
- netfilter: nf_tables: fix pointer math issue in
nft_byteorder_eval() (CVE-2024-0607 bsc#1218915).
- commit b02bdeb
- netfilter: nf_tables: fix 64-bit load issue in
nft_byteorder_eval() (CVE-2024-0607 bsc#1218915).
- netfilter: nf_tables: fix pointer math issue in
nft_byteorder_eval() (CVE-2024-0607 bsc#1218915).
- commit 67cfeec
- Update patches.suse/sctp-use-call_rcu-to-free-endpoint.patch
(CVE-2022-20154 CVE-2021-46929 bsc#1200599 bsc#1220482).
- commit 8d1b35f
- Update patches.suse/scsi-qla2xxx-Reserve-extra-IRQ-vectors.patch
(bsc#1184436 bsc#1186286 bsc#1220538 CVE-2021-46964).
- commit e5c6db2
- KVM: Stop looking for coalesced MMIO zones if the bus is
destroyed (bsc#1220742 CVE-2021-47060).
- commit 7287801
- netfilter: nft_set_pipapo: skip inactive elements during set
walk (CVE-2023-6817 bsc#1218195).
- commit ba8530f
- tomoyo: fix UAF write bug in tomoyo_write_control() (bsc#1220825
CVE-2024-26622).
- commit 6d24f8e
- Update
patches.suse/s390-zcrypt-fix-zcard-and-zqueue-hot-unplug-memleak
(git-fixes CVE-2021-46968).
- commit a63feba
- doc/README.SUSE: Update information about module support status
(jsc#PED-5759)
Following the code change in SLE15-SP6 to have externally supported
modules no longer taint the kernel, update the respective documentation
in README.SUSE:
* Describe that support status can be obtained at runtime for each
module from /sys/module/$MODULE/supported and for the entire system
from /sys/kernel/supported. This provides a way to now check that
the kernel has any externally supported modules loaded.
* Remove a mention that externally supported modules taint the kernel,
but keep the information about bit 16 (X) and add a note that it is
still tracked per module and can be read from
/sys/module/$MODULE/taint. This per-module information also appears in
Oopses.
- commit 9ed8107
- powerpc/pseries/memhp: Fix access beyond end of drmem array
(bsc#1220250,CVE-2023-52451).
- commit 9865154
- Input: appletouch - initialize work before device registration
(CVE-2021-46932 bsc#1220444).
- commit 8f106a8
- Update
patches.suse/ipc-mqueue-msg-sem-Avoid-relying-on-a-stack-reference.patch
(bsc#1185988, bsc1220826, CVE-2021-47069).
- commit f01183e
- Update References
patches.suse/ACPI-GTDT-Don-t-corrupt-interrupt-mappings-on-watchd.patch
(git-fixes bsc#1220599 CVE-2021-46953).
- commit 5b10499
- Update References
patches.suse/ACPI-custom_method-fix-potential-use-after-free-issu.patch
(git-fixes bsc#1220572 CVE-2021-46966).
- commit 8eecec3
- efivarfs: force RO when remounting if SetVariable is not
supported (bsc#1220328 CVE-2023-52463).
- commit 0c76724
- RDMA/siw: Fix a use after free in siw_alloc_mr (bsc#1220627
CVE-2021-47012).
- commit 96f4478
- mtd: Fix gluebi NULL pointer dereference caused by ftl notifier
(bsc#1220238 CVE-2023-52449).
- commit d23e49b
- Input: powermate - fix use-after-free in
powermate_config_complete (CVE-2023-52475 bsc#1220649).
- HID: logitech-hidpp: Fix kernel crash on receiver USB disconnect
(CVE-2023-52478 bsc#1220796).
- commit 92ea315
- hfsplus: prevent corruption in shrinking truncate (bsc#1220737
CVE-2021-46989).
- commit cc37c78
- Update patch reference for qcom bus fix (CVE-2021-47054 bsc#1220767)
- commit 024411a
- netfilter: nft_limit: avoid possible divide error in
nft_limit_init (bsc#1220436 CVE-2021-46915).
- commit 291b0ff
- NFC: st21nfca: Fix memory leak in device probe and remove
(CVE-2021-46924 bsc#1220459).
- commit 2b46faa
- Update patch reference for HID fix (CVE-2021-46906 bsc#1220421)
- commit 89e5504
- i2c: Fix a potential use after free (bsc#1220409
CVE-2019-25162).
- commit 6421697
- i2c: cadence: fix reference leak when pm_runtime_get_sync fails
(bsc#1220570 CVE-2020-36784).
- commit 5fa02fa
- KVM: Destroy I/O bus devices on unregister failure _after_
sync'ing SRCU (bsc#git-fixes, CVE-2021-47061).
- commit b2a896d
- Update patch reference for media usb fix (CVE-2020-36777 bsc#1220526)
- commit f0fcd0d
- media: pvrusb2: fix use after free on context disconnection
(CVE-2023-52445 bsc#1220241).
- commit 3f02f88
- nfc: nci: fix possible NULL pointer dereference in
send_acknowledge() (bsc#1219125 CVE-2023-46343).
- commit 9371a32
- uio: Fix use-after-free in uio_open (bsc#1220140
CVE-2023-52439).
- commit 758615f
- apparmor: avoid crash when parsed profile name is empty
(CVE-2023-52443 bsc#1220240).
- commit 9d07817
- sched/membarrier: reduce the ability to hammer on sys_membarrier
(git-fixes, bsc#1220398, CVE-2024-26602).
- commit b645222
- i2c: i801: Fix block process call transactions (bsc#1220009
CVE-2024-26593).
- commit c348c97
- netfilter: nftables: avoid overflows in nft_hash_buckets()
(CVE-2021-47013 bsc#1220641).
- commit f0d286e
- net:emac/emac-mac: Fix a use after free in emac_mac_tx_buf_send
(CVE-2021-47013 bsc#1220641).
- commit 378bb67
- mlxsw: spectrum_acl_tcam: Fix stack corruption (bsc#1220243
CVE-2024-26586).
- mlxsw: spectrum_acl_tcam: Fix NULL pointer dereference in
error path (bsc#1220344 CVE-2024-26595).
- commit 76ed3a3
- EDAC/thunderx: Fix possible out-of-bounds string access (bsc#1220330)
- commit 5f2e003
- gfs2: Fix kernel NULL pointer dereference in gfs2_rgrp_dump
(bsc#1220253 CVE-2023-52448).
- commit a731316
- rpm templates: Always define usrmerged
usrmerged is now defined in kernel-spec-macros and not the distribution.
Only check if it's defined in kernel-spec-macros, not everywhere where
it's used.
- commit a6ad8af
- KVM: x86: work around QEMU issue with synthetic CPUID leaves (git-fixes).
- commit fda6073
- blacklist.conf: Blacklist a clang fix
- commit 6540830
- rpm templates: Move macro definitions below buildrequires
Many of the rpm macros defined in the kernel packages depend directly or
indirectly on script execution. OBS cannot execute scripts which means
values of these macros cannot be used in tags that are required for OBS
to see such as package name, buildrequires or buildarch.
Accumulate macro definitions that are not directly expanded by mkspec
below buildrequires and buildarch to make this distinction clear.
- commit 89eaf4c
- net: openvswitch: limit the number of recursions from action
sets (bsc#1219835 CVE-2024-1151).
- commit 5a5045f
- rpm/check-for-config-changes: add GCC_ASM_GOTO_OUTPUT_WORKAROUND to IGNORED_CONFIGS_RE
Introduced by commit 68fb3ca0e408 ("update workarounds for gcc "asm
goto" issue").
- commit be1bdab
- compute-PATCHVERSION: Do not produce output when awk fails
compute-PATCHVERSION uses awk to produce a shell script that is
subsequently executed to update shell variables which are then printed
as the patchversion.
Some versions of awk, most notably busybox-gawk, do not understand the
awk program and fail to run. This results in no script generated as
output, and printing the initial values of the shell variables as
the patchversion.
When the awk program fails to run produce 'exit 1' as the shell script
to run instead. That prevents printing the stale values, generates no
output, and generates invalid rpm spec file down the line. Then the
problem is flagged early and should be easier to diagnose.
- commit 8ef8383
- x86/cpu, kvm: Move X86_FEATURE_LFENCE_RDTSC to its native leaf (git-fixes).
- commit 6d2e676
- KVM: x86: Move open-coded CPUID leaf 0x80000021 EAX bit propagation code (git-fixes).
- commit 1f3dbeb
- KVM: x86: synthesize CPUID leaf 0x80000021h if useful (git-fixes).
- commit 2581a0e
- KVM: x86: add support for CPUID leaf 0x80000021 (git-fixes).
- commit 79ab1f6
- x86/asm: Add _ASM_RIP() macro for x86-64 (%rip) suffix (git-fixes).
- commit 26d80bf
- KVM: VMX: Move VERW closer to VMentry for MDS mitigation (git-fixes).
- KVM: VMX: Use BT+JNC, i.e. EFLAGS.CF to select VMRESUME vs. VMLAUNCH (git-fixes).
- x86/bugs: Use ALTERNATIVE() instead of mds_user_clear static key (git-fixes).
Also add the removed mds_user_clear symbol to kABI severities as it is
exposed just for KVM module and is generally a core kernel component so
removing it is low risk.
- x86/entry_32: Add VERW just before userspace transition (git-fixes).
- x86/entry_64: Add VERW just before userspace transition (git-fixes).
- x86/bugs: Add asm helpers for executing VERW (git-fixes).
- commit 8f33ff8
- mbcache: Fixup kABI of mb_cache_entry (bsc#1207653 bsc#1219915).
- commit 52b181f
- ext4: fix deadlock due to mbcache entry corruption
(bsc#1207653 bsc#1219915).
- commit 14e0a9c
- net/rds: Fix UBSAN: array-index-out-of-bounds in rds_cmsg_recv
(bsc#1219127 CVE-2024-23849).
- commit 75b4a5b
- cifs: fix missing unload_nls() in smb2_reconnect()
(bsc#1213476).
- commit 7236d05
- cifs: fix status checks in cifs_tree_connect (bsc#1213476).
- commit a4a76da
- smb: client: fix null auth (bsc#1213476).
- commit 08d9d59
- kernel-binary: Move build script to the end
All other spec templates have the build script at the end, only
kernel-binary has it in the middle. Align with the other templates.
- commit 98cbdd0
- rpm templates: Aggregate subpackage descriptions
While in some cases the package tags, description, scriptlets and
filelist are located together in other cases they are all across the
spec file. Aggregate the information related to a subpackage in one
place.
- commit 8eeb08c
- rpm templates: sort rpm tags
The rpm tags in kernel spec files are sorted at random.
Make the order of rpm tags somewhat more consistent across rpm spec
templates.
- commit 8875c35
- Update to add CVE-2024-23851 tag,
patches.suse/dm-limit-the-number-of-targets-and-parameter-size-ar.patch
(bsc#1219827, bsc#1219146, CVE-2023-52429, CVE-2024-23851).
- commit ef15d5e
- dm: limit the number of targets and parameter size area
(bsc#1219827, bsc#1219146, CVE-2023-52429).
- commit 2431307
- vhost: use kzalloc() instead of kmalloc() followed by memset()
(CVE-2024-0340, bsc#1218689).
- commit aa86ef0
- kernel-binary: certs: Avoid trailing space
- commit bc7dc31
- rpm/kernel-binary.spec.in: install scripts/gdb when enabled in config
(bsc#1219653)
They are put into -devel subpackage. And a proper link to
/usr/share/gdb/auto-load/ is created.
- commit 1dccf2a
- Refresh
patches.suse/cifs-Fix-UAF-in-cifs_demultiplex_thread-.patch.
Add the upstream commit ID.
- commit d9857fd
- netfilter: nf_tables: reject QUEUE/DROP verdict parameters
(CVE-2024-1086 bsc#1219434).
- commit 33a2cdd
- drm/amdgpu: Fix potential fence use-after-free v2 (bsc#1219128
CVE-2023-51042).
- commit 2e8464f
- rpm/mkspec: sort entries in _multibuild
Otherwise it creates unnecessary diffs when tar-up-ing. It's of course
due to readdir() using "random" order as served by the underlying
filesystem.
See for example:
https://build.opensuse.org/request/show/1144457/changes
- commit d1155de
- atm: Fix Use-After-Free in do_vcc_ioctl (CVE-2023-51780
bsc#1218730).
- commit 6405c59
- xen-netback: don't produce zero-size SKB frags (CVE-2023-46838,
XSA-448, bsc#1218836).
- commit 7d3a106
- ext4: fix kernel BUG in 'ext4_write_inline_data_end()'
(CVE-2021-33631 bsc#1219412).
- commit 792d624
- kernel-source: Fix description typo
- commit 8abff35
- nvmet-tcp: Fix the H2C expected PDU len calculation
(bsc#1217987 bsc#1217988 bsc#1217989 CVE-2023-6535 CVE-2023-6536
CVE-2023-6356).
- nvmet-tcp: remove boilerplate code (bsc#1217987 bsc#1217988
bsc#1217989 CVE-2023-6535 CVE-2023-6536 CVE-2023-6356).
- nvmet-tcp: fix a crash in nvmet_req_complete() (bsc#1217987
bsc#1217988 bsc#1217989 CVE-2023-6535 CVE-2023-6536
CVE-2023-6356).
- nvmet-tcp: Fix a kernel panic when host sends an invalid H2C
PDU length (bsc#1217987 bsc#1217988 bsc#1217989 CVE-2023-6535
CVE-2023-6536 CVE-2023-6356).
- commit e2033e6
- wifi: brcmfmac: Fix use-after-free bug in brcmf_cfg80211_detach
(CVE-2023-47233 bsc#1216702).
- commit 6452010
- rpm/constraints.in: set jobs for riscv to 8
The same workers are used for x86 and riscv and the riscv builds take
ages. So align the riscv jobs count to x86.
- commit b2c82b9
- x86/entry/ia32: Ensure s32 is sign extended to s64 (bsc#1193285).
- commit 8395685
- net: sched: sch_qfq: Use non-work-conserving warning handler
(CVE-2023-4921 bsc#1215275).
- commit aabd893
- mkspec: Use variant in constraints template
Constraints are not applied consistently with kernel package variants.
Add variant to the constraints template as appropriate, and expand it
in mkspec.
- commit cc68ab9
- rpm/constraints.in: add static multibuild packages
Commit 841012b049a5 (rpm/mkspec: use kernel-source: prefix for
constraints on multibuild) added "kernel-source:" prefix to the
dynamically generated kernels. But there are also static ones like
kernel-docs. Those fail to build as the constraints are still not
applied.
So add the prefix also to the static ones.
Note kernel-docs-rt is given kernel-source-rt prefix. I am not sure it
will ever be multibuilt...
- commit c2e0681
- drm/atomic: Fix potential use-after-free in nonblocking commits
(bsc#1219120 CVE-2023-51043).
- commit 1f381b4
- Revert "Limit kernel-source build to architectures for which the kernel binary"
This reverts commit 08a9e44c00758b5f3f3b641830ab6affff041132.
The fix for bsc#1108281 directly causes bsc#1218768, revert.
- commit 2943b8a
- mkspec: Include constraints for both multibuild and plain package always
There is no need to check for multibuild flag, the constraints can be
always generated for both cases.
- commit 308ea09
- rpm/mkspec: use kernel-source: prefix for constraints on multibuild
Otherwise the constraints are not applied with multibuild enabled.
- commit 841012b
- rpm/kernel-source.rpmlintrc: add action-ebpf
Upstream commit a79d8ba734bd (selftests: tc-testing: remove buildebpf
plugin) added this precompiled binary blob. Adapt rpmlintrc for
kernel-source.
- commit b5ccb33
- ext4: improve error recovery code paths in __ext4_remount()
(bsc#1219053 CVE-2024-0775).
- commit f053871
- scripts/tar-up.sh: don't add spurious entry from kernel-sources.changes.old
The previous change added the manual entry from kernel-sources.change.old
to old_changelog.txt unnecessarily. Let's fix it.
- commit fb033e8
- rpm/kernel-docs.spec.in: fix build with 6.8
Since upstream commit f061c9f7d058 (Documentation: Document each netlink
family), the build needs python yaml.
- commit 6a7ece3
- smb: client: fix OOB in receive_encrypted_standard()
(bsc#1218832 CVE-2024-0565).
- commit 59d97af
- ida: Fix crash in ida_free when the bitmap is empty (bsc#1218804
CVE-2023-6915).
- commit e0cf5bf
- netfilter: nf_tables: Reject tables of unsupported family
(bsc#1218752 CVE-2023-6040).
- commit 9fd7b64
- net/rose: Fix Use-After-Free in rose_ioctl (CVE-2023-51782
bsc#1218757).
- commit 1ba2d82
- powerpc/powernv: Add a null pointer check in opal_event_init()
(bsc#1065729 CVE-2023-52686).
- commit 0f57a9b
- Store the old kernel changelog entries in kernel-docs package (bsc#1218713)
The old entries are found in kernel-docs/old_changelog.txt in docdir.
rpm/old_changelog.txt can be an optional file that stores the similar
info like rpm/kernel-sources.changes.old. It can specify the commit
range that has been truncated. scripts/tar-up.sh expands from the
git log accordingly.
- commit c9a2566
- smb: client: fix potential OOB in smb2_dump_detail()
(bsc#1217946 CVE-2023-6610).
- commit 838930f
- Limit kernel-source build to architectures for which the kernel binary
is built (bsc#1108281).
- commit 08a9e44
- Bluetooth: af_bluetooth: Fix Use-After-Free in bt_sock_recvmsg
(CVE-2023-51779 bsc#1218559).
- commit 10b8efc
- clocksource: Suspend the watchdog temporarily when high read
latency detected (bsc#1218105).
- commit 683a4c2
- clocksource: Avoid accidental unstable marking of clocksources
(bsc#1218105).
- commit 0d50b3e
- mkspec: Add multibuild support (JSC-SLE#5501, boo#1211226, bsc#1218184)
When MULTIBUILD option in config.sh is enabled generate a _multibuild
file listing all spec files.
- commit f734347
- Build in the correct KOTD repository with multibuild
(JSC-SLE#5501, boo#1211226, bsc#1218184)
With multibuild setting repository flags is no longer supported for
individual spec files - see
https://github.com/openSUSE/open-build-service/issues/3574
Add ExclusiveArch conditional that depends on a macro set up by
bs-upload-kernel instead. With that each package should build only in
one repository - either standard or QA.
Note: bs-upload-kernel does not interpret rpm conditionals, and only
uses the first ExclusiveArch line to determine the architectures to
enable.
- commit aa5424d
- Bluetooth: avoid memcmp() out of bounds warning (bsc#1215237
CVE-2020-26555).
- Bluetooth: hci_event: Fix coding style (bsc#1215237
CVE-2020-26555).
- Bluetooth: hci_event: Fix using memcmp when comparing keys
(bsc#1215237 CVE-2020-26555).
- commit bb86106
- Bluetooth: Reject connection with the device which has same
BD_ADDR (bsc#1215237 CVE-2020-26555).
- commit 360840a
- Bluetooth: hci_event: Ignore NULL link key (bsc#1215237
CVE-2020-26555).
- commit 13b41ce
- perf: Fix perf_event_validate_size() lockdep splat
(CVE-2023-6931 bsc#1218258).
- perf: Fix perf_event_validate_size() (CVE-2023-6931
bsc#1218258).
- commit e551d3d
- smb: client: fix OOB in smbCalcSize() (bsc#1217947
CVE-2023-6606).
- commit bba90ea
- ipv4: igmp: fix refcnt uaf issue when receiving igmp query
packet (bsc#1218253 CVE-2023-6932).
- commit 1240db6
- io_uring: fix 32-bit compatability with sendmsg/recvmsg (bsc#1217709).
This was originally blacklisted for no good reason. Since now we have
an actual bug report that breaks LTP, drop from blacklist and backport.
- commit 8a7380f
- efi/mokvar: Reserve the table only if it is in boot services
data (bsc#1215375).
- commit 2c6d22d
- nvmet: nul-terminate the NQNs passed in the connect command
(bsc#1217250 CVE-2023-6121).
- commit 3b11907
- kernel-source: Remove config-options.changes (jsc#PED-5021)
The file doc/config-options.changes was used in the past to document
kernel config changes. It was introduced in 2010 but hasn't received
any updates on any branch since 2015. The file is renamed by tar-up.sh
to config-options.changes.txt and shipped in the kernel-source RPM
package under /usr/share/doc. As its content now only contains outdated
information, retaining it can lead to confusion for users encountering
this file.
Config changes are nowadays described in associated Git commit messages,
which get automatically collected and are incorporated into changelogs
of kernel RPM packages.
Drop then this obsolete file, starting with its packaging logic.
For branch maintainers: Upon merging this commit on your branch, please
correspondingly delete the file doc/config-options.changes.
- commit adedbd2
- doc/README.SUSE: Simplify the list of references (jsc#PED-5021)
Reduce indentation in the list of references, make the style consistent
with README.md.
- commit 70e3c33
- doc/README.SUSE: Add how to update the config for module signing
(jsc#PED-5021)
Configuration files for SUSE kernels include settings to integrate with
signing support provided by the Open Build Service. This creates
problems if someone tries to use such a configuration file to build
a "standalone" kernel as described in doc/README.SUSE:
* Default configuration files available in the kernel-source repository
unset CONFIG_MODULE_SIG_ALL to leave module signing to
pesign-obs-integration. In case of a "standalone" build, this
integration is not available and the modules don't get signed.
* The kernel spec file overrides CONFIG_MODULE_SIG_KEY to
".kernel_signing_key.pem" which is a file populated by certificates
provided by OBS but otherwise not available. The value ends up in
/boot/config-$VERSION-$RELEASE-$FLAVOR and /proc/config.gz. If someone
decides to use one of these files as their base configuration then the
build fails with an error because the specified module signing key is
missing.
Add information on how to enable module signing and where to find the
relevant upstream documentation.
- commit a699dc3
- doc/README.SUSE: Remove how to build modules using kernel-source
(jsc#PED-5021)
Remove the first method how to build kernel modules from the readme. It
describes a process consisting of the kernel-source installation,
configuring this kernel and then performing an ad-hoc module build.
This method is not ideal as no modversion data is involved in the
process. It results in a module with no symbol CRCs which can be wrongly
loaded on an incompatible kernel.
Removing the method also simplifies the readme because only two main
methods how to build the modules are then described, either doing an
ad-hoc build using kernel-devel, or creating a proper Kernel Module
Package.
- commit 9285bb8
- containerd
-
- Revert noarch for devel subpackage
Switching to noarch causes issues on SLES maintenance updates, reverting it
fixes our image builds
- Update to containerd v1.7.17. Upstream release notes:
<https://github.com/containerd/containerd/releases/tag/v1.7.17>
- Switch back to using tar_scm service. Aside from obs_scm using more bandwidth
and storage than a locally-compressed tar.xz, it seems there's some weird
issue with paths in obscpio that break our SLE-12-only patch.
- Rebase patches:
* 0001-BUILD-SLE12-revert-btrfs-depend-on-kernel-UAPI-inste.patch
- Update to containerd v1.7.16. Upstream release notes:
<https://github.com/containerd/containerd/releases/tag/v1.7.16>
CVE-2023-45288 bsc#1221400
- Use obs_scm service instead of tar_scm
- Removed patch 0002-shim-Create-pid-file-with-0644-permissions.patch
(merged upstream at
<https://github.com/containerd/containerd/pull/9571>)
- Update to containerd v1.7.15. Upstream release notes:
<https://github.com/containerd/containerd/releases/tag/v1.7.15>
- Update to containerd v1.7.14. Upstream release notes:
<https://github.com/containerd/containerd/releases/tag/v1.7.14>
- Update to containerd v1.7.13. Upstream release notes:
<https://github.com/containerd/containerd/releases/tag/v1.7.13>
- Update to containerd v1.7.12. Upstream release notes:
<https://github.com/containerd/containerd/releases/tag/v1.7.12>
- Update to containerd v1.7.11. Upstream release notes:
<https://github.com/containerd/containerd/releases/tag/v1.7.11>
GHSA-jq35-85cj-fj4p bsc#1224323
- Use %patch -P N instead of deprecated %patchN.
- Enable manpage generation
- Make devel package noarch
- adjust rpmlint filters
- Add patch for bsc#1217952:
+ 0002-shim-Create-pid-file-with-0644-permissions.patch
- Update to containerd v1.7.10. Upstream release notes:
<https://github.com/containerd/containerd/releases/tag/v1.7.10>
- Rebase patches:
* 0001-BUILD-SLE12-revert-btrfs-depend-on-kernel-UAPI-inste.patch
- coreutils
-
- coreutils-ls-avoid-triggering-automounts.patch
ls: avoid triggering automounts (bsc#1221632)
- cpio
-
- Fix cpio not working after the fix in bsc#1218571, fixes bsc#1219238
* fix-bsc1219238.patch
- Fix CVE-2023-7207, path traversal vulnerability (bsc#1218571)
* fix-CVE-2023-7207.patch
- samba
-
- Add "net offlinejoin composeodj" command; (bsc#1214076);
- cups
-
- Require the exact matching version-release of all libcups*
sub-packages (bsc#1226192)
- cups-2.2.7-CVE-2024-35235.patch is derived
from the upstream patch against master (CUPS 2.5)
to behave backward compatible for CUPS 2.2.7
in SLE15 and openSUSE Leap 15 to fix CVE-2024-35235
"cupsd Listen port arbitrary chmod 0140777"
without the more secure but backward-incompatible behaviour
of the upstream patch for CUPS 2.5
that ignores domain sockets specified in 'Listen' entries
in /etc/cups/cupsd.conf when cupsd is launched via systemd
(in particular when launched on-demand by systemd)
https://github.com/OpenPrinting/cups/security/advisories/GHSA-vvwp-mv6j-hw6f
bsc#1225365
- cups-2.2.7-web-ui-kerberos-authentication.patch, update
patch to handle local 'Negotiate' authentication response
for cli clients. (bsc#1223179).
- Remove '--enable-debug-printfs' from configure options, see
https://github.com/OpenPrinting/cups/issues/875
(bsc#1217119).
- curl
-
- regression fix [bsc#1219273]
https://github.com/curl/curl/commit/91b53efa4b6854dc3688f55bfb329b0cafcf5325
- added patches
+ curl-CVE-2023-27534-tilde-back.patch
- Security fix: [bsc#1221667, CVE-2024-2398]
* curl: HTTP/2 push headers memory-leak
* Add curl-CVE-2024-2398.patch
- Fix: libssh: Implement SFTP packet size limit (bsc#1216987)
* Add curl-libssh_Implement_SFTP_packet_size_limit.patch
- desktop-data-SLE
-
- Fix typo in the desktop files for some of the wallpapers
(bsc#1222146).
- docker
-
[NOTE: This update was only ever released in SLES and Leap.]
- Update to Docker 25.0.6-ce. See upstream changelog online at
<https://docs.docker.com/engine/release-notes/25.0/#2506>
- This update includes a fix for CVE-2024-41110. bsc#1228324
- Rebase patches:
* 0001-SECRETS-daemon-allow-directory-creation-in-run-secre.patch
* 0002-SECRETS-SUSE-implement-SUSE-container-secrets.patch
* 0003-BUILD-SLE12-revert-graphdriver-btrfs-use-kernel-UAPI.patch
* 0004-bsc1073877-apparmor-clobber-docker-default-profile-o.patch
* 0005-SLE12-revert-apparmor-remove-version-conditionals-fr.patch
* 0006-bsc1221916-update-to-patched-buildkit-version-to-fix.patch
* 0007-bsc1214855-volume-use-AtomicWriteFile-to-save-volume.patch
- Rebase patches:
* 0001-SECRETS-daemon-allow-directory-creation-in-run-secre.patch
* 0002-SECRETS-SUSE-implement-SUSE-container-secrets.patch
* 0003-BUILD-SLE12-revert-graphdriver-btrfs-use-kernel-UAPI.patch
* 0004-bsc1073877-apparmor-clobber-docker-default-profile-o.patch
* 0005-SLE12-revert-apparmor-remove-version-conditionals-fr.patch
- Fix BuildKit's symlink resolution logic to correctly handle non-lexical
symlinks. Backport of <https://github.com/moby/buildkit/pull/4896> and
<https://github.com/moby/buildkit/pull/5060>. bsc#1221916
+ 0006-bsc1221916-update-to-patched-buildkit-version-to-fix.patch
- Write volume options atomically so sudden system crashes won't result in
future Docker starts failing due to empty files. Backport of
<https://github.com/moby/moby/pull/48034>. bsc#1214855
+ 0007-bsc1214855-volume-use-AtomicWriteFile-to-save-volume.patch
[NOTE: This update was only ever released in SLES and Leap.]
- Update to Docker 25.0.5-ce. See upstream changelog online at
<https://docs.docker.com/engine/release-notes/25.0/#2505> bsc#1223409
- Rebase patches:
* 0001-SECRETS-daemon-allow-directory-creation-in-run-secre.patch
* 0002-SECRETS-SUSE-implement-SUSE-container-secrets.patch
* 0003-BUILD-SLE12-revert-graphdriver-btrfs-use-kernel-UAPI.patch
* 0004-bsc1073877-apparmor-clobber-docker-default-profile-o.patch
* 0005-SLE12-revert-apparmor-remove-version-conditionals-fr.patch
* cli-0001-docs-include-required-tools-in-source-tree.patch
- Remove upstreamed patches:
- 0007-daemon-overlay2-remove-world-writable-permission-fro.patch
- Update --add-runtime to point to correct binary path.
[NOTE: This update was only ever released in SLES and Leap.]
- Add patch to fix bsc#1220339
* 0007-daemon-overlay2-remove-world-writable-permission-fro.patch
- rebase patches:
* 0001-SECRETS-daemon-allow-directory-creation-in-run-secre.patch
* 0002-SECRETS-SUSE-implement-SUSE-container-secrets.patch
* 0003-BUILD-SLE12-revert-graphdriver-btrfs-use-kernel-UAPI.patch
* 0004-bsc1073877-apparmor-clobber-docker-default-profile-o.patch
* 0005-SLE12-revert-apparmor-remove-version-conditionals-fr.patch
* 0006-Vendor-in-latest-buildkit-v0.11-branch-including-CVE.patch
- Allow to disable apparmor support (ALP supports only SELinux)
- Update to Docker 25.0.3-ce. See upstream changelog online at
<https://docs.docker.com/engine/release-notes/25.0/#2503>
- Fixes:
* bsc#1219267 - CVE-2024-23651
* bsc#1219268 - CVE-2024-23652
* bsc#1219438 - CVE-2024-23653
- Rebase patches:
* 0001-SECRETS-daemon-allow-directory-creation-in-run-secre.patch
* 0002-SECRETS-SUSE-implement-SUSE-container-secrets.patch
* 0003-BUILD-SLE12-revert-graphdriver-btrfs-use-kernel-UAPI.patch
* 0004-bsc1073877-apparmor-clobber-docker-default-profile-o.patch
* 0005-SLE12-revert-apparmor-remove-version-conditionals-fr.patch
* cli-0001-docs-include-required-tools-in-source-tree.patch
- Remove upstreamed patches:
- 0006-Vendor-in-latest-buildkit-v0.11-branch-including-CVE.patch
- Vendor latest buildkit v0.11:
Add patch 0006-Vendor-in-latest-buildkit-v0.11-branch-including-CVE.patch that
vendors in the latest v0.11 buildkit branch including bugfixes for the following:
* bsc#1219438: CVE-2024-23653
* bsc#1219268: CVE-2024-23652
* bsc#1219267: CVE-2024-23651
- rebase patches:
* 0001-SECRETS-daemon-allow-directory-creation-in-run-secre.patch
* 0002-SECRETS-SUSE-implement-SUSE-container-secrets.patch
* 0003-BUILD-SLE12-revert-graphdriver-btrfs-use-kernel-UAPI.patch
* 0004-bsc1073877-apparmor-clobber-docker-default-profile-o.patch
* 0005-SLE12-revert-apparmor-remove-version-conditionals-fr.patch
- switch from %patchN to %patch -PN syntax
- remove unused rpmlint filters and add filters to silence pointless bash & zsh
completion warnings
- Update to Docker 24.0.7-ce. See upstream changelog online at
<https://docs.docker.com/engine/release-notes/24.0/#2407>. bsc#1217513
* Deny containers access to /sys/devices/virtual/powercap by default.
- CVE-2020-8694 bsc#1170415
- CVE-2020-8695 bsc#1170446
- CVE-2020-12912 bsc#1178760
- Rebase patches:
* 0001-SECRETS-daemon-allow-directory-creation-in-run-secre.patch
* 0002-SECRETS-SUSE-implement-SUSE-container-secrets.patch
* 0003-BUILD-SLE12-revert-graphdriver-btrfs-use-kernel-UAPI.patch
* 0004-bsc1073877-apparmor-clobber-docker-default-profile-o.patch
* 0005-SLE12-revert-apparmor-remove-version-conditionals-fr.patch
* cli-0001-docs-include-required-tools-in-source-tree.patch
- Add a patch to fix apparmor on SLE-12, reverting the upstream removal of
version-specific templating for the default apparmor profile. bsc#1213500
+ 0005-SLE12-revert-apparmor-remove-version-conditionals-fr.patch
- Rebase patches:
* 0001-SECRETS-daemon-allow-directory-creation-in-run-secre.patch
* 0002-SECRETS-SUSE-implement-SUSE-container-secrets.patch
* 0003-BUILD-SLE12-revert-graphdriver-btrfs-use-kernel-UAPI.patch
* 0004-bsc1073877-apparmor-clobber-docker-default-profile-o.patch
- Update to Docker 24.0.6-ce. See upstream changelog online at
<https://docs.docker.com/engine/release-notes/24.0/#2406>. bsc#1215323
- Rebase patches:
* 0001-SECRETS-daemon-allow-directory-creation-in-run-secre.patch
* 0002-SECRETS-SUSE-implement-SUSE-container-secrets.patch
* 0003-BUILD-SLE12-revert-graphdriver-btrfs-use-kernel-UAPI.patch
* 0004-bsc1073877-apparmor-clobber-docker-default-profile-o.patch
* cli-0001-docs-include-required-tools-in-source-tree.patch
- Switch from disabledrun to manualrun in _service.
- Add a docker.socket unit file, but with socket activation effectively
disabled to ensure that Docker will always run even if you start the socket
individually. Users should probably just ignore this unit file. bsc#1210141
- fence-agents
-
- L3: fence_vmware_rest : monitoring is not detecting problems accessing the fence device
(bsc#1218718)
o Add upstream patch:
0001-fence_vmware_rest-monitoring-action-is-not-detecting.patch
- gdk-pixbuf
-
- Add CVE-2022-48622.patch: ANI: Reject files with multiple anih
chunks (bsc#1219276, CVE-2022-48622, glgo#GNOME/gdk-pixbuf#202).
- glib2
-
- Add patches to fix CVE-2024-34397 (boo#1224044):
glib2-allocate-SignalSubscriber-structs-individually.patch
glib2-CVE-2024-34397.patch (glgo#GNOME/glib#3268).
glib2-fix-ibus-regression.patch (glgo#GNOME/glib#3353)
- glibc
-
- nscd-netgroup-cache-timeout.patch: Use time_t for return type of
addgetnetgrentX (CVE-2024-33602, bsc#1223425)
- ulp-prologue-into-asm-functions.patch: Avoid creating ULP prologue
for _start routine (bsc#1221940)
- glibc-CVE-2024-33599-nscd-Stack-based-buffer-overflow-in-n.patch:
nscd: Stack-based buffer overflow in netgroup cache
(CVE-2024-33599, bsc#1223423, BZ #31677)
- glibc-CVE-2024-33600-nscd-Avoid-null-pointer-crashes-after.patch:
nscd: Avoid null pointer crashes after notfound response
(CVE-2024-33600, bsc#1223424, BZ #31678)
- glibc-CVE-2024-33600-nscd-Do-not-send-missing-not-found-re.patch:
nscd: Do not send missing not-found response in addgetnetgrentX
(CVE-2024-33600, bsc#1223424, BZ #31678)
- glibc-CVE-2024-33601-CVE-2024-33602-nscd-netgroup-Use-two.patch:
netgroup: Use two buffers in addgetnetgrentX (CVE-2024-33601,
CVE-2024-33602, bsc#1223425, BZ #31680)
- iconv-iso-2022-cn-ext.patch: iconv: ISO-2022-CN-EXT: fix out-of-bound
writes when writing escape sequence (CVE-2024-2961, bsc#1222992)
- duplocale-global-locale.patch: duplocale: protect use of global locale
(bsc#1220441, BZ #23970)
- qsort-invalid-cmp.patch: qsort: handle degenerated compare function
(bsc#1218866)
- getaddrinfo-eai-memory.patch: getaddrinfo: translate ENOMEM to
EAI_MEMORY (bsc#1217589, BZ #31163)
- aarch64-rawmemchr-unwind.patch: aarch64: correct CFI in rawmemchr
(bsc#1217445, BZ #31113)
- gnutls
-
- Security fix: [bsc#1218865, CVE-2024-0553]
* Incomplete fix for CVE-2023-5981.
* The response times to malformed ciphertexts in RSA-PSK
ClientKeyExchange differ from response times of ciphertexts
with correct PKCS#1 v1.5 padding.
* Add gnutls-CVE-2024-0553.patch
- Security fix: [bsc#1217277, CVE-2023-5981]
* Fix timing side-channel inside RSA-PSK key exchange.
* auth/rsa_psk: side-step potential side-channel
* Add curl-CVE-2023-5981.patch
- google-cloud-sap-agent
-
- Update to version 3.4 (bsc#1227134, bsc#1227135)
* Adding project to exclusion list
* Add machine type to configure instance proto for WLM metric collection.
* Add test channel for Guest Actions. Make default channel the registered channel.
* Set backup object's customTime field as part of backint backups
* Add workload discovery to configure command
* Add multiple workers support in parallelreader for parallel downloading during restore.
* `configureinstance` with `overrideVersion` set should log a warning and continue.
* Minor log change in balanceirq
* Add common function to parse parameters for guest action handlers
* BalanceIRQ OTE added to Agent for SAP
* Remove output from stdout for DIAGNOSE
* Small hyperThreading change for configureinstance
* Add initial steps to initialize the SystemDiscovery OTE in IIOTE and command mode.
* Adding single worker support in parallelreader for download.
* Read encryption key from file if specified in parameters file
* Run configureinstance OTE only on supported instances during WLM metric collection.
* Add instance ID to user agent string for SAP Agent.
* Return `UsageError` as exit status instead of `Failure` in case of invalid parameters
* Bumping up the agent version
* Use json marshalling instead of manually parsing from map in configure handler
* Move metric override modules to metricoverrides.go for general use
* Updating the gcbdr proto
* Updating param names to make it more clear in performance diagnostics
* Add DiskSizeGb to Disk for disk creation.
* Add Demo Metrics for Process Metrics
* Add warning message for configureinstance overrideVersion
* Add 3.3 to configureinstance versioning
* Fix log message in configureinstance
* Rename scope and param file to type and backint-param-file to avoid confusion
* Add new OTE structure for SystemDiscovery.
* Allows SAP system data to be read from an override file instead
of discovered from the system. Useful for testing.
* Refactor buildSupportBundleCommand by marshalling command parameters
* Remove cluster member check for cluster collection
* Add connectParameters as a function parameter in restoreFile function to have
multiple bucket handles in parallelreader for parallel downloading.
* Enable auto discovery of disks and make datadiskname and zone optional parameters
* Add support for performancediagnostics OTE guest action handler
* Add override version flag to configureinstance
* Rename LVM volume group of restored disk to that of the target disk.
* Sleep during TestCommunicateWithUAP to only execute intended
code path once instead of many times.
* Update grub configuration for X4 configureinstance
* Extend result-bucket support to support bundle guest action
* Add provisioned-iops and provisioned-throughput labels
to snapshots and extract them during restore.
* Configureinstance updates for SAP ECS
* Add sequential in parallel download functionality for restore to SAP Agent.
* Implement hanadiskbackup guest action handler
* Add operation_id to UAP status labels.
* Add user agent overrides for cloud monitoring
* Updating generated protobufs
* Update sanity check for fast collector metric
* Reliability Metrics - Use the usage metrics instead of
internal cloud monitoring metrics
* Fix restoreFromGroupSnapshot and restoreFromSingleSnapshot logic
* Implement support bundle handler. This CL follows a pattern for
implementing handler which was developed in cl/636640791
* Move timeseries.go and cloudmonitoring.go to shared/
* Only stop HANA monitoring if successive errors are auth related
* Use flag names for command parameters in configureHandler
* Add check and apply finished metrics to configureinstance
* Add snapshot / group backup name to success log message
* Better handling of experimental flag in hanamonitoring
* Return error if physical device is empty
* Added an experimental flag to control role based awareness in hana monitoring
* Adding role based awareness logic in HANA Monitoring
* Add upload feature to support bundle
* Add context to onetime logging functions
* Fix logging and make confirm-data-snapshot-after-create true by default
* Add debug logs for hanabackup to help troubleshoot issues.
* Remove HDB User requirement when HDBUserstore key is passed for hanadiskbackup
* Append labels to detached disk in hanadiskrestore
* Add placeholder for parallel reader in Backint
* Modify restore handlers to be able to restore from either
source snapshot or group snapshot.
* Modify checking preconditions and adding fakes for group snapshot restore.
* Add initial support for restoring from group snapshot.
* Add UAP Communication to startdaemon (gated by a configuration).
* Fixing the commands in perfdiag
* Refactor handleAgentCommand with guestActionsHandlers map
* Add replication sites to system component proto
* Build updated to use -mod=vendor during build
* Updated go.mod and go.sum with dependencies for safetext,
using go mod vendor for github action
* Adding changes for target based config in hana monitoring
* Overriding the user agent for Cloud Logging API calls
* Fix typo in guestactions.proto
* WLM Hana Full Backup Validation Metric collection
* Add configure command to guest actions. Establish how the new proto
format will be used in message handling.
* Add ping check to HANA monitoring
* [commandlineexecutor] Add the ability to directly pass data into Stdin, avoiding
the need for intermediary piping commands, such as "echo 'data' | my_app".
- Update to version 3.3 (bsc#1225166, bsc#1225558)
* Build updated to use -mod=vendor during build
* Updated go.mod and go.sum with dependencies for safetext,
using go mod vendor for github action
* Add actual values and comments to usagemetrics.go to ensure that
error and action codes are only appended to the end of the list.
* Remove usage metrics from configureinstance.go
* Add a hard Disable for reliability metrics collection
until the namespace is created and tested.
* Adding metrics for time taken by each query
* Add SHA224 of labels as a new label.
* Remove collect_reliability_metrics from configuration.json
* Small tweaks to backint log and inquire path generation
* Fix for unmarshalling backint configuration.
* Implementation of instant snapshot group backup workflow
* Backint changes around shorten_folder_path
* Rename max_diagnose_size_gb to diagnose_file_max_size_gb
* Adding start and finish logs in performance diagnostics
* Validate that all disks mapped to /hana/data belong to the same consistency group.
* Rename backint monitoring metrics parameter
* Trim folder prefix for Backint INQUIRE output.
* Add the ability to test the database connection
* Reduce log level of some storage messages to debug.
* Finalize guest action request and response format.
* Backint dashboard fix logs
* Add scorecards to backint dashboard
* Making proto changes for HANA Monitoring support
for multiple tenants and HA setup
* Add total upload/download time to log.
* Add HANA indexserver.ini metrics to WLM metric collection.
* Add Netweaver role metrics as part of process metrics
* Rotate old support bundles.
* Update the default value of confirm-data-snapshot-after-create
to false and add to usage()
* Add option to confirm HANA snapshot as successful before disk snapshot is uploaded.
* Change log level from warn to info for non-critical messages.
* Add diagnose_folder parameter to Backint
* Add a 1 GB buffer to needed bytes for diagnostic
* Add labels to group snapshot backup.
* Enable the show status and restart agent functions for Windows.
* Add WLM metric collection for num_completion_queues and num_submit_queues.
* Collect support bundle on Backint errors.
* Adding usage metrics to performance diagnostics
* Collect agent-only support bundle on failure of backint and hanadiskbackup.
* Minor Backint improvements
* Add ability to collect only agent logs using agent-logs-only flag to supportbundle
* Bump version to 3.3
* Add Backint metrics dashboard
* DO NOT remove log files on uninstall
* Adding more unit tests
* Changing location of zipped file to within the
final folder identified by unique timestamp.
* Minor refactorings and improvements with increasing code coverage
* Make sure DB instance number is recorded in System data.
* Change configuration.json to 0664 to ensure world cannot write.
* Add Netweaver Java discovery to SAP Agent.
* Add a new version of functions to read cloud properties from metadata server.
* Updating generated protos to protoc-gen-go v1.34.1
* Updating runConfigureInstance method and adding unit tests
for covering configure instance ote invocation
* Zip the final bundle and add upload functionality
* Record database SID alongside tenant DB SIDs
* Reduce log severity in discovery
* Add HANA version to product version data
* Fix race condition in tests
* Read disk mapping from instance info if source disk
is not provided to hanadiskbackup
* Add option to shorten the folder path in the bucket.
* Add SSL support for cmdline-based querying and some bugfixes
* Move recovery package to shared directory.
* Update protoc-gen-go version to v1.34.0 in multiple protos
* Adding FIO commands to performance diagnostics
* Remove error logs when errors are being returned
* Adding perfdiag to performance diagnostics
* Add AppInstance data to discovery data uploads.
* Introduce protos for guestactions messages and responses.
Support multiple commands per message.
* Update wording for HANA Insights rules.
* Configureinstance updates.
* Adding a check for retention policy before performing backup operation.
* Remove the unused loglevel flag from logusage OTE
* Change the language around the default parameters being
optimized for performance in backint
* Add instance role to SAP System properties
* Increase wait time for index server to stop.
* Integrating backint OTE into performancediagnostics
* Update wording around configureinstance unsupported machine type.
* Pass the right disk name to check if disk is attached
* Integrating new DB Handle and hdbuserstore key support
with remaining HANA DB dependent workflows
* Refactor HANA and filesystems specific code to a common hanabackup package
* Bumps x/net dependency to v0.23
* Append HANA Insights rule to WLM fake metrics file in script to generate WLM rule.
* Integrating configure instance ote in performance diagnostics
* Update disk backup OTE to parse paths even with /dev/mapper
in the middle of path, not necessarily as a prefix
* Adding a few missing labels to wlm-fake-metrics.yaml
* Changing loglevel for onetime.Init() calls
* Refactor change - Move PD related functions to gce.go
* Fix agentcommunication import replace statements
* Update replace functions for new open source dependencies.
* Set up scaffolding for guest actions handling in SAP Agent along with UAP library code
* Backint upload/download metrics sent to cloud monitoring.
* Cleaning up the performance diagnostics file with recent changes
* Fixes to usage strings in OTEs for optional params
* Integrating new database connector with HANA Monitoring
and adding support for HDBUserstore Key
* Implement hdbsql commandline result parsing
* SAP Discovery - Add SAP Instance Numbers to instance properties
* Updating OTEs to include params for when OTE is invoked internally
* Modifying flags to follow design changes
* Create fake WLM metric overrides for testing
* Implement constructors and query functions for querying
HANA DB via hdbuserstore using cmdline
* Skeleton for querying HANA DB via hdbuserstore using cmdline
* Parameterize Backint Diagnose max file size.
* Metadata parameter added to Backint.
* Adding initial layout for performance diagnostics OTE
* Create a new API CreateClient() in shared logging which
returns an error in case of failures
* Backint no longer writes ERROR if temporary chunk failed to delete.
* Create onetime.Init() to condense reused code.
* Fixing a typo in a process metrics retry logic comment
* Rename workload_validation param with workload_evaluation in configure OTE
* Send agent version in Write Insight requests
* Ensuring /sap/cluster/resources covers all the nodes.
- Update to version 3.2 (bsc#1222215, bsc#1222216)
* Remove internal gensupport package.
* Restore additional error handling and response checking to internal data warehouse client.
* Updating the aggregate function in HANA insight rules
* Remove a leftover debug log
* Allow multipart uploads for PIPE file types.
* Update go-hdb version to v1.8.0
* Perform log restores in serial rather than parallel.
* Add sample usage examples to commandlineexecutor
* Small update to configureinstance OTE
* Add nil check in backup and restore flows to protect against panics.
* Close http response body in WriteInsight() and soap.go
* Record topology type.
* Initialize usagemetrics for OTEs
* Add Instance Number to SAP System instance properties
* Set `min_version` for WLM `os_settings` system metric.
* Increase timeout for saptune re-apply commands.
* Adding handling for encrypted snapshots in backup and restore
* Change the version check comparisons to account for versions
older than those listed in SAP Note.
* Skip the Netweaver metrics that need dpmon on NW kernels
affected by SAP Note: 3366597
* Fix imports
* No public description
* Use internal data warehouse client.
* Fix disp+work command invocation for Netweaver Kernel version discovery.
* Add note about default parameter values to installbackint.
* Add mutex in multipart writer for potential data races.
* Update go.mod and go.sum
* Skip XFS freeze by default unless user passes a parameter to do it explicitly
* configureinstance minor updates.
* Add safety check for usage metrics on BMS
* Storage Class parameter added to Backint.
* Update configureinstance's X4 saptune conf.
* XML Multipart Write() and Close() methods completed.
* Fixes the vmmanager policies for sles12 and sles15 used in the cloud console, removes
the individual cloud console policies and consolidates them into one, and adds a general
gcloud command line policy
* Standardize logging for workloadmanager package.
* Multipart XML API Uploads for Backint.
* Add database system SID to database properties.
* Fix NW HA node identification for RedHat deployments.
* Add workload properties to discovery object returned by discoverSAPSystems
* Add ASCS instance number to application data
* Add Workload Manager validation rule for checking OS settings.
* Enable WLM metric collection by default, disable submission of data to Cloud Monitoring.
* Decoupling primary executable command and providing an alternative to lsof
* Added HANA version in support bundle collection
* Add WorkloadProperties to merged system details and to WLM Insights
* Replace the link placeholder with the actual link
* Add instance number to SAP discovery data
* Tranche 12: HRE Rules
* Minor typo fix in workloadmanager's hana metrics module
* Add pacemaker metrics with SID labels to process metrics
* updating the regex for backup and backint files to take care of log rotation in support bundle
* Add support for disk snapshot labels for easy lifecycle management of snapshots
* Added new OTE for changedisktype workflow
* Add WorkloadProperties to SapSystemDetails for apps_discovery
* Testing the timeseries in unit tests instead of just checking the count
* Record Netweaver kernel version.
* Tranche 12: HRE Rules
* Testing the timeseries in unit tests instead of just checking the count
* Testing the timeseries in unit tests instead of just checking the count
* Relocating pacemaker collection related packages to internal/pacemaker
for common use between process metrics and WLM
* Use results from latest round of discovery for the collection of process metrics.
* Handling zero rows returned case better in HANA insights
* Adding docstrings to workloadmanager package
* Adding docstring to configure OTE
* adding docstrings to methods in support bundle
* Add X4 specific configurations to configureinstance OTE.
* Add helper functions to configureinstance OTE.
* Display updates for HANA Insights WLM rules rollout.
* configureinstance OTE
* We expect the command to return a non-zero exit code and we should not be
returning an error. Execute treats non-zero exit code as error.
* Removing the sap control process command line params
* Revert "Fixing system replication status code being returned"
* configureinstance OTE
* We expect the command to return a non-zero exit code and we should not be
returning an error. Execute treats non-zero exit code as error.
* Removing the sap control process command line params
* Fixing system replication status code being returned
* Wait for hdbindex server to stop after HANA is stopped
* Log error to console in cases where LVM is not being used
* Adding JournalCTL logs to support bundle
* hanadiskbackup - Add missing params to the Usage string
* Move usagemetrics package into shared folder
* Fixed data race error in TestCollectAndSendSlowMovingMetrics()
* Disk backup/restore - Enable send-metrics-to-monitoring by default
- Update to version 3.1 (bsc#1220010, bsc#1220111)
* Fixing system replication status code being returned
* Reduce disk snapshot wait durations
* Fix test flakes in workloadcollector test.
* adding metrics for db freeze time and total workflow time
* Fix for SAP System discovery adding the current host to all components.
* Restore default WLM metric collection settings.
* change description of validate OTE
* fix a typo in the command name and add a delay before we try the unmount
* Use underscore as separator for flags in place of hyphens
* Enable host_metrics and disable reliability_metrics by default in configure OTE
* Collect reliability metrics in the free namespace
* Remove user from cmd params for HANA Replication
* Enable workload manager metric collection by default.
* Add support configuration flag to enable legacy WLM metric data submission workflow.
* Lowers the log level of discovery to info
* Fix for HANA Replication Config
* Add additional instance-id parameter for users who do not want to provide port number
* Use _ instead of - for parameters in configurebackint
* Implementing panic recovery to HANA Monitoring: CreateWorkerPool
* Fix issue with process metrics subroutine starting.
* Add a flag to enable or disable workload discovery.
* Reduce logs in sapdiscovery to debug, these are now run a
lot more frequently and are flooding the logs
* Use bucket `cloudsapdeploystaging` for staging environment.
* Updates default value handling for system discovery flag.
* Added default values to some frequency flags in configure OTE
* force a sync before unmounting to clear out stale file handles
* Retain recoverable routine in process metrics.
* Ensures slow metrics workers stop on context cancellation.
* Log lsof output if unmount fails during restore
* SAP Discovery - Discover R3trans data
* Add panic recovery to collectiondefinition update routine
* configurebackint OTE.
* Adding panic recovery to remote.go
* Prevent host metrics from restarting the daily metrics report if it has already been started.
* Add panic recovery to agent metrics
* Implementing panic recovery for hana monitoring: logging action daily
* Routines now use their own context and cancel in the event of a panic recovery.
* Add panic recovery to host metrics routines
* Removed -path flag and fixed usage string
* Add workload properties to the SAP System definition.
* Add panic recovery to collectMetricsFromConfig routines.
* Add panic recovery to fast metric collection routine.
* Reduces the log severity to debug for the exponential backoff policy
* Add panic recovery to heartbeat routine.
* Updating configuration.json file to remove deprecated sap_discovery field
* Use protojson instead of custom function for snake_case marshaling
* Add panic recovery to WLM metrics collection
* HANA Insights rules tranche 11: Create unit tests and add to auto push
* Add panic recovery to workload collector daily usage metrics.
* Processmetrics - suppress Error and Warn logs that really need to be debug
* Formatting the output of messages printed by configure OTE
* Changing flag names of configure OTE to align better with configuration.json fields
* Add automatic panic recovery to slow metrics collection
* Add panic recovery to goroutine collectAndSend
* Add panic recovery to goroutine
* Retain recoverable routines beyond function scope.
* Implement recovery handler for SAP System discovery package
* Tranche 11: HRE Rules
* Update github build
* Adds generic panic recovery to SAP System discovery package
* Initialize the sidadm env to ensure restore can be run as root user
* not packaging gcbdr scripts till launch of the feature
* Change datatype of frequency flags from string to int
* Breaking down --frequency flag into separate flags for different features for better isolation
* Fix configuration.json file from being written in camelCase to snake_case
* Tranche 6,7,8,9,10: HRE Rules
* Suppress pacemaker related log from Error to Debug
* creating the OTE for GCBDR discovery
* Update HA node identification
* Tranche 10: HRE Rules
* Update file permissions and ownership for installbackint when running as root.
* Adding newline after version print.
* Exposing HANA Logical volumes availability metrics
* Make workloadmanager parameters test more robust.
* Fix panic in cloud discovery
* Tranche 10: HRE Rules
* Add recovery_folder_prefix parameter to Backint.
* Mark process_metrics_send_frequency as deprecated
* Add snapshot-type param to hanadiskbackup with default as STANDARD
type. Users can override to ARCHIVE type if needed.
* Add new folder_prefix parameter to Backint.
* Add HANA new HANA insight rules to BUILD file and embed sources
* Tranche 10a: HRE Rules
* Tranche 6b: HRE Rules
* Tranche 8b: HRE Rules
* Fix for sending isABAP value
* Updating logusage command line flags
- Update to version 3.0 (bsc#1218736, bsc#1218737)
* Suppress pacemaker command error to debug to avoid log flooding
* Expand load balancing cluster discovery.
* Log success messages in OTEs to STDOUT instead of STDERR used by log.Print
* Use bash always to avoid variation of behavior across OS/Shell types
* Minor updates to installbackint.
* Backint compose step properly saves metadata.
* Fix issue with discovery on ASCS instances.
* hanadiskrestore - fix the format of disktype string for disk create API
* Fix issue with PCS cluster address discovery.
* Update transform to insight
* Rename HANA backup/restore OTEs to reflect they are supported
for all disks and not just persistent disk
* Increase the timeout for HDB stop to account for busy DBs
* Adding project sap-ecs-testing to the list.
* PD Restore - Support provisioned-iops and provisioned-throughput
* Integration test for configure OTE
* Added precondition in hana pd backup for stripped LVM
* Add a precondition check to verify user has passed a valid
snapshot name that is present in the current project
* Update the usage to reflect additional required param
* Minor path update for supportbundle OTE.
* Fixing bug in slow moving metrics partial collection scenarios
* Adding check for agent status after restart.
* Ensure Backint ComposeChunks has a valid bucket handle
* Discover whether a Netweaver instance is ABAP or Java
* Replace standard slices package with third party version
* WLM HANA metric `ha_in_same_zone` now reports instance
names for HA nodes in the same zone
* Fix data race condition for Backint Backup with new client connections
* Make -new-disk-name a required parameter to avoid the 63 char
limit in the name length due to auto-generated names
* Fix command for collecting Corosync metric `two_node_runtime`
* Make snapshot name similar to disk name
* Bump golang.org/x/crypto from 0.15.0 to 0.17.0
* Enable Discovery config flag controls submission
to Data Warehouse and Cloud Logging
* Create new clients for each operation in Backint
* Add `client_endpoint` to Backint proto.
* Getting the build number into the version for display
* Backint config name change: service_account to service_account_key
* Add HANA HA metrics to collection definition.
* Fix sorting bug in a diff in apps_discovery_test.go
* Add discoverHANATenantDBs to main code path
* Change PIPE filemode to WRONLY to allow us to detect broken pipes
* Deprecate `sap_system_discovery` config field in favor of `enable_discovery`
* Move the validation of whether user passed correct PD, before stopping HANA
* Add a placeholder for public doc link with next steps
after hanapdrestore workflow has completed
* Fix executable path for HDB version command
* Add optional param `new-disk-name` to hanapdrestore
for users that wish to override the default
* Sort the skipmetrics in unit test to avoid order related flakes
* Generalizing configure OTE
* Discover Netweaver kernel version
* Fix Sprintf call
* Use SAP System data to determine if HANA HA nodes share the same zone.
* hanapdrestore - do not delete PDs in case of failures
* Create discoverHANATenantDBs method to support multiple SIDs for HANA tenant DBs
* Send additional fields in Data Warehouse WriteInsightRequest
* Updating the username parameters for hana pd backup and restore
* Retrieve Reliability data every 2 hours instead of 24
* Discover HANA version
* Fix import for GitHub build
* Add instance properties, and topology information to system data
* Keep the device name and disk name same after restore
* Move sapdiscovery package into system package
* Change the default name of the disk created by restore workflow
* Updates the generated protobuf go for system.proto
* Update generated system proto
* Update go.yml
* Add topology and instance properties info to SAP System data
* Add a check to verify the disk is attached to instance, fail if disk is not attached
* Add application and database software properties to system representation
* Fix race condition in heartbeat test case
* Add error handling to restore workflow to try and keep
the HANA system in a clean state on failures
* Enable LogToCloud by default for both OTE and Daemon modes
* Bump Agent version to 3.0
* Reliability OTE added to SAP Agent
* Declare public Get interface for SAP System discovery data
* Integration testing for Networkstats Package
* Adding project sap-ecs-testing to the list
* Adding one time execution for enabling/disabling of features
* Change to using custom retries for initial bucket connection
* Default collection definition to be fetched from GCS
* Add a 2 minute context timeout for initial bucket connection
* Add `collection_config_version` as a WLM system metric
* Make project, host param optional for hanapdbackup,
in addition make user param optional for hanapdrestore
* Fix potential nil dereference WLM metrics collection
* Add force-stop-hana to restore workflow to forcefully stop
HANA when the param is passed
* Rename the HANA PD snapshot and restore workflows
* Add unit tests for GetProvisionIOps and GetProvisionedThoughput
* Remove the TestCollect unit test which relies on nc
command which can be flaky in unit tests
* Increase Backint timeout for PIPE files to 3 minutes
* Add XFS freeze and unfreeze to PD based snapshot
- Update to version 2.8 (bsc#1217373, bsc#1217374)
* Bump agent version to 2.8 to support C3/M3 certification
* Update go.yml to use go 1.21
* Switch from "slices" to "go_exp.../slices" for go version dependency
* Use newly refactored discovery packages.
* Fixes issue with diskname from source or device name
* Adds extreme disk type IOps and Throughput for host metrics
* Add `INTEGRATION` target config environment for collection definition testing
* Add project number to SAP System proto
* Add a cache to discovered resources. This reduces the number of API
calls needed to perform System Discovery
* Replace windows wmic hardware queries with PowerShell wmi queries
* Fix test flakiness
* Improve development process for collection definition configuration
* HANA PD based snapshot and restore - changes to add wait for uploading
* Fix for kokoro build issue in processmetrics/networkstats
* GCBDR SAPCoreAPP Package in Agent for SAP
* Add version tracking for WLM validation config
* Send workload validation config to remote instances for use during remote collection
* Add flag for passing in workload validation config into remote collection OTE
* Bump google.golang.org/grpc from 1.58.2 to 1.58.3
- from version 2.7
* Added ote for hma dashboards migration
* Increase Max backoff in storage package to 300 seconds
* Added subpaths for collection of required TCP metrics
* Add more debug logs and increase the wait-time for PD operations in restore
* No public description
* Add 30 second timeout to read/write from the local file system for Backint
* No public description
* Adds RHEL 9 VM Manager policy
* Extract cloud-related discovery functions into separate file
* Adding timeout to systemReplication.py command execution
* Allow download attempts without verifying connection to bucket
* Invoke `collectiondefinition.Start` when starting the agent in daemon mode
* SAP Agent CLI - usability improvements for flags and help menu
* Add host project information to HANA DB component discovery data.
* Use proto names for default configuration during Backint installation
* Extending logging capabilities to all packages of the agent
* Added a feature for exposing TCP connection metrics
* Migrating context logging logic to all packages of SAP Agent
* Add an ifthisthenthatlint to ensure new script is kept in sync with rule proto
* (collectiondefinition) - Discard unknown fields and remove breaking metrics
* Moving commandlineexecutor from internal to shared for sqlserveragent
* Define startup function for collectiondefinition package
* Check error on close of destFile in backint restore
* Allow trailing zeros for millisecond timestamps in Backint
* Add pid to all agent logs
* Bump SAP Agent version to 2.7 (placeholder release version)
* Separate collection definition validation functionality into a separate file
* Add datetime to migration folder for Backint installation
* Add symlink for Backint log file to install directory
* Set a deadline for the final flush to cloud logging
* Increase chunk retry deadline in storage package
* Fix order dependent tests in sapagent/internal/storage
* Change support bundle feature to collect the OTE logs from new path
* Usage logging for remote WLM validation metrics collection from the collector instance
* Extract discovery functions performed on the host to a separate file
* Improve agent shutdown experience in daemon mode
* Fix Backint restoring incorrect file
* Google Events - rule proto initial submission
* Move gce package to shared folder for use by SQL Server agent
* Add GCS integration into collectiondefinition package
* Standardize import aliases
* go mod updates
* Fixing go/gotsan data race error in processmetrics_test
* Add Backint support for Inquire line: `#EBID <external_backup_id>`
* Chown Backint install directories to user/group of the opt/ folder
* Create OTE logs under a subdir under /var/log as /var/log is only writable by root
* Will not create an empty log file for logusage logs and one
time execution logs will have 0666 file mode
* Setting the log file created to world read+write permission
* Bump golang.org/x/net from 0.15.0 to 0.17.0
* Add recovery_bucket parameter to Backint
* Extract SAP related discovery functions to a separate file
* Fix Backint install directory
* Fix Backint parallel uploads
* Move maintenance collector to beta API
* Pruning batches to prevent time series duplication
* Added a logger for incorporating service context keys in logs
* Encode the DB password string to handle passwords with special characters
* Handling non error scenarios better in netweaver.go
* Internal change
* fixes typo on backint install
* Allow all users to execute google_cloud_sap_agent
* Fix hdbbackint script.
* Subdirs for Backint DIAGNOSE temporary files
* Report zero-value metrics for upcoming maintenance
* Clean up gcealpha functionality
* Fix default configuration values in daemon and backint
* Update the comment in proto to reflect that the metric
path in skip list should start with /sap
* Implemented separation of context of different services
- Update to version 2.6 (bsc#1215672, bsc#1215673)
* Rolling back previous change for storing Project Number,
Project ID is sufficient, no need to add complexity
* Determine location of HANA global.ini using SAP system discovery logic
* Add numeric project ID prefix to object name for ReadMetrics
* Discovery now looks up and stores project number with discovery data
* ReadMetrics updates for IAM permissions and bucket object names
* fixing the bug in backoff logic, using separate policies
for each collector and adding some logs
* Backint migration from the old agent and supporting legacy parameters
* adding new backoff policies for process metrics and fixing the
bug in process metrics sapservice collector
* Bump SAP Agent version to 2.6
* Fix an issue where HANA hosts may not be discovered
properly if hostname differs from instance name
* Use Go 1.20 friendly sorting solution
* adding retries in process metrics logic with backoffs
* Fix parsing of instance (host/VM) name in Pacemaker pcmk_delay_max metric
* Add the collection definition changes for the SAP HANA Topology metrics
* Template for Cloud Monitoring Alerts for Backint errors
* adding backoff to InstanceProperties to each collector
* Reduced the number of parameters of startXX functions
by consolidating them into respective structs
* completing TODO (b/298315981): Create a map from skipped
list metrics and pass it to collectors.
* Proto package name changes to reflect the current path
* Use instance_name instead of instance_id for baremetal systems
* Decode encryption keys for Backint.
* Moving hareplication metric to fast moving metrics
* Added backoffs package in process metrics to keep the backoff policies
and retry policies separately and make it reusable across process metrics
* Install Backint OTE
* Adding skip list logic to process metrics
* Separating fastmoving metrics into a separate file from other process metrics
* Update remote collection to use collected instance's Cloud Properties
* ReadMetrics upload to bucket and send status to monitoring
* Remove local implementation of DW API in favor of using generated third_party version
* ReadMetrics read input file and write results to local filesystem
* Clean up command line executions to collect SAP Control metrics
* Adding new OTE structure for ReadMetrics
* Add the SUSE specific spec file to keep upstream changes and SUSE packaging in sync
* Collect and report upcoming maintenance
* Add basepath override and gcealpha functionality
* Making proto changes for process metrics re-arch
* Changes for generating HANA Insights locally into a markdown file
* Delay feature specific daily action logs by 24 hours
to avoid noise created by startup failures
* Update to the rule "maximum_invalid_connect_attempts"
* Add some missing related resources
* Fix rate limiting for compression enabled uploads/downloads
* Optional User-Agent parameter added to storage package client connection
* Relocate gcealpha to /internal
* Fix parse_test error
* Retries added for opening files in Backint
* Make processmetrics unit tests hermetic
* Remove if-this-then-that requirement from WLM validation rule
* Fix WriteInsight JSON encoding, and add missing elements
* Add configuration value to change API endpoint for Data Warehouse calls
* Storage package progress messages based off of read/writes directly to the bucket
* Make Collect DB Metrics as NO-OP when metrics are being read from override file
* Remove unused field from backint proto
* Custom retries for the storage package with exponential backoff and MaxRetries setting
- Update to version 2.5
+ No upstream changelog provided
- google-guest-agent
-
- Update to version 20240314.00 (bsc#1221900, bsc#1221901)
* NetworkManager: only set secondary interfaces as up (#378)
* address manager: make sure we check for oldMetadata (#375)
* network: early setup network (#374)
* NetworkManager: fix ipv6 and ipv4 mode attribute (#373)
* Network Manager: make sure we clean up ifcfg files (#371)
* metadata script runner: fix script download (#370)
* oslogin: avoid adding extra empty line at the end of /etc/security/group.conf (#369)
* Dynamic vlan (#361)
* Check for nil response (#366)
* Create NetworkManager implementation (#362)
* Skip interface manager on Windows (#363)
* network: remove ignore setup (#360)
* Create wicked network service implementation and its respective unit (#356)
* Update metadata script runner, add tests (#357)
* Refactor guest-agent to use common retry util (#355)
* Flush logs before exiting #358 (#359)
- Refresh patches for new version
* dont_overwrite_ifcfg.patch
- No need for double %setup.
- Use %patch -P N instead of deprecated %patchN.
- Update to version 20240213.00
* Create systemd-networkd unit tests (#354)
- from version 20240209.00
* Update network manager unit tests (#351)
- from version 20240207.02
* Implement retry util (#350)
- from version 20240207.01
* Refactor utils package to not dump everything unrelated into one file (#352)
- from version 20240207.00
* Set version on metadata script runner (#353)
* Implement cleanup of deprecated configuration directives (#348)
* Ignore DHCP offered routes only for secondary nics (#347)
* Deprecate DHClient in favor of systemd-networkd (#342)
* Generate windows and linux licenses (#346)
- from version 20240122.00
* Remove quintonamore from OWNERS (#345)
- from version 20240111.00
* Delete integration tests (#343)
- from version 20240109.00
* Update licenses with dependencies of go-winio (#339)
* Add github.com/Microsoft/go-winio to third party licensing (#337)
- Add explicit versioned dependency on google-guest-oslogin (bsc#1219642)
- Refresh patches for new version
* dont_overwrite_ifcfg.patch
- Update to version 20231214.00
* Fix snapshot test failure (#336)
- from version 20231212.00
* Implement json-based command messaging system for guest-agent (#326)
- from version 20231118.00
* sshca: Remove certificate caching (#334)
- from version 20231115.00
* revert: 3ddd9d4a496f7a9c591ded58c3f541fd9cc7e317 (#333)
* Update script runner to use common cfg package (#331)
- Update to version 20231110.00
* Update Google UEFI variable (#329)
* Update owners (#328)
- from version 20231103.00
* Make config parsing order consistent (#327)
- Update to version 20231031.01 (bsc#1216547, bsc#1216751)
* Add prefix to scheduler logs (#325)
- from version 20231030.00
* Test configuration files are loaded in the documented
order. Fix initial integration test. (#324)
* Enable mTLS by default (#323)
- from version 20231026.00
* Rotate MDS root certificate (#322)
- from version 20231020.00
* Update response struct, add tests (#315)
* Don't try to schedule mTLS job twice (#317)
- from version 20231019.00
* snapshot: Add context cancellation handling (#318)
- Bump the golang compiler version to 1.21 (bsc#1216546)
- Update to version 20231016.00
* instance setup: trust/rely on metadata package's retry (#316)
- from version 20231013.01
* Update known cert dirs for updaters (#314)
- from version 20231011.00
* Verify cert refresher is enabled before running (#312)
- from version 20231009.00
* Add support for the SSH key options (#296)
- from version 20231006.01
* Events interface improvement (#290)
- from version 20231006.00
* Refactor script runner to use common metadata package (#311)
* Schedule MTLS job before notifying systemd (#310)
* Refactor authorized keys to use metadata package (#300)
- from version 20231005.00
* docs update: add configuration and event manager's docs. (#309)
- from version 20231004.01
* Fix license header (#301)
* packaging(deb): add epoch to oslogin dep declaration (#308)
- from version 20231004.00
* packaging(deb): ignore suffix of version (#306)
* packaging: force epoch and ignore suffix of version (#305)
- from version 20231003.01
* oslogin: declare explicitly dependency (#304)
* oslogin: remove Unstable.pamless_auth_stack feature flag (#303)
- from version 20231003.00
* oslogin: resort ssh configuration keys (#299)
- from version 20230925.00
* oslogin: introduce a feature flag to cert auth (#298)
- from version 20230923.00
* gitignore: unify ignore in the root dir (#297)
- from version 20230921.01
* managers: we accidentally disabled addressMgr, bring it back (#295)
* cfg: fix typos (#294)
* cfg: config typos (#293)
* cfg: introduce a configuration management package (#288)
- from version 20230921.00
* mtls: bring it back (#292)
- from version 20230920.01
* Fix permissions on file created by SaferWriteFile() (#291)
- from version 20230920.00
* sshca: re-enable the event watcher & handler (#289)
- from version 20230919.01
* oslogin: add PAMless Authorization Stack configuration (#285)
- from version 20230919.00
* Preparing it for review (#287)
* sshca: make sure to restore SELinux context of the pipe (#286)
* remove deprecated usage, fix warnings (#282)
* Update system store (#278)
* Update workload certificate endpoints, use metadata package (#275)
* metadata: use url package to form metadata URLs (#284)
- from version 20230913.00
* release prep: disable ssh trusted ca module (#281)
- from version 20230912.00
* New Guest Agent Release (#280)
- from version 20230909.00
* Revert "service: remove the use of the service library (#273)" (#276)
* service: remove the use of the service library (#273)
- from version 20230906.01
* Store keys to machine keyset (#272)
- from version 20230905.00
* restorecon: first try to determine if it's installed (#271)
* run: change all commands to use CommandContext (#268)
* Notify systemd after scheduling required jobs (#270)
* Store certs in ProgramData instead of Program Files (#269)
* metadata watcher: remove local retry & implement unit tests (#267)
* run: split command running utilities into its own package (#265)
- Update to version 20230828.00
* snapshot: Use main context rather than create its own (#266)
- from version 20230825.01
* Verify if cert was successfully added to certpool (#264)
- from version 20230825.00
* Find previous cert for cleanup using one stored on disk (#263)
- from version 20230823.00
* Revert "sshtrustedca: configure selinux context
for sshtrustedca pipe (#256)" (#262)
* Update credentials directory on Linux (#260)
- from version 20230821.00
* Update owners (#261)
- from version 20230819.00
* Revert "guest-agent: prepare for public release (#258)" (#259)
- from version 20230817.00
* guest-agent: prepare for public release (#258)
- from version 20230816.01
* Enable telemetry collection by default (#253)
- from version 20230816.00
* Add pkcs12 license and update retry logic (#257)
* sshtrustedca: Configure selinux context for sshtrustedca pipe (#256)
* Store windows certs in certstore (#255)
* events: Multiplex event watchers (#250)
* Scheduler fixes (#254)
* Update license files (#251)
* Run telemetry every 24 hours, record pretty name on linux (#248)
- Update to version 20230811.00
* sshca: move the event handler to its own package (#247)
- from version 20230809.02
* Move scheduler package to google_guest_agent (#249)
- from version 20230809.01
* Add scheduler utility to run jobs at interval (#244)
- from version 20230809.00
* sshca: transform the format from json to openssh (#246)
- from version 20230803.00
* Add support for reading UEFI variables on windows (#243)
- from version 20230801.03
* sshtrustedca watcher: fix concurrency error (#242)
- from version 20230801.02
* metadata: add a delta between http client timeout and hang (#241)
- from version 20230801.00
* metadata: properly set request config (#240)
* main: bring back the mds client initialization (#239)
* metadata: don't try to use metadata before agentInit() is done (#238)
* Add (disabled) telemetry logic to GuestAgent (#219)
* metadata event handler: updates and bug fixes (#235)
* Verify client credentials are signed by root CA before writing on disk (#236)
* metadata: properly handle context cancelation (#234)
* metadata: fix context cancelation error check (#233)
* metadata: remove the sleep around metadata in instance setup (#232)
* metadata: implement backoff strategy (#231)
* Decrypt and store client credentials on disk (#230)
* Upgrade Go version 1.20 (#228)
* Fetch guest credentials and add MDS response proto (#226)
* metadata: pass main context to WriteGuestAttributes() (#227)
* Support for reading & writing Root CA cert from UEFI variable (#225)
* ssh_trusted_ca: enable the feature (#224)
* sshTrustedCA: add pipe event handler (#222)
* events: start using events layer (#223)
- from version 20230726.00
* events: introducing a events handling subsystem (#221)
- from version 20230725.00
* metadata: add metadata client interface (#220)
- from version 20230711.00
* metadata: moving to its own package (#218)
- from version 20230707.00
* snapshot: fix request handling error (#217)
- Bump Go API version to 1.20
- google-guest-configs
-
- Update to version 20240307.00 (bsc#1221146, bsc#1221900, bsc#1221901)
* Support dot in NVMe device ids (#68)
- from version 20240304.00
* google_set_hostname: Extract rsyslog service name
with a regexp for valid systemd unit names (#67)
- from version 20240228.00
* Remove quintonamore from OWNERS (#64)
- from version 20240119.00
* Setup smp affinity for IRQs and XPS on A3+ VMs (#63)
- Update to version 20231214.00
* set multiqueue: A3 check set timeout the MDS call in 1s (#62)
- from version 20231103.00
* Update owners (#61)
* Update owners (#58)
- Update to version 20230929.00
* Update multinic filter to pick only pci devices (#59)
- google-guest-oslogin
-
- Fix file permissions for google_authorized_principals binary (bsc#1222171)
- Update to version 20240311.00 (bsc#1218548, bsc#1221900, bsc#1221901)
* pam: Bring back pam's account management implementation (#133)
* Change error messages when checking login policy (#129)
* Remove quintonamore from OWNERS (#128)
- Add explicit versioned dependency on google-guest-agent (bsc#1219642)
- Update to version 20231116.00
* build: Fix DESTDIR concatenation (#124)
- from version 20231113.00
* build: Fix clang build (#122)
- from version 20231103.00
* Update owners (#121)
- Update to version 20231101.00 (bsc#1216548, bsc#1216750)
* Fix HTTP calls retry logic (#117)
- Update to version 20231004
* packaging: Make the dependency explicit (#120)
- update to 20230926.00:
* fix suse build
* selinux: fix selinux build (#114)
* test: align CXX Flags
* sshca: Make the implementation more C++ like
* sshca: Add a SysLog wrapper
* oslogin_utils: introduce AuthorizeUser() API
* sshca: move it out of pam dir
* pam: start disabling the use of oslogin_sshca
* sshca: consider sshca API to assume a cert only
* authorized principals: introduce the new command
* authorize keys: update to use new APIs
* pam modules: remove pam_*_admin and update pam_*_login
* cache_refresh: should be catching by reference.
- Update to version 20230823.00
* selinux: Add sshd_key_t type enforcement to trusted user ca (#113)
- from version 20230822.00
* sshca: Add tests with fingerprint and multiple extensions (#111)
- from version 20230821.01
* sshca: Support method token and handle multi line (#109)
- from version 20230821.00
* Update owners (#110)
- Update to version 20230808.00
* byoid: extract and apply the ca fingerprint to policy call (#106)
- Update to version 20230502.00
* Improve the URL in 2fa prompt (#104)
- from version 20230406.02
* Check open files (#101)
- from version 20230406.01
* Initialize variables (#100)
* Fix formatting (#102)
- from version 20230406.00
* PAM cleanup: remove duplicates (#97)
- from version 20230405.00
* NSS cleanup (#98)
- from version 20230403.01
* Cleanup Makefiles (#95)
- from version 20230403.00
* Add anandadalton to the owners list (#96)
- Update to version 20230217.00
* Update OWNERS (#91)
- from version 20230202.00
* Update owners file (#89)
- google-osconfig-agent
-
- Update to version 20240320.00 (bsc#1221900, bsc#1221901)
* Enable OSConfig agent to read GPG keys files with multiple entities (#537)
- from version 20240314.00
* Update OWNERS file to replace mahmoudn GitHub
username by personal email GitHub username (#534)
- from version 20240313.01
* Bump google.golang.org/protobuf from 1.30.0 to 1.33.0 in /e2e_tests (#535)
- from version 20240313.00
* Adds a console and gcloud example policies (#533)
- from version 20240228.00
* GuestPolicies e2e: Remove ed package if exist for zypper
startup_script in recipe-steps tests (#532)
- from version 20240126.00
* Fix Enterprise Linux Recipe-Steps tests to install
info dependency package in the startup-script (#530)
- from version 20240125.01
* Fix SUSE pkg-update and pkg-no-update e2e tests (#529)
- from version 20240125.00
* Fix zypper patch info parser to consider conflicts-pkgs float versions (#528)
- from version 20240123.01
* Fix SUSE package update e2e tests to use another existing package (#527)
- from version 20240123.00
* Update cis-exclude-check-once-a-day.yaml (#526)
- Update to version 20231219.00
* Bump golang.org/x/crypto from 0.14.0 to 0.17.0 (#524)
- from version 20231207.01
* Some change to create an agent release (#523)
- from version 20231207.00
* Some change to create an agent release (#522)
- from version 20231205.00
* Some change to create an agent release (#521)
- from version 20231130.02
* Merge pull request #519 from Gulio/just-release
* Merge branch 'master' into just-release
* Some change to create an agent release
* Some change to create an agent release
- from version 20231130.00
* Some change to create an agent release (#518)
- from version 20231129.00
* Fix parse yum updates to consider the packages under
installing-dependencies keyword (#502)
* Update feature names in the README file (#517)
- from version 20231128.00
* Updating owners (#508)
- from version 20231127.00
* Move OS policy CIS examples under the console folder (#514)
- from version 20231123.01
* Adds three more OS Policy examples to CIS folder (#509)
* Added ekrementeskii and MahmoudNada0 to OWNERS (#505)
- from version 20231123.00
* docs(osconfig):add OS policy examples for CIS scanning (#503)
- from version 20231121.02
* Added SCODE to Windows error description (#504)
- from version 20231121.01
* Update OWNERS (#501)
* Update go version to 1.21 (#507)
- from version 20231121.00
* Call fqdn (#481)
- from version 20231116.00
* Removing obsolete MS Windows 2019 images (#500)
- from version 20231107.00
* Update owners. (#498)
- from version 20231103.02
* Increasing test timeouts (#499)
* Update OWNERS (#497)
- from version 20231103.01
* Bump google.golang.org/grpc from 1.53.0 to 1.56.3 in /e2e_tests (#493)
* Bump google.golang.org/grpc from 1.53.0 to 1.56.3 (#494)
- from version 20231103.00
* Removing deprecated Win for containers OSs (#496)
- from version 20231027.00
* Shortening the reported image names (#495)
- from version 20231025.00
* Merge pull request #492 from GoogleCloudPlatform/michaljankowiak-patch-1
* Merge branch 'master' into michaljankowiak-patch-1
* Fixing name changes
* Fixing rename issue
* Fixed formatting
* Fixed formatting
* Fixing formatting
* Removing support for RHEL 6, adding RHEL 9
* Removing support for RHEL 6, adding for RHEL 9
* Removing support for RHEL 6 and adding for RHEL 9
* Removing step needed for RHEL 6
* Fixing build issues
* Removing nonexistent images and adding new ones
- from version 20231024.00
* Removing obsolete OS images and adding new ones (#491)
- from version 20231020.00
* Change debug messages when parsing zypper patch output (#490)
- from version 20231013.00
* Bump golang.org/x/net from 0.7.0 to 0.17.0 (#489)
- from version 20231010.00
* Revert "Added [main] section with gpgcheck to
the agent-managed repo file (#484)" (#488)
- from version 20231003.00
* Bump google.golang.org/grpc from 1.42.0 to 1.53.0 in /e2e_tests (#478)
- from version 20230920.00
* Update OWNERS (#485)
- from version 20230912.00
* Added [main] section with gpgcheck to the agent-managed repo file (#484)
* Migrate empty interface to any (#483)
- Bump the golang compiler version to 1.21 (bsc#1216546)
- Update to version 20230829.00
* Added burov, dowgird, paulinakania and Gulio to OWNERS (#482)
- growpart-rootgrow
-
- Update to version 1.0.7 (bsc#1219941)
+ Support root to be in a btrfs snapshot
+ 1.0.6 had different implementation for btrfs in snapshot support
- hawk2
-
- Update to version 2.6.4+git.1708604510.dc8c081f:
* Enable ACL (bsc#1214396,bsc#1219548)
- Update to version 2.6.4+git.1702030539.5fb7d91b:
* Enable HttpOnly secure flag by default (bsc#1216508)
* Enforce CSRF in errors_controller.rb (bsc#1216571)
* Fix mime type issue in MS windows (bsc#1215438)
* Parametrize CORS Access-Control-Allow-Origin header (bsc#1213454)
* Tests: upgrade tests for ruby3.2 (tumbleweed) (bsc#1215976)
* Upgrade for ruby3.2 (tumbleweed) (bsc#1215976)
* Forbid special symbols in the category (bsc#1206217)
* Fix the sass-rails version on ~5.0 (bsc#1208533)
* Don't delete the private key if the public key is missing (bsc#1207930)
* make-sle155-compatible.patch. No bsc, it's for backwards compatibility.
- krb5
-
- Fix vulnerabilities in GSS message token handling, add patch
0013-Fix-vulnerabilities-in-GSS-message-token-handling.patch
* CVE-2024-37370, bsc#1227186
* CVE-2024-37371, bsc#1227187
- Fix memory leaks, add patch 0012-Fix-two-unlikely-memory-leaks.patch
* CVE-2024-26458, bsc#1220770
* CVE-2024-26461, bsc#1220771
- resource-agents
-
- Azure-lb fails if IPv6 disabled (bsc#1223554)
Add upstream patch:
Add a new parameter: listen
This parameter can have the following values:
default: Neither -4 nor -6 will be used. The default behavior of socat and nc will be used.
  socat: Listen only on IPv4 addresses
  nc: If net.ipv6.bindv6only = 0 => Listen on both IPv4 and IPv6 addresses
      If net.ipv6.bindv6only = 1 => Listen only on IPv4 addresses
ipv4only: Listen only on IPv4 addresses.
ipv6enable: Enable TCP6 support.
  nc: Listen only on IPv6 addresses independent of net.ipv6.bindv6only
  socat: If net.ipv6.bindv6only = 0 => Listen on both IPv4 and IPv6 addresses.
      If net.ipv6.bindv6only = 1 => Listen only on IPv6 addresses.
Add patch:
0001-Azure-lb-fails-if-IPv6-disabled.patch
- resource-agents:azure-lb IPv6 support (bsc#1220997)
Add patch:
0001-Support-IPv6-with-Azure-load-balncer.patch
- less
-
- Fix CVE-2024-32487, mishandling of \n character in paths when
LESSOPEN is set leads to OS command execution
(CVE-2024-32487, bsc#1222849)
* CVE-2024-32487.patch
- Fix CVE-2022-48624, LESSCLOSE handling in less does not quote shell
metacharacters, bsc#1219901
* CVE-2022-48624.patch
- gcc13
-
- Update to GCC 13.3 release
- Update to gcc-13 branch head, b7a2697733d19a093cbdd0e200, git8761
- Removed gcc13-pr111731.patch now included upstream
- Add gcc13-amdgcn-remove-fiji.patch removing Fiji support from
the GCN offload compiler as that is requiring Code Object version 3
which is no longer supported by llvm18.
- Add gcc13-pr101523.patch to avoid combine spending too much
compile-time and memory doing nothing on s390x. [boo#1188441]
- Make requirement to lld version specific to avoid requiring the
meta-package.
- Add gcc13-pr111731.patch to fix unwinding for JIT code.
[bsc#1221239]
- Revert libgccjit dependency change. [boo#1220724]
- Fix libgccjit-devel dependency, a newer shared library is OK.
- Fix libgccjit dependency, the corresponding compiler isn't required.
- Use %patch -P N instead of %patchN.
- Add gcc13-sanitizer-remove-crypt-interception.patch to remove
crypt and crypt_r interceptors. The crypt API change in SLE15 SP3
breaks them. [bsc#1219520]
- Update to gcc-13 branch head, 67ac78caf31f7cb3202177e642, git8285
- Add gcc13-pr88345-min-func-alignment.diff to add support for -fmin-function-alignment. [bsc#1214934]
- Use %{_target_cpu} to determine host and build.
- Update to gcc-13 branch head, fc7d87e0ffadca49bec29b2107, git8250
* Includes fix for building TVM. [boo#1218492]
- Add cross-X-newlib-devel requires to newlib cross compilers.
[boo#1219031]
- Package m2rte.so plugin in the gcc13-m2 sub-package rather than
in gcc13-devel. [boo#1210959]
- Require libstdc++6-devel-gcc13 from gcc13-m2 as m2 programs
are linked against libstdc++6.
- Update to gcc-13 branch head, 36ddb5230f56a30317630a928, git8205
- Update to gcc-13 branch head, 741743c028dc00f27b9c8b1d5, git8109
* Includes fix for building mariadb on i686. [bsc#1217667]
* Remove pr111411.patch contained in the update.
- Avoid update-alternatives dependency for accelerator crosses.
- Package tool links to llvm in cross-amdgcn-gcc13 rather than in
cross-amdgcn-newlib13-devel since that also has the dependence.
- Depend on llvmVER instead of llvm with VER equal to
%product_libs_llvm_ver where available and adjust tool discovery
accordingly. This should also properly trigger re-builds when
the patchlevel version of llvmVER changes, possibly changing
the binary names we link to. [bsc#1217450]
- avahi
-
- Add avahi-CVE-2023-38472.patch: Fix reachable assertion in
avahi_rdata_parse (bsc#1216853, CVE-2023-38472).
- Add avahi-CVE-2023-38471.patch: Extract host name using
avahi_unescape_label (bsc#1216594, CVE-2023-38471).
- Add avahi-CVE-2023-38469.patch: Reject overly long TXT resource
records (bsc#1216598, CVE-2023-38469).
- Add avahi-CVE-2023-38470.patch: Ensure each label is at least one
byte long (bsc#1215947, CVE-2023-38470).
- Add avahi-CVE-2023-38473.patch: derive alternative host name from
its unescaped version (bsc#1216419 CVE-2023-38473).
- util-linux
-
- fix Xen virtualization type misidentification bsc#1215918
lscpu-fix-parameter-order-for-ul_prefix_fopen.patch
- Properly neutralize escape sequences in wall
(util-linux-CVE-2024-28085.patch, bsc#1221831, CVE-2024-28085,
and its prerequisites: util-linux-fputs_careful1.patch,
util-linux-wall-migrate-to-memstream.patch
util-linux-fputs_careful2.patch).
- Add upstream patch
util-linux-libuuid-avoid-truncate-clocks.txt-to-improve-perform.patch
bsc#1207987 gh#util-linux/util-linux@1d98827edde4
- c-ares
-
- CVE-2024-25629.patch: fix out of bounds read in ares__read_line()
(bsc#1220279, CVE-2024-25629)
- libxcrypt
-
- fix variable name for datamember in 'struct crypt_data' [bsc#1215496]
- added patches
fix https://github.com/besser82/libxcrypt/commit/b212d601549a0fc84cbbcaf21b931f903787d7e2
+ libxcrypt-man-fix-variable-name.patch
- libfastjson
-
- fix CVE-2020-12762 integer overflow and out-of-bounds write via a
large JSON file (bsc#1171479)
add 0001-Fix-CVE-2020-12762.patch
- mozilla-nss
-
- Require `sed` for mozilla-nss-sysinit, as setup-nsssysinit.sh
depends on it and will create a broken, empty config, if sed is
missing (bsc#1227918)
- update to NSS 3.101.2
* bmo#1905691 - ChaChaXor to return after the function
- Added nss-fips-safe-memset.patch, fixing bsc#1222811.
- Removed some dead code from nss-fips-constructor-self-tests.patch.
- Rebased nss-fips-approved-crypto-non-ec.patch on above changes.
- Added nss-fips-aes-gcm-restrict.patch, fixing bsc#1222830.
- Updated nss-fips-approved-crypto-non-ec.patch, fixing bsc#1222813,
bsc#1222814, bsc#1222821, bsc#1222822, bsc#1224118.
- Updated nss-fips-approved-crypto-non-ec.patch and
nss-fips-constructor-self-tests.patch, fixing bsc#1222807,
bsc#1222828, bsc#1222834.
- Updated nss-fips-approved-crypto-non-ec.patch, fixing bsc#1222804,
bsc#1222826, bsc#1222833, bsc#1224113, bsc#1224115, bsc#1224116.
- update to NSS 3.101.1
* bmo#1901932 - missing sqlite header.
* bmo#1901080 - GLOBALTRUST 2020: Set Distrust After for TLS and S/MIME.
- update to NSS 3.101
* bmo#1900413 - add diagnostic assertions for SFTKObject refcount.
* bmo#1899759 - freeing the slot in DeleteCertAndKey if authentication failed
* bmo#1899883 - fix formatting issues.
* bmo#1889671 - Add Firmaprofesional CA Root-A Web to NSS.
* bmo#1899593 - remove invalid acvp fuzz test vectors.
* bmo#1898830 - pad short P-384 and P-521 signatures gtests.
* bmo#1898627 - remove unused FreeBL ECC code.
* bmo#1898830 - pad short P-384 and P-521 signatures.
* bmo#1898825 - be less strict about ECDSA private key length.
* bmo#1854439 - Integrate HACL* P-521.
* bmo#1854438 - Integrate HACL* P-384.
* bmo#1898074 - memory leak in create_objects_from_handles.
* bmo#1898858 - ensure all input is consumed in a few places in mozilla::pkix
* bmo#1884444 - SMIME/CMS and PKCS #12 do not integrate with modern NSS policy
* bmo#1748105 - clean up escape handling
* bmo#1896353 - Use lib::pkix as default validator instead of the old-one
* bmo#1827444 - Need to add high level support for PQ signing.
* bmo#1548723 - Certificate Compression: changing the allocation/freeing of buffer + Improving the documentation
* bmo#1884444 - SMIME/CMS and PKCS #12 do not integrate with modern NSS policy
* bmo#1893404 - Allow for non-full length ecdsa signature when using softoken
* bmo#1830415 - Modification of .taskcluster.yml due to mozlint indent defects
* bmo#1793811 - Implement support for PBMAC1 in PKCS#12
* bmo#1897487 - disable VLA warnings for fuzz builds.
* bmo#1895032 - remove redundant AllocItem implementation.
* bmo#1893334 - add PK11_ReadDistrustAfterAttribute.
* bmo#215997 - Clang-formatting of SEC_GetMgfTypeByOidTag update
* bmo#1895012 - Set SEC_ERROR_LIBRARY_FAILURE on self-test failure
* bmo#1894572 - sftk_getParameters(): Fix fallback to default variable after error with configfile.
* bmo#1830415 - Switch to the mozillareleases/image_builder image
- Follow upstream changes in nss-fips-constructor-self-tests.patch (switch from ec_field_GFp to ec_field_plain)
- Remove part of nss-fips-zeroization.patch that got removed upstream
- update to NSS 3.100
- bmo#1893029 - merge pk11_kyberSlotList into pk11_ecSlotList for
faster Xyber operations.
- bmo#1893752 - remove ckcapi.
- bmo#1893162 - avoid a potential PK11GenericObject memory leak.
- bmo#671060 - Remove incomplete ESDH code.
- bmo#215997 - Decrypt RSA OAEP encrypted messages.
- bmo#1887996 - Fix certutil CRLDP URI code.
- bmo#1890069 - Don't set CKA_DERIVE for CKK_EC_EDWARDS private keys.
- bmo#676118 - Add ability to encrypt and decrypt CMS messages using ECDH.
- bmo#676100 - Correct Templates for key agreement in smime/cmsasn.c.
- bmo#1548723 - Moving the decodedCert allocation to NSS.
- bmo#1885404 - Allow developers to speed up repeated local execution
of NSS tests that depend on certificates.
- update to NSS 3.99
* Removing check for message len in ed25519 (bmo#1325335)
* add ed25519 to SECU_ecName2params. (bmo#1884276)
* add EdDSA wycheproof tests. (bmo#1325335)
* nss/lib layer code for EDDSA. (bmo#1325335)
* Adding EdDSA implementation. (bmo#1325335)
* Exporting Certificate Compression types (bmo#1881027)
* Updating ACVP docker to rust 1.74 (bmo#1880857)
* Updating HACL* to 0f136f28935822579c244f287e1d2a1908a7e552 (bmo#1325335)
* Add NSS_CMSRecipient_IsSupported. (bmo#1877730)
- update to NSS 3.98
* bmo#1780432 - (CVE-2023-5388) Timing attack against RSA decryption
in TLS
* bmo#1879513 - Certificate Compression: enabling the check that
the compression was advertised
* bmo#1831552 - Move Windows workers to nss-1/b-win2022-alpha
* bmo#1879945 - Remove Email trust bit from OISTE WISeKey
Global Root GC CA
* bmo#1877344 - Replace `distutils.spawn.find_executable` with
`shutil.which` within `mach` in `nss`
* bmo#1548723 - Certificate Compression: Updating nss_bogo_shim to
support Certificate compression
* bmo#1548723 - TLS Certificate Compression (RFC 8879) Implementation
* bmo#1875356 - Add valgrind annotations to freebl kyber operations
for constant-time execution tests
* bmo#1870673 - Set nssckbi version number to 2.66
* bmo#1874017 - Add Telekom Security roots
* bmo#1873095 - Add D-Trust 2022 S/MIME roots
* bmo#1865450 - Remove expired Security Communication RootCA1 root
* bmo#1876179 - move keys to a slot that supports concatenation in
PK11_ConcatSymKeys
* bmo#1876800 - remove unmaintained tls-interop tests
* bmo#1874937 - bogo: add support for the -ipv6 and -shim-id shim
flags
* bmo#1874937 - bogo: add support for the -curves shim flag and
update Kyber expectations
* bmo#1874937 - bogo: adjust expectation for a key usage bit test
* bmo#1757758 - mozpkix: add option to ignore invalid subject
alternative names
* bmo#1841029 - Fix selfserv not stripping `publicname:` from -X value
* bmo#1876390 - take ownership of ecckilla shims
* bmo#1874458 - add valgrind annotations to freebl/ec.c
* bmo#864039 - PR_INADDR_ANY needs PR_htonl before assignment to inet.ip
* bmo#1875965 - Update zlib to 1.3.1
- Use %patch -P N instead of deprecated %patchN.
- update to NSS 3.97
* bmo#1875506 - make Xyber768d00 opt-in by policy
* bmo#1871631 - add libssl support for xyber768d00
* bmo#1871630 - add PK11_ConcatSymKeys
* bmo#1775046 - add Kyber and a PKCS#11 KEM interface to softoken
* bmo#1871152 - add a FreeBL API for Kyber
* bmo#1826451 - part 2: vendor github.com/pq-crystals/kyber/commit/e0d1c6ff
* bmo#1826451 - part 1: add a script for vendoring kyber from pq-crystals repo
* bmo#1835828 - Removing the calls to RSA Blind from loader.*
* bmo#1874111 - fix worker type for level3 mac tasks
* bmo#1835828 - RSA Blind implementation
* bmo#1869642 - Remove DSA selftests
* bmo#1873296 - read KWP testvectors from JSON
* bmo#1822450 - Backed out changeset dcb174139e4f
* bmo#1822450 - Fix CKM_PBE_SHA1_DES2_EDE_CBC derivation
* bmo#1871219 - Wrap CC shell commands in gyp expansions
- update to NSS 3.96.1
* bmo#1869408 - Use pypi dependencies for MacOS worker in ./build_gyp.sh
* bmo#1830978 - p7sign: add -a hash and -u certusage (also p7verify cleanups)
* bmo#1867408 - add a defensive check for large ssl_DefSend return values
* bmo#1869378 - Add dependency to the taskcluster script for Darwin
* bmo#1869378 - Upgrade version of the MacOS worker for the CI
- add nss-allow-slow-tests-s390x.patch: "certutil dump keys with
explicit default trust flags" test needs longer than the allowed
6 seconds on s390x
- update to NSS 3.95
* bmo#1842932 - Bump builtins version number.
* bmo#1851044 - Remove Email trust bit from Autoridad de Certificacion
Firmaprofesional CIF A62634068 root cert.
* bmo#1855318 - Remove 4 DigiCert (Symantec/Verisign) Root Certificates
* bmo#1851049 - Remove 3 TrustCor Root Certificates from NSS.
* bmo#1850982 - Remove Camerfirma root certificates from NSS.
* bmo#1842935 - Remove old Autoridad de Certificacion Firmaprofesional
Certificate.
* bmo#1860670 - Add four Commscope root certificates to NSS.
* bmo#1850598 - Add TrustAsia Global Root CA G3 and G4 root certificates.
* bmo#1863605 - Include P-384 and P-521 Scalar Validation from HACL*
* bmo#1861728 - Include P-256 Scalar Validation from HACL*.
* bmo#1861265 - After the HACL 256 ECC patch, NSS incorrectly encodes
256 ECC without DER wrapping at the softoken level
* bmo#1837987 - Add means to provide library parameters to C_Initialize
* bmo#1573097 - clang format
* bmo#1854795 - add OSXSAVE and XCR0 tests to AVX2 detection.
* bmo#1858241 - Typo in ssl3_AppendHandshakeNumber
* bmo#1858241 - Introducing input check of ssl3_AppendHandshakeNumber
* bmo#1573097 - Fix Invalid casts in instance.c
- update to NSS 3.94
* bmo#1853737 - Updated code and commit ID for HACL*
* bmo#1840510 - update ACVP fuzzed test vector: refuzzed with
current NSS
* bmo#1827303 - Softoken C_ calls should use system FIPS setting
to select NSC_ or FC_ variants
* bmo#1774659 - NSS needs a database tool that can dump the low level
representation of the database
* bmo#1852179 - declare string literals using char in pkixnames_tests.cpp
* bmo#1852179 - avoid implicit conversion for ByteString
* bmo#1818766 - update rust version for acvp docker
* bmo#1852011 - Moving the init function of the mpi_ints before
clean-up in ec.c
* bmo#1615555 - P-256 ECDH and ECDSA from HACL*
* bmo#1840510 - Add ACVP test vectors to the repository
* bmo#1849077 - Stop relying on std::basic_string<uint8_t>
* bmo#1847845 - Transpose the PPC_ABI check from Makefile to gyp
- rebased patches
- added nss-fips-test.patch to fix broken test
- Update to NSS 3.93:
* bmo#1849471 - Update zlib in NSS to 1.3.
* bmo#1848183 - softoken: iterate hashUpdate calls for long inputs.
* bmo#1813401 - regenerate NameConstraints test certificates (boo#1214980).
- Rebase nss-fips-pct-pubkeys.patch.
- update to NSS 3.92
* bmo#1822935 - Set nssckbi version number to 2.62
* bmo#1833270 - Add 4 Atos TrustedRoot Root CA certificates to NSS
* bmo#1839992 - Add 4 SSL.com Root CA certificates
* bmo#1840429 - Add Sectigo E46 and R46 Root CA certificates
* bmo#1840437 - Add LAWtrust Root CA2 (4096)
* bmo#1822936 - Remove E-Tugra Certification Authority root
* bmo#1827224 - Remove Camerfirma Chambers of Commerce Root.
* bmo#1840505 - Remove Hongkong Post Root CA 1
* bmo#1842928 - Remove E-Tugra Global Root CA ECC v3 and RSA v3
* bmo#1842937 - Avoid redefining BYTE_ORDER on hppa Linux
- update to NSS 3.91
* bmo#1837431 - Implementation of the HW support check for ADX instruction
* bmo#1836925 - Removing the support of Curve25519
* bmo#1839795 - Fix comment about the addition of ticketSupportsEarlyData
* bmo#1839327 - Adding args to enable-legacy-db build
* bmo#1835357 - dbtests.sh failure in "certutil dump keys with explicit
default trust flags"
* bmo#1837617 - Initialize flags in slot structures
* bmo#1835425 - Improve the length check of RSA input to avoid heap overflow
* bmo#1829112 - Followup Fixes
* bmo#1784253 - avoid processing unexpected inputs by checking for
m_exptmod base sign
* bmo#1826652 - add a limit check on order_k to avoid infinite loop
* bmo#1834851 - Update HACL* to commit 5f6051d2
* bmo#1753026 - add SHA3 to cryptohi and softoken
* bmo#1753026 - HACL SHA3
* bmo#1836781 - Disabling ASM C25519 for all but X86_64
- removed upstreamed patch nss-fix-bmo1836925.patch
- update to NSS 3.90.3
* bmo#1901080 - GLOBALTRUST 2020: Set Distrust After for TLS and S/MIME.
* bmo#1748105 - clean up escape handling.
* bmo#1895032 - remove redundant AllocItem implementation.
* bmo#1836925 - Disable ASM support for Curve25519.
* bmo#1836781 - Disable ASM support for Curve25519 for all but X86_64.
- remove upstreamed nss-fix-bmo1836925.patch
- Adding nss-fips-bsc1223724.patch to fix startup crash of Firefox
when using FIPS-mode (bsc#1223724).
- Added "Provides: nss" so other RPMs that require 'nss' can
be installed (jira PED-6358).
- update to NSS 3.90.2
* bmo#1780432 - (CVE-2023-5388) Timing attack against RSA
decryption in TLS. (bsc#1216198)
* bmo#1867408 - add a defensive check for large ssl_DefSend
return values.
- update to NSS 3.90.1
* bmo#1813401 - regenerate NameConstraints test certificates.
* bmo#1854795 - add OSXSAVE and XCR0 tests to AVX2 detection.
- Remove nss-fix-bmo1813401.patch which is now upstream.
- Add nss-fix-bmo1813401.patch to fix bsc#1214980
- libgudev
-
- Update to version 237:
+ Fix reading double precision floats from sysfs attributes in
locales that use comma as a separator
+ Fix compilation warning
+ Fix headers to help with build reproducibility
+ Clarify licensing information
- Changes from version 236:
+ Fix meson project name to match autotools.
- Changes from version 235:
+ Port build system to meson and remove autotools
+ Fix conversion of sysfs attributes to boolean.
- Add meson BuildRequires and macros following upstreams port.
- Enable pkgconfig(umockdev-1.0) BuildRequires and test macro.
- Update Licence tag to LGPL-2.1-or-later.
- update to 234:
* Clarify that _get_sysfs_attr() functions are cached
* Add functions to get uncached sysfs attributes
- Update to version 233:
+ Require glib 2.38.
+ Small documentation updates.
+ Remove gnome-common build dependency.
- Use modern macros.
- Modernize spec-file by calling spec-cleaner
- jbigkit
-
- security update
- added patches
fix CVE-2022-1210 [bsc#1198146], Malicious file leads to a denial of service in TIFF File Handler
+ jbigkit-CVE-2022-1210.patch
- ncurses
-
- Add patch ncurses-6.1-bsc1220061.patch (bsc#1220061, CVE-2023-45918)
* Backport from ncurses-6.4-20230615.patch
improve checks in convert_string() for corrupt terminfo entry
- Add patch bsc1218014-cve-2023-50495.patch
* Fix CVE-2023-50495: segmentation fault via _nc_wrap_entry()
(bsc#1218014)
- Add patch boo1201384.patch
* Do not fully reset serial lines
- nghttp2
-
- security update
- added patches
fix CVE-2024-28182 [bsc#1221399], HTTP/2 CONTINUATION frames can be utilized for DoS attacks
+ nghttp2-CVE-2024-28182-1.patch
fix CVE-2024-28182-2 [bsc#1221399], HTTP/2 CONTINUATION frames can be utilized for DoS attacks
+ nghttp2-CVE-2024-28182-2.patch
- openssl-1_1
-
- Apply "openssl-CVE-2024-4741.patch" to fix a use-after-free
security vulnerability. Calling the function SSL_free_buffers()
potentially caused memory to be accessed that was previously
freed in some situations and a malicious attacker could attempt
to engineer a situation where this occurs to facilitate a
denial-of-service attack. [CVE-2024-4741, bsc#1225551]
- Security fix: [bsc#1222548, CVE-2024-2511]
* Fix unconstrained session cache growth in TLSv1.3
* Add openssl-CVE-2024-2511.patch
- Security fix: [bsc#1219243, CVE-2024-0727]
* Add NULL checks where ContentInfo data can be NULL
* Add openssl-CVE-2024-0727.patch
- pacemaker
-
- tools: CIB clients retry signon upon an EAGAIN error (gh#ClusterLabs/pacemaker#3567, bsc#1224183)
* bsc#1224183-0002-Fix-tools-CIB-clients-retry-signon-upon-an-EAGAIN-er.patch
- libcib: new function cib__signon_attempts() (gh#ClusterLabs/pacemaker#3567, bsc#1224183)
* bsc#1224183-0001-Refactor-libcib-new-function-cib__signon_attempts.patch
- libcrmcommon: reject ISO 8601 duration without any values (gh#ClusterLabs/pacemaker#3517)
* pacemaker#3517-0002-Low-libcrmcommon-reject-ISO-8601-duration-without-an.patch
- libstonithd: prevent to free 'op_reply' repeatedly in 'stonith_send_command' (gh#ClusterLabs/pacemaker#3517)
* pacemaker#3517-0001-prevent-to-free-op_reply-repeatedly-in-stonith_send_.patch
- tools: make crm_mon exit upon loss of the attached pseudo-terminal (bsc#1220229, gh#ClusterLabs/pacemaker#3430)
* bsc#1220229-0001-Fix-tools-make-crm_mon-exit-upon-loss-of-the-attache.patch
- libcib: Don't incorrectly expand "++" and "+=" in XML attr values (gh#ClusterLabs/pacemaker#3413)
* pacemaker#3413-0003-Fix-libcib-Don-t-incorrectly-expand-and-in-XML-attr-.patch
- libpacemaker: pcmk__inject_failcount should set an integer value (gh#ClusterLabs/pacemaker#3413)
* pacemaker#3413-0001-Low-libpacemaker-pcmk__inject_failcount-should-set-a.patch
- scheduler: log unknown nodes in location constraints (gh#ClusterLabs/pacemaker#3409, CLBZ#5415)
* pacemaker#3409-0007-Log-scheduler-log-unknown-nodes-in-location-constrai.patch
- scheduler: correct lifetime deprecation warning (gh#ClusterLabs/pacemaker#3409)
* pacemaker#3409-0006-Log-scheduler-correct-lifetime-deprecation-warning.patch
- tools: honor rules when getting utilization attributes with crm_resource (gh#ClusterLabs/pacemaker#3409)
* pacemaker#3409-0005-Fix-tools-honor-rules-when-getting-utilization-attri.patch
- scheduler: deprecate support for default instance attributes (gh#ClusterLabs/pacemaker#3409)
* pacemaker#3409-0004-Low-scheduler-deprecate-support-for-default-instance.patch
- scheduler: use default timeout (20s) if user configures 0 (gh#ClusterLabs/pacemaker#3409)
* pacemaker#3409-0003-Fix-scheduler-use-default-timeout-20s-if-user-config.patch
- tools: crm_resource should ignore resource meta-attribute node expressions (gh#ClusterLabs/pacemaker#3409)
* pacemaker#3409-0001-Fix-tools-crm_resource-should-ignore-resource-meta-a.patch
- fencer: always format time_t values as long long (gh#ClusterLabs/pacemaker#3407)
* pacemaker#3407-0001-Log-fencer-always-format-time_t-values-as-long-long.patch
- libcrmcommon: NULL-check strdup() in pcmk__register_message() (gh#ClusterLabs/pacemaker#3394)
* pacemaker#3394-0004-Low-libcrmcommon-NULL-check-strdup-in-pcmk__register.patch
- libcrmcommon: NULL-check strdup() in pcmk__register_format() (gh#ClusterLabs/pacemaker#3394)
* pacemaker#3394-0003-Low-libcrmcommon-NULL-check-strdup-in-pcmk__register.patch
- libpacemaker: Correctly free graphs and synapses (gh#ClusterLabs/pacemaker#3394)
* pacemaker#3394-0002-Low-libpacemaker-Correctly-free-graphs-and-synapses.patch
- libcrmcommon: Initialize some variables (gh#ClusterLabs/pacemaker#3394)
* pacemaker#3394-0001-Low-libcrmcommon-Initialize-some-variables.patch
- HealthSMART:fix the description of temp_lower_limit (gh#ClusterLabs/pacemaker#3392)
* pacemaker#3392-0001-Doc-HealthSMART-fix-the-description-of-temp_lower_li.patch
- cibsecret: Use 'ps axww' to avoid truncating issue (gh#ClusterLabs/pacemaker#3384)
* pacemaker#3384-0001-Fix-cibsecret-Use-ps-axww-to-avoid-truncating-issue.patch
- libcrmcommon: Don't try to parse XML from bad .bz2 file (gh#ClusterLabs/pacemaker#3361)
* pacemaker#3361-0001-Low-libcrmcommon-Don-t-try-to-parse-XML-from-bad-.bz.patch
- libcrmcommon: use uint32_t for 32-bit magic numbers (gh#ClusterLabs/pacemaker#3381)
* pacemaker#3381-0001-Fix-libcrmcommon-use-uint32_t-for-32-bit-magic-numbe.patch
- libcrmcommon: Use free_xml in html_free_priv. (gh#ClusterLabs/pacemaker#3380)
* pacemaker#3380-0003-Low-libcrmcommon-Use-free_xml-in-html_free_priv.patch
- libcrmcommon: Free error strings in html/xml outputters. (gh#ClusterLabs/pacemaker#3380)
* pacemaker#3380-0002-Low-libcrmcommon-Free-error-strings-in-html-xml-outp.patch
- libcrmcommon: Free text/curses private list data. (gh#ClusterLabs/pacemaker#3380)
* pacemaker#3380-0001-Low-libcrmcommon-Free-text-curses-private-list-data.patch
- tools: Fix argument validation for crm_attribute update. (gh#ClusterLabs/pacemaker#3379)
* pacemaker#3379-0001-Low-tools-Fix-argument-validation-for-crm_attribute-.patch
- libcrmcommon: Always output request= in XML output. (gh#ClusterLabs/pacemaker#3362)
* pacemaker#3362-0001-Low-libcrmcommon-Always-output-request-in-XML-output.patch
- tools: Fix memory leak in crm_mon with HTML output (gh#ClusterLabs/pacemaker#3332)
* pacemaker#3332-0001-Low-tools-Fix-memory-leak-in-crm_mon-with-HTML-outpu.patch
- attrd: write Pacemaker Remote node attributes even if not in cache (gh#ClusterLabs/pacemaker#3304)
* pacemaker#3304-0001-Fix-attrd-write-Pacemaker-Remote-node-attributes-eve.patch
- agents: Use attrd_updater dampen delay in SysInfo (gh#ClusterLabs/pacemaker#3286)
* pacemaker#3286-0002-Fix-agents-Use-attrd_updater-dampen-delay-in-SysInfo.patch
- libcrmcommon: Check correct env vars in pcmk__node_attr_target() (gh#ClusterLabs/pacemaker#3286)
* pacemaker#3286-0001-Low-libcrmcommon-Check-correct-env-vars-in-pcmk__nod.patch
- scheduler: restore nvpair behavior without id-ref (gh#ClusterLabs/pacemaker#3292)
* pacemaker#3292-0004-Low-scheduler-restore-nvpair-behavior-without-id-ref.patch
- libcrmcommon: fix NULL dereference in expand_idref() (gh#ClusterLabs/pacemaker#3292)
* pacemaker#3292-0002-Low-libcrmcommon-fix-NULL-dereference-in-expand_idre.patch
- scheduler: improve logs for invalid id-ref's (gh#ClusterLabs/pacemaker#3292)
* pacemaker#3292-0001-Log-scheduler-improve-logs-for-invalid-id-ref-s.patch
- pacemaker-attrd,libcrmcluster: avoid use-after-free when remote node in cluster node cache (gh#ClusterLabs/pacemaker#3293)
* pacemaker#3293-0002-Fix-pacemaker-attrd-libcrmcluster-avoid-use-after-fr.patch
- libcrmcluster: avoid use-after-free in trace log (gh#ClusterLabs/pacemaker#3293)
* pacemaker#3293-0001-Low-libcrmcluster-avoid-use-after-free-in-trace-log.patch
- HealthSmart: Check the parameter values of check_temperature to avoid error output (gh#ClusterLabs/pacemaker#3289)
* pacemaker#3289-0001-Fix-HealthSmart-Check-the-parameter-values-of-check_.patch
- agents: handle dampening parameter consistently and correctly
* 0001-Fix-agents-handle-dampening-parameter-consistently-a.patch
- crm_resource: make --wait wait for pending actions in CIB
* 0001-Refactor-crm_resource-make-wait-wait-for-pending-act.patch
- agents: HealthCPU - fix the validation of input
* 0001-fix-the-validation-of-input.patch
- libcrmcommon: wait for reply from appropriate controller commands (bsc#1218312, rh#2225631, rh#2221084)
* bsc#1218312-0001-Fix-libcrmcommon-wait-for-reply-from-appropriate-con.patch
- polkit
-
- Change permissions for rules folders (bsc#1209282)
- procps
-
- Submit latest procps 3.3.17 to SLE-15 tree for jira#PED-3244
and jira#PED-6369
- The patches now upstream had been dropped meanwhile
* procps-vmstat-1b9ea611.patch (bsc#1185417)
- For support up to 2048 CPU as well
* bsc1209122-a6c0795d.patch (bnc#1209122)
- allow `-` as leading character to ignore possible errors
on sysctl entries
* patch procps-ng-3.3.9-bsc1121753-Cpus.patch (bsc#1121753)
- was a backport of an upstream fix to get the first CPU
summary correct
- Enable pidof for SLE-15 as this is provided by sysvinit-tools
- Use a check on syscall __NR_pidfd_open to decide if
the pwait tool and its manual page will be built
- Modify patches
* procps-ng-3.3.9-w-notruncate.diff
* procps-ng-3.3.17-logind.patch
to real to not truncate output of w with option -n
- procps-ng-3.3.17-logind.patch: Backport from 4.x git, prefer
logind over utmp (jsc#PED-3144)
- python3
-
- Add CVE-2024-4032-private-IP-addrs.patch to fix bsc#1226448
(CVE-2024-4032) rearranging definition of private v global IP
addresses.
- Add CVE-2024-0397-memrace_ssl.SSLContext_cert_store.patch
fixing bsc#1226447 (CVE-2024-0397) by removing memory race
condition in ssl.SSLContext certificate store methods.
- Add bpo38361-syslog-no-slash-ident.patch (bsc#1222109,
gh#python/cpython!16557) fixes syslog making default "ident"
from sys.argv[0].
- Update CVE-2023-52425-libexpat-2.6.0-backport.patch so that
it uses features sniffing, not just comparing version number
(bsc#1220664, bsc#1219559, bsc#1221563, bsc#1222075).
- Remove support-expat-CVE-2022-25236-patched.patch, which was
the previous name of this patch.
- Add CVE-2023-52425-remove-reparse_deferral-tests.patch skipping
failing tests.
- Refresh patches:
- CVE-2023-27043-email-parsing-errors.patch
- fix_configure_rst.patch
- skip_if_buildbot-extend.patch
- bsc#1221854 (CVE-2024-0450) Add
CVE-2024-0450-zipfile-avoid-quoted-overlap-zipbomb.patch
detecting the vulnerability of the "quoted-overlap" zipbomb
(from gh#python/cpython!110016).
- Add bh42369-thread-safety-zipfile-SharedFile.patch (from
gh#python/cpython!26974) required by the previous patch.
- Add expat-260-test_xml_etree-reparse-deferral.patch to make the
interpreter work with patched libexpat in our distros.
- Move all patches from locally sourced to the
opensuse-3.6 branch at GitHub repo, and move all metadata to
commits themselves (readable in the headers of each patch).
- Add bpo-41675-modernize-siginterrupt.patch to make Python build
cleanly even on more recent SPs of SLE-15
(gh#python/cpython#85841).
- Remove patches:
- bpo36263-Fix_hashlib_scrypt.patch - fix against bug in
OpenSSL fixed in 1.1.1c (gh#openssl/openssl!8483), so this
patch is redundant on all SUSE-supported distros
- python-3.3.0b1-test-posix_fadvise.patch - protection
against the kernel issues which has been fixed in
gh#torvalds/linux@3d3727cdb07f, which has been included in
all our kernels more recent than SLE-11.
- python-3.3.3-skip-distutils-test_sysconfig_module.patch -
skips a test, which should be relevant only for testing on
Mac OS X systems with universal builds. I have no valid
record, that this test would be ever problematic on Linux.
- bpo-36576-skip_tests_for_OpenSSL-111.patch, which was
included already in Python 3.5.
- (bsc#1219666, CVE-2023-6597) Add
CVE-2023-6597-TempDir-cleaning-symlink.patch (patch from
gh#python/cpython!99930) fixing symlink bug in cleanup of
tempfile.TemporaryDirectory.
- Merge together bpo-36576-skip_tests_for_OpenSSL-111.patch into
skip_SSL_tests.patch, and make them include all conditionals.
- Refresh CVE-2023-27043-email-parsing-errors.patch to
gh#python/cpython!111116, fixing bsc#1210638 (CVE-2023-27043).
- libqb
-
- ipc: Retry receiving credentials if the message is short (gh#ClusterLabs/libqb#476, rh#2111711, bsc#1224183)
* bsc#1224183-0001-ipc-Retry-receiving-credentials-if-the-the-message-i.patch
- qrencode
-
- update to 4.1.1 (jsc#PED-7296):
* Some minor bugs in Micro QR Code generation have been fixed.
* The data capacity calculations are now correct. These bugs probably did not
affect the Micro QR Code generation.
- update to 4.1.0:
* Command line tool "qrencode" has been improved:
* New option "--inline" has been added. (Thanks to @jp-bennett)
* New option "--strict-version" has been added.
* UTF8 mode now supports ANSI256 color. (Thanks to András Veres-
Szentkirályi)
* Micro QR Code no longer requires to specify the version number.
* 'make check' allows to run the test programs. (Thanks to Jan Tojnar)
* Some compile time warnings have been fixed.
* Various CMake support improvements. (Thanks to @mgorny and @sdf5)
* Some minor bug fixes. (Thanks to Lonnie Abelbeck and Frédéric Wang)
* Some documentation/manpage improvements. (Thanks to Dan Jacobson)
* Some performance improvements. (Thanks to @4061N and Mika Lindqvist)
- remove qrencode-fix-installation.patch (upstream)
- Update to version 4.0.2
* Build script fixes. (Thanks to @mgorny)
version 4.0.1
* CMake support improved.
* New test scripts have been added.
* Some compile time warnings have been fixed.
- Refreshed qrencode-fix-installation.patch
- libsolv
-
- add a conflict to older libsolv-tools to libsolv-tools-base
- improve updating of installed multiversion packages
- fix decision introspection going into an endless loop in some
cases
- added experimental lua bindings
- bump version to 0.7.29
- split libsolv-tools into libsolv-tools-base [jsc#PED-8153]
- build for multiple python versions [jsc#PED-6218]
- bump version to 0.7.28
- add zstd support for the installcheck tool
- add putinowndirpool cache to make file list handling in
repo_write much faster
- bump version to 0.7.27
- fix evr roundtrip in testcases
- do not use deprecated headerUnload with newer rpm versions
- bump version to 0.7.26
- support complex deps in SOLVABLE_PREREQ_IGNOREINST
- fix minimization not preferring installed packages in some cases
- reduce memory usage in repo_updateinfoxml
- fix lock-step interfering with architecture selection
- fix choice rule handling for package downgrades
- fix complex dependencies with an "else" part sometimes leading
to unsolved dependencies
- bump version to 0.7.25
- libssh
-
- Fix regression parsing IPv6 addresses provided as hostname (bsc#1227396)
- added libssh-fix-ipv6-hostname-regression.patch
- Update to 0.9.8: [jsc#PED-7719, bsc#1218126, CVE-2023-48795]
* Rebase 0001-disable-timeout-test-on-slow-buildsystems.patch
* Remove patches fixed in the update:
- CVE-2019-14889.patch
- 0001-CVE-2020-1730-Fix-a-possible-segfault-when-zeroing-A.patch
- Update to version 0.9.8
* Fix CVE-2023-6004: Command injection using proxycommand (bsc#1218209)
* Fix CVE-2023-48795: Potential downgrade attack using strict kex (bsc#1218126)
* Fix CVE-2023-6918: Missing checks for return values of MD functions (bsc#1218186)
* Allow @ in usernames when parsing from URI composes
- Update to version 0.9.7
* Fix CVE-2023-1667: a NULL dereference during rekeying with algorithm
guessing (bsc#1211188)
* Fix CVE-2023-2283: a possible authorization bypass in
pki_verify_data_signature under low-memory conditions (bsc#1211190)
* Fix several memory leaks in GSSAPI handling code
- Update to version 0.9.6 (bsc#1189608, CVE-2021-3634)
* https://git.libssh.org/projects/libssh.git/tag/?h=libssh-0.9.6
- Add missing BR for openssh needed for tests
- update to 0.9.5 (bsc#1174713, CVE-2020-16135):
* CVE-2020-16135: Avoid null pointer dereference in sftpserver (T232)
* Improve handling of library initialization (T222)
* Fix parsing of subsecond times in SFTP (T219)
* Make the documentation reproducible
* Remove deprecated API usage in OpenSSL
* Fix regression of ssh_channel_poll_timeout() returning SSH_AGAIN
* Define version in one place (T226)
* Prevent invalid free when using different C runtimes than OpenSSL (T229)
* Compatibility improvements to testsuite
- Update to version 0.9.4
* https://www.libssh.org/2020/04/09/libssh-0-9-4-and-libssh-0-8-9-security-release/
* Fix possible Denial of Service attack when using AES-CTR-ciphers
CVE-2020-1730 (bsc#1168699)
- libssh2_org
-
- Fix an issue with Encrypt-then-MAC family. [bsc#1221622]
* Test the ETM feature in the remote end's configuration when
receiving data. Upstream issue: #1331.
* Add libssh2_org-ETM-remote.patch
- Always add the KEX pseudo-methods "ext-info-c" and "kex-strict-c-v00@openssh.com"
when configuring custom method list. [bsc#1218971, CVE-2023-48795]
* The strict-kex extension is announced in the list of available
KEX methods. However, when the default KEX method list is modified
or replaced, the extension is not added back automatically.
* Add libssh2_org-CVE-2023-48795-ext.patch
- Security fix: [bsc#1218127, CVE-2023-48795]
* Add 'strict KEX' to fix CVE-2023-48795 "Terrapin Attack"
* Add libssh2_org-CVE-2023-48795.patch
- suseconnect-ng
-
- Update version to 1.11
- Added uname as collector
- Added SAP workload detection
- Added detection of container runtimes
- Multiple fixes on ARM64 detection
- Use `read_values` for the CPU collector on Z
- Fixed data collection for ppc64le
- Grab the home directory from /etc/passwd if needed (bsc#1226128)
- Update version to 1.10.0
* Build zypper-migration and zypper-packages-search as standalone
binaries rather than one single binary
* Add --gpg-auto-import-keys flag before action in zypper command (bsc#1219004)
* Include /etc/products.d in directories whose content are backed
up and restored if a zypper-migration rollback happens. (bsc#1219004)
* Add the ability to upload the system uptime logs, produced by the
suse-uptime-tracker daemon, to SCC/RMT as part of keepalive report.
(jsc#PED-7982) (jsc#PED-8018)
* Add support for third party packages in SUSEConnect
* Refactor existing system information collection implementation
- Update to version 1.9.0
* Fix certificate import for Yast when using a registration proxy with
self-signed SSL certificate (bsc#1223107)
- Update to version 1.8.0
* Allow "--rollback" flag to run on readonly filesystem (bsc#1220679)
- Update to version 1.7.0
* Allow SUSEConnect on read write transactional systems (bsc#1219425)
- Update to version 1.6.0
* Disable EULA display for addons (bsc#1218649 and bsc#1217961)
- Update to version 1.5.0
* Configure docker credentials for registry authentication
* Feature: Support usage from Agama + Cockpit for ALP Micro system registration (bsc#1218364)
* Add --json output option
- tiff
-
- security update:
* CVE-2023-3164 [bsc#1212233]
Fix heap buffer overflow in tiffcrop
+ tiff-CVE-2023-3164.patch
- security update:
* CVE-2023-40745[bsc#1214687] CVE-2023-41175[bsc#1214686] [bsc#1221187]
CVE-2023-38288[bsc#1213590]
Fix potential int overflow in raw2tiff.c and tiffcp.c
Rename tiff-CVE-2023-38288.patch into
tiff-CVE-2023-38288,CVE-2023-40745,CVE-2023-41175.patch
- security update:
* CVE-2023-52356 [bsc#1219213]
Fix segfault in TIFFReadRGBATileExt()
+ tiff-CVE-2023-52356.patch
- security update:
* CVE-2023-2731 [bsc#1211478]
Fix null pointer dereference in LZWDecode()
This patch also contains a required commit which is marked
to fix CVE-2022-1622 [bsc#1199483] but we are not vulnerable
to that CVE because relevant code is not present.
+ tiff-CVE-2023-2731.patch
* CVE-2023-26965 [bsc#1212398]
Fix heap-based use after free in loadImage()
+ tiff-CVE-2023-26965.patch
* CVE-2022-40090 [bsc#1214680]
Fix infinite loop in TIFFReadDirectory()
+ tiff-CVE-2022-40090.patch
* CVE-2023-1916 [bsc#1210231]
Fix out-of-bounds read in extractImageSection()
+ tiff-CVE-2023-1916.patch
- libvirt
-
- CVE-2024-2494: remote: check for negative array lengths before
allocation
8a3f8d95-CVE-2024-2494.patch, 1b8c1ce7-adapt-libssh2-api.patch
bsc#1221815
- libxml2
-
- Security fix (CVE-2024-34459, bsc#1224282) buffer over-read in
xmlHTMLPrintFileContext in xmllint.c
* Added libxml2-CVE-2024-34459.patch
- Security fix (CVE-2024-25062, bsc#1219576) use-after-free in XMLReader
* Added libxml2-CVE-2024-25062.patch
- libzypp
-
- zypp-tui: Make sure translated texts use the correct textdomain
(fixes #551)
- Skip libproxy1 requires for tumbleweed.
- version 17.34.1 (34)
- don't require libproxy1 on tumbleweed, it is optional now
- version 17.34.0 (34)
- Fix versioning scheme
- version 17.33.4 (35)
- add one more missing export for libyui-qt-pkg
- Revert eintrSafeCall behavior to setting errno to 0.
- version 17.33.3 (34)
- fix up requires_eq usage for libsolv-tools-base
- add one more missing export for PackageKit
- version 17.33.2
- version 17.33.1 (33)
- switch to reduced size libsolv-tools-base (jsc#PED-8153)
- Fixed check for outdated repo metadata as non-root user
(bsc#1222086)
- Add ZYPP_API for exported functions and switch to
visibility=hidden (jsc#PED-8153)
- Dynamically resolve libproxy (jsc#PED-8153)
- version 17.33.0 (33)
- Fix download from gpgkey URL (bsc#1223430, fixes openSUSE/zypper#546)
- version 17.32.6 (32)
- Don't try to refresh volatile media as long as raw metadata are
present (bsc#1223094)
- version 17.32.5 (32)
- Fix creation of sibling cache dirs with too restrictive mode
(bsc#1222398)
Some install workflows in YAST may lead to too restrictive (0700)
raw cache directories in case of newly created repos. Later
commands running with user privileges may not be able to access
these repos.
- version 17.32.4 (32)
- Update RepoStatus fromCookieFile according to the files mtime
(bsc#1222086)
- TmpFile: Don't call chmod if makeSibling failed.
- version 17.32.3 (32)
- Fixup New VendorSupportOption flag VendorSupportSuperseded
(jsc#OBS-301, jsc#PED-8014)
Fixed the name of the keyword to "support_superseded" as it was
agreed on in jsc#OBS-301.
- version 17.32.2 (32)
- Add resolver option 'removeUnneeded' to file weak remove jobs
for unneeded packages (bsc#1175678)
- version 17.32.1 (32)
- Add resolver option 'removeOrphaned' for distupgrade
(bsc#1221525)
- New VendorSupportOption flag VendorSupportSuperseded
(jsc#OBS-301, jsc#PED-8014)
- Tests: fix vsftpd.conf where SUSE and Fedora use different
defaults (fixes #522)
- Add default stripe minimum (#529)
- Don't expose std::optional where YAST/PK explicitly use c++11.
- Digest: Avoid using the deprecated OPENSSL_config.
- version 17.32.0 (32)
- ProblemSolution::skipsPatchesOnly overload to handout the
patches.
- Remove https->http redirection exceptions for
download.opensuse.org.
- version 17.31.32 (22)
- tui: allow to access the underlying ostream of out::Info.
- Add MLSep: Helper to produce not-NL-terminated multi line
output.
- version 17.31.31 (22)
- applydeltaprm: Create target directory if it does not exist
(bsc#1219442)
- Add ProblemSolution::skipsPatchesOnly (for openSUSE/zypper#514)
- Fix problems with EINTR in ExternalDataSource::getline (fixes
bsc#1215698)
- version 17.31.30 (22)
- CheckAccessDeleted: fix running_in_container detection
(bsc#1218782)
- Detect CURLOPT_REDIR_PROTOCOLS_STR availability at runtime
(bsc#1218831)
- Make Wakeup class EINTR safe.
- Add a way to cancel media operations on shutdown
(openSUSE/zypper#522)
This patch adds a mechanism to signal libzypp that a shutdown was
requested, usually when CTRL+C was pressed by the user. Currently
only the media backend will utilize this, but can be extended to
all code paths that use g_poll() to wait for events.
- Manually poll fds for curl in MediaCurl.
Using curl_easy_perform does not give us the required control on
when we want to cancel a download. Switching to the MultiCurl
implementation with an external poll() event loop will give us
much more freedom and helps us to improve our Ctrl+C handling.
- Move reusable curl poll code to curlhelper.h.
- version 17.31.29 (22)
- Fix to build with libxml 2.12.x (fixes #505)
- version 17.31.28 (22)
- CheckAccessDeleted: fix 'running in container' filter
(bsc#1218291)
- version 17.31.27 (22)
- Call zypp commit plugins during transactional update (fixes #506)
- Add support for loongarch64 (fixes #504)
- Teach MediaMultiCurl to download HTTP Multibyte ranges.
- Teach zsync downloads to MultiCurl.
- Expand RepoVars in URLs downloading a .repo file (bsc#1212160)
Convenient and helps documentation as it may refer to a single
command for a bunch of distributions. Like e.g. "zypper ar
'https://server.my/$releasever/my.repo'".
- version 17.31.26 (22)
- Fix build issue with zchunk build flags (fixes #500)
- version 17.31.25 (22)
- Open rpmdb just once during execution of %posttrans scripts
(bsc#1216412)
- Avoid using select() since it does not support fd numbers >
1024 (fixes #447)
- tools/DownloadFiles: use standard zypp progress bar (fixes #489)
- Revert "Color download progress bar" (fixes #475)
Cyan is already used for the output of RPM scriptlets. Avoid this
colorific collision between download progress bar and scriptlet
output.
- Fix ProgressBar's calculation of the printed tag position (fixes #494)
- Switch zypp::Digest to Openssl 3.0 Provider API (fixes #144)
- Fix usage of deprecated CURL features (fixes #486)
- version 17.31.24 (22)
- Stop using boost version 1 timer library (fixes #489,
bsc#1215294)
- version 17.31.23 (22)
- shadow
-
- bsc#1228770: Fix not copying of skel files
Update shadow-CVE-2013-4235.patch
- bsc#916845 (CVE-2013-4235): Fix TOCTOU race condition
Add shadow-CVE-2013-4235.patch
- netcfg
-
- Add krb-prop entry, fix for bsc#1211886.
- ocfs2-tools
-
- OCFS2 writes delay on large volumes - slow la window lookup from global_bitmap (bsc#1219224)
* bsc1219224-debugfs.ocfs2-support-recording-gd-bg_contig_free_bi.patch
- fsck.ocfs2: add the ability to clear jbd2 errno (bsc#1216834)
+ mounted.ocfs2-use-sys-sysmacros.h-include-for-makede.patch
+ Fix-build-failure-with-glibc-2.28.patch
+ bsc1216834-fsck.ocfs2-add-the-ability-to-clear-jbd2-errno.patch
- openssh
-
- Add patches from upstream to change the default value of
UpdateHostKeys to Yes (unless VerifyHostKeyDNS is enabled).
This makes ssh update the known_hosts stored keys with all
published versions by the server (after it's authenticated
with an existing key), which will allow to identify the
server with a different key if the existing key is considered
insecure at some point in the future (bsc#1222831).
* 0001-upstream-enable-UpdateHostkeys-by-default-when-the.patch
* 0002-upstream-disable-UpdateHostkeys-by-default-if.patch
- Add patches openssh-7.7p1-seccomp_getuid.patch and
openssh-bsc1216474-s390-leave-fds-open.patch
(bsc#1216474, bsc#1218871)
- Fix hostbased ssh login failing occasionally with "signature
unverified: incorrect signature" by fixing a typo in patch
(bsc#1221123):
* openssh-7.8p1-role-mls.patch
- Added openssh-cve-2023-51385.patch (bsc#1218215, CVE-2023-51385).
This limits the use of shell metacharacters in host- and
user names.
- Added openssh-cve-2023-48795.patch (bsc#1217950, CVE-2023-48795).
This mitigates a prefix truncation attack that could be used to
undermine channel security.
- Enhanced SELinux functionality. Added
* openssh-7.8p1-role-mls.patch
Proper handling of MLS systems and basis for other SELinux
improvements
* openssh-6.6p1-privsep-selinux.patch
Properly set contexts during privilege separation
* openssh-6.6p1-keycat.patch
Add ssh-keycat command to allow retrieval of authorized_keys
on MLS setups with polyinstantiation
* openssh-6.6.1p1-selinux-contexts.patch
Additional changes to set the proper context during privilege
separation
* openssh-7.6p1-cleanup-selinux.patch
Various changes and putting the pieces together
For now we don't ship the ssh-keycat command, but we need the patch
for the other SELinux infrastructure
This change fixes issues like bsc#1214788, where the ssh daemon
needs to act on behalf of a user and needs a proper context for this
- pam-config
-
- Fix pam_gnome_keyring module for AUTH.
[pam-config-fix-pam_gnome_keyring.patch, bsc#1219767]
- pam
-
- Add missing O_DIRECTORY flag in `protect_dir()` for pam_namespace module.
[bsc#1218475, pam-bsc1218475-pam_namespace-O_DIRECTORY-flag.patch]
- pam_lastlog: check localtime_r() return value (bsc#1217000)
* Added: pam-bsc1217000-pam_lastlog-check-localtime_r-return-value.patch
- perl
-
- fix space calculation issues in pp_pack.c [bnc#1082216]
[CVE-2018-6913]
* new patch: perl-pack-overflow.diff
- fix heap buffer overflow in regexec.c [bnc#1082233]
[CVE-2018-6798]
new patch: perl-regexec-heap-overflow.diff
- make Net::FTP work with TLS 1.3 [bnc#1213638]
new patch: perl-net-ftp-tls13.diff
- python-instance-billing-flavor-check
-
- Version 0.0.6 (bsc#1218561)
Support proxy setup on the client to access the update infrastructure
API
- Version 0.0.5
Add IPv6 support (bsc#1218739)
- Version 0.0.4
Run the command as sudo only (bsc#1217696, bsc#1217695)
- Version 0.0.3
Handle exception for Python 3.4
- python-Jinja2
-
- Add CVE-2024-34064.patch upstream patch
(CVE-2024-34064, bsc#1223980, gh#pallets/jinja@0668239dc6b4)
Also fixes (CVE-2024-22195, bsc#1218722)
- python-chardet
-
- Fix update-alternative in %postun, bsc#1218765
- python-cryptography
-
- Add CVE-2023-49083.patch to fix a null-pointer dereference and
segfault that could occur when loading certificates from a PKCS#7 bundle.
bsc#1217592
- python-idna
-
- Add CVE-2024-3651.patch, backported from upstream commit
gh#kjd/idna#172/commits/5beb28b9dd77912c0dd656d8b0fdba3eb80222e7
(bsc#1222842, CVE-2024-3651)
- python-pycryptodome
-
- Add CVE-2023-52323-side_channel-RSA_decrypt.patch (bsc#1218564,
CVE-2023-52323) fixing side-channel leakage in RSA decryption.
- Add CVE-2023-52323-const_time-decoding.patch (bsc#1218564,
CVE-2023-52323) using constant-time (faster) padding decoding
also for OAEP.
- python-requests
-
- Update CVE-2024-35195.patch to allow the usage of "verify" parameter
as a directory, bsc#1225912
- Add CVE-2024-35195.patch (CVE-2024-35195, bsc#1224788)
- Add httpbin.patch to fix a test failure caused by the previous patch.
- salt
-
- Speed up salt.matcher.confirm_top by using __context__
- Do not call the async wrapper calls with the separate thread
- Prevent OOM with high amount of batch async calls (bsc#1216063)
- Add missing contextvars dependency in salt.version
- Skip tests for unsupported algorithm on old OpenSSL version
- Remove redundant `_file_find` call to the master
- Prevent possible exception in tornado.concurrent.Future._set_done
- Make reactor engine less blocking the EventPublisher
- Make salt-master self recoverable on killing EventPublisher
- Improve broken events catching and reporting
- Make logging calls lighter
- Remove unused import causing delays on starting salt-master
- Mark python3-CherryPy as recommended package for the testsuite
- Added:
* add-missing-contextvars-dependency-in-salt.version.patch
* make-reactor-engine-less-blocking-the-eventpublisher.patch
* prevent-possible-exception-in-tornado.concurrent.fut.patch
* skip-tests-for-unsupported-algorithm-on-old-openssl-.patch
* remove-unused-import-causing-delays-on-starting-salt.patch
* prevent-oom-with-high-amount-of-batch-async-calls-bs.patch
* remove-redundant-_file_find-call-to-the-master.patch
* make-logging-calls-lighter.patch
* improve-broken-events-catching-and-reporting.patch
* do-not-call-the-async-wrapper-calls-with-the-separat.patch
* make-salt-master-self-recoverable-on-killing-eventpu.patch
* speed-up-salt.matcher.confirm_top-by-using-__context.patch
- Make "man" a recommended package instead of required
- Convert oscap output to UTF-8
- Make Salt compatible with Python 3.11
- Ignore non-ascii chars in oscap output (bsc#1219001)
- Fix detected issues in Salt tests when running on VMs
- Make importing seco.range thread safe (bsc#1211649)
- Fix problematic tests and allow smooth tests executions
on containers
- Discover Ansible playbook files as "*.yml" or "*.yaml"
files (bsc#1211888)
- Provide user(salt)/group(salt) capabilities for RPM 4.19
- Extend dependencies for python3-salt-testsuite
and python3-salt packages
- Improve Salt and testsuite packages multibuild
- Enable multibuild and create test flavor
- Prevent exceptions with fileserver.update when called
via state (bsc#1218482)
- Improve pip target override condition with VENV_PIP_TARGET
environment variable (bsc#1216850)
- Fixed KeyError in logs when running a state that fails
- Added:
* fixed-keyerror-in-logs-when-running-a-state-that-fai.patch
* fix-salt-warnings-and-testuite-for-python-3.11-635.patch
* discover-both-.yml-and-.yaml-playbooks-bsc-1211888.patch
* decode-oscap-byte-stream-to-string-bsc-1219001.patch
* fix-tests-failures-and-errors-when-detected-on-vm-ex.patch
* allow-kwargs-for-fileserver-roots-update-bsc-1218482.patch
* improve-pip-target-override-condition-with-venv_pip_.patch
* make-importing-seco.range-thread-safe-bsc-1211649.patch
* fix-problematic-tests-and-allow-smooth-tests-executi.patch
* switch-oscap-encoding-to-utf-8-639.patch
- Prevent directory traversal when creating syndic cache directory
on the master (CVE-2024-22231, bsc#1219430)
- Prevent directory traversal attacks in the master's serve_file
method (CVE-2024-22232, bsc#1219431)
- Added:
* fix-cve-2024-22231-and-cve-2024-22232-bsc-1219430-bs.patch
- Ensure that pillar refresh loads beacons from pillar without restart
- Fix the aptpkg.py unit test failure
- Prefer unittest.mock to python-mock in test suite
- Enable "KeepAlive" probes for Salt SSH executions (bsc#1211649)
- Revert changes to set Salt configured user early in the stack (bsc#1216284)
- Align behavior of some modules when using salt-call via symlink (bsc#1215963)
- Fix gitfs "__env__" and improve cache cleaning (bsc#1193948)
- Remove python-boto dependency for the python3-salt-testsuite package for Tumbleweed
- Added:
* enable-keepalive-probes-for-salt-ssh-executions-bsc-.patch
* update-__pillar__-during-pillar_refresh.patch
* fix-gitfs-__env__-and-improve-cache-cleaning-bsc-119.patch
* prefer-unittest.mock-for-python-versions-that-are-su.patch
* revert-make-sure-configured-user-is-properly-set-by-.patch
* fix-the-aptpkg.py-unit-test-failure.patch
* dereference-symlinks-to-set-proper-__cli-opt-bsc-121.patch
- python-shaptools
-
- Create version 0.3.14
- Make shaptools available for venv-salt-minion (bsc#1212695)
- python-urllib3
-
- Add CVE-2024-37891.patch (bsc#1226469, CVE-2024-37891)
- rubygem-actionpack-5_1
-
- modified patches
+ 0009-CVE-2020-8166.patch (fixed)
- rubygem-actionpack-5_1-CVE-2020-8166.patch (renamed)
- security update
* fix CVE-2020-8166 patch port [bsc#1215707]
- security update
- added patches
fix CVE-2020-8166 [bsc#1172182], Ability to forge per-form CSRF tokens given a global CSRF token
+ rubygem-actionpack-5_1-CVE-2020-8166.patch
- rubygem-rack
-
- security update
- added patches
fix CVE-2024-25126 [bsc#1220239], Denial of Service Vulnerability in Rack Content-Type Parsing
+ rubygem-rack-CVE-2024-25126.patch
fix CVE-2024-26141 [bsc#1220242], Denial of Service Vulnerability in Range request header parsing
+ rubygem-rack-CVE-2024-26141.patch
fix CVE-2024-26146 [bsc#1220248], Denial of Service vulnerability in Rack headers parsing routine
+ rubygem-rack-CVE-2024-26146.patch
- rubygem-sass
-
- updated to version 3.7.4
no changelog found
- updated to version 3.7.3
no changelog found
- updated to version 3.7.2
no changelog found
- updated to version 3.6.0
no changelog found
- updated to version 3.5.7
no changelog found
- updated to version 3.5.6
no changelog found
- updated to version 3.5.5
no changelog found
- runc
-
[ This was only ever released for SLES and Leap. ]
- Update to runc v1.1.13. Upstream changelog is available from
<https://github.com/opencontainers/runc/releases/tag/v1.1.12>.
- Rebase patches:
* 0001-bsc1221050-libct-seccomp-patchbpf-rm-duplicated-code.patch
* 0002-bsc1221050-seccomp-patchbpf-rename-nativeArch-linuxA.patch
* 0003-bsc1221050-seccomp-patchbpf-always-include-native-ar.patch
- Backport <https://github.com/opencontainers/runc/pull/3931> to fix a
performance issue when running lots of containers, caused by system getting
too many mount notifications. bsc#1214960
+ 0004-bsc1214960-nsenter-cloned_binary-remove-bindfd-logic.patch
- Add upstream patch <https://github.com/opencontainers/runc/pull/4219> to
properly fix -ENOSYS stub on ppc64le. bsc#1192051 bsc#1221050
+ 0001-bsc1221050-libct-seccomp-patchbpf-rm-duplicated-code.patch
+ 0002-bsc1221050-seccomp-patchbpf-rename-nativeArch-linuxA.patch
+ 0003-bsc1221050-seccomp-patchbpf-always-include-native-ar.patch
- Update to runc v1.1.12. Upstream changelog is available from
<https://github.com/opencontainers/runc/releases/tag/v1.1.12>. bsc#1218894
* This release fixes a container breakout vulnerability (CVE-2024-21626). For
more details, see the upstream security advisory:
<https://github.com/opencontainers/runc/security/advisories/GHSA-xr7r-f8xq-vfvv>
* Remove upstreamed patches:
- CVE-2024-21626.patch
* Update runc.keyring to match upstream changes.
[ This was only ever released for SLES. ]
- Add upstream patch to fix embargoed issue CVE-2024-21626. bsc#1218894
<https://github.com/opencontainers/runc/security/advisories/GHSA-xr7r-f8xq-vfvv>
+ CVE-2024-21626.patch
- Update to runc v1.1.11. Upstream changelog is available from
<https://github.com/opencontainers/runc/releases/tag/v1.1.11>.
- sapconf
-
- version update from 5.0.6 to 5.0.7
- add require of package sysctl-logger
(jsc#PED-5025)
- suppress error message regarding missing systemd service file
during posttrans script
- saptune
-
- update package version of saptune to 3.1.2
* to support setups with saptune monitoring and heavy automation
we limited the setting of our saptune lock to commands having
the potential to change anything in the system.
(bsc#1219500)
* fix timestamp in log messages of saptune
* remove redundant version information in header comment of
note definition files
* SAP Note 1656250 updated to Version 63
SAP Note 1771258 updated to Version 8
SAP Note 2382421 updated to Version 45
SAP Note 3024346 updated to Version 10
but without parameter value changes, only house keeping of the
version section and comment updates
* SAP Note 1984787 updated to Version 42
SAP Note 2578899 updated to Version 47
- add require of package sysctl-logger
(jsc#PED-5025)
- sed
-
- 0001-sed-set-correct-umask-on-temporary-files.patch
Fix for bsc#1221218
- 000release-packages:sle-ha-release
-
n/a
- 000release-packages:sle-module-basesystem-release
-
n/a
- 000release-packages:sle-module-desktop-applications-release
-
n/a
- 000release-packages:sle-module-development-tools-release
-
n/a
- 000release-packages:sle-module-public-cloud-release
-
n/a
- 000release-packages:sle-module-sap-applications-release
-
n/a
- 000release-packages:sle-module-server-applications-release
-
n/a
- sudo
-
- Fix NOPASSWD issue introduced by patches for CVE-2023-42465
[bsc#1221151, bsc#1221134]
* Update sudo-CVE-2023-42465-1of2.patch sudo-CVE-2023-42465-2of2.patch
* Enable running regression selftests during build time.
- Security fix: [bsc#1219026, bsc#1220389, CVE-2023-42465]
* Try to make sudo less vulnerable to ROWHAMMER attacks.
* Add sudo-CVE-2023-42465-1of2.patch sudo-CVE-2023-42465-2of2.patch
- supportutils-plugin-ha-sap
-
- Update to version 0.0.5+git.1709295499.1c8e8cd
* adapt documentation links
* add support for SAP systemd services regarding SID retrieval
* add information about SAP related systemd services
* add information about sapcontrol function GetStartProfile
* add information from daemon.ini
* collect hook script logs (suschksrv and saphanasr_multitarget_hook)
* collect logs of sap_suse_cluster_connector and sapstartsrv
* Add python version
* Check sudoers for srhook configuration
- supportutils-plugin-suse-public-cloud
-
- Update to version 1.0.9 (bsc#1218762, bsc#1218763)
+ Remove duplicate data collection for the plugin itself
+ Collect archive metering data when available
+ Query billing flavor status
- supportutils
-
- Changes in version 3.1.30
+ Added -V key:value pair option (bsc#1222021, PED-8211)
+ Avoid getting duplicate kernel verifications in boot.text (pr#193)
+ Suppress file descriptor leak warnings from lvm commands (pr#192, bsc#1220082)
+ Includes container log timestamps (pr#197)
- Changes to version 3.1.29
+ Extended scaling for performance (bsc#1214713)
+ Fixed kdumptool output error (bsc#1218632)
+ Corrected podman ID errors (bsc#1218812)
+ Duplicate non root podman entries removed (bsc#1218814)
+ Corrected get_sles_ver for SLE Micro (bsc#1219241)
+ Check nvidia-persistenced state (bsc#1219639)
- Additional changes in version 3.1.28
+ ipset - List entries for all sets
+ ipvsadm - Inspect the virtual server table (pr#185)
+ Correctly detects Xen Dom0 (bsc#1218201)
+ Fixed smart disk error (bsc#1218282)
- Changes in version 3.1.28
+ Inhibit the conversion of port numbers to port names for network files (cherry picked from commit 55f5f716638fb15e3eb1315443949ed98723d250)
+ powerpc: collect rtas_errd.log and lp_diag.log files (pr#175)
+ Get list of pam.d file (cherry picked from commit eaf35c77fd4bc039fd7e3d779ec1c2c6521283e2)
+ Remove supportutils requires for util-linux-systemd and kmod (bsc#1193173)
+ Added missing klp information to kernel-livepatch.txt (bsc#1216390)
+ Fixed plugins creating empty files when using supportconfig.rc (bsc#1216388)
+ Provides long listing for /etc/sssd/sssd.conf (bsc#1211547)
+ Optimize lsof usage (bsc#1183663)
+ Added mokutil commands for secureboot (pr#179)
+ Collects chrony or ntp as needed (bsc#1196293)
- Changes in version 3.1.27
+ Fixed podman display issue (bsc#1217287)
+ Added nvme-stas configuration to nvme.txt (bsc#1216049)
+ Added timed command to fs-files.txt (bsc#1216827)
+ Collects zypp history file issue#166 (bsc#1216522)
+ Changed -x OPTION to really be exclude only (issue#146)
+ Collect HA related rpm package versions in ha.txt (pr#169)
- suse-build-key
-
- added missing ; in shell script (bsc#1227681)
- Added new keys of the SLE Micro 6.0 / SLES 16 series, and auto import
them. (bsc#1227429)
gpg-pubkey-09d9ea69-645b99ce.asc: Main SLE Micro 6/SLES 16 key
gpg-pubkey-73f03759-626bd414.asc: Backup SLE Micro 6/SLES 16 key.
- Switch container key to be default RSA 4096bit. (jsc#PED-2777)
- run rpm commands in import script only when libzypp is not
active. bsc#1219189 bsc#1219123
- run import script also in %posttrans section, but only when
libzypp is not active. bsc#1219189 bsc#1219123
- suse-module-tools
-
- Update to version 15.3.18:
* rpm-script: add symlink /boot/.vmlinuz.hmac (bsc#1217775)
- systemd-default-settings
-
- Import 0.10
5088997 SLE: Disable pids controller limit under user instances (jsc#SLE-10123)
- Import 0.9
bb859bf user@.service: Disable controllers by default (jsc#PED-2276)
- The usage of drop-ins is now the official way for configuring systemd and its
various daemons on Factory/ALP. Hence the early drop-ins SUSE specific
"feature" has been abandoned.
- Import 0.8
f34372f User priority '26' for SLE-Micro
c8b6f0a Revert "Convert more drop-ins into early ones"
- Import commit 6b8dde1d4f867aff713af6d6830510a84fad58d2
6b8dde1 Convert more drop-ins into early ones
- systemd-presets-branding-SLE
-
- Enable sysctl-logger (jsc#PED-5024)
- systemd-presets-common-SUSE
-
- Split hcn-init.service to hcn-init-NetworkManager and hcn-init-wicked
(bsc#1200731 ltc#198485 https://github.com/ibm-power-utilities/powerpc-utils/pull/84)
Support both the old and new service to avoid complex version interdependency.
- tar
-
- Fix CVE-2023-39804, Incorrectly handled extension attributes in
PAX archives can lead to a crash, bsc#1217969
* fix-CVE-2023-39804.patch
- timezone
-
- update to 2024a:
* Kazakhstan unifies on UTC+5. This affects Asia/Almaty and
Asia/Qostanay which together represent the eastern portion of the
country that will transition from UTC+6 on 2024-03-01 at 00:00 to
join the western portion. (Thanks to Zhanbolat Raimbekov.)
* Palestine springs forward a week later than previously predicted
in 2024 and 2025. (Thanks to Heba Hamad.) Change spring-forward
predictions to the second Saturday after Ramadan, not the first;
this also affects other predictions starting in 2039.
* Asia/Ho_Chi_Minh's 1955-07-01 transition occurred at 01:00
not 00:00. (Thanks to Đoàn Trần Công Danh.)
* From 1947 through 1949, Toronto's transitions occurred at 02:00
not 00:00. (Thanks to Chris Walton.)
* In 1911 Miquelon adopted standard time on June 15, not May 15.
* The FROM and TO columns of Rule lines can no longer be "minimum"
or an abbreviation of "minimum", because TZif files do not support
DST rules that extend into the indefinite past - although these
rules were supported when TZif files had only 32-bit data, this
stopped working when 64-bit TZif files were introduced in 1995.
This should not be a problem for realistic data, since DST was
first used in the 20th century. As a transition aid, FROM columns
like "minimum" are now diagnosed and then treated as if they were
the year 1900; this should suffice for TZif files on old systems
with only 32-bit time_t, and it is more compatible with bugs in
2023c-and-earlier localtime.c. (Problem reported by Yoshito
Umaoka.)
* localtime and related functions no longer mishandle some
timestamps that occur about 400 years after a switch to a time
zone with a DST schedule. In 2023d data this problem was visible
for some timestamps in November 2422, November 2822, etc. in
America/Ciudad_Juarez. (Problem reported by Gilmore Davidson.)
* strftime %s now uses tm_gmtoff if available. (Problem and draft
patch reported by Dag-Erling Smørgrav.)
* The strftime man page documents which struct tm members affect
which conversion specs, and that tzset is called. (Problems
reported by Robert Elz and Steve Summit.)
- update to 2023d:
* Ittoqqortoormiit, Greenland changes time zones on
2024-03-31.
* Vostok, Antarctica changed time zones on 2023-12-18.
* Casey, Antarctica changed time zones five times since
2020.
* Code and data fixes for Palestine timestamps starting in
2072.
* A new data file zonenow.tab for timestamps starting now.
* Fix predictions for DST transitions in Palestine in
2072-2075, correcting a typo introduced in 2023a.
* Vostok, Antarctica changed to +05 on 2023-12-18. It had
been at +07 (not +06) for years.
* Change data for Casey, Antarctica to agree with
timeanddate.com, by adding five time zone changes since 2020.
Casey is now at +08 instead of +11.
* Much of Greenland, represented by America/Nuuk, changed
its standard time from -03 to -02 on 2023-03-25, not on
2023-10-28.
* localtime.c no longer mishandles TZif files that contain
a single transition into a DST regime. Previously,
it incorrectly assumed DST was in effect before the transition
too.
* tzselect no longer creates temporary files.
* tzselect no longer mishandles the following:
* Spaces and most other special characters in BUGEMAIL,
PACKAGE, TZDIR, and VERSION.
* TZ strings when using mawk 1.4.3, which mishandles
regular expressions of the form /X{2,}/.
* ISO 6709 coordinates when using an awk that lacks the
GNU extension of newlines in -v option-arguments.
* Non UTF-8 locales when using an iconv command that
lacks the GNU //TRANSLIT extension.
* zic no longer mishandles data for Palestine after the
year 2075.
- Refresh tzdata-china.diff
- util-linux-systemd
-
- Properly neutralize escape sequences in wall
(util-linux-CVE-2024-28085.patch, bsc#1221831, CVE-2024-28085,
and its prerequisites: util-linux-fputs_careful1.patch,
util-linux-wall-migrate-to-memstream.patch
util-linux-fputs_careful2.patch).
- Add upstream patch
util-linux-libuuid-avoid-truncate-clocks.txt-to-improve-perform.patch
bsc#1207987 gh#util-linux/util-linux@1d98827edde4
- vim
-
- Updated to version 9.1 with patch level 0330, fixes the following problems
* Fixing bsc#1220763 - vim gets Segmentation fault after updating to version 9.1.0111-150500.20.9.1
- refreshed vim-7.3-filetype_spec.patch
- refreshed vim-7.3-filetype_ftl.patch
- Update spec.skeleton to use autosetup in place of setup macro.
- for the complete list of changes see
https://github.com/vim/vim/compare/v9.1.0111...v9.1.0330
- Updated to version 9.1 with patch level 0111, fixes the following security problems
* Fixing bsc#1217316 (CVE-2023-48231) - VUL-0: CVE-2023-48231: vim: Use-After-Free in win_close()
* Fixing bsc#1217320 (CVE-2023-48232) - VUL-0: CVE-2023-48232: vim: Floating point Exception in adjust_plines_for_skipcol()
* Fixing bsc#1217321 (CVE-2023-48233) - VUL-0: CVE-2023-48233: vim: overflow with count for :s command
* Fixing bsc#1217324 (CVE-2023-48234) - VUL-0: CVE-2023-48234: vim: overflow in nv_z_get_count
* Fixing bsc#1217326 (CVE-2023-48235) - VUL-0: CVE-2023-48235: vim: overflow in ex address parsing
* Fixing bsc#1217329 (CVE-2023-48236) - VUL-0: CVE-2023-48236: vim: overflow in get_number
* Fixing bsc#1217330 (CVE-2023-48237) - VUL-0: CVE-2023-48237: vim: overflow in shift_line
* Fixing bsc#1217432 (CVE-2023-48706) - VUL-0: CVE-2023-48706: vim: heap-use-after-free in ex_substitute
* Fixing bsc#1219581 (CVE-2024-22667) - VUL-0: CVE-2024-22667: vim: stack-based buffer overflow in did_set_langmap function in map.c
* Fixing bsc#1215005 (CVE-2023-4750) - VUL-0: CVE-2023-4750: vim: Heap use-after-free in function bt_quickfix
- for the complete list of changes see
https://github.com/vim/vim/compare/v9.0.2103...v9.1.0111
- wget
-
- Fix mishandled semicolons in the userinfo subcomponent, which could lead
to insecure behavior in which data that was supposed to be in the userinfo
subcomponent is misinterpreted to be part of the host subcomponent.
[bsc#1226419, CVE-2024-38428, properly-re-implement-userinfo-parsing.patch]
- wicked
-
- Update to version 0.6.76
- compat-suse: warn user and create missing parent config of
infiniband children (gh#openSUSE/wicked#1027)
- client: fix origin in loaded xml-config with obsolete port
references but missing port interface config, causing a
no-carrier of master (bsc#1226125)
- ipv6: fix setup on ipv6.disable=1 kernel cmdline (bsc#1225976)
- wireless: add frequency-list in station mode (jsc#PED-8715)
- client: fix crash while hierarchy traversing due to loop in
e.g. systemd-nspawn containers (bsc#1226664)
- man: add supported bonding options to ifcfg-bonding(5) man page
(gh#openSUSE/wicked#1021)
- arputil: Document minimal interval for getopts (gh#openSUSE/wicked#1019)
- man: (re)generate man pages from md sources (gh#openSUSE/wicked#1018)
- client: warn on interface wait time reached (gh#openSUSE/wicked#1017)
- compat-suse: fix dummy type detection from ifname to not cause
conflicts with e.g. correct vlan config on dummy0.42 interfaces
(gh#openSUSE/wicked#1016)
- compat-suse: fix infiniband and infiniband child type detection
from ifname (gh#openSUSE/wicked#1015)
- Removed patches included in the source archive:
[- 0001-ifreload-pull-UP-again-on-master-lower-changes-bsc1224100.patch]
[- 0002-increase-arp-retry-attempts-on-sending-bsc1218668.patch]
- arp: increase arp-send retry value to avoid address configuration
failure due to ENOBUF reported by kernel while duplicate address
detection with underlying bonding in 802.3ad mode reporting link
"up & running" too early (bsc#1218668, gh#openSUSE/wicked#1020,
gh#openSUSE/wicked#1020).
[+ 0002-increase-arp-retry-attempts-on-sending-bsc1218668.patch]
- client: fix ifreload to pull UP ports/links again when the config
of their master/lower changed (bsc#1224100,gh#openSUSE/wicked#1014).
[+ 0001-ifreload-pull-UP-again-on-master-lower-changes-bsc1224100.patch]
- Update to version 0.6.75:
- cleanup: fix ni_fsm_state_t enum-int-mismatch warnings
- cleanup: fix overflow warnings in a socket testcase on i586
- ifcheck: report new and deleted configs as changed (bsc#1218926)
- man: improve ARP configuration options in the wicked-config.5
- bond: add ports when master is UP to avoid port MTU revert (bsc#1219108)
- cleanup: fix interface dependencies and shutdown order (bsc#1205604)
- Remove port arrays from bond,team,bridge,ovs-bridge (redundant)
and consistently use config and state info attached to the port
interface as in rtnetlink(7).
- Cleanup ifcfg parsing, schema configuration and service properties
- Migrate ports in xml config and policies already applied in nanny
- Remove "missed config" generation from finite state machine, which
is completed while parsing the config or while xml config migration.
- Issue a warning when "lower" interface (e.g. eth0) config is missed
while parsing config depending on it (e.g. eth0.42 vlan).
- Resolve ovs master to the effective bridge in config and wickedd
- Implement netif-check-state require checks using system relations
from wickedd/kernel instead of config relations for ifdown and add
linkDown and deleteDevice checks to all master and lower references.
- Add a `wicked <ifup|ifdown|ifreload> --dry-run …` option to show the
system/config interface hierarchies as notice with +/- marked
interfaces to setup and/or shutdown.
- Removed patches included in the source archive:
[- 0001-addrconf-fix-fallback-lease-drop-bsc-1220996.patch]
[- 0002-extensions-nbft-replace-nvme-show-nbft-with-nvme-nbf.patch]
[- 0003-move-all-attribute-definitions-to-compiler-h.patch]
[- 0004-hide-secrets-in-debug-log-bsc-1221194.patch]
[- 0005-client-do-to-not-convert-sec-to-msec-twice-bsc-1222105.patch]
- client: do not convert sec to msec twice (bsc#1222105)
[+ 0005-client-do-to-not-convert-sec-to-msec-twice-bsc-1222105.patch]
- addrconf: fix fallback-lease drop (bsc#1220996)
[+ 0001-addrconf-fix-fallback-lease-drop-bsc-1220996.patch]
- extensions/nbft: use upstream `nvme nbft show` (bsc#1221358)
[+ 0002-extensions-nbft-replace-nvme-show-nbft-with-nvme-nbf.patch]
- hide secrets in debug log (bsc#1221194)
[+ 0003-move-all-attribute-definitions-to-compiler-h.patch]
[+ 0004-hide-secrets-in-debug-log-bsc-1221194.patch]
- update to version 0.6.74
+ team: add new options like link_watch_policy (jsc#PED-7183)
+ Fix memory leaks in dbus variant destroy and fsm free (gh#openSUSE/wicked#1001)
+ xpath: allow underscore in node identifier (gh#openSUSE/wicked#999)
+ vxlan: don't format unknown rtnl attrs (bsc#1219751)
- removed patches included in the source archive:
[- 0009-ifreload-VLAN-changes-require-device-deletion-bsc-12.patch]
[- 0008-ifcheck-fix-config-changed-check-bsc-1218926.patch]
[- 0007-Fix-ifstatus-exit-code-for-NI_WICKED_ST_NO_CARRIER-s.patch]
[- 0006-dhcp6-omit-the-SO_REUSEPORT-option-bsc-1215692.patch]
[- 0005-duid-fix-comment-for-v6time.patch]
[- 0004-rtnl-parse-peer-address-on-non-ptp-interfaces.patch]
[- 0003-rtnl-pass-ifname-in-newaddr-parsing-and-logging.patch]
[- 0002-system-updater-Parse-updater-format-from-XML-configu.patch]
[- 0001-fix_arp_notify_loop_and_burst_sending.patch]
- ifreload: VLAN changes require device deletion (bsc#1218927)
[+ 0009-ifreload-VLAN-changes-require-device-deletion-bsc-12.patch]
- ifcheck: fix config changed check (bsc#1218926)
[+ 0008-ifcheck-fix-config-changed-check-bsc-1218926.patch]
- client: fix exit code for no-carrier status (bsc#1219265)
[+ 0007-Fix-ifstatus-exit-code-for-NI_WICKED_ST_NO_CARRIER-s.patch]
- dhcp6: omit the SO_REUSEPORT option (bsc#1215692)
[+ 0006-dhcp6-omit-the-SO_REUSEPORT-option-bsc-1215692.patch]
- duid: fix comment for v6time
(https://github.com/openSUSE/wicked/pull/989)
[+ 0005-duid-fix-comment-for-v6time.patch]
- rtnl: fix peer address parsing for non ptp-interfaces
(https://github.com/openSUSE/wicked/pull/987,
https://github.com/openSUSE/wicked/pull/988)
[+ 0003-rtnl-pass-ifname-in-newaddr-parsing-and-logging.patch]
[+ 0004-rtnl-parse-peer-address-on-non-ptp-interfaces.patch]
- system-updater: Parse updater format from XML configuration to
ensure install calls can run.
(https://github.com/openSUSE/wicked/pull/985)
[+ 0002-system-updater-Parse-updater-format-from-XML-configu.patch]
- xen
-
- bsc#1227355 - VUL-0: CVE-2024-31143: xen: double unlock in x86
guest IRQ handling (XSA-458)
xsa458.patch
- bsc#1222453 - VUL-0: CVE-2024-2201: xen: x86: Native Branch
History Injection (XSA-456)
Corrections to the following patches
xsa456-5.patch
xsa456-6.patch
- bsc#1222453 - VUL-0: CVE-2024-2201: xen: x86: Native Branch
History Injection (XSA-456)
xsa456-0a.patch
xsa456-0b.patch
xsa456-0c.patch
xsa456-0d.patch
xsa456-0e.patch
xsa456-0f.patch
xsa456-0g.patch
xsa456-0h.patch
xsa456-0i.patch
xsa456-0j.patch
xsa456-0k.patch
xsa456-0l.patch
xsa456-0m.patch
xsa456-0n.patch
xsa456-0o.patch
xsa456-0p.patch
xsa456-1.patch
xsa456-2.patch
xsa456-3.patch
xsa456-4.patch
xsa456-5.patch
xsa456-6.patch
xsa456-7.patch
- bsc#1221984 - VUL-0: CVE-2023-46842: xen: x86 HVM hypercalls may
trigger Xen bug check (XSA-454)
xsa454-1.patch
xsa454-2.patch
- bsc#1222302 - VUL-0: CVE-2024-31142: xen: x86: Incorrect logic
for BTC/SRSO mitigations (XSA-455)
xsa455.patch
- bsc#1221332 - VUL-0: CVE-2023-28746: xen: x86: Register File Data
Sampling (XSA-452)
xsa452-1.patch
xsa452-2.patch
xsa452-3.patch
xsa452-4.patch
xsa452-5.patch
xsa452-6.patch
xsa452-7.patch
- bsc#1221334 - VUL-0: CVE-2024-2193: xen: GhostRace: Speculative
Race Conditions (XSA-453)
xsa453-1.patch
xsa453-2.patch
xsa453-3.patch
xsa453-4.patch
xsa453-5.patch
xsa453-6.patch
xsa453-7.patch
xsa453-8.patch
- Modified xsa451.patch (bsc#1219885)
- bsc#1219885 - VUL-0: CVE-2023-46841: xen: x86: shadow stack vs
exceptions from emulation stubs (XSA-451)
xsa451.patch
- bsc#1218851 - VUL-0: CVE-2023-46839: xen: phantom functions
assigned to incorrect contexts (XSA-449)
xsa449.patch
- xkbcomp
-
- U_Ignore-xkb_keycodes.maximum-of-255.patch
* fix keyboard layouts in XWayland applications when having
several keyboard layouts enabled (boo#1219505)
- xterm
-
- xterm-reset-parsing-state.patch: A bug in the parser for several
escape sequences causes the first character following the
sequence to be ignored (bsc#1220585). Patch backported from
version 335n.
- yast2
-
- Reimplemented the hardcoded product mapping to support also the
migration from SLE_HPC to SLES SP6+ (with the HPC module)
(bsc#1220567)
- 4.3.70
- yast2-network
-
- Guard secret attributes against leaking to the log (bsc#1221194)
- 4.3.89
- yast2-packager
-
- Reimplemented the hardcoded product mapping to support also the
migration from SLE_HPC to SLES SP6+ (with the HPC module)
(bsc#1220567)
- 4.3.27
- yast2-pkg-bindings
-
- Fixed repository and service probing with libzypp 7.31.26
and newer, fixes broken repository handling (bsc#1218977,
bsc#1218399)
- 4.3.13
- yast2-registration
-
- Set the new product mapping when upgrading SLE_HPC to SLES SP6+
(with the HPC module), use the old product mapping when upgrading
from SLE_HPC-SP3 to SLE_HPC-SP4 (bsc#1220567)
- 4.3.29
- Adapted to SCC API change 'base' -> 'isbase' (bsc#1217317):
Cherry-picked igonzalezsosa's commit 431d937b78c209c0d35
- 4.3.28
- zypper
-
- Fixed check for outdated repo metadata as non-root user
(bsc#1222086)
- BuildRequires: libzypp-devel >= 17.33.0.
- Delay zypp lock until command options are parsed (bsc#1223766)
- version 1.14.73
- Unify message format (fixes #485)
- version 1.14.72
- switch cmake build type to RelWithDebInfo
- modernize spec file (remove Authors section, use proper macros,
remove redundant clean section, don't mark man pages as doc)
- switch to -O2 -fvisibility=hidden -fpie:
* PIC is not needed as no shared lib is built
* fstack-protector-strong is default on modern dists and would
be downgraded by fstack-protector
* default visibility hidden allows better optimisation
* O2 is reducing inlining bloat
- > 18% reduced binary size
- remove procps requires (was only for ZMD which is dropped)
(jsc#PED-8153)
- Do not try to refresh repo metadata as non-root user
(bsc#1222086)
Instead show refresh stats and hint how to update them.
- man: Explain how to protect orphaned packages by collecting
them in a plaindir repo.
- packages: Add --autoinstalled and --userinstalled options to
list them.
- Don't print 'reboot required' message if download-only or
dry-run (fixes #529)
Instead point out that a reboot would be required if the option
was not used.
- Respect zypper.conf option `showAlias` in search commands
(bsc#1221963)
Repository::asUserString (or Repository::label) respects the
zypper.conf option, while name/alias return the property.
- version 1.14.71
- dup: New option --remove-orphaned to remove all orphaned
packages in dup (bsc#1221525)
- version 1.14.70
- info,summary: Support VendorSupportOption flag
VendorSupportSuperseded (jsc#OBS-301, jsc#PED-8014)
- BuildRequires: libzypp-devel >= 17.32.0.
API cleanup and changes for VendorSupportSuperseded.
- Show active dry-run/download-only at the commit prompt.
- patch: Add --skip-not-applicable-patches option (closes #514)
- Fix printing detailed solver problem description.
The problem description() is one rule out possibly many in
completeProblemInfo() the solver has chosen to represent the
problem. So either description or completeProblemInfo should be
printed, but not both.
- Fix bash-completion to work with right adjusted numbers in the
1st column too (closes #505)
- Set libzypp shutdown request signal on Ctrl+C (fixes #522)
- lr REPO: In the detailed view show all baseurls not just the
first one (bsc#1218171)
- version 1.14.69
- Fix search/info commands ignoring --ignore-unknown (bsc#1217593)
The switch makes search commands return 0 rather than 104 for
empty search results.
- version 1.14.68
- patch: Make sure reboot-needed is remembered until next boot
(bsc#1217873)
- version 1.14.67