- bind
-
- Update named.root to latest version
- Update to release 9.18.33
Security Fixes:
* DNS-over-HTTPS flooding fixes.
Fix DNS-over-HTTPS implementation issues that arise under heavy
query load. Optimize resource usage for named instances that
accept queries over DNS-over-HTTPS.
Previously, named processed all incoming HTTP/2 data at once,
which could overwhelm the server, especially when dealing with
clients that sent requests but did not wait for responses. That
has been fixed. Now, named handles HTTP/2 data in smaller
chunks and throttles reading until the remote side reads the
response data. It also throttles clients that send too many
requests at once.
In addition, named now evaluates excessive streams opened by
clients that include no DNS data, which is considered
“flooding.” It logs these clients and drops connections from
them.
In some cases, named could leave DNS-over-HTTPS connections in
the CLOSE_WAIT state indefinitely. That has also been fixed.
(CVE-2024-12705)
[bsc#1236597]
* Limit additional section processing for large RDATA sets.
When answering queries, don’t add data to the additional
section if the answer has more than 13 names in the RDATA. This
limits the number of lookups into the database(s) during a
single client query, reducing the query-processing load.
(CVE-2024-11187)
[bsc#1236596]
New Features:
* Add a new option to configure the maximum number of outgoing
queries per client request.
* The configuration option max-query-count sets how many outgoing
queries per client request are allowed. The existing
max-recursion-queries value is the number of permissible
queries for a single name and is reset on every CNAME
redirection. This new option is a global limit on the client
request. The default is 200.
* The default for max-recursion-queries is changed from 32 to 50.
This allows named to send a few more queries while looking up a
single name.
* Print the full path of the working directory in startup log
messages.
named now prints its initial working directory during startup,
and the changed working directory when loading or reloading its
configuration file, if it has a valid directory option defined.
* Added WALLET type.
Add the new record type WALLET (262). This provides a mapping
from a domain name to a cryptographic currency wallet. Multiple
mappings can exist if multiple records exist.
* Update built-in bind.keys file with the new 2025 IANA root key.
* Add an initial-ds entry to bind.keys for the new root key, ID
38696, which is scheduled for publication in January 2025.
Feature Changes:
* Tighten max-recursion-queries and add max-query-restarts
configuration statement.
There were cases when the max-recursion-queries quota was
ineffective. It was possible to craft zones that would cause a
resolver to waste resources by sending excessive queries while
attempting to resolve a name. This has been addressed by
correcting errors in the implementation of
max-recursion-queries and by reducing the default value from
100 to 32.
In addition, a new max-query-restarts configuration statement
has been added, which limits the number of times a recursive
server will follow CNAME or DNAME records before terminating
resolution. This was previously a hard-coded limit of 16 but is
now configurable with a default value of 11.
* Raise the log level of priming failures.
When a priming query is complete, it was previously logged at
level DEBUG(1), regardless of success or failure. It is now
logged to NOTICE in the case of failure.
* Add a compatibility shim for older libuv versions (< 1.19.0).
The function uv_stream_get_write_queue_size() is supported only
in relatively new versions of libuv (1.19.0 or higher). Provide
a compatibility shim for this function so BIND 9 can be built
in environments with older libuv versions.
* Improve performance for queries that require an NSEC3 wildcard
proof.
Rather than starting from the longest matching part of the
requested name, look up the shortest partial match. Most of the
time this will be the actual closest encloser.
* Follow the number of CPUs set by taskset/cpuset.
Administrators may wish to constrain the set of cores that
named runs on via the taskset, cpuset, or numactl programs (or
equivalents on other OSes).
If the admin has used taskset, named now automatically uses the
given number of CPUs rather than the system-wide count.
* Allow IXFR-to-AXFR fallback on DNS_R_TOOMANYRECORDS.
This change allows fallback from an IXFR failure to AXFR when
the reason is DNS_R_TOOMANYRECORDS.
* Emit more helpful log messages for exceeding
max-records-per-type.
* The new log message is emitted when adding or updating an RRset
fails due to exceeding the max-records-per-type limit. The log
includes the owner name and type, corresponding zone name, and
the limit value. It will be emitted on loading a zone file,
inbound zone transfer (both AXFR and IXFR), handling a DDNS
update, or updating a cache DB. It’s especially helpful in the
case of zone transfer, since the secondary side doesn’t have
direct access to the offending zone data.
* It could also be used for max-types-per-name, but this change
doesn’t implement it yet as it’s much less likely to happen in
practice.
* Harden key management when key files have become unavailable.
* Prior to doing key management, BIND 9 will check if the key
files on disk match the expected keys. If key files for
previously observed keys have become unavailable, this will
prevent the internal key manager from running.
Removed Features:
* Move contributed DLZ modules into a separate repository. DLZ
modules should not be used except in testing. The DLZ modules
were not maintained, the DLZ interface itself is going to be
scheduled for removal, and the DLZ interface is blocking. Any
module that blocks the query to the database blocks the whole
server. The DLZ modules now live in
https://gitlab.isc.org/isc-projects/dlz-modules repository.
Bug Fixes:
For a complete list of bug fixes, see:
* Bind Release Notes
https://bind9.readthedocs.io/en/v9.18.33/notes.html
* The changelog in the doc rpm at
/usr/share/doc/packages/bind/arm/html/changelog.html
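
The bind notes above describe three limits that bound resolver work per client request: max-recursion-queries (per name, reset on every CNAME redirection), max-query-restarts (CNAME/DNAME follows) and the new global max-query-count. The following is an added example, not BIND code and not part of the original changelog: a simplified model of how the three counters interact. It assumes each limit is an inclusive maximum and that each name in a redirect chain costs a fixed number of outgoing queries; the names `Limits`, `Outcome`, `resolve` and `worst_case_queries` are hypothetical.

```python
"""Simplified model of named's per-request recursion limits (not BIND code)."""
from dataclasses import dataclass
from typing import Optional, Sequence


@dataclass(frozen=True)
class Limits:
    max_recursion_queries: int       # per name, reset on each CNAME/DNAME follow
    max_query_restarts: int          # CNAME/DNAME follows allowed per request
    max_query_count: Optional[int]   # global per client request; None = not enforced


# Defaults as stated in the 9.18.33 notes above.
DEFAULTS_9_18_33 = Limits(max_recursion_queries=50,
                          max_query_restarts=11,
                          max_query_count=200)


@dataclass(frozen=True)
class Outcome:
    status: str        # "resolved", or the name of the limit that stopped resolution
    queries_sent: int  # outgoing queries actually sent for this client request
    restarts: int      # CNAME/DNAME redirections followed


def resolve(chain_costs: Sequence[int], limits: Limits) -> Outcome:
    """Walk a redirect chain; chain_costs[i] is the number of outgoing
    queries name i needs. Every name except the last ends in a redirect."""
    total = 0
    restarts = 0
    last = len(chain_costs) - 1
    for index, cost in enumerate(chain_costs):
        per_name = 0  # the per-name counter starts over after each redirect
        for _ in range(cost):
            if per_name >= limits.max_recursion_queries:
                return Outcome("max-recursion-queries", total, restarts)
            if limits.max_query_count is not None and total >= limits.max_query_count:
                return Outcome("max-query-count", total, restarts)
            per_name += 1
            total += 1
        if index != last:
            if restarts >= limits.max_query_restarts:
                return Outcome("max-query-restarts", total, restarts)
            restarts += 1
    return Outcome("resolved", total, restarts)


def worst_case_queries(limits: Limits) -> int:
    """Upper bound on outgoing queries for one client request in this model."""
    uncapped = (limits.max_query_restarts + 1) * limits.max_recursion_queries
    if limits.max_query_count is None:
        return uncapped
    return min(uncapped, limits.max_query_count)


if __name__ == "__main__":
    # Constructed input: a 12-name redirect chain, 40 outgoing queries per name.
    chain = [40] * 12
    without_global = Limits(50, 11, None)
    print("per-name and restart limits only:", resolve(chain, without_global))
    print("with max-query-count 200:        ", resolve(chain, DEFAULTS_9_18_33))
    print("bound without global limit:", worst_case_queries(without_global))
    print("bound with global limit:   ", worst_case_queries(DEFAULTS_9_18_33))
```

In this model the per-name and restart limits alone still allow several hundred outgoing queries for one request, which is the gap the global max-query-count closes.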
- kernel-default
-
- selftests/bpf: Test the update operations for htab of maps
(bsc#1235244 CVE-2024-56592).
- selftests/bpf: Move ENOTSUPP from bpf_util.h (bsc#1235244
CVE-2024-56592).
- bpf: Call free_htab_elem() after htab_unlock_bucket()
(bsc#1235244 CVE-2024-56592).
- selftests/bpf: Clean up open-coded gettid syscall invocations
(bsc#1235244 CVE-2024-56592).
- commit 1ed8f4f
- usb: chipidea: ci_hdrc_imx: decrement device's refcount in
.remove() and in the error path of .probe() (git-fixes).
- commit 243c2cb
- vsock: Keep the binding until socket destruction (git-fixes)
- commit 545191e
- vsock: prevent null-ptr-deref in vsock_*[has_data|has_space] (CVE-2025-21666 bsc#1236680)
- commit 5667481
- vsock: reset socket state when de-assigning the transport (git-fixes)
- commit 70de10a
- vsock/virtio: cancel close work in the destructor (git-fixes)
- commit b47a8e2
- vsock/bpf: return early if transport is not assigned (CVE-2025-21670 bsc#1236685)
- commit 938e02d
- vsock/virtio: discard packets if the transport changes (CVE-2025-21669 bsc#1236683)
- commit 01b1ae3
- net/mlx5: Clear port select structure when fail to create (bsc#1236694 CVE-2025-21675)
- commit 97050c4
- mptcp: fix TCP options overflow. (bsc#1235914 CVE-2024-57882)
- commit bfacfe0
- mptcp: pm: Fix uaf in __timer_delete_sync (bsc#1231088 CVE-2024-46858)
- commit 2b80245
- kABI fix for net: defer final 'struct net' free in netns
dismantle (CVE-2024-56658 bsc#1235441)
- commit fd18f29
- net: defer final 'struct net' free in netns dismantle
(CVE-2024-56658 bsc#1235441).
- commit 5df7b43
- net: mana: Add get_link and get_link_ksettings in ethtool
(bsc#1236761).
- commit 037abed
- virtio-mem: check if the config changed before fake offlining memory
(git-fixes).
- commit 7c5b67f
- virtio-mem: keep retrying on offline_and_remove_memory() errors in Sub Block Mode (SBM)
(git-fixes).
- commit 50036f1
- virtio-mem: convert most offline_and_remove_memory() errors to -EBUSY
(git-fixes).
- commit cf4a9ad
- virtio-mem: remove unsafe unplug in Big Block Mode (BBM)
(git-fixes).
- commit 7506a2e
- media: ov08x40: Fix hblank out of range issue (git-fixes).
- commit 6e44a14
- media: firewire: firedtv-avc.c: replace BUG with proper,
error return (git-fixes).
- commit 658942c
- media: dvb: mb86a16: check the return value of mb86a16_read()
(git-fixes).
- commit fc29200
- tty: xilinx_uartps: split sysrq handling (git-fixes).
- commit 1d9d1fd
- mm/compaction: fix UBSAN shift-out-of-bounds warning (git fixes
(mm/compaction)).
- commit 6473a2a
- vfio/pci: Lock external INTx masking ops (bsc#1222803).
- commit 8c537c0
- gtp: Destroy device along with udp socket's netns dismantle
(CVE-2025-21678 bsc#1236698).
- gtp: Use for_each_netdev_rcu() in gtp_genl_dump_pdp()
(git-fixes).
- net: mana: Cleanup "mana" debugfs dir after cleanup of all
children (bsc#1236760).
- r8169: enable SG/TSO on selected chip versions per default
(bsc#1235874).
- net: mana: Enable debugfs files for MANA device (bsc#1236758).
- net: netvsc: Update default VMBus channels (bsc#1236757).
- commit 2caa23f
- Update
patches.suse/nvme-tcp-Fix-I-O-queue-cpu-spreading-for-multiple-co.patch
(git-fixes bsc#1224049).
- commit 6783feb
- xfs: Add error handling for xfs_reflink_cancel_cow_range
(git-fixes).
- commit 1aaaa62
- xfs: Propagate errors from xfs_reflink_cancel_cow_range in
xfs_dax_write_iomap_end (git-fixes).
- commit f8ad9a2
- net/mlx5e: Fix inversion dependency warning while enabling
IPsec tunnel (CVE-2025-21674 bsc#1236688).
- net: fec: handle page_pool_dev_alloc_pages error (CVE-2025-21676
bsc#1236696).
- eth: bnxt: always recalculate features after XDP clearing,
fix null-deref (CVE-2025-21682 bsc#1236703).
- commit a806d7c
- NFSv4.2: mark OFFLOAD_CANCEL MOVEABLE (git-fixes).
- commit 151b149
- NFSv4.2: fix COPY_NOTIFY xdr buf size calculation (git-fixes).
- commit b286575
- ubifs: skip dumping tnc tree when zroot is null (git-fixes).
- commit f58c1e4
- afs: Fix the fallback handling for the YFS.RemoveFile2 RPC call
(git-fixes).
- commit a1514a4
- afs: Fix cleanup of immediately failed async calls (git-fixes).
- commit addff98
- afs: Fix directory format encoding struct (git-fixes).
- commit 595632c
- afs: Fix EEXIST error returned from afs_rmdir() to be ENOTEMPTY
(git-fixes).
- commit 39c4f67
- gfs2: Truncate address space when flipping GFS2_DIF_JDATA flag
(git-fixes).
- commit e9c67fd
- nilfs2: fix possible int overflows in nilfs_fiemap()
(git-fixes).
- commit 2d81bbb
- ipv4: ip_tunnel: Fix suspicious RCU usage warning in
ip_tunnel_find() (CVE-2024-50304 bsc#1233522).
- commit 0aac3e1
- arm64: dts: rockchip: increase gmac rx_delay on rk3399-puma (git-fixes)
- commit 6bedda5
- arm64: tegra: Fix Tegra234 PCIe interrupt-map (git-fixes)
- commit 5678238
- arm64: tegra: Disable Tegra234 sce-fabric node (git-fixes)
- commit 3ba529a
- arm64: tegra: Fix typo in Tegra234 dce-fabric compatible (git-fixes)
- commit fe1f6b4
- arm64: Filter out SVE hwcaps when FEAT_SVE isn't implemented (git-fixes)
- commit 79b2b46
- netfilter: nft_payload: sanitize offset and length before
calling skb_checksum() (CVE-2024-50251 bsc#1233248).
- commit d7e2f51
- net: fix crash when config small gso_max_size/gso_ipv4_max_size
(CVE-2024-50258 bsc#1233221).
- commit a93195b
- arm64/sme: Move storage of reg_smidr to __cpuinfo_store_cpu() (git-fixes)
- commit 43c09a7
- arm64: Kconfig: Make SME depend on BROKEN for now (git-fixes bsc#1236245)
Update arm64 default configuration file
- commit 1003b05
- arm64: dts: rockchip: Add sdmmc/sdio/emmc reset controls for RK3328 (git-fixes)
- commit cbbcd61
- net: inet6: do not leave a dangling sk pointer in inet6_create()
(CVE-2024-56600 bsc#1235217).
- commit d23e8d7
- printk: Defer legacy printing when holding printk_cpu_sync
(bsc#1236733).
- commit 8ea5df4
- printk: Add is_printk_legacy_deferred() (bsc#1236733).
- commit 15926fc
- nvme: fix bogus kzalloc() return check in
nvme_init_effects_log() (git-fixes).
- commit ab15bce
- scsi: storvsc: Ratelimit warning logs to prevent VM denial of
service (git-fixes).
- hyperv: Do not overlap the hvcall IO areas in get_vtl()
(git-fixes).
- commit 20e731b
- nvme: Add error path for xa_store in nvme_init_effects
(git-fixes).
- nvme: Add error check for xa_store in nvme_get_effects_log
(git-fixes).
- nvme-tcp: Fix I/O queue cpu spreading for multiple controllers
(git-fixes).
- nvmet: propagate npwg topology (git-fixes).
- commit f7cc3e5
- usbnet: ipheth: fix DPE OoB read (git-fixes).
- commit 9d2e9a7
- usbnet: ipheth: break up NCM header size computation
(git-fixes).
- commit 2cdc4a6
- usbnet: ipheth: refactor NCM datagram loop (git-fixes).
- commit aade1ad
- workqueue: Add rcu lock check at the end of work item execution
(bsc#1236732).
- commit 4c72d5a
- Move upstreamed sound patch into sorted section
- commit ca47985
- Input: atkbd - map F23 key to support default copilot shortcut
(stable-fixes).
- Input: xpad - add unofficial Xbox 360 wireless receiver clone
(stable-fixes).
- Input: xpad - add support for wooting two he (arm)
(stable-fixes).
- Input: xpad - improve name of 8BitDo controller 2dc8:3106
(stable-fixes).
- Input: xpad - add QH Electronics VID/PID (stable-fixes).
- Input: xpad - add support for Nacon Evol-X Xbox One Controller
(stable-fixes).
- Input: xpad - add support for Nacon Pro Compact (stable-fixes).
- hwmon: (drivetemp) Set scsi command timeout to 10s
(stable-fixes).
- drm/amd/display: Use HW lock mgr for PSR1 (stable-fixes).
- seccomp: Stub for !CONFIG_SECCOMP (stable-fixes).
- ASoC: samsung: Add missing depends on I2C (git-fixes).
- ASoC: samsung: Add missing selects for MFD_WM8994
(stable-fixes).
- ASoC: wm8994: Add depends on MFD core (stable-fixes).
- ata: libata-core: Set ATA_QCFLAG_RTF_FILLED in fill_result_tf()
(stable-fixes).
- commit c243755
- ASoC: acp: Support microphone from Lenovo Go S (stable-fixes).
- ALSA: usb-audio: Add delay quirk for iBasso DC07 Pro
(stable-fixes).
- commit 7bec8fa
- kconfig: fix file name in warnings when loading
KCONFIG_DEFCONFIG_LIST (git-fixes).
- genksyms: fix memory leak when the same symbol is read from
*.symref file (git-fixes).
- genksyms: fix memory leak when the same symbol is added from
source (git-fixes).
- ASoC: rockchip: i2s_tdm: Re-add the set_sysclk callback
(git-fixes).
- commit 472aca3
- kABI workaround for struct auto_pin_cfg_item change (git-fixes).
- commit 43b97fb
- ALSA: hda: Fix headset detection failure due to unstable sort
(git-fixes).
- commit 6dcca9b
- blacklist.conf: Not affected by CVE-2024-44932 and CVE-2024-44964
- Delete
patches.suse/idpf-fix-UAFs-when-destroying-the-queues.patch.
- Delete
patches.suse/idpf-fix-memory-leaks-and-crashes-while-performing-a.patch.
This fixes bsc#1236628
- commit 3ac3069
- kcsan: Turn report_filterlist_lock into a raw_spinlock
(CVE-2024-56610 bsc#1235390).
- commit d41073a
- io_uring/eventfd: ensure io_eventfd_signal() defers another
RCU period (CVE-2025-21655 bsc#1236163).
- commit 4487b43
- Refresh
patches.suse/io_uring-check-for-overflows-in-io_pin_pages.patch.
There was an error in my backport of this patch that caused an Oops as
soon as a pbuf is registered.
- commit 83010fb
- cpuidle: Avoid potential overflow in integer multiplication
(git-fixes).
- commit 0568366
- cpufreq: intel_pstate: Make hwp_notify_lock a raw spinlock
(git-fixes).
- commit ade7f79
- cpufreq: amd-pstate: remove global header file (git-fixes).
- commit be74a4f
- mm/rodata_test: use READ_ONCE() to read const variable
(git-fixes).
- commit 915b6ed
- cpufreq: intel_pstate: Use HWP to initialize ITMT if CPPC is
missing (git-fixes).
- commit 1e10ad3
- cpufreq: intel_pstate: fix pstate limits enforcement for
adjust_perf call back (git-fixes).
- commit dd83446
- cpufreq: ACPI: Fix max-frequency computation (git-fixes).
- commit 54e5cf5
- cpufreq: Don't unregister cpufreq cooling on CPU hotplug
(git-fixes).
- commit d893e3e
- rtc: zynqmp: Fix optional clock name property (git-fixes).
- rtc: pcf85063: fix potential OOB write in PCF85063 NVMEM read
(git-fixes).
- PM: hibernate: Add error handling for syscore_suspend()
(git-fixes).
- Bluetooth: L2CAP: accept zero as a special value for MTU
auto-selection (git-fixes).
- Bluetooth: btnxpuart: Fix glitches seen in dual A2DP streaming
(git-fixes).
- usbnet: ipheth: use static NDP16 location in URB (git-fixes).
- usbnet: ipheth: check that DPE points past NCM header
(git-fixes).
- usbnet: ipheth: fix possible overflow in DPE length check
(git-fixes).
- net: usb: rtl8150: enable basic endpoint checking (git-fixes).
- net: phy: c45-tjaxx: add delay between MDIO write and read in
soft_reset (git-fixes).
- net: rose: fix timer races against user threads (git-fixes).
- NFC: nci: Add bounds checking in nci_hci_create_pipe()
(git-fixes).
- docs: power: Fix footnote reference for Toshiba Satellite
P10-554 (git-fixes).
- gpio: mxc: remove dead code after switch to DT-only (git-fixes).
- pm:cpupower: Add missing powercap_set_enabled() stub function
(git-fixes).
- commit d7c0bf6
- io_uring: check for overflows in io_pin_pages (CVE-2024-53187
bsc#1234947).
- commit 5155778
- brd: defer automatic disk creation until module initialization
succeeds (CVE-2024-56693 bsc#1235418).
- commit b6cdeb6
- powerpc/pseries/eeh: Fix get PE state translation (bsc#1215199).
- commit b41af30
- ALSA: hda/realtek: Workaround for resume on Dell Venue 11 Pro
7130 (bsc#1235686).
- commit 63a2d06
- Correct typos in patch-mainline versions in previous patches
- commit 9e305bb
- dmaengine: ti: edma: fix OF node reference leaks in edma_driver
(git-fixes).
- regulator: core: Add missing newline character (git-fixes).
- commit a55a5c7
- Delete patches.suse/iommu-arm-smmu-Defer-probe-of-clients-after-smmu-dev.patch
Reverted upstream by 97cb1fa02726 iommu/arm-smmu: Retire probe deferral
workaround.
- commit 2dda00e
- virtio-blk: don't keep queue frozen during system suspend
(CVE-2024-57946 bsc#1236247).
- commit bc49326
- netfilter: x_tables: fix LED ID check in led_tg_check()
(CVE-2024-56650 bsc#1235430).
- commit e2ba4f9
- netfilter: nf_tables: validate family when identifying table
via handle (bsc#1233778 ZDI-24-1454).
- commit 8a5e7e8
- driver core: class: Fix wild pointer dereferences in API
class_dev_iter_next() (git-fixes).
- devcoredump: cleanup some comments (git-fixes).
- serial: sh-sci: Do not probe the serial port if its slot in
sci_ports[] is in use (git-fixes).
- serial: sh-sci: Drop __initdata macro for port_cfg (git-fixes).
- serial: 8250: Adjust the timeout for FIFO mode (git-fixes).
- commit 3ee6c35
- VFS: use system_unbound_wq for delayed_mntput (bsc#1234683).
- commit 8e0a712
- RDMA/mlx5: Fix implicit ODP use after free (git-fixes)
- commit 45ca433
- RDMA/mlx5: Fix a race for an ODP MR which leads to CQE with error (git-fixes)
- commit 2c0d67d
- RDMA/rxe: Fix the warning "__rxe_cleanup+0x12c/0x170 [rdma_rxe]" (git-fixes)
- commit d370cc3
- RDMA/mlx5: Fix indirect mkey ODP page count (git-fixes)
- commit fffca3b
- RDMA/bnxt_re: Fix to drop reference to the mmap entry in case of error (git-fixes)
- commit 95b5d71
- RDMA/srp: Fix error handling in srp_add_port (git-fixes)
- commit d17536e
- RDMA/rxe: Fix mismatched max_msg_sz (git-fixes)
- commit 0c1e11b
- rdma/cxgb4: Prevent potential integer overflow on 32bit (git-fixes)
- commit c001bb0
- RDMA/mlx4: Avoid false error about access to uninitialized gids array (git-fixes)
- commit 61636fb
- RDMA/bnxt_re: Fix to export port num to ib_query_qp (git-fixes)
- commit 14d9179
- rcu/tree: Defer setting of jiffies during stall reset (git-fixes)
- commit 97d4114
- rcu-tasks: Pull sampling of ->percpu_dequeue_lim out of loop (git-fixes)
- commit 46965f9
- srcu: Only accelerate on enqueue time (git-fixes)
- commit 61de5d1
- srcu: Fix srcu_struct node grpmask overflow on 64-bit systems (git-fixes)
- commit 2ff5969
- rcu: Eliminate rcu_gp_slow_unregister() false positive (git-fixes)
- commit 0aacfbc
- rcu: Dump memory object info if callback function is invalid (git-fixes)
- commit a054e16
- rcuscale: Move rcu_scale_writer() (git-fixes)
- commit f5a8f5c
- PCI: microchip: Set inbound address translation for coherent
or non-coherent mode (git-fixes).
- PCI: imx6: Deassert apps_reset in imx_pcie_deassert_core_reset()
(git-fixes).
- PCI: imx6: Skip controller_id generation logic for i.MX7D
(git-fixes).
- PCI: endpoint: pci-epf-test: Fix check for DMA MEMCPY test
(git-fixes).
- PCI: dwc: ep: Prevent changing BAR size/flags in
pci_epc_set_bar() (git-fixes).
- PCI: dwc: ep: Write BAR_MASK before iATU registers in
pci_epc_set_bar() (git-fixes).
- genirq: Make handle_enforce_irqctx() unconditionally available
(git-fixes).
- commit 9d69135
- ibmvnic: Free any outstanding tx skbs during scrq reset
(bsc#1226980).
- commit 82833f0
- drm/v3d: Assign job pointer to NULL before signaling the fence
(git-fixes).
- iio: light: as73211: fix channel handling in only-color
triggered buffer (git-fixes).
- intel_th: core: fix kernel-doc warnings (git-fixes).
- bus: mhi: host: Free mhi_buf vector inside
mhi_alloc_bhie_table() (git-fixes).
- iio: iio-mux: kzalloc instead of devm_kzalloc to ensure page
alignment (git-fixes).
- iio: adc: ad_sigma_delta: Handle CS assertion as intended in
ad_sd_read_reg_raw() (git-fixes).
- misc: fastrpc: Fix copy buffer page size (git-fixes).
- misc: fastrpc: Fix registered buffer page address (git-fixes).
- misc: fastrpc: Deregister device nodes properly in error
scenarios (git-fixes).
- VMCI: fix reference to ioctl-number.rst (git-fixes).
- drivers/card_reader/rtsx_usb: Restore interrupt based detection
(git-fixes).
- uio: uio_dmem_genirq: check the return value of devm_kasprintf()
(git-fixes).
- uio: Fix return value of poll (git-fixes).
- misc: misc_minor_alloc to use ida for all dynamic/misc dynamic
minors (git-fixes).
- Revert "usb: gadget: u_serial: Disable ep before setting port to
null to fix the crash caused by port being null" (stable-fixes).
- USB: serial: quatech2: fix null-ptr-deref in
qt2_process_read_urb() (git-fixes).
- usb: typec: tcpm: set SRC_SEND_CAPABILITIES timeout to
PD_T_SENDER_RESPONSE (git-fixes).
- usb: host: xhci-plat: Assign shared_hcd->rsrc_start (git-fixes).
- usb: dwc3-am62: Fix an OF node leak in phy_syscon_pll_refclk()
(git-fixes).
- usb: gadget: f_tcm: Don't prepare BOT write request twice
(git-fixes).
- usb: gadget: f_tcm: ep_autoconfig with fullspeed endpoint
(git-fixes).
- usb: gadget: f_tcm: Fix Get/SetInterface return value
(git-fixes).
- usb: gadget: f_tcm: Decrement command ref count on cleanup
(git-fixes).
- usb: gadget: f_tcm: Translate error to sense (git-fixes).
- usb: gadget: f_tcm: Don't free command immediately (git-fixes).
- power: ip5xxx_power: Fix return value on ADC read errors
(git-fixes).
- pps: add an error check in parport_attach (git-fixes).
- pps: remove usage of the deprecated ida_simple_xx() API
(stable-fixes).
- commit 15d6406
- Move upstreamed lpfc patches into sorted section
- commit c33f2a8
- Revert 0dd78566990 ("Disable ceph (jsc#PED-7242)")
Apparently, jsc#PED-7242 is only to deprecate ceph for 15-SP6 and
to disable it for 15-SP7.
Revert the disabling.
- commit 4573861
- padata: add pd get/put refcnt helper (git-fixes).
- commit c209bf7
- padata: avoid UAF for reorder_work (git-fixes).
- padata: fix UAF in padata_reorder (git-fixes).
- commit 9cec1e0
- net: stmmac: dwmac-tegra: Read iommu stream id from device tree
(CVE-2025-21663 bsc#1236260).
- commit fc91755
- selftests/mm/cow: modify the incorrect checking parameters
(git-fixes).
- maple_tree: simplify split calculation (git-fixes).
- latencytop: use correct kernel-doc format for func params
(git-fixes).
- lib/inflate.c: remove dead code (git-fixes).
- commit 2970302
- remoteproc: core: Fix ida_free call while not allocated
(git-fixes).
- mtd: spinand: Remove write_enable_op() in markbad() (git-fixes).
- mtd: onenand: Fix uninitialized retlen in do_otp_read()
(git-fixes).
- PCI: rcar-ep: Fix incorrect variable used when calling
devm_request_mem_region() (git-fixes).
- PCI: dwc: Always stop link in the dw_pcie_suspend_noirq
(git-fixes).
- PCI: endpoint: pci-epf-test: Set dma_chan_rx pointer to NULL
on error (git-fixes).
- PCI: endpoint: Finish virtual EP removal in
pci_epf_remove_vepf() (git-fixes).
- PCI: endpoint: Destroy the EPC device in devm_pci_epc_destroy()
(git-fixes).
- PCI: Avoid putting some root ports into D3 on TUXEDO Sirius Gen1
(git-fixes).
- media: dvb-usb-v2: af9035: fix ISO C90 compilation error on
af9035_i2c_master_xfer (git-fixes).
- staging: media: imx: fix OF node leak in
imx_media_add_of_subdevs() (git-fixes).
- media: nxp: imx8-isi: fix v4l2-compliance test errors
(git-fixes).
- media: uvcvideo: Propagate buf->error to userspace (git-fixes).
- media: uvcvideo: Remove dangling pointers (git-fixes).
- media: uvcvideo: Remove redundant NULL assignment (git-fixes).
- media: uvcvideo: Only save async fh if success (git-fixes).
- media: uvcvideo: Support partial control reads (git-fixes).
- media: uvcvideo: Fix event flags in uvc_ctrl_send_events
(git-fixes).
- media: uvcvideo: Fix double free in error path (git-fixes).
- media: uvcvideo: Fix crash during unbind if gpio unit is in use
(git-fixes).
- staging: media: max96712: fix kernel oops when removing module
(git-fixes).
- media: camif-core: Add check for clk_enable() (git-fixes).
- media: mipi-csis: Add check for clk_enable() (git-fixes).
- media: ov5640: fix get_light_freq on auto (git-fixes).
- media: mc: fix endpoint iteration (git-fixes).
- media: i2c: ov9282: Correct the exposure offset (git-fixes).
- media: ccs: Fix cleanup order in ccs_probe() (git-fixes).
- media: imx296: Add standby delay during probe (git-fixes).
- media: i2c: imx412: Add missing newline to prints (git-fixes).
- media: ccs: Clean up parsed CCS static data on parse failure
(git-fixes).
- media: ccs: Fix CCS static data parsing for large block sizes
(git-fixes).
- media: marvell: Add check for clk_enable() (git-fixes).
- media: lmedm04: Handle errors for lme2510_int_read (git-fixes).
- media: rc: iguanair: handle timeouts (git-fixes).
- media: rkisp1: Fix unused value issue (git-fixes).
- media: imx-jpeg: Fix potential error pointer dereference in
detach_pm() (git-fixes).
- commit 059dbb0
- ALSA: hda/realtek: Enable Mute LED on HP Laptop 14s-fq1xxx
(stable-fixes).
- ALSA: usb-audio: Add delay quirk for USB Audio Device
(stable-fixes).
- ALSA: hda/realtek: Enable headset mic on Positivo C6400
(stable-fixes).
- commit 744cb45
- mailbox: tegra-hsp: Clear mailbox before using message
(git-fixes).
- soc: qcom: socinfo: Avoid out of bounds read of serial number
(git-fixes).
- soc: qcom: smem_state: fix missing of_node_put in error path
(git-fixes).
- soc: mediatek: mtk-devapc: Fix leaking IO map on error paths
(git-fixes).
- memory: tegra20-emc: fix an OF node reference bug in
tegra_emc_find_node_by_ram_code() (git-fixes).
- soc: atmel: fix device_node release in atmel_soc_device_init()
(git-fixes).
- fbdev: omapfb: Fix an OF node leak in
dss_of_port_get_parent_device() (git-fixes).
- ASoC: Intel: avs: Fix theoretical infinite loop (git-fixes).
- ASoC: sun4i-spdif: Add clock multiplier settings (git-fixes).
- ALSA: hda/realtek - Fixed headphone distorted sound on Acer
Aspire A115-31 laptop (git-fixes).
- crypto: iaa - Fix IAA disabling that occurs when sync_mode is
set to 'async' (git-fixes).
- crypto: ixp4xx - fix OF node reference leaks in
init_ixp_crypto() (git-fixes).
- crypto: qce - fix priority to be less than ARMv8 CE (git-fixes).
- crypto: qce - unregister previously registered algos in error
path (git-fixes).
- crypto: qce - fix goto jump in error path (git-fixes).
- crypto: caam - use JobR's space to access page 0 regs
(git-fixes).
- pinctrl: amd: Take suspend type into consideration which pins
are non-wake (git-fixes).
- pinctrl: samsung: fix fwnode refcount cleanup if
platform_get_irq_optional() fails (git-fixes).
- commit b034543
- Move upstreamed ppc patch into sorted section
- commit d058975
- Move upstreamed TPM patch into sorted section
- commit ccb7b48
- octeontx2-pf: handle otx2_mbox_get_rsp errors in otx2_ethtool.c (CVE-2024-56728 bsc#1235656)
- commit acc444a
- octeontx2-pf: handle otx2_mbox_get_rsp errors in otx2_flows.c (CVE-2024-56727 bsc#1235583)
- commit b6e61cf
- octeontx2-pf: handle otx2_mbox_get_rsp errors in cn10k.c (CVE-2024-56726 bsc#1235582)
- commit ac2994c
- octeontx2-pf: handle otx2_mbox_get_rsp errors in otx2_dcbnl.c (CVE-2024-56725 bsc#1235578)
- commit 4f995f2
- octeontx2-pf: handle otx2_mbox_get_rsp errors in otx2_dmac_flt.c (CVE-2024-56707 bsc#1235545)
- commit 67e8754
- octeontx2-pf: handle otx2_mbox_get_rsp errors in otx2_common.c (CVE-2024-56679 bsc#1235498)
- commit becbeeb
- drm/amd/display: Fix out-of-bounds access in 'dcn21_link_encoder_create' (CVE-2024-56608 bsc#1235487)
- commit df4e9dd
- dm thin: make get_first_thin use rcu-safe list first function (CVE-2025-21664 bsc#1236262)
- commit 83d356e
- selinux: ignore unknown extended permissions (CVE-2024-57931 bsc#1236192)
- commit 4334198
- net_sched: cls_flow: validate TCA_FLOW_RSHIFT attribute (CVE-2025-21653 bsc#1236161)
- commit 9089d3b
- ipvlan: Fix use-after-free in ipvlan_get_iflink() (CVE-2025-21652 bsc#1236160)
- commit 8201e7e
- net/sctp: Prevent autoclose integer overflow in sctp_association_init() (CVE-2024-57938 bsc#1236182)
- commit 338cf1f
- topology: Keep the cpumask unchanged when printing cpumap (CVE-2024-57917 bsc#1236127)
- commit 1d17273
- mm: vmscan: account for free pages to prevent infinite Loop in throttle_direct_reclaim() (CVE-2024-57884 bsc#1235948)
- commit abc82c3
- netrom: check buffer length before accessing it (CVE-2024-57802 bsc#1235941)
- commit 606eed5
- ionic: Fix netdev notifier unregister on failure (CVE-2024-56715 bsc#1235612)
- commit 28b55e0
- sched/fair: Fix value reported by hot tasks pulled in
/proc/schedstat -kabi (bsc#1235865).
- commit a0069bc
- wifi: ath12k: fix tx power, max reg power update to firmware
(git-fixes).
- wifi: mt76: mt7996: fix ldpc setting (git-fixes).
- wifi: mt76: mt7996: fix definition of tx descriptor (git-fixes).
- wifi: mt76: mt7996: fix incorrect indexing of MIB FW event
(git-fixes).
- wifi: mt76: mt7996: fix HE Phy capability (git-fixes).
- wifi: mt76: mt7996: fix the capability of reception of EHT MU
PPDU (git-fixes).
- wifi: mt76: mt7996: add max mpdu len capability (git-fixes).
- wifi: mt76: mt7996: fix register mapping (git-fixes).
- wifi: mt76: mt7915: fix register mapping (git-fixes).
- wifi: mt76: mt7915: firmware restart on devices with a second
pcie link (git-fixes).
- wifi: mt76: mt7996: fix rx filter setting for bfee functionality
(git-fixes).
- wifi: mt76: mt7915: fix overflows seen when writing limit
attributes (git-fixes).
- wifi: mt76: mt7996: fix overflows seen when writing limit
attributes (git-fixes).
- wifi: mt76: mt7915: add module param to select 5 GHz or 6 GHz
on MT7916 (git-fixes).
- wifi: mt76: mt7921: fix using incorrect group cipher after
disconnection (git-fixes).
- wifi: mt76: mt76u_vendor_request: Do not print error messages
when -EPROTO (git-fixes).
- commit f15e8b4
- tools: Sync if_xdp.h uapi tooling header (git-fixes).
- selftests/landlock: Fix error message (git-fixes).
- selftests: harness: fix printing of mismatch values in
__EXPECT() (git-fixes).
- spi: zynq-qspi: Add check for clk_enable() (git-fixes).
- wifi: mt76: mt7915: Fix mesh scan on MT7916 DBDC (git-fixes).
- wifi: mt76: mt7925: fix off by one in mt7925_load_clc()
(git-fixes).
- wifi: rtw89: mcc: consider time limits not divisible by 1024
(git-fixes).
- wifi: rtlwifi: rtl8821ae: Fix media status report (git-fixes).
- wifi: cfg80211: adjust allocation of colocated AP data
(git-fixes).
- wifi: mac80211: don't flush non-uploaded STAs (git-fixes).
- wifi: mac80211: Fix common size calculation for ML element
(git-fixes).
- wifi: mac80211: fix tid removal during mesh forwarding
(git-fixes).
- wifi: mac80211: prohibit deactivating all links (git-fixes).
- wifi: iwlwifi: fw: read STEP table from correct UEFI var
(git-fixes).
- wifi: wlcore: fix unbalanced pm_runtime calls (git-fixes).
- wifi: rtlwifi: pci: wait for firmware loading before releasing
memory (git-fixes).
- wifi: rtlwifi: fix memory leaks and invalid access at probe
error path (git-fixes).
- wifi: rtlwifi: destroy workqueue at rtl_deinit_core (git-fixes).
- wifi: rtlwifi: remove unused check_buddy_priv (git-fixes).
- wifi: rtlwifi: usb: fix workqueue leak when probe fails
(git-fixes).
- wifi: rtlwifi: fix init_sw_vars leak when probe fails
(git-fixes).
- wifi: rtlwifi: wait for firmware loading before releasing memory
(git-fixes).
- wifi: rtlwifi: rtl8192se: rise completion of firmware loading
as last step (git-fixes).
- wifi: rtlwifi: do not complete firmware loading needlessly
(git-fixes).
- wifi: rtlwifi: rtl8821ae: phy: restore removed code to fix
infinite loop (git-fixes).
- wifi: brcmfmac: add missing header include for brcmf_dbg
(git-fixes).
- wifi: ath11k: cleanup struct ath11k_mon_data (git-fixes).
- wifi: wcn36xx: fix channel survey memory allocation size
(git-fixes).
- wifi: ath11k: Fix unexpected return buffer manager error for
WCN6750/WCN6855 (git-fixes).
- selinux: Fix SCTP error inconsistency in selinux_socket_bind()
(git-fixes).
- commit 40f350b
- ktest.pl: Fix typo "accesing" (git-fixes).
- ktest.pl: Fix typo in comment (git-fixes).
- ktest.pl: Remove unused declarations in run_bisect_test function
(git-fixes).
- ktest.pl: Check kernelrelease return in get_version (git-fixes).
- landlock: Handle weird files (git-fixes).
- samples/landlock: Fix possible NULL dereference in parse_path()
(git-fixes).
- selftests: timers: clocksource-switch: Adapt progress to
kselftest framework (git-fixes).
- selftest: media_tests: fix trivial UAF typo (git-fixes).
- Input: davinci-keyscan - remove leftover header (git-fixes).
- HID: core: Fix assumption that Resolution Multipliers must be
in Logical Collections (git-fixes).
- HID: fix generic desktop D-Pad controls (git-fixes).
- HID: hid-thrustmaster: Fix warning in thrustmaster_probe by
adding endpoint check (git-fixes).
- HID: multitouch: fix support for Goodix PID 0x01e9 (git-fixes).
- Revert "HID: multitouch: Add support for lenovo Y9000P Touchpad"
(stable-fixes).
- ipmi: ssif_bmc: Fix new request loss when bmc ready for a
response (git-fixes).
- ipmi: ipmb: Add check devm_kasprintf() returned value
(git-fixes).
- pwm: stm32: Add check for clk_enable() (git-fixes).
- pwm: stm32-lp: Add check for clk_enable() (git-fixes).
- leds: netxbig: Fix an OF node reference leak in
netxbig_leds_get_of_pdata() (git-fixes).
- leds: lp8860: Write full EEPROM, not only half of it
(git-fixes).
- HID: hid-sensor-hub: don't use stale platform-data on remove
(git-fixes).
- regulator: of: Implement the unwind path of of_regulator_match()
(git-fixes).
- net/rose: prevent integer overflows in rose_setsockopt()
(git-fixes).
- drm/msm: don't clean up priv->kms prematurely (git-fixes).
- selftests/powerpc: Fix argument order to timer_sub()
(git-fixes).
- selftests/alsa: Fix circular dependency involving global-timer
(stable-fixes).
- ktest.pl: Avoid false positives with grub2 skip regex
(stable-fixes).
- ktest: force $buildonly = 1 for 'make_warnings_file' test type
(stable-fixes).
- commit 3e5bf1b
- drm/msm: Check return value of of_dma_configure() (git-fixes).
- drm/msm/dpu: link DSPP_2/_3 blocks on SM8550 (git-fixes).
- drm/msm/dpu: link DSPP_2/_3 blocks on SM8350 (git-fixes).
- drm/msm/dpu: link DSPP_2/_3 blocks on SM8250 (git-fixes).
- drm/msm/dpu: link DSPP_2/_3 blocks on SC8180X (git-fixes).
- drm/msm/dpu: link DSPP_2/_3 blocks on SM8150 (git-fixes).
- drm/msm/dp: set safe_to_exit_level before printing it
(git-fixes).
- drm/amdgpu: tear down ttm range manager for doorbell in
amdgpu_ttm_fini() (git-fixes).
- drm/etnaviv: Fix page property being used for non writecombine
buffers (git-fixes).
- Revert "drm/i915/dpt: Make DPT object unshrinkable"
(stable-fixes).
- drm/amdgpu: simplify return statement in amdgpu_ras_eeprom_init
(git-fixes).
- drm/amdgpu/vcn: reset fw_shared under SRIOV (git-fixes).
- drm/amdgpu: Fix potential NULL pointer dereference in
atomctrl_get_smc_sclk_range_table (git-fixes).
- drm/amd/pm: Fix an error handling path in
vega10_enable_se_edc_force_stall_config() (git-fixes).
- drm/bridge: it6505: Change definition of AUX_FIFO_MAX_SIZE
(git-fixes).
- drm/rockchip: vop2: Check linear format for Cluster windows
on rk3566/8 (git-fixes).
- drm/rcar-du: dsi: Fix PHY lock bit check (git-fixes).
- drm/rockchip: vop2: Fix the mixer alpha setup for layer 0
(git-fixes).
- drm/rockchip: vop2: Fix cluster windows alpha ctrl regsiters
offset (git-fixes).
- commit 2f1e321
- ACPI: fan: cleanup resources in the error path of .probe()
(git-fixes).
- cpupower: fix TSC MHz calculation (git-fixes).
- Bluetooth: L2CAP: handle NULL sock pointer in l2cap_sock_alloc
(git-fixes).
- Align git commit ID abbreviation guidelines and checks
(git-fixes).
- drm/tidss: Clear the interrupt status for interrupts being
disabled (git-fixes).
- drm/tidss: Fix issue in irq handling causing irq-flood issue
(git-fixes).
- drm/v3d: Stop active perfmon if it is being destroyed
(git-fixes).
- drm/rockchip: cdn-dp: Use drm_connector_helper_hpd_irq_event()
(git-fixes).
- commit 737a47e
- Input: bbnsm_pwrkey - add remove hook (git-fixes).
- drm/i915/fb: Relax clear color alignment to 64 bytes
(stable-fixes).
- drm/amdgpu: always sync the GFX pipe on ctx switch
(stable-fixes).
- ACPI: resource: acpi_dev_irq_override(): Check DMI match last
(stable-fixes).
- mac802154: check local interfaces before deleting sdata list
(stable-fixes).
- selftests: tc-testing: reduce rshift value (stable-fixes).
- kheaders: Ignore silly-rename files (stable-fixes).
- commit cbbd806
- Drop PCI patch that caused a regression
Deleted:
patches.suse/PCI-Use-preserve_config-in-place-of-pci_flags.patch
- commit 30fb9e7
- sched/fair: Fix value reported by hot tasks pulled in
/proc/schedstat (bsc#1235865).
- commit 9837653
- Update
patches.suse/ALSA-seq-oss-Fix-races-at-processing-SysEx-messages.patch
(stable-fixes CVE-2024-57893 bsc#1235920).
- Update
patches.suse/RDMA-bnxt_re-Fix-max-SGEs-for-the-Work-Request.patch
(git-fixes CVE-2024-57936 bsc#1236181).
- Update
patches.suse/RDMA-hns-Fix-accessing-invalid-dip_ctx-during-destro.patch
(git-fixes CVE-2024-57935 bsc#1236180).
- Update
patches.suse/RDMA-rtrs-Ensure-ib_sge-list-is-accessible.patch
(git-fixes CVE-2024-36476 bsc#1235902).
- Update
patches.suse/RDMA-uverbs-Prevent-integer-overflow-issue.patch
(git-fixes CVE-2024-57890 bsc#1235919).
- Update patches.suse/afs-Fix-the-maximum-cell-name-length.patch
(git-fixes CVE-2025-21646 bsc#1236168).
- Update
patches.suse/arm64-ptrace-fix-partial-SETREGSET-for-NT_ARM_TAGGED_ADDR_CTRL.patch
(git-fixes CVE-2024-57874 bsc#1235808).
- Update
patches.suse/cpufreq-CPPC-Fix-possible-null-ptr-deref-for-cppc_ge.patch
(git-fixes CVE-2024-53230 bsc#1235976).
- Update
patches.suse/cpufreq-CPPC-Fix-possible-null-ptr-deref-for-cpufreq.patch
(git-fixes CVE-2024-53231 bsc#1235977).
- Update
patches.suse/drm-adv7511-Fix-use-after-free-in-adv7533_attach_dsi.patch
(git-fixes CVE-2024-57887 bsc#1235952).
- Update
patches.suse/drm-amd-display-Add-check-for-granularity-in-dml-cei.patch
(stable-fixes CVE-2024-57922 bsc#1236080).
- Update
patches.suse/drm-amdkfd-Correct-the-migration-DMA-map-direction.patch
(stable-fixes CVE-2024-57897 bsc#1235969).
- Update
patches.suse/drm-dp_mst-Ensure-mst_primary-pointer-is-valid-in-dr.patch
(stable-fixes CVE-2024-57798 bsc#1235818).
- Update
patches.suse/drm-dp_mst-Fix-resetting-msg-rx-state-after-topology.patch
(git-fixes CVE-2024-57876 bsc#1235806).
- Update
patches.suse/drm-mediatek-Set-private-all_drm_private-i-drm-to-NU.patch
(git-fixes CVE-2024-57926 bsc#1236082).
- Update
patches.suse/exfat-fix-the-infinite-loop-in-exfat_readdir.patch
(git-fixes CVE-2024-57940 bsc#1236227).
- Update
patches.suse/hwmon-drivetemp-Fix-driver-producing-garbage-data-wh.patch
(git-fixes CVE-2025-21656 bsc#1236248).
- Update
patches.suse/iio-adc-at91-call-input_free_device-on-allocated-iio.patch
(git-fixes CVE-2024-57904 bsc#1236078).
- Update
patches.suse/iio-adc-rockchip_saradc-fix-information-leak-in-trig.patch
(git-fixes CVE-2024-57907 bsc#1236090).
- Update
patches.suse/iio-adc-ti-ads8688-fix-information-leak-in-triggered.patch
(git-fixes CVE-2024-57906 bsc#1236088).
- Update
patches.suse/iio-dummy-iio_simply_dummy_buffer-fix-information-le.patch
(git-fixes CVE-2024-57911 bsc#1236098).
- Update
patches.suse/iio-imu-kmx61-fix-information-leak-in-triggered-buff.patch
(git-fixes CVE-2024-57908 bsc#1236091).
- Update
patches.suse/iio-light-vcnl4035-fix-information-leak-in-triggered.patch
(git-fixes CVE-2024-57910 bsc#1236097).
- Update
patches.suse/iio-pressure-zpa2326-fix-information-leak-in-trigger.patch
(git-fixes CVE-2024-57912 bsc#1236101).
- Update
patches.suse/jffs2-Prevent-rtime-decompress-memory-corruption.patch
(git-fixes CVE-2024-57850 bsc#1235812).
- Update
patches.suse/misc-microchip-pci1xxxx-Resolve-kernel-panic-during-.patch
(git-fixes CVE-2024-57916 bsc#1236125).
- Update
patches.suse/net-wwan-t7xx-Fix-FSM-command-timeout-issue.patch
(git-fixes CVE-2024-39282 bsc#1235903).
- Update
patches.suse/netfilter-nf_tables-adapt-set-backend-to-use-G.patch
(bsc#1012628 CVE-2023-52923 bsc#1236104).
- Update patches.suse/nilfs2-prevent-use-of-deleted-inode.patch
(git-fixes CVE-2024-53690 bsc#1235842).
- Update
patches.suse/platform-x86-amd-pmc-Only-disable-IRQ1-wakeup-where-.patch
(git-fixes CVE-2025-21645 bsc#1236131).
- Update
patches.suse/powerpc-pseries-vas-Add-close-callback-in-vas_vm_ops.patch
(bsc#1234825 CVE-2024-56765 bsc#1235643).
- Update
patches.suse/s390-cpum_sf-Handle-CPU-hotplug-remove-during-sampling.patch
(git-fixes CVE-2024-57849 bsc#1235814).
- Update
patches.suse/usb-gadget-f_fs-Remove-WARN_ON-in-functionfs_bind.patch
(git-fixes CVE-2024-57913 bsc#1236102).
- Update
patches.suse/usb-gadget-u_serial-Disable-ep-before-setting-port-t.patch
(git-fixes CVE-2024-57915 bsc#1236120).
- Update
patches.suse/wifi-mac80211-fix-mbss-changed-flags-corruption-on-3.patch
(stable-fixes CVE-2024-57899 bsc#1235924).
- Update
patches.suse/workqueue-Do-not-warn-when-cancelling-WQ_MEM_RECLAIM-work-from-WQ_MEM_RECLAIM-worker.patch
(bsc#1235416 CVE-2024-57888 bsc#1235918).
- commit 56e243f
- net: inet: do not leave a dangling sk pointer in inet_create()
(CVE-2024-56601 bsc#1235230).
- commit 959586f
- usb: typec: fix pm usage counter imbalance in ucsi_ccg_sync_control() (bsc#1235001)
- commit 8b4d1ad
- usb: typec: fix potential array underflow in ucsi_ccg_sync_control() (CVE-2024-53203 bsc#1235001)
- commit 601cb11
- net: add more sanity checks to qdisc_pkt_len_init()
(CVE-2024-49948 bsc#1232161).
- commit 940829f
- bpf,perf: Fix invalid prog_array access in perf_event_detach_bpf_prog (CVE-2024-56665 bsc#1235489)
- commit b2f97f8
- gso: fix udp gso fraglist segmentation after pull from frag_list
(CVE-2024-49978 bsc#1232101).
- commit 8453570
- powerpc/powernv/pci: Remove last IODA1 defines (bsc#1220711
ltc#205755).
- powerpc/powernv/pci: Remove MVE code (bsc#1220711 ltc#205755).
- powerpc/powernv/pci: Remove ioda1 support (bsc#1220711
ltc#205755).
- commit 5733e6d
- powerpc/iommu: Move pSeries specific functions to
pseries/iommu.c (bsc#1220711 ltc#205755).
- powerpc/iommu: Only build sPAPR access functions on pSeries
(bsc#1220711 ltc#205755).
- commit 1165a9d
- ceph: improve error handling and short/overflow-read logic in
__ceph_sync_read() (bsc#1228592).
- commit b40380c
- doc/README.SUSE: Point to the updated version of LKMPG
- commit 624b259
- Input: bbnsm_pwrkey - fix missed key press after suspend
(git-fixes).
- commit 51a70b3
- x86/fpu: Ensure shadow stack is active before "getting"
registers (CVE-2025-21632 bsc#1236106).
- commit 6ea3a8f
- net: restrict SO_REUSEPORT to inet sockets (bsc#1235967 CVE-2024-57903)
- commit 0b70e79
- net: hns3: fix kernel crash when 1588 is sent on HIP08 devices (bsc#1236143 CVE-2025-21649)
- commit ab51b8f
- net/mlx5: Fix variable not being completed when function returns (bsc#1236198 CVE-2025-21662)
- commit 766ce3e
- net: hns3: fixed hclge_fetch_pf_reg accesses bar space out of
bounds issue (CVE-2025-21650 bsc#1236144).
- net: hns3: Support tlv in regs data for HNS3 VF driver
(CVE-2025-21650 bsc#1236144).
- commit d07cfee
- tracing: Prevent bad count for tracing_cpumask_write (CVE-2024-56763 bsc#1235638)
- commit b7a1a0d
- dccp: Fix memory leak in dccp_feat_change_recv (CVE-2024-56643 bsc#1235132)
- commit 13d2c8a
- iommu/arm-smmu: Defer probe of clients after smmu device bound (CVE-2024-56568 bsc#1235032)
- commit cd5e85b
- EDAC/igen6: Avoid segmentation fault on module unload (CVE-2024-56708 bsc#1235564)
- commit cbccd47
- net/smc: initialize close_work early to avoid warning (CVE-2024-56641 bsc#1235526)
- commit 075f0f7
- EDAC/{i10nm,skx,skx_common}: Support UV systems (bsc#1234693).
- commit 6767706
- net: hns3: don't auto enable misc vector (CVE-2025-21651
bsc#1236145).
- gve: guard XSK operations on the existence of queues
(CVE-2024-57933 bsc#1236178).
- gve: guard XDP xmit NDO on existence of xdp queues
(CVE-2024-57932 bsc#1236190).
- commit 4cf5801
- mm: memory-failure: remove unneeded PageHuge() check
(git-fixes).
- commit 7ff9700
- powerpc/pseries/iommu: IOMMU incorrectly marks MMIO range in DDW
(bsc#1218470 ltc#204531).
- commit 7a7f1e1
- mm/memory-failure: use raw_spinlock_t in struct
memory_failure_cpu (git-fixes).
- commit 25daa9d
- mm/memory-failure: fix crash in split_huge_page_to_list from
soft_offline_page (git-fixes).
- commit 044809f
- memory-failure: use a folio in me_huge_page() (git-fixes).
- commit a51c830
- mm/memory-failure: cast index to loff_t before shifting it
(git-fixes).
- commit 4552d04
- mm/memory-failure: check the mapcount of the precise page
(git-fixes).
- commit 08d463b
- mm/memory-failure: pass the folio and the page to
collect_procs() (git-fixes).
- commit e29780e
- mm: convert DAX lock/unlock page to lock/unlock folio
(git-fixes).
- commit 4b2c66d
- mm: memory-failure: fix potential page refcnt leak in
memory_failure() (git-fixes).
- commit 2df790d
- mm: memory-failure: fix race window when trying to get hugetlb
folio (git-fixes).
- commit fdf1377
- mm: memory-failure: fetch compound head after extra page refcnt
is held (git-fixes).
- commit dea0e54
- mm: memory-failure: ensure moving HWPoison flag to the raw
error pages (git-fixes).
- commit 8250e5e
- mm/migrate: make migrate_pages_batch() stats consistent
(git-fixes).
Refreshed:
patches.suse/mm-migrate-fix-deadlock-in-migrate_pages_batch-on-la.patch
- commit 69ecdc4
- KVM: x86: Play nice with protected guests in
complete_hypercall_exit() (CVE-2024-55881 bsc#1235745).
- commit 4bd067f
- netfilter: ipset: Hold module reference while requesting a module (CVE-2024-56637 bsc#1235523)
- commit 53ff17c
- btrfs: fix use-after-free when COWing tree bock and tracing
is enabled (bsc#1235645 CVE-2024-56759).
- btrfs: flush delalloc workers queue before stopping cleaner
kthread during unmount (bsc#1235965 CVE-2024-57896).
- btrfs: rename and export __btrfs_cow_block() (bsc#1235645
CVE-2024-56759).
- btrfs: use round_down() to align block offset at
btrfs_cow_block() (bsc#1235645 CVE-2024-56759).
- btrfs: remove noinline attribute from btrfs_cow_block()
(bsc#1235645 CVE-2024-56759).
- commit 503809f
- geneve: do not assume mac header is set in geneve_xmit_skb() (CVE-2024-56636 bsc#1235520)
- commit 3073d9c
- net: avoid potential UAF in default_operstate() (CVE-2024-56635 bsc#1235519)
- commit 37cf286
- dm array: fix releasing a faulty array block twice in
dm_array_cursor_end (bsc#1236096, CVE-2024-57929).
- commit 38c0041
- net: lapb: increase LAPB_HEADER_LEN (CVE-2024-56659 bsc#1235439)
- commit e4681a0
- net: enetc: Do not configure preemptible TCs if SIs do not support (CVE-2024-56649 bsc#1235449)
- commit 4181889
- smb: Initialize cfid->tcon before performing network ops (CVE-2024-56729 bsc#1235503)
- commit fd558fd
- mm/migrate: fix kernel BUG at mm/compaction.c:2761! (git-fixes).
Refreshed: patches.suse/mm-migrate-fix-deadlock-in-migrate_pages_batch-on-la.patch
- commit 7d17ae8
- series.conf: temporarily disable upstream patch
patches.suse/ocfs2-fix-UBSAN-warning-in-ocfs2_verify_volume.patch
(bsc#1236138)
- commit 9179570
- mm/migrate: putback split folios when numa hint migration fails
(git-fixes).
- commit 0acef71
- vmscan,migrate: fix page count imbalance on node stats when
demoting pages (git-fixes).
- commit 4d259d3
- memory tiering: count PGPROMOTE_SUCCESS when mem tiering is
enabled (git-fixes).
- commit 86638ef
- mm/migrate: fix deadlock in migrate_pages_batch() on large
folios (git-fixes).
- commit a0d118b
- mm/migrate: split source folio if it is on deferred split list
(git-fixes).
- commit 0fa5f5f
- mm/migrate: correct nr_failed in migrate_pages_sync()
(git-fixes).
- commit 3743659
- mm,page_owner: don't remove __GFP_NOLOCKDEP in
add_stack_record_to_list (git-fixes).
- commit 26a8c23
- mm/page_owner: remove free_ts from page_owner output
(git-fixes).
- commit dfa6a27
- stackdepot: respect __GFP_NOLOCKDEP allocation flag (git-fixes).
- commit a04bd5d
- stackdepot: rename pool_index to pool_index_plus_1 (git-fixes).
- commit ff2e445
- lib/stackdepot: print disabled message only if truly disabled
(git-fixes).
- commit cfe7741
- RDMA/bnxt_re: Fix max SGEs for the Work Request (git-fixes)
- commit 7879380
- RDMA/bnxt_re: Fix MSN table size for variable wqe mode (git-fixes)
- commit fe21e4e
- RDMA/bnxt_re: Add send queue size check for variable wqe (git-fixes)
- commit 3178b0e
- RDMA/bnxt_re: Fix the max WQEs used in Static WQE mode (git-fixes)
- commit eeedd44
- RDMA/bnxt_re: Fix the max WQE size for static WQE support (git-fixes)
- commit a1e1198
- mm/memory_hotplug: use pfn math in place of direct struct page
manipulation (git-fixes).
- commit 120d675
- mm/memory_hotplug: add missing mem_hotplug_lock (git-fixes).
- commit 86cb612
- mm/memory_hotplug: fix error handling in add_memory_resource()
(git-fixes).
- commit 3ebdf6a
- mm/memory_hotplug: prevent accessing by index=-1 (git-fixes).
- commit c68beb1
- RDMA/bnxt_re: Add support for Variable WQE in Genp7 adapters (git-fixes)
Refresh patches:
- patches.suse/RDMA-bnxt_re-Disable-use-of-reserved-wqes.patch
- patches.suse/RDMA-bnxt_re-Fix-the-max-CQ-WQEs-for-older-adapters.patch
- commit c3e9f58
- RDMA/bnxt_re: Allow MSN table capability check (git-fixes)
Refresh patches:
- patches.suse/RDMA-bnxt_re-Fix-the-GID-table-length.patch
- patches.suse/RDMA-bnxt_re-Remove-always-true-dattr-validity-check.patch
- commit 1ac774c
- RDMA/hns: Remove unused parameters and variables (git-fixes)
Refresh patches.suse/RDMA-hns-Fix-mapping-error-of-zero-hop-WQE-buffer.patch
- commit ad435f0
- RDMA/hns: Refactor mtr find (git-fixes)
Refresh patches.suse/RDMA-hns-Use-macro-instead-of-magic-number.patch
- commit de53bbe
- bpf: Add sk_is_inet and IS_ICSK check in tls_sw_has_ctx_tx/rx
(CVE-2024-53091 bsc#1233638).
- commit 313e9b6
- ocfs2: fix slab-use-after-free due to dangling pointer dqi_priv
(bsc#1235964 CVE-2024-57892).
- ocfs2: correct return value of ocfs2_local_free_info()
(bsc#1235964 CVE-2024-57892).
- commit d27bf4b
- Revert "mtd: spi-nor: core: replace dummy buswidth from addr
to data" (git-fixes).
- hwmon: (tmp513) Fix division of negative numbers (git-fixes).
- gpio: xilinx: Convert gpio_lock to raw spinlock (git-fixes).
- i2c: rcar: fix NACK handling when being a target (git-fixes).
- i2c: mux: demux-pinctrl: check initial mux selection, too
(git-fixes).
- i2c: core: fix reference leak in i2c_register_adapter()
(git-fixes).
- USB: serial: option: add Neoway N723-EA support (stable-fixes).
- USB: serial: option: add MeiG Smart SRM815 (stable-fixes).
- USB: serial: cp210x: add Phoenix Contact UPS Device
(stable-fixes).
- usb-storage: Add max sectors quirk for Nokia 208 (stable-fixes).
- ACPI: resource: Add TongFang GM5HG0A to
irq1_edge_low_force_override[] (stable-fixes).
- ACPI: resource: Add Asus Vivobook X1504VAP to
irq1_level_low_skip_override[] (stable-fixes).
- drm/amd/display: Add check for granularity in dml ceil/floor
helpers (stable-fixes).
- drm/amd/display: increase MAX_SURFACES to the value supported
by hw (stable-fixes).
- ASoC: mediatek: disable buffer pre-allocation (stable-fixes).
- ASoC: rt722: add delay time to wait for the calibration
procedure (stable-fixes).
- commit 356d535
- KVM: arm64: Get rid of userspace_irqchip_in_use (CVE-2024-53195
bsc#1234957).
- commit 9fc6672
- cacheinfo: Allocate memory during CPU hotplug if not done from the primary CPU (bsc#1235429 CVE-2024-56617).
- commit 9e688fc
- s390/entry: Mark IRQ entries to fix stack depot warnings
(CVE-2024-57838 bsc#1235798).
- commit 17604ac
- KVM: arm64: Don't retire aborted MMIO instruction
(CVE-2024-53196 bsc#1234906).
- commit 8dbc3ed
- xen: Fix the issue of resource not being properly released in
xenbus_dev_probe() (CVE-2024-53198 bsc#1234923).
- commit aeb4569
- Refresh
patches.suse/x86-xen-don-t-do-PV-iret-hypercall-through-hypercall.patch.
- commit 745fddd
- x86/static-call: Remove early_boot_irqs_disabled check to fix
Xen PVH dom0 (git-fixes).
- commit cbe946f
- drm/v3d: Ensure job pointer is set to NULL after job completion
(git-fixes).
- drm/vmwgfx: Add new keep_resv BO param (git-fixes).
- selftests: mptcp: avoid spurious errors on disconnect
(git-fixes).
- commit 5e7e8a8
- ftrace: Fix regression with module command in stack_trace_filter
(CVE-2024-56569 bsc#1235031).
- commit fe237c2
- Move upstreamed DRM patch into sorted section
- commit 9ec91cd
- scsi: mpi3mr: Fix corrupt config pages PHY state is switched
in sysfs (CVE-2024-57804 bsc#1235779).
- block: fix uaf for flush rq while iterating tags (CVE-2024-53170
bsc#1234888).
- scsi: qedi: Fix a possible memory leak in
qedi_alloc_and_init_sb() (CVE-2024-56747 bsc#1234934).
- scsi: bfa: Fix use-after-free in bfad_im_module_exit()
(CVE-2024-53227 bsc#1235011).
- scsi: hisi_sas: Create all dump files during debugfs
initialization (CVE-2024-56588 bsc#1235123).
- commit 2865882
- RDMA/siw: Remove direct link to net_device (bsc#1235946 CVE-2024-57857)
- commit c33e2ed
- RDMA/rxe: Remove the direct link to net_device (bsc#1235906 CVE-2024-57795)
- commit 03de29b
- net/mlx5e: Skip restore TC rules for vport rep without loaded
flag (CVE-2024-57801 bsc#1235940).
- commit 2c1c8f0
- tpm: Map the ACPI provided event log (bsc#1233260 bsc#1233259
bsc#1232421).
- commit dfc801e
- Drop downstream TPM fix patch (bsc#1233260 bsc#1233259 bsc#1232421)
Deleted (to be replaced with the newer upstream fix):
patches.suse/tpm-eventlog-Limit-memory-allocations-for-event-logs.patch
- commit 39b3b52
- ALSA: hda/realtek: Add support for Galaxy Book2 Pro (NP950XEE)
(stable-fixes).
- Refresh
patches.suse/ALSA-hda-realtek-Add-support-for-Samsung-Galaxy-Book.patch.
- commit 231fb10
- ALSA: hda/realtek: Add support for Ayaneo System using CS35L41
HDA (stable-fixes).
- ALSA: hda/realtek - Add support for ASUS Zen AIO 27
Z272SD_A272SD audio (stable-fixes).
- commit 4039f17
- bpf: fix recursive lock when verdict program return SK_PASS (CVE-2024-56694 bsc#1235412)
- commit 19cb085
- bpf: fix OOB devmap writes when deleting elements (CVE-2024-56615 bsc#1235426)
- commit 2f8d474
- xsk: fix OOB map writes when deleting elements (CVE-2024-56614 bsc#1235424)
- commit 5188b69
- mm/mempolicy: fix migrate_to_node() assuming there is at least one VMA in a MM (CVE-2024-56611 bsc#1235391)
- commit 2731a92
- netdevsim: prevent bad user input in
nsim_dev_health_break_write() (bsc#1235587 CVE-2024-56716).
- commit 28d54d6
- bpf: Fix UAF via mismatching bpf_prog/attachment RCU flavors
(bsc#1235555 CVE-2024-56675).
- commit 403c5dd
- xsk: Free skb when TX metadata options are invalid (bsc#1235000
CVE-2024-53236).
- commit 7d68164
- ipc: fix memleak if msg_init_ns failed in create_ipc_ns
(bsc#1234893 CVE-2024-53175).
- commit 5f77971
- i3c: mipi-i3c-hci: Mask ring interrupts before ring stop request (CVE-2024-45828 bsc#1235705)
- commit 6a03a5a
- ceph: give up on paths longer than PATH_MAX (CVE-2024-53685 bsc#1235720)
- commit cd5b8ed
- btrfs: add a sanity check for btrfs root in btrfs_search_slot()
(CVE-2024-56774 bsc#1235653).
- commit cd76b1a
- bcache: revert replacing IS_ERR_OR_NULL with IS_ERR again (CVE-2024-48881 bsc#1235727)
- commit 5c5ddcb
- net/smc: check return value of sock_recvmsg when draining clc
data (CVE-2024-57791 bsc#1235759).
- commit a343ecd
- scsi: qedf: Fix a possible memory leak in qedf_alloc_and_init_sb() (CVE-2024-56748 bsc#1235627)
- commit 75f84ca
- scsi: ufs: core: sysfs: Prevent div by zero (CVE-2024-56622 bsc#1235251)
- commit 8bc4baa
- cpufreq: intel_pstate: Check turbo_is_disabled() in
store_no_turbo() (bsc#1234619).
- commit f5b59a5
- cpufreq: intel_pstate: Fix unchecked HWP MSR access
(bsc#1234619).
- commit df6b669
- cpufreq: intel_pstate: Update the maximum CPU frequency
consistently (bsc#1234619).
- commit 110e6ef
- cpufreq: intel_pstate: Replace three global.turbo_disabled
checks (bsc#1234619).
- commit 0ad4ebe
- cpufreq: intel_pstate: Read global.no_turbo under READ_ONCE()
(bsc#1234619).
- Refresh
patches.suse/cpufreq-intel_pstate-Ramp-up-frequency-faster-when-u.patch.
- Refresh
patches.suse/cpufreq-intel_pstate-Temporarily-boost-P-state-when-.patch.
- commit 1c8960e
- cpufreq: intel_pstate: Rearrange show_no_turbo() and
store_no_turbo() (bsc#1234619).
- commit 9383d66
- scsi: ufs: qcom: Only free platform MSIs when ESI is enabled (CVE-2024-56620 bsc#1235227)
- commit 00c6f8f
- cpufreq: intel_pstate: Do not update global.turbo_disabled
after initialization (bsc#1234619).
- Refresh
patches.suse/cpufreq-intel_pstate-Ramp-up-frequency-faster-when-u.patch.
- commit 536c9fc
- cpufreq: intel_pstate: Refine computation of P-state for given
frequency (bsc#1234619).
- commit 8135bb3
- cpufreq: intel_pstate: Revise global turbo disable check
(bsc#1234619).
- commit 4089ec6
- Drop uvcvideo fix due to regression (bsc#1235894)
- Delete
patches.suse/media-uvcvideo-Require-entities-to-have-a-non-zero-u.patch.
- blacklist.conf update
- commit 90c0ac7
- virt: tdx-guest: Just leak decrypted memory on unrecoverable
errors (CVE-2024-57793 bsc#1235768).
- commit 0fbd2e1
- cpufreq: intel_pstate: Fold intel_pstate_max_within_limits()
into caller (bsc#1234619).
- commit 430dfdb
- cpufreq: intel_pstate: Use __ro_after_init for three variables
(bsc#1234619).
- commit e421ce1
- cpufreq: intel_pstate: Get rid of unnecessary READ_ONCE()
annotations (bsc#1234619).
- commit 682d75a
- cpufreq: intel_pstate: Wait for canceled delayed work to
complete (bsc#1234619).
- commit a725954
- cpufreq: intel_pstate: Simplify spinlock locking (bsc#1234619).
- commit 6583c13
- cpufreq: intel_pstate: Drop redundant locking from
intel_pstate_driver_cleanup() (bsc#1234619).
- commit e58d8d7
- Revert 'arm64: Kconfig: Make SME depend on BROKEN for now'
This reverts commit 2ccfee6be929dd4ea49ef59a7ae686473aae40b6.
CONFIG_ARM64_SME is enabled by default, so some customers may
rely on SME. We need further analysis to evaluate to what
extent we are impacted and, if needed, we'll disable SME
support later.
- commit f83551c
- PCI: imx6: Fix suspend/resume support on i.MX6QDL
(CVE-2024-57809 bsc#1235793).
- commit 11fd956
- net: tun: fix tun_napi_alloc_frags() (CVE-2024-56372
bsc#1235753).
- net: renesas: rswitch: avoid use-after-put for a device tree
node (CVE-2024-55639 bsc#1235737).
- commit 0d5db72
- mm: prevent derefencing NULL ptr in pfn_section_valid()
(git-fixes).
- commit 6f62e94
- mm, kmsan: fix infinite recursion due to RCU critical section
(git-fixes).
- commit 509127e
- mm/sparsemem: fix race in accessing memory_section->usage
(bsc#1221326 CVE-2023-52489).
- commit 13000fd
- scsi: hisi_sas: Add cond_resched() for no forced preemption model (CVE-2024-56589 bsc#1235241)
- commit a1ef870
- arm64: Kconfig: Make SME depend on BROKEN for now (git-fixes).
- commit 2ccfee6
- arm64: ptrace: fix partial SETREGSET for NT_ARM_TAGGED_ADDR_CTRL
(git-fixes).
- commit 834d2d0
- arm64: dts: rockchip: add hevc power domain clock to rk3328
(git-fixes).
- commit 7aa2931
- Update
patches.suse/ALSA-6fire-Release-resources-at-card-release.patch
(git-fixes CVE-2024-53239 bsc#1235054).
- Update
patches.suse/ALSA-caiaq-Use-snd_card_free_when_closed-at-disconne.patch
(git-fixes CVE-2024-56531 bsc#1235057).
- Update
patches.suse/ALSA-us122l-Use-snd_card_free_when_closed-at-disconn.patch
(git-fixes CVE-2024-56532 bsc#1235059).
- Update
patches.suse/ALSA-usb-audio-Fix-potential-out-of-bound-accesses-f.patch
(git-fixes CVE-2024-53197 bsc#1235464).
- Update
patches.suse/ALSA-usx2y-Use-snd_card_free_when_closed-at-disconne.patch
(git-fixes CVE-2024-56533 bsc#1235053).
- Update
patches.suse/Bluetooth-hci_core-Fix-not-checking-skb-length-on-hc.patch
(stable-fixes CVE-2024-56590 bsc#1235038).
- Update
patches.suse/Bluetooth-hci_event-Fix-using-rcu_read_-un-lock-whil.patch
(git-fixes CVE-2024-56654 bsc#1235532).
- Update
patches.suse/HID-wacom-fix-when-get-product-name-maybe-null-point.patch
(git-fixes CVE-2024-56629 bsc#1235473).
- Update
patches.suse/NFSv3-only-use-NFS-timeout-for-MOUNT-when-protocols-.patch
(bsc#1231016 CVE-2024-50106 bsc#1232882).
- Update patches.suse/PCI-Fix-reset_method_store-memory-leak.patch
(git-fixes CVE-2024-56745 bsc#1235563).
- Update
patches.suse/PCI-Fix-use-after-free-of-slot-bus-on-hot-remove.patch
(stable-fixes CVE-2024-53194 bsc#1235459).
- Update
patches.suse/PCI-MSI-Handle-lack-of-irqdomain-gracefully.patch
(git-fixes CVE-2024-56760 bsc#1235616).
- Update
patches.suse/RDMA-hns-Fix-cpu-stuck-caused-by-printings-during-re.patch
(git-fixes CVE-2024-56722 bsc#1235570).
- Update
patches.suse/acpi-nfit-vmalloc-out-of-bounds-Read-in-acpi_nfit_ct.patch
(git-fixes CVE-2024-56662 bsc#1235533).
- Update
patches.suse/af_packet-avoid-erroring-out-after-sock_init_data-in.patch
(CVE-2024-56606 bsc#123541 bsc#1235417).
- Update
patches.suse/apparmor-test-Fix-memory-leak-for-aa_unpack_strdup.patch
(git-fixes CVE-2024-56741 bsc#1235502).
- Update
patches.suse/blk-cgroup-Fix-UAF-in-blkcg_unpin_online.patch
(bsc#1234726 CVE-2024-56672 bsc#1235534).
- Update
patches.suse/can-dev-can_set_termination-allow-sleeping-GPIOs.patch
(git-fixes CVE-2024-56625 bsc#1235223).
- Update
patches.suse/can-hi311x-hi3110_can_ist-fix-potential-use-after-fr.patch
(git-fixes CVE-2024-56651 bsc#1235528).
- Update
patches.suse/crypto-bcm-add-error-check-in-the-ahash_hmac_init-fu.patch
(git-fixes CVE-2024-56681 bsc#1235557).
- Update
patches.suse/crypto-pcrypt-Call-crypto-layer-directly-when-padata.patch
(git-fixes CVE-2024-56690 bsc#1235428).
- Update
patches.suse/dlm-fix-possible-lkb_resource-null-dereference.patch
(git-fixes CVE-2024-47809 bsc#1235714).
- Update
patches.suse/dma-debug-fix-a-possible-deadlock-on-radix_lock.patch
(stable-fixes CVE-2024-47143 bsc#1235710).
- Update
patches.suse/dmaengine-at_xdmac-avoid-null_prt_deref-in-at_xdmac_.patch
(git-fixes CVE-2024-56767 bsc#1235160).
- Update
patches.suse/drivers-soc-xilinx-add-the-missing-kfree-in-xlnx_add.patch
(git-fixes CVE-2024-56546 bsc#1235070).
- Update patches.suse/drm-amdgpu-don-t-access-invalid-sched.patch
(git-fixes CVE-2024-46896 bsc#1235707).
- Update
patches.suse/drm-amdgpu-set-the-right-AMDGPU-sg-segment-limitatio.patch
(stable-fixes CVE-2024-56594 bsc#1235413).
- Update
patches.suse/drm-dp_mst-Fix-MST-sideband-message-body-length-chec.patch
(stable-fixes CVE-2024-56616 bsc#1235427).
- Update
patches.suse/drm-modes-Avoid-divide-by-zero-harder-in-drm_mode_vr.patch
(stable-fixes CVE-2024-56369 bsc#1235750).
- Update
patches.suse/drm-sti-avoid-potential-dereference-of-error-pointer-831214f.patch
(git-fixes CVE-2024-56776 bsc#1235647).
- Update
patches.suse/drm-sti-avoid-potential-dereference-of-error-pointer-e965e77.patch
(git-fixes CVE-2024-56777 bsc#1235641).
- Update
patches.suse/drm-sti-avoid-potential-dereference-of-error-pointer.patch
(git-fixes CVE-2024-56778 bsc#1235635).
- Update
patches.suse/drm-vc4-hdmi-Avoid-hang-with-debug-registers-when-su.patch
(git-fixes CVE-2024-56683 bsc#1235497).
- Update
patches.suse/drm-zynqmp_kms-Unplug-DRM-device-before-removal.patch
(git-fixes CVE-2024-56538 bsc#1235051).
- Update
patches.suse/efi-libstub-Free-correct-pointer-on-failure.patch
(git-fixes CVE-2024-56573 bsc#1235042).
- Update
patches.suse/fbdev-sh7760fb-Fix-a-possible-memory-leak-in-sh7760f.patch
(git-fixes CVE-2024-56746 bsc#1235622).
- Update
patches.suse/gpio-grgpio-Add-NULL-check-in-grgpio_probe.patch
(git-fixes CVE-2024-56634 bsc#1235486).
- Update
patches.suse/hfsplus-don-t-query-the-device-logical-block-size-multiple-times.patch
(git-fixes CVE-2024-56548 bsc#1235073).
- Update
patches.suse/igb-Fix-potential-invalid-memory-access-in-igb_init_.patch
(git-fixes CVE-2024-52332 bsc#1235700).
- Update
patches.suse/iio-adc-ad7923-Fix-buffer-overflow-for-tx_buf-and-ri.patch
(git-fixes CVE-2024-56557 bsc#1235122).
- Update
patches.suse/io_uring-check-if-iowq-is-killed-before-queuing.patch
(git-fixes CVE-2024-56709 bsc#1235552).
- Update
patches.suse/io_uring-tctx-work-around-xa_store-allocation-error-.patch
(git-fixes CVE-2024-56584 bsc#1235117).
- Update
patches.suse/jfs-add-a-check-to-prevent-array-index-out-of-bounds-in-dbAdjTree.patch
(git-fixes CVE-2024-56595 bsc#1235410).
- Update
patches.suse/jfs-array-index-out-of-bounds-fix-in-dtReadFirst.patch
(git-fixes CVE-2024-56598 bsc#1235220).
- Update
patches.suse/jfs-fix-array-index-out-of-bounds-in-jfs_readdir.patch
(git-fixes CVE-2024-56596 bsc#1235458).
- Update patches.suse/jfs-fix-shift-out-of-bounds-in-dbSplit.patch
(git-fixes CVE-2024-56597 bsc#1235222).
- Update
patches.suse/leds-class-Protect-brightness_show-with-led_cdev-led.patch
(stable-fixes CVE-2024-56587 bsc#1235125).
- Update
patches.suse/media-atomisp-Add-check-for-rgby_data-memory-allocat.patch
(git-fixes CVE-2024-56705 bsc#1235568).
- Update
patches.suse/media-dvb-frontends-dib3000mb-fix-uninit-value-in-di.patch
(git-fixes CVE-2024-56769 bsc#1235155).
- Update
patches.suse/media-imx-jpeg-Ensure-power-suppliers-be-suspended-b.patch
(git-fixes CVE-2024-56575 bsc#1235039).
- Update
patches.suse/media-imx-jpeg-Set-video-drvdata-before-register-vid.patch
(git-fixes CVE-2024-56578 bsc#1235115).
- Update
patches.suse/media-mtk-jpeg-Fix-null-ptr-deref-during-unload-modu.patch
(git-fixes CVE-2024-56577 bsc#1235112).
- Update
patches.suse/media-platform-allegro-dvt-Fix-possible-memory-leak-.patch
(git-fixes CVE-2024-56572 bsc#1235043).
- Update
patches.suse/media-ts2020-fix-null-ptr-deref-in-ts2020_probe.patch
(git-fixes CVE-2024-56574 bsc#1235040).
- Update
patches.suse/media-uvcvideo-Require-entities-to-have-a-non-zero-u.patch
(git-fixes CVE-2024-56571 bsc#1235037).
- Update
patches.suse/media-wl128x-Fix-atomicity-violation-in-fmc_send_cmd.patch
(git-fixes CVE-2024-56700 bsc#1235500).
- Update
patches.suse/mfd-intel_soc_pmic_bxtwc-Use-IRQ-domain-for-PMIC-dev.patch
(git-fixes CVE-2024-56723 bsc#1235571).
- Update
patches.suse/mfd-intel_soc_pmic_bxtwc-Use-IRQ-domain-for-TMU-devi.patch
(git-fixes CVE-2024-56724 bsc#1235577).
- Update
patches.suse/mfd-intel_soc_pmic_bxtwc-Use-IRQ-domain-for-USB-Type.patch
(git-fixes CVE-2024-56691 bsc#1235425).
- Update
patches.suse/msft-hv-3095-Drivers-hv-util-Avoid-accessing-a-ringbuffer-not-ini.patch
(git-fixes CVE-2024-55916 bsc#1235747).
- Update
patches.suse/mtd-rawnand-fix-double-free-in-atmel_pmecc_create_us.patch
(git-fixes CVE-2024-56766 bsc#1235219).
- Update
patches.suse/net-ipv6-release-expired-exception-dst-cached-in-soc.patch
(bsc#1216813 CVE-2024-56644 bsc#1235133).
- Update
patches.suse/nfsd-fix-nfs4_openowner-leak-when-concurrent-nfsd4_open-occur.patch
(git-fixes CVE-2024-56779 bsc#1235632).
- Update
patches.suse/nfsd-make-sure-exp-active-before-svc_export_show.patch
(git-fixes CVE-2024-56558 bsc#1235100).
- Update
patches.suse/nilfs2-fix-potential-out-of-bounds-memory-access-in-nilfs_find_entry.patch
(git-fixes CVE-2024-56619 bsc#1235224).
- Update
patches.suse/nvme-apple-fix-device-reference-counting.patch
(git-fixes CVE-2024-43913 bsc#1229833).
- Update
patches.suse/nvme-rdma-unquiesce-admin_q-before-destroy-it.patch
(git-fixes CVE-2024-49569 bsc#1235730).
- Update
patches.suse/nvme-tcp-fix-the-memleak-while-create-new-ctrl-faile.patch
(git-fixes CVE-2024-56632 bsc#1235483).
- Update
patches.suse/ocfs2-free-inode-when-ocfs2_get_init_inode-fails.patch
(git-fixes CVE-2024-56630 bsc#1235479).
- Update
patches.suse/pinmux-Use-sequential-access-to-access-desc-pinmux-d.patch
(stable-fixes CVE-2024-47141 bsc#1235708).
- Update
patches.suse/power-supply-gpio-charger-Fix-set-charge-current-lim.patch
(git-fixes CVE-2024-57792 bsc#1235764).
- Update
patches.suse/powerpc-fadump-Move-fadump_cma_init-to-setup_arch-af.patch
(bsc#1215199 CVE-2024-56677 bsc#1235494).
- Update
patches.suse/powerpc-mm-fault-Fix-kfence-page-fault-reporting.patch
(bsc#1194869 CVE-2024-56678 bsc#1235495).
- Update
patches.suse/powerpc-pseries-Fix-dtl_access_lock-to-be-a-rw_semap.patch
(bsc#1194869 CVE-2024-56701 bsc#1235496).
- Update
patches.suse/quota-flush-quota_release_work-upon-quota-writeback.patch
(bsc#1234195 CVE-2024-56780 bsc#1235650).
- Update
patches.suse/rtc-check-if-__rtc_read_time-was-successful-in-rtc_t.patch
(git-fixes CVE-2024-56739 bsc#1235611).
- Update
patches.suse/scsi-qla2xxx-Fix-use-after-free-on-unload.patch
(bsc#1235406 CVE-2024-56623 bsc#1235466).
- Update
patches.suse/smb-client-fix-TCP-timers-deadlock-after-rmmod.patch
(CVE-2024-53095 bsc#1233642 CVE-2024-54680 bsc#1235723).
- Update
patches.suse/soc-imx8m-Probe-the-SoC-driver-as-platform-driver.patch
(stable-fixes CVE-2024-56787 bsc#1235663).
- Update
patches.suse/spi-mpc52xx-Add-cancel_work_sync-before-module-remov.patch
(git-fixes CVE-2024-50051 bsc#1235739).
- Update
patches.suse/sunrpc-clear-XPRT_SOCK_UPD_TIMEOUT-when-reset-transport.patch
(git-fixes CVE-2024-56688 bsc#1235538).
- Update
patches.suse/sunrpc-fix-one-UAF-issue-caused-by-sunrpc-kernel-tcp.patch
(git-fixes CVE-2024-53168 bsc#1234887).
- Update patches.suse/tipc-fix-NULL-deref-in-cleanup_bearer.patch
(CVE-2024-56642 bsc#1235433 CVE-2024-56661 bsc#1234931).
- Update patches.suse/unicode-Fix-utf8_load-error-path.patch
(git-fixes CVE-2024-53233 bsc#1235046).
- Update
patches.suse/usb-dwc3-gadget-Fix-looping-of-queued-SG-entries.patch
(git-fixes CVE-2024-56698 bsc#1235491).
- Update
patches.suse/usb-gadget-u_serial-Fix-the-issue-that-gs_start_io-c.patch
(git-fixes CVE-2024-56670 bsc#1235488).
- Update
patches.suse/usb-musb-Fix-hardware-lockup-on-first-Rx-endpoint-re.patch
(git-fixes CVE-2024-56687 bsc#1235537).
- Update
patches.suse/wifi-ath12k-Skip-Rx-TID-cleanup-for-self-peer.patch
(git-fixes CVE-2024-56543 bsc#1235065).
- Update
patches.suse/wifi-ath12k-fix-atomic-calls-in-ath12k_mac_op_set_bi.patch
(stable-fixes CVE-2024-56607 bsc#1235423).
- Update
patches.suse/wifi-brcmfmac-Fix-oops-due-to-NULL-pointer-dereferen.patch
(stable-fixes CVE-2024-56593 bsc#1235252).
- Update
patches.suse/wifi-nl80211-fix-NL80211_ATTR_MLO_LINK_ID-off-by-one.patch
(git-fixes CVE-2024-56663 bsc#1235454).
- Update
patches.suse/wifi-rtw88-use-ieee80211_purge_tx_queue-to-purge-TX-.patch
(stable-fixes CVE-2024-56609 bsc#1235389).
- Update
patches.suse/wifi-rtw89-check-return-value-of-ieee80211_probereq_.patch
(stable-fixes CVE-2024-48873 bsc#1235716).
- commit 8258b9d
- Move upstreamed NFS patch into sorted section
- commit b16f043
- net: dsa: improve shutdown sequence (CVE-2024-49998 bsc#1232087).
- commit 4c71ee1
- smb: client: fix OOBs when building SMB2_IOCTL request
(bsc#1233055, CVE-2024-50151).
- commit 6434503
- KVM: SVM: Allow guest writes to set MSR_AMD64_DE_CFG bits
(bsc#1234635).
- commit e5c720c
- KVM: s390: Reject KVM_SET_GSI_ROUTING on ucontrol VMs (git-fixes
bsc#1235776).
- KVM: s390: Reject setting flic pfault attributes on ucontrol
VMs (git-fixes bsc#1235777).
- KVM: s390: vsie: fix virtual/physical address in unpin_scb()
(git-fixes bsc#1235778).
- iommu/s390: Implement blocking domain (CVE-2024-53232
bsc#1235050).
- commit aa0d65c
- mm/swapfile: skip HugeTLB pages for unuse_vma (CVE-2024-50199
bsc#1233112).
- commit 57bc3bb
- exfat: fix the infinite loop in __exfat_free_cluster()
(git-fixes).
- commit f091e41
- exfat: fix the infinite loop in exfat_readdir() (git-fixes).
- commit 3298782
- dlm: fix possible lkb_resource null dereference (git-fixes).
- commit f2b8780
- Bluetooth: MGMT: Fix possible crash on mgmt_index_removed
(CVE-2024-49951 bsc#1232158).
- commit 8b8b4db
- afs: Fix the maximum cell name length (git-fixes).
- commit 77a0ae0
- drm/amd/display: Fix handling of plane refcount (bsc#1235657 CVE-2024-56775)
- commit b028260
- misc: microchip: pci1xxxx: Resolve return code mismatch during
GPIO set config (git-fixes).
- misc: microchip: pci1xxxx: Resolve kernel panic during GPIO
IRQ handling (git-fixes).
- commit 5eb3001
- iio: inkern: call iio_device_put() only on mapped devices
(git-fixes).
- iio: adc: at91: call input_free_device() on allocated iio_dev
(git-fixes).
- iio: adc: ti-ads124s08: Use gpiod_set_value_cansleep()
(git-fixes).
- iio: pressure: zpa2326: fix information leak in triggered buffer
(git-fixes).
- iio: adc: rockchip_saradc: fix information leak in triggered
buffer (git-fixes).
- iio: imu: kmx61: fix information leak in triggered buffer
(git-fixes).
- iio: light: vcnl4035: fix information leak in triggered buffer
(git-fixes).
- iio: adc: ti-ads8688: fix information leak in triggered buffer
(git-fixes).
- iio: dummy: iio_simply_dummy_buffer: fix information leak in
triggered buffer (git-fixes).
- iio: gyro: fxas21002c: Fix missing data update in trigger
handler (git-fixes).
- iio: test : check null return of kunit_kmalloc in
iio_rescale_test_scale (git-fixes).
- iio: adc: ad7124: Disable all channels at probe time
(git-fixes).
- staging: iio: ad9832: Correct phase range check (git-fixes).
- staging: iio: ad9834: Correct phase range check (git-fixes).
- usb: gadget: f_fs: Remove WARN_ON in functionfs_bind
(git-fixes).
- USB: core: Disable LPM only for non-suspended ports (git-fixes).
- usb: fix reference leak in usb_new_device() (git-fixes).
- usb: gadget: u_serial: Disable ep before setting port to null
to fix the crash caused by port being null (git-fixes).
- usb: gadget: configfs: Ignore trailing LF for user strings to
cdev (git-fixes).
- USB: usblp: return error when setting unsupported protocol
(git-fixes).
- usb: gadget: f_uac2: Fix incorrect setting of bNumEndpoints
(git-fixes).
- usb: typec: tcpm/tcpci_maxim: fix error code in
max_contaminant_read_resistance_kohm() (git-fixes).
- usb: dwc3-am62: Disable autosuspend during remove (git-fixes).
- usb: dwc3: gadget: fix writing NYET threshold (git-fixes).
- commit 04c952e
- tty: serial: 8250: Fix another runtime PM usage counter
underflow (git-fixes).
- commit 1e248c9
- hwmon: (drivetemp) Fix driver producing garbage data when SCSI
errors occur (git-fixes).
- commit b04cc0b
- thermal: of: fix OF node leak in of_thermal_zone_find()
(git-fixes).
- drm/mediatek: Add return value check when reading DPCD
(git-fixes).
- drm/mediatek: mtk_dsi: Add registers to pdata to fix
MT8186/MT8188 (git-fixes).
- drm/mediatek: Fix mode valid issue for dp (git-fixes).
- drm/mediatek: Fix YCbCr422 color format issue for DP
(git-fixes).
- drm/mediatek: stop selecting foreign drivers (git-fixes).
- drm/mediatek: Add support for 180-degree rotation in the
display driver (git-fixes).
- drm/mediatek: Set private->all_drm_private[i]->drm to NULL if
mtk_drm_bind returns err (git-fixes).
- drm/amdkfd: fixed page fault when enable MES shader debugger
(git-fixes).
- platform/x86/amd/pmc: Only disable IRQ1 wakeup where i8042
actually enabled it (git-fixes).
- commit 4e3d452
- Update patches.suse/tipc-fix-NULL-deref-in-cleanup_bearer.patch
(CVE-2024-56642 bsc#1235433).
- commit 6f4f559
- Disable ceph (jsc#PED-7242)
- commit 0dd7856
- bpf, sockmap: Fix race between element replace and close()
(CVE-2024-56664 bsc#1235249).
- commit 81511fb
- platform/x86/intel/tpmi: Add defines to get version information
(bsc#1225897).
- commit 00f1af2
- s390x config: IOMMU_DEFAULT_DMA_LAZY=y (bsc#1235646)
- commit 4e210b3
- tipc: fix NULL deref in cleanup_bearer() (bsc#1235433).
- commit e9be640
- platform/x86/intel-uncore-freq: Ignore minor version change
(bsc#1225897).
- commit 33349ec
- udmabuf: fix memory leak on last export_udmabuf() error path
(CVE-2024-56712 bsc#1235565).
- commit bbc81b4
- modpost: fix the missed iteration for the max bit in do_input()
(git-fixes).
- net: wwan: iosm: Properly check for valid exec stage in
ipc_mmio_init() (git-fixes).
- net: wwan: t7xx: Fix FSM command timeout issue (git-fixes).
- thunderbolt: Add support for Intel Panther Lake-M/P
(stable-fixes).
- sound: usb: format: don't warn that raw DSD is unsupported
(stable-fixes).
- sound: usb: enable DSD output for ddHiFi TC44C (stable-fixes).
- net: usb: qmi_wwan: add Telit FE910C04 compositions
(stable-fixes).
- wifi: mac80211: wake the queues in case of failure in resume
(stable-fixes).
- wifi: mac80211: fix mbss changed flags corruption on 32 bit
systems (stable-fixes).
- watchdog: rzg2l_wdt: Power on the watchdog domain in the
restart handler (stable-fixes).
- wifi: ath12k: fix atomic calls in
ath12k_mac_op_set_bitrate_mask() (stable-fixes).
- wifi: rtw88: use ieee80211_purge_tx_queue() to purge TX skb
(stable-fixes).
- wifi: mac80211: export ieee80211_purge_tx_queue() for drivers
(stable-fixes).
- wifi: mac80211: Add non-atomic station iterator (stable-fixes).
- watchdog: rzg2l_wdt: Rely on the reset driver for doing proper
reset (stable-fixes).
- watchdog: rzg2l_wdt: Remove reset de-assert from probe
(stable-fixes).
- media: uvcvideo: Force UVC version to 1.0a for 0408:4035
(stable-fixes).
- thunderbolt: Add support for Intel Lunar Lake (stable-fixes).
- usb: chipidea: add CI_HDRC_FORCE_VBUS_ACTIVE_ALWAYS flag
(stable-fixes).
- commit c96ed05
- Bluetooth: btnxpuart: Fix driver sending truncated data
(git-fixes).
- Bluetooth: MGMT: Fix Add Device to responding before completing
(git-fixes).
- Bluetooth: hci_sync: Fix not setting Random Address when
required (git-fixes).
- ieee802154: ca8210: Add missing check for kfifo_alloc() in
ca8210_probe() (git-fixes).
- irqchip/gic: Correct declaration of *percpu_base pointer in
union gic_base (stable-fixes).
- drm/amdkfd: Correct the migration DMA map direction
(stable-fixes).
- ALSA: hda/realtek: Add new alc2xx-fixup-headset-mic model
(stable-fixes).
- ACPI/IORT: Add PMCG platform information for HiSilicon HIP09A
(stable-fixes).
- drm/amd/display: Fix incorrect DSC recompute trigger
(stable-fixes).
- i2c: i801: Add support for Intel Panther Lake (stable-fixes).
- Bluetooth: btusb: Add new VID/PID 0489/e111 for MT7925
(stable-fixes).
- Bluetooth: btusb: mediatek: add callback function in
btusb_disconnect (stable-fixes).
- docs: media: update location of the media patches
(stable-fixes).
- cleanup: Adjust scoped_guard() macros to avoid potential warning
(stable-fixes).
- cleanup: Remove address space of returned pointer (git-fixes).
- crypto: ecdsa - Avoid signed integer overflow on signature
decoding (stable-fixes).
- irqchip/gic-v3: Force propagation of the active state with a
read-back (stable-fixes).
- ACPI/IORT: Add PMCG platform information for HiSilicon HIP10/11
(stable-fixes).
- i2c: i801: Add support for Intel Arrow Lake-H (stable-fixes).
- crypto: ecdsa - Use ecc_digits_from_bytes to convert signature
(stable-fixes).
- drm/amd/display: Fix DSC-re-computing (stable-fixes).
- Bluetooth: btusb: add callback function in btusb suspend/resume
(stable-fixes).
- crypto: ecc - Prevent ecc_digits_from_bytes from reading too
many bytes (git-fixes).
- Bluetooth: btusb: Add USB HW IDs for MT7921/MT7922/MT7925
(stable-fixes).
- crypto: ecdsa - Rename keylen to bufsize where necessary
(stable-fixes).
- crypto: ecdsa - Convert byte arrays with key coordinates to
digits (stable-fixes).
- ALSA: ump: Use guard() for locking (stable-fixes).
- Bluetooth: btusb: Add new VID/PID 13d3/3602 for MT7925
(stable-fixes).
- cleanup: Add conditional guard support (stable-fixes).
- i2c: xgene-slimpro: Migrate to use generic PCC shmem related
macros (stable-fixes).
- ACPI: PCC: Add PCC shared memory region command and status
bitfields (stable-fixes).
- mailbox: pcc: Support shared interrupt for multiple subspaces
(stable-fixes).
- mailbox: pcc: Add support for platform notification handling
(stable-fixes).
- Bluetooth: Add support ITTIM PE50-M75C (stable-fixes).
- commit 964672e
- scsi: sg: Fix slab-use-after-free read in sg_release()
(CVE-2024-56631 bsc#1235480).
- commit cb70e79
- Fix CVE reference for patches.suse/af_packet-avoid-erroring-out-after-sock_init_data-in.patch (CVE-2024-56606)
- commit f8ce5de
- 9p/xen: fix release of IRQ (CVE-2024-56704 bsc#1235584).
- commit f0916d2
- net: ieee802154: do not leave a dangling sk pointer in
ieee802154_create() (CVE-2024-56602 bsc#1235521).
- commit 2d367ac
- net: hsr: avoid potential out-of-bound access in
fill_frame_info() (CVE-2024-56648 bsc#1235451).
- commit 79ce319
- net/mlx5: DR, prevent potential error pointer dereference (CVE-2024-56660 bsc#1235437)
- commit 0e2235c
- bnxt_en: Fix GSO type for HW GRO packets on 5750X chips (git-fixes)
- commit 8448fe4
- bnxt_en: Fix aggregation ID mask to prevent oops on 5760X chips (CVE-2024-56656 bsc#1235444)
- commit a44ef4d
- af_packet: avoid erroring out after sock_init_data() in packet_create() (CVE-2024-5660 bsc#123541)
- commit c21a9e5
- smb: client: fix NULL ptr deref in crypto_aead_setkey() (CVE-2024-53185 bsc#1234901)
- commit 77b5b00
- net: af_can: do not leave a dangling sk pointer in can_create() (CVE-2024-56603 bsc#1235415)
- commit 53bb420
- btrfs: fix use-after-free waiting for encoded read endios
(bsc#1235445).
- btrfs: fix use-after-free in btrfs_encoded_read_endio()
(bsc#1235445).
- commit ae44992
- ovl: Filter invalid inodes with missing lookup function
(bsc#1235035 CVE-2024-56570).
- commit 0cddc7c
- ubi: fastmap: Fix duplicate slab cache names while attaching (CVE-2024-53172 bsc#1234898)
- commit f996297
- net: sched: fix ordering of qlen adjustment (CVE-2024-53164 bsc#1234863)
- commit ac3c374
- tipc: Fix use-after-free of kernel socket in cleanup_bearer()
(CVE-2024-56642 bsc#1235433).
- commit 644f840
- sctp: properly validate chunk size in sctp_sf_ootb() (CVE-2024-50299 bsc#1233488)
- commit 9038d7f
- crypto-policies
-
- krb5: disallow aes256-cts-hmac-sha1-96 and aes128-cts-hmac-sha1-96
Kerberos encryption types from RFC3961 in FIPS mode, as its key
derivation function is not certified; (jsc#PED-12018);
- Update AD-SUPPORT and add AD-SUPPORT-LEGACY subpolicies; (jsc#PED-12018);
The AD-SUPPORT subpolicy will enable the aes256-cts-hmac-sha1-96
and aes128-cts-hmac-sha1-96 encryption types necessary for AD.
The Kerberos libraries will tell the OpenSSL provider to bypass FIPS
restrictions when loading the KRB5KDF module.
The AD-SUPPORT-LEGACY subpolicy will allow the use of RC4 encryption types
in environments where either accounts or trusted domain objects
have not yet been migrated to AES.
- Add patch 0008-policies-modules-update-AD-SUPPORT-add-AD-SUP.patch
- curl
-
- Security fix: [bsc#1236590, CVE-2025-0725]
* content_encoding: drop support for zlib before 1.2.0.4
* content_encoding: put the decomp buffers into the writer structs
* Add curl-CVE-2025-0725.patch
- Security fix: [bsc#1236588, CVE-2025-0167]
* netrc: 'default' with no credentials is not a match
* Add curl-CVE-2025-0167.patch
- dracut
-
- Update to version 059+suse.552.g232957b4:
Fixes related to getting live image size (bsc#1235912):
* fix(livenet): split `imgsize` calculation to avoid misleading error message
* fix(livenet): check also `content-length` from live image header
* fix(livenet): propagate error code
Fixes for booting from iSCSI offload with bnx2i (bsc#1228086):
* fix(iscsi): attempt iSCSI login before all interfaces are up
* fix(iscsi): don't require network setup for bnx2i
Other:
* fix(dracut): rework timeout for devices added via --mount and --add-device (bsc#1231792)
- findutils
-
- do not crash when file system loop was encountered [bsc#1231472]
- added patches
fix https://git.savannah.gnu.org/cgit/findutils.git/commit/?id=e5d6eb919b9
+ findutils-avoid-crash-system-loop.patch
- modified patches
% findutils-xautofs.patch (p1)
- glibc
-
- assert-message-allocation.patch: Fix underallocation of abort_msg_s
struct (CVE-2025-0395, bsc#1236282, BZ #32582)
- google-osconfig-agent
-
- Update to version 20250115.01 (bsc#1236406, bsc#1236407)
* Bump cloud.google.com/go/osconfig from 1.14.2 to 1.14.3 (#772)
- from version 20250115.00
* Bump cloud.google.com/go/auth from 0.10.2 to 0.14.0 (#767)
* Bump go.opentelemetry.io/otel from 1.32.0 to 1.33.0 (#771)
* Bump google.golang.org/protobuf from 1.35.1 to 1.36.2 (#763)
- from version 20250114.00
* Bump golang.org/x/time from 0.8.0 to 0.9.0 (#770)
- from version 20250113.01
* Bump cloud.google.com/go/auth/oauth2adapt from 0.2.5 to 0.2.7 (#766)
- from version 20250113.00
* Bump golang.org/x/net from 0.31.0 to 0.34.0 (#769)
- from version 20250110.00
* Bump golang.org/x/crypto from 0.29.0 to 0.31.0 in the go_modules group (#760)
* Bump cloud.google.com/go/longrunning from 0.6.2 to 0.6.3 (#744)
- from version 20241218.00
* Scanners fixes (#720)
* Bump cloud.google.com/go/storage from 1.46.0 to 1.47.0 (#736)
* Bump go.opentelemetry.io/contrib/detectors/gcp from 1.29.0 to 1.32.0 (#730)
* Bump go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp (#738)
* Bump golang.org/x/net from 0.30.0 to 0.31.0 (#731)
- from version 20241118.01
* Bump github.com/googleapis/gax-go/v2 from 2.13.0 to 2.14.0 (#737)
- from version 20241118.00
* move example to appropriate directory (#740)
- from version 20241115.00
* Replace sles-15-sp3-sap old deprecated image in e2e tests (#739)
* Bump golang.org/x/time from 0.7.0 to 0.8.0 (#734)
- from version 20241114.03
* Bump github.com/GoogleCloudPlatform/opentelemetry-operations-go/detectors/gcp (#735)
- from version 20241114.02
* Bump go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc (#729)
- from version 20241114.01
* Remove SLES-15-SP2-SAP from e2e tests and add the new SLES-15-SP6 (#733)
* Bump golang.org/x/crypto from 0.28.0 to 0.29.0 (#728)
* Bump go.opentelemetry.io/otel/sdk/metric from 1.30.0 to 1.32.0 (#727)
- from version 20241114.00
* Add example to run exec script from the gcs bucket (#732)
* Bump cel.dev/expr from 0.16.1 to 0.18.0 (#723)
- from version 20241112.00
* Bump golang.org/x/oauth2 from 0.23.0 to 0.24.0 (#722)
* Bump github.com/GoogleCloudPlatform/opentelemetry-operations-go/exporter/metric (#721)
* Bump google.golang.org/grpc from 1.67.1 to 1.68.0 (#725)
* Bump github.com/golang/glog from 1.2.2 to 1.2.3 (#715)
* Bump google.golang.org/api from 0.203.0 to 0.205.0 (#716)
- from version 20241107.01
* Bump github.com/envoyproxy/go-control-plane from 0.13.0 to 0.13.1 (#717)
* Bump github.com/GoogleCloudPlatform/opentelemetry-operations-go/internal/resourcemapping (#718)
* Bump cloud.google.com/go/auth from 0.10.0 to 0.10.1 (#719)
- from version 20241107.00
* Bump cloud.google.com/go/logging from 1.11.0 to 1.12.0 (#709)
* Bump cloud.google.com/go/iam from 1.2.1 to 1.2.2 (#710)
* Bump cloud.google.com/go/storage from 1.43.0 to 1.46.0 (#713)
* Bump cloud.google.com/go/osconfig from 1.14.1 to 1.14.2 (#708)
* Bump cloud.google.com/go/auth/oauth2adapt from 0.2.4 to 0.2.5 (#712)
- from version 20241106.00
* Update OWNERS (#714)
- from version 20241029.01
* remove toolchain override (#706)
* Bump go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp (#701)
- from version 20241029.00
* Bump go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc (#702)
- from version 20241028.00
* Bump cloud.google.com/go/longrunning from 0.6.0 to 0.6.2 (#705)
- from version 20241017.00
* Add a new CloudBuild trigger config-file for auto updating the
presubmit test container image on every new commit (#704)
- from version 20241004.00
* Add new packagebuild presubmit that will use cloud-build (#694)
- from version 20240927.00
* Third batch of dependencies upgrade (#690)
- Bump the golang compiler version to 1.22.4 (bsc#1225974, CVE-2024-24790)
- grub2
-
- Security fixes for 2024
* 0001-misc-Implement-grub_strlcpy.patch
- Fix CVE-2024-45781 (bsc#1233617)
* 0002-fs-ufs-Fix-a-heap-OOB-write.patch
- Fix CVE-2024-56737 (bsc#1234958)
- Fix CVE-2024-45782 (bsc#1233615)
* 0003-fs-hfs-Fix-stack-OOB-write-with-grub_strcpy.patch
- Fix CVE-2024-45780 (bsc#1233614)
* 0004-fs-tar-Integer-overflow-leads-to-heap-OOB-write.patch
- Fix CVE-2024-45783 (bsc#1233616)
* 0005-fs-hfsplus-Set-a-grub_errno-if-mount-fails.patch
* 0006-kern-file-Ensure-file-data-is-set.patch
* 0007-kern-file-Implement-filesystem-reference-counting.patch
- Fix CVE-2025-0624 (bsc#1236316)
* 0008-net-Fix-OOB-write-in-grub_net_search_config_file.patch
- Fix CVE-2024-45774 (bsc#1233609)
* 0009-video-readers-jpeg-Do-not-permit-duplicate-SOF0-mark.patch
- Fix CVE-2024-45775 (bsc#1233610)
* 0010-commands-extcmd-Missing-check-for-failed-allocation.patch
- Fix CVE-2025-0622 (bsc#1236317)
* 0011-commands-pgp-Unregister-the-check_signatures-hooks-o.patch
- Fix CVE-2025-0622 (bsc#1236317)
* 0012-normal-Remove-variables-hooks-on-module-unload.patch
- Fix CVE-2025-0622 (bsc#1236317)
* 0013-gettext-Remove-variables-hooks-on-module-unload.patch
- Fix CVE-2024-45776 (bsc#1233612)
* 0014-gettext-Integer-overflow-leads-to-heap-OOB-write-or-.patch
- Fix CVE-2024-45777 (bsc#1233613)
* 0015-gettext-Integer-overflow-leads-to-heap-OOB-write.patch
- Fix CVE-2025-0690 (bsc#1237012)
* 0016-commands-read-Fix-an-integer-overflow-when-supplying.patch
- Fix CVE-2025-1118 (bsc#1237013)
* 0017-commands-minicmd-Block-the-dump-command-in-lockdown-.patch
- Fix CVE-2024-45778 (bsc#1233606)
- Fix CVE-2024-45779 (bsc#1233608)
* 0018-fs-bfs-Disable-under-lockdown.patch
- Fix CVE-2025-0677 (bsc#1237002)
- Fix CVE-2025-0684 (bsc#1237008)
- Fix CVE-2025-0685 (bsc#1237009)
- Fix CVE-2025-0686 (bsc#1237010)
- Fix CVE-2025-0689 (bsc#1237011)
* 0019-fs-Disable-many-filesystems-under-lockdown.patch
- Fix CVE-2025-1125 (bsc#1237014)
- Fix CVE-2025-0678 (bsc#1237006)
* 0020-fs-Prevent-overflows-when-allocating-memory-for-arra.patch
- Bump upstream SBAT generation to 5
- Fix CVE-2024-49504 (bsc#1229163) (bsc#1229164)
- Restrict CLI access if the encrypted root device is automatically unlocked by
the TPM. LUKS password authentication is required for access to be granted
* 0001-cli_lock-Add-build-option-to-block-command-line-inte.patch
* 0002-Requiring-authentication-after-tpm-unlock-for-CLI-ac.patch
- Obsolete, as CLI access is now locked and granted access no longer requires
the previous restrictions
* 0002-Restrict-file-access-on-cryptodisk-print.patch
* 0003-Restrict-ls-and-auto-file-completion-on-cryptodisk-p.patch
- Rediff
* 0004-Key-revocation-on-out-of-bound-file-access.patch
- kdump
-
- upgrade to version kdump-2.0.6+git20.gf8ecc01:
* fix KDUMP_AUTO_RESIZE (bsc#1236921)
- upgrade to version kdump-2.0.6+git20.gf8ecc01:
* dracut: fix filtering ro keys in kdump_bond_config (bsc#1233137)
- krb5
-
- Prevent overflow when calculating ulog block size. An authenticated
attacker can cause kadmind to write beyond the end of the mapped
region for the iprop log file, likely causing a process crash;
(CVE-2025-24528); (bsc#1236619).
- Add patch 0013-Prevent-overflow-when-calculating-ulog-block-size.patch
- Add crypto-policies support; (jsc#PED-12018)
* The default krb5.conf has been updated to include config
snippets in the krb5.conf.d directory, where crypto-policies
drops its.
- Allow the use of KRB5KDF in FIPS mode; (jsc#PED-12018); Add patch
0012-Allow-KRB5KDF-in-FIPS-mode.patch
* This key derivation function is used by the AES256-CTS-HMAC-SHA1-96
and AES128-CTS-HMAC-SHA1-96 encryption types, used by Active
Directory. Whether these encryption types are allowed in
FIPS mode is now enforced by the FIPS:AD-SUPPORT subpolicy.
- openssl-3
-
- Security fix: [bsc#1236136, CVE-2024-13176]
* Fix timing side-channel in ECDSA signature computation
* Add openssl-CVE-2024-13176.patch
- python3
-
- Add CVE-2025-0938-sq-brackets-domain-names.patch which
disallows square brackets ([ and ]) in domain names for parsed
URLs (bsc#1236705, CVE-2025-0938, gh#python/cpython#105704)
- systemd
-
- Add 1020-core-create-the-credential-directory-even-if-it-s-em.patch (bsc#1229228)
- Rename 5012-Revert-macro-terminate-the-temporary-VA_ARGS_FOREACH.patch into
1021-Revert-macro-terminate-the-temporary-VA_ARGS_FOREACH.patch
Commit dc571cccd75db7be49b2aada64baf92e3a498c39 was backported and included in
v254.9 bumping the version requirement on gcc from 4.7 to 8. Unfortunately
this breakage won't be fixed by upstream therefore there's no longer a need to
keep the patch that reverts the offending commit in quarantine.
- Import commit 127e162c9cc0beb5058a718b3a9a1fec6942a927 (merge of v254.23)
eab1d9753b stdio-bridge: fix polled fds
f028f2298e hwdb: comment out the entry for Logitech MX Keys for Mac
e808cbdd6d test: answer 2nd mdadm --create question for compat with new version
bf01f3d692 core/unit-serialize: fix serialization of markers
f043ab6f34 locale-setup: do not load locale from environemnt when /etc/locale.conf is unchanged
71efbe69b6 core: fix assert when AddDependencyUnitFiles is called with invalid parameter
- Fix systemd-network recommending libidn2-devel (boo#1234765)
- Import commit 127e162c9cc0beb5058a718b3a9a1fec6942a927
679c57667d tpm2-util: Also retry unsealing after policy_pcr returns PCR_CHANGED (boo#1233752 bsc#1234313)
- Import commit eb5a78f50e64a39a2a509fd5141e68ff216a4273 (merge of v254.22)
For a complete list of changes, visit:
https://github.com/openSUSE/systemd/compare/600986ba4d9c562390d99513416f49a5be5559f3...eb5a78f50e64a39a2a509fd5141e68ff216a4273
- libtasn1
-
- Security fix: [bsc#1236878, CVE-2024-12133]
* Potential DoS in handling of numerous SEQUENCE OF or SET OF elements
* Add libtasn1-CVE-2024-12133.patch
- libxml2
-
- security update
- added patches
fix CVE-2022-49043 [bsc#1236460], use-after-free in xmlXIncludeAddNode
+ libxml2-CVE-2022-49043.patch
- libzypp
-
- Create '.keep_packages' in the package cache dir to enforce
keeping downloaded packages of all repos cached there (bsc#1232458)
- version 17.35.19 (35)
- Fix missing UID checks in repomanager workflow (fixes #603)
- version 17.35.18 (35)
- Move cmake config files to LIB_INSTALL_DIR/cmake/Zypp (fixes #28)
- Fix 'zypper ps' when running in incus container (bsc#1229106)
Should apply to lxc and lxd containers as well.
- Re-enable 'rpm --runposttrans' usage for chrooted systems
(bsc#1216091)
- version 17.35.17 (35)
- openssh
-
- Fix a MitM attack against OpenSSH's VerifyHostKeyDNS-enabled
client and a DoS attack against OpenSSH's client and server
(bsc#1237040, CVE-2025-26465, bsc#1237041, CVE-2025-26466):
* fix-CVE-2025-26465-and-CVE-2025-26466.patch
- permissions
-
- Update to version 20240826:
* permissions: reintroduce nscd socket, which acts as a whitelisting for glibc (bsc#1236960)
- Update to version 20240826:
* permissions: remove legacy and nonsensical entries
* permissions: remove traceroute entry
* permissions: remove outdated sudo directories
* permissions: remove legacy RPM directory entries
* permissions: remove some static /var/spool/* dirs
* permissions: remove unnecessary static dirs and devices (bsc#1235873)
- _service: switch to "manual"
- python-instance-billing-flavor-check
-
- Version 0.1.2 (bsc#1234444)
+ Improve detection of IPv4 and IPv6 network setup and use the appropriate
IP version to access the update servers
+ Improve reliability of flavor detection. Try an update server multiple
times to get an answer; if we hit timeouts, return the flavor
value from a cache file.
- Version 0.1.1 (bsc#1235991, bsc#1235992)
+ Add time stamp to log
- From version 0.1.0
+ Doc improvements clarifying exit status codes
- rsync
-
- Bump protocol version to 32 - make it easier to show server is patched.
* Add rsync-protocol-version-32.patch
- supportutils-plugin-ha-sap
-
- Update to version 0.0.7+git.1737125956.a7079fc:
* Call saphana-check.sh if the script is available in
/usr/lib/saphana-checks (SUSE package) or in
/opt/sap/saphana-checks (SAP package)
(jsc#PED-11748, jsc#PED-11747)
* to support 'trento checks' on supportutils content
collect additional information:
/usr/sap/hostctrl/exe/saphostctrl -function Ping
corosync-cmapctl -b
su - <SIDADM> -c disp+work
su - <SIDADM> -c 'sapcontrol -nr <NR> -function GetVersionInfo'
ls -lA --time-style=long-iso /etc/polkit-1/rules.d/[0-9][0-9]-SAP[A-Z][A-Z0-9][A-Z0-9]-[0-9][0-9].rules
content of files in /etc/products.d/
(jsc#PED-12000, jsc#PED-12001)
* collect Netweaver version by
'sapcontrol -nr <NR> -function GetVersionInfo'
* collect 'operation_mode' setting by
'python getParameter.py --key=global.ini/system_replication/operation_mode --sapcontrol=1'
* some shellcheck cleanup
* adaptation to the newly used supportconfig.rc
- change requirements
remove the long deprecated supportconfig-plugin-resource and
supportconfig-plugin-tag and add instead 'Requires: supportutils'
(bsc#1235145)
- wget
-
- If wget for an http URL is redirected to a different site (hostname
parts of URLs differ), then any "Authenticate" and "Cookie" header
entries are discarded.
[bsc#1185551, wget-do-not-propagate-credentials.patch,
bsc#1230795, CVE-2021-31879]
- yast2-cluster
-
- Fix: fix a typo for sctp in cluster.firewalld.xml (bsc#1236903)
- Version 4.6.4
- Update HA related ports (bsc#1219773)
- Version 4.6.3
- Branch package for SP6 (bsc#1208913)
- 4.6.2
- yast2-iscsi-client
-
- Try to load the iscsi_ibft module in ARM arch as it should be
available for getting the iBFT configuration (bsc#1233802).
- 4.6.6
- yast2-sap-ha
-
- yast-sap-ha does not support SAPHanaSR-angi (bsc#1232807)
- Adapt to new SAPHanaSR-angi
[#458] [doc] Issue in "Constraints for SAPHanaSR-angi"
https://github.com/SUSE/suse-best-practices/issues/458
- 4.6.4
- zypper
-
- lr: show the repositories keep-packages flag (bsc#1232458)
It is shown in the details view or by using -k,--keep-packages.
In addition, libzypp supports enforcing the keeping of downloaded
packages of all repos within a package cache by creating a
'.keep_packages' file there.
- version 1.14.81
- Try to refresh update repos first to have updated GPG keys on
the fly (bsc#1234752)
An update repo may contain a prolonged GPG key for the GA repo.
Refreshing the update repo first updates a trusted key on the fly
and avoids a 'key has expired' warning being issued when
refreshing the GA repo.
- Refresh: restore legacy behavior and suppress Exception
reporting as non-root (bsc#1235636)
- version 1.14.80