aaa_base
- Add patch git-47-04210f8df15da0ba4d741cfe1693af06f5978a1d.patch
  * respect /etc/update-alternatives/java when setting JAVA_HOME
    (bsc#1215434,bsc#1107342)
apache2-mod_wsgi
- Use %posttrans instead of %post while adding the wsgi keyword.
  (bsc#1216411)
  * In systems where the former apache2-mod_wsgi-python3 is
    installed, the removal of the obsoleted apache2-mod_wsgi-python3
    and the installation of the new apache2-mod_wsgi did not
    preserve the keyword wsgi in the APACHE_MODULES variable.
apache2
- Security update:
  * Fix CVE-2023-31122 [bsc#1216424] mod_macro buffer over-read
  * Added apache2-CVE-2023-31122.patch
- Fix for bsc#1214357: apply the standard httpd content type handling
  to responses from the backend.
  * Added apache2-bsc1214357-mod_proxy_http2_apply-standard-content-type.patch

- Fix for SG#65054, bsc#1207399:
  Terminate threads before child exit.
  * apache2-core-mpm-add-hook-child_stopped-that-gets-called-whe.patch
  * apache2-core-prefork-run-new-hook-child_stopped-only-on-clea.patch
  * apache2-mod_watchdog-add-assertions-to-cleanup-code.patch
  * apache2-mod_watchdog-do-not-call-a-watchdog-instance-for.patch
  * apache2-mod_watchdog-replace-the-new-volatile-with-atomic-ac.patch
  * apache2-mod_watchdog-use-hook-child_stopping-to-signal-watch.patch
  * apache2-mod_watchdog-use-the-child_stopping-and-child_stoppe.patch
  * apache2-mpm-winnt-add-running-the-child_stopping-hook.patch
apparmor
- update zgrep profile to allow egrep helper use (bsc#1214458)
  - zgrep-profile-sync-with-master.diff
bind
- Update to release 9.16.44
  Security Fixes:
  * Previously, sending a specially crafted message over the
    control channel could cause the packet-parsing code to run out
    of available stack memory, causing named to terminate
    unexpectedly. This has been fixed. (CVE-2023-3341)
  [bsc#1215472]
binutils
- Update to version 2.41 [PED-5778]:
  * The MIPS port now supports the Sony Interactive Entertainment Allegrex
  processor, used with the PlayStation Portable, which implements the MIPS
  II ISA along with a single-precision FPU and a few implementation-specific
  integer instructions.
  * Objdump's --private option can now be used on PE format files to display the
  fields in the file header and section headers.
  * New versioned release of libsframe: libsframe.so.1.  This release introduces
  versioned symbols with version node name LIBSFRAME_1.0.  This release also
  updates the ABI in an incompatible way: this includes removal of
  sframe_get_funcdesc_with_addr API, change in the behavior of
  sframe_fre_get_ra_offset and sframe_fre_get_fp_offset APIs.
  * SFrame Version 2 is now the default (and only) format version supported by
  gas, ld, readelf and objdump.
  * Add command-line option, --strip-section-headers, to objcopy and strip to
  remove ELF section header from ELF file.
  * The RISC-V port now supports the following new standard extensions:
  - Zicond (conditional zero instructions)
  - Zfa (additional floating-point instructions)
  - Zvbb, Zvbc, Zvkg, Zvkned, Zvknh[ab], Zvksed, Zvksh, Zvkn, Zvknc, Zvkng,
    Zvks, Zvksc, Zvkg, Zvkt (vector crypto instructions)
  * The RISC-V port now supports the following vendor-defined extensions:
  - XVentanaCondOps
  * Add support for Intel FRED, LKGS and AMX-COMPLEX instructions.
  * A new .insn directive is recognized by x86 gas.
  * Add SME2 support to the AArch64 port.
  * The linker now accepts a command line option of --remap-inputs
  <PATTERN>=<FILE> to replace any input file that matches <PATTERN> with
  <FILE>.  In addition the option --remap-inputs-file=<FILE> can be used to
  specify a file containing any number of these remapping directives.
  * The linker command line option --print-map-locals can be used to include
  local symbols in a linker map.  (ELF targets only).
  * For most ELF based targets, if the --enable-linker-version option is used
  then the version of the linker will be inserted as a string into the .comment
  section.
  * The linker script syntax has a new command for output sections: ASCIZ "string"
  This will insert a zero-terminated string at the current location.
  * Add command-line option, -z nosectionheader, to omit ELF section
  header.
- Removed obsolete patches: binutils-2.40-branch.diff.gz,
  riscv-dynamic-tls-reloc-pie.patch, riscv-pr22263-1.patch,
  extensa-gcc-4_3-fix.diff .
- Add binutils-2.41-branch.diff.gz .
- Add binutils-old-makeinfo.diff for SLE-12 and older.
- Rebased aarch64-common-pagesize.patch and binutils-revert-rela.diff .
- Contains fixes for these non-CVEs (not security bugs per upstream's
  SECURITY.md):
  * bsc#1209642 aka CVE-2023-1579 aka PR29988
  * bsc#1210297 aka CVE-2023-1972 aka PR30285
  * bsc#1210733 aka CVE-2023-2222 aka PR29936
  * bsc#1213458 aka CVE-2021-32256 aka PR105039 (gcc)
  * bsc#1214565 aka CVE-2020-19726 aka PR26240
  * bsc#1214567 aka CVE-2022-35206 aka PR29290
  * bsc#1214579 aka CVE-2022-35205 aka PR29289
  * bsc#1214580 aka CVE-2022-44840 aka PR29732
  * bsc#1214604 aka CVE-2022-45703 aka PR29799
  * bsc#1214611 aka CVE-2022-48065 aka PR29925
  * bsc#1214619 aka CVE-2022-48064 aka PR29922
  * bsc#1214620 aka CVE-2022-48063 aka PR29924
  * bsc#1214623 aka CVE-2022-47696 aka PR29677
  * bsc#1214624 aka CVE-2022-47695 aka PR29846
  * bsc#1214625 aka CVE-2022-47673 aka PR29876
cloud-regionsrv-client
- Update to version 10.1.3 (bsc#1214801)
  + Add a warning if we detect a Python package cert bundle for certifi
    This will help with debugging and point to potential issues when
    using SUSE images in AWS, Azure, and GCE
cobbler
- Buildiso: copy grub into ESP using mtools to allow execution in containers

- Add mtools as dependency for Cobbler

- Fix EFI PXE boot regression (bsc#1214124)
- Fix isolinux.cfg generation in "cobbler buildiso" (bsc#1207330)
containerd
- Update to containerd v1.7.7. Upstream release notes:
  <https://github.com/containerd/containerd/releases/tag/v1.7.7>
- Add patch to fix build on SLE-12:
  + 0001-BUILD-SLE12-revert-btrfs-depend-on-kernel-UAPI-inste.patch

- Update to containerd v1.7.6 for Docker v24.0.6-ce. Upstream release notes:
  <https://github.com/containerd/containerd/releases/tag/v1.7.6> bsc#1215323

- Add `Provides: cri-runtime` to use containerd as container runtime in Factory
  Kubernetes packages
crypto-policies
- Make the supported versions change in the update-crypto-policies(8)
  man page persistent [bsc#1209998].
  * Add patch crypto-policies-supported.patch
  * Rebase patches:
  - crypto-policies-asciidoc.patch
  - crypto-policies-no-build-manpages.patch

- FIPS: Adapt the fips-mode-setup script to use the pbl command
  from the perl-Bootloader package to replace grubby. Add a note
  for transactional systems. Ship the man 8 pages for
  fips-mode-setup and fips-finish-install [jsc#PED-5041].
  * Rebase crypto-policies-FIPS.patch

- FIPS: Enable to set the kernel FIPS mode with fips-mode-setup
  and fips-finish-install commands, add also the man pages.
  * Adapt the fips-mode-setup script for SLE [jsc#PED-5041]
  * Rebase crypto-policies-FIPS.patch
  * Simplify the man pages creation:
  - Rebase crypto-policies-no-build-manpages.patch
  - Add crypto-policies-asciidoc.patch
curl
- Security fixes:
  * [bsc#1215888, CVE-2023-38545] SOCKS5 heap buffer overflow
  * [bsc#1215889, CVE-2023-38546] Cookie injection with none file
  * Add curl-CVE-2023-38545.patch curl-CVE-2023-38546.patch

- Security fix: [bsc#1215026, CVE-2023-38039]
  * http: return error when receiving too large header
  * Add curl-CVE-2023-38039.patch
glibc
- dl-map-segment-align-munmap.patch: elf: Align argument of __munmap to
  page size (bsc#1215891, BZ #28676)

- gai-merge-continue-actions.patch: Simplify allocations and fix merge and
  continue actions (CVE-2023-4813, bsc#1215286, BZ #28931)

- gb18030-2022.patch: add GB18030-2022 charmap (jsc#PED-4908, BZ #30243)

- nscd-netlink-cache-invalidation.patch: nscd: Fix netlink cache
  invalidation if epoll is used (bsc#1212910, BZ #29415)

- nss-files-hosts-v4mapped.patch: Restore lookup of IPv4 mapped addresses
  in files database (bsc#1212819, BZ #25457)

- remove-excessive-p-align-check.patch: elf: Remove excessive p_align
  check on PT_LOAD segments (bsc#1211829, BZ #28688)
- segment-align.patch: elf: Properly align PT_LOAD segments (bsc#1211829,
  BZ #28676)
- ld-so-always-use-map-copy.patch: ld.so: Always use MAP_COPY to map the
  first segment (BZ #30452)
grub2
- Fix failure to identify recent ext4 filesystem (bsc#1216010)
  * 0001-fs-ext2-Ignore-checksum-seed-incompat-feature.patch
  * 0001-fs-ext2-Ignore-the-large_dir-incompat-feature.patch
- Add patch to fix reading files from btrfs with "implicit" holes
  * 0001-fs-btrfs-Zero-file-data-not-backed-by-extents.patch

- Fix fadump not working with 1GB/2GB/4GB LMB[P10] (bsc#1216253)
  * 0001-kern-ieee1275-init-ppc64-Restrict-high-memory-in-pre.patch

- Fix detection of encrypted disk's uuid in powerpc to cope with logical disks
  when signed image installation is specified (bsc#1216075)
  * 0003-grub-install-support-prep-environment-block.patch
- grub2.spec: Add support to unlocking multiple encrypted disks in signed
  grub.elf image for logical disks

- Fix CVE-2023-4692 (bsc#1215935)
- Fix CVE-2023-4693 (bsc#1215936)
  * 0001-fs-ntfs-Fix-an-OOB-write-when-parsing-the-ATTRIBUTE_.patch
  * 0002-fs-ntfs-Fix-an-OOB-read-when-reading-data-from-the-r.patch
  * 0003-fs-ntfs-Fix-an-OOB-read-when-parsing-directory-entri.patch
  * 0004-fs-ntfs-Fix-an-OOB-read-when-parsing-bitmaps-for-ind.patch
  * 0005-fs-ntfs-Fix-an-OOB-read-when-parsing-a-volume-label.patch
  * 0006-fs-ntfs-Make-code-more-readable.patch
- Bump upstream SBAT generation to 4

- Fix a boot delay regression in PowerPC PXE boot (bsc#1201300)
  * 0001-ieee1275-ofdisk-retry-on-open-and-read-failure.patch
java-11-openjdk
- Configure with --with-native-debug-symbols=internal to enable
  generation of debuginfo packages

- Upgrade to upstream tag jdk-11.0.21+9 (October 2023 CPU)
  * Security fixes:
    + JDK-8242330: Arrays should be cloned in several JAAS Callback
    classes
    + JDK-8284910: Buffer clean in PasswordCallback
    + JDK-8286503: Enhance security classes
    + JDK-8296581: Better system proxy support
    + JDK-8297856: Improve handling of Bidi characters
    + JDK-8309966, CVE-2023-22081, bsc#1216374: Enhanced TLS
    connections
    + JDK-8305815: Update Libpng to 1.6.39
    + JDK-8306881: Update FreeType to 2.13.0
  * Other fixes:
    + JDK-6176679: Application freezes when copying an animated gif
    image to the system clipboard
    + JDK-8023980: JCE doesn't provide any class to handle RSA
    private key in PKCS#1
    + JDK-8155246: Throw error if default java.security file is
    missing
    + JDK-8158880: test/java/time/tck/java/time/format/
    /TCKDateTimeFormatterBuilder.java fail with zh_CN locale
    + JDK-8168261: Use server cipher suites preference by default
    + JDK-8181383: com/sun/jdi/OptionTest.java fails intermittently
    with bind failed: Address already in use
    + JDK-8201516: DebugNonSafepoints generates incorrect
    information
    + JDK-8209398: sun/security/pkcs11/KeyStore/SecretKeysBasic.sh
    failed with "PKCS11Exception: CKR_ATTRIBUTE_SENSITIVE"
    + JDK-8211343: nsk_jvmti_parseoptions should handle multiple
    suboptions
    + JDK-8212045: Add back the tests that were removed from
    HashesTest.java and AddExportsTest.java
    + JDK-8216059: nsk_jvmti_parseoptions still has dependency on
    tilde separator
    + JDK-8217237: HttpClient does not deal well with multi-valued
    WWW-Authenticate challenge headers
    + JDK-8217395: Update langtools shell tests to use ${EXE_SUFFIX}
    + JDK-8217612: (CL)HSDB cannot show some JVM flags
    + JDK-8217850: CompressedClassSpaceSizeInJmapHeap fails after
    JDK-8217612
    + JDK-8218471: generate-unsafe-access-tests.sh does not
    correctly invoke build.tools.spp.Spp
    + JDK-8219628: [TESTBUG] javadoc/doclet/InheritDocForUserTags
    fails with -othervm
    + JDK-8220410: sun/security/tools/jarsigner/warnings/
    /NoTimestampTest.java failed with missing expected output
    + JDK-8221372: Test vmTestbase/nsk/jvmti/GetThreadState/
    /thrstat001/TestDescription.java times out
    + JDK-8222323: ChildAlwaysOnTopTest.java fails with
    "RuntimeException: Failed to unset alwaysOnTop"
    + JDK-8223573: Replace wildcard address with loopback or local
    host in tests - part 4
    + JDK-8223714: HTTPSetAuthenticatorTest could be made more
    resilient
    + JDK-8223783: sun/net/www/http/HttpClient/MultiThreadTest.java
    sometimes detect threads+1 connections
    + JDK-8223856: Replace wildcard address with loopback or local
    host in tests - part 8
    + JDK-8224617: (fs) java/nio/file/FileStore/Basic.java found
    filesystem twice
    + JDK-8224729: Cleanups in sun/security/provider/certpath/ldap/
    /LDAPCertStoreImpl.java
    + JDK-8224768: Test ActalisCA.java fails
    + JDK-8225012: sanity/client/SwingSet/src/ToolTipDemoTest.java
    fails on Windows
    + JDK-8226221: Update PKCS11 tests to use NSS 3.46 libs
    + JDK-8228341: SignTwice.java fails intermittently on Windows
    + JDK-8228403: SignTwice.java failed with
    java.io.FileNotFoundException: File name too long
    + JDK-8229147: Linux os::create_thread() overcounts guardpage
    size with newer glibc (>=2.27)
    + JDK-8229333: java/io/File/SetLastModified.java timed out
    + JDK-8229338: clean up
    test/jdk/java/util/RandomAccess/Basic.java
    + JDK-8229348: java/net/DatagramSocket/
    /UnreferencedDatagramSockets.java fails intermittently
    + JDK-8229481: sun/net/www/protocol/https/
    /ChunkedOutputStream.java failed with a SSLException
    + JDK-8229912: [TESTBUG] java/net/Socks/SocksIPv6Test fails
    without IPv6
    + JDK-8230132: java/net/NetworkInterface/
    /NetworkInterfaceRetrievalTests.java to skip Teredo Tunneling
    Pseudo-Interface
    + JDK-8231037: java/net/InetAddress/ptr/Lookup.java fails
    intermittently due to reverse lookup failed
    + JDK-8231357: sun/security/pkcs11/Cipher/TestKATForGCM.java
    fails on SLES11 using mozilla-nss-3.14
    + JDK-8231516: network QuickAckTest.java failed due to
    "SocketException: maximum number of DatagramSockets reached"
    + JDK-8232101: (sctp) Add minimal sanity tests for SCTP
    + JDK-8232195: Enable BigInteger tests: DivisionOverflow,
    SymmetricRangeTests and StringConstructorOverflow
    + JDK-8232840: java/math/BigInteger/largeMemory/
    /SymmetricRangeTests.java fails due to "OutOfMemoryError:
    Requested array size exceeds VM limit"
    + JDK-8232922: Add java/math/BigInteger/largeMemory/
    /SymmetricRangeTests.java to ProblemList-Xcomp
    + JDK-8234808: jdb quoted option parsing broken
    + JDK-8236045: [TESTBUG] MismatchedWhiteBox test fails with
    missing WhiteBox$WhiteBoxPermission.class
    + JDK-8237183: Bug ID missing for test in patch which fixed
    JDK-8230665
    + JDK-8238157: security/infra/java/security/cert/
    /CertPathValidator/certification/AmazonCA.java test failures
    because of revocation date
    + JDK-8239007: java/math/BigInteger/largeMemory/ tests should
    be disabled on 32-bit platforms
    + JDK-8239264: Clearup the legacy ObjectIdentifier constructor
    from int array
    + JDK-8239333: Mark test AmazonCA.java with intermittent key
    + JDK-8239537: cgroup MetricsTester testMemorySubsystem fails
    sometimes when testing memory.kmem.tcp.usage_in_bytes
    + JDK-8240193: loadLibrary("osxsecurity") should not be removed
    + JDK-8241097: java/math/BigInteger/largeMemory/
    /SymmetricRangeTests.java requires -XX:+CompactStrings
    + JDK-8242151: Improve OID mapping and reuse among JDK security
    providers for aliases registration
    + JDK-8242897: KeyFactory.generatePublic( x509Spec ) failed
    with java.security.InvalidKeyException
    + JDK-8243210: ClhsdbScanOops fails with NullPointerException
    in FileMapHeader.inCopiedVtableSpace
    + JDK-8244078: ProcessTools executeTestJvm and
    createJavaProcessBuilder have inconsistent handling of
    test.*.opts
    + JDK-8247895: SHA1PRNGReseed.java is calling setSeed(0)
    + JDK-8247968: test/jdk/javax/crypto/SecretKeyFactory/
    /security.properties has wrong header
    + JDK-8248001: javadoc generates invalid HTML pages whose
    ftp:// links are broken
    + JDK-8249699: java/io/ByteArrayOutputStream/MaxCapacity.java
    should use @requires instead of @ignore
    + JDK-8251517: [TESTBUG] com/sun/net/httpserver/bugs/
    /B6393710.java does not scale socket timeout
    + JDK-8252530: Fix inconsistencies in hotspot whitebox
    + JDK-8254350: CompletableFuture.get may swallow
    InterruptedException
    + JDK-8255348: NPE in PKIXCertPathValidator event logging code
    + JDK-8257993: vmTestbase/nsk/jvmti/RedefineClasses/
    /StressRedefine/TestDescription.java crash intermittently
    + JDK-8259796: timed CompletableFuture.get may swallow
    InterruptedException
    + JDK-8260274: Cipher.init(int, key) does not use highest
    priority provider for random bytes
    + JDK-8260878: com/sun/jdi/JdbOptions.java fails without jfr
    + JDK-8260934: java/lang/StringBuilder/HugeCapacity.java fails
    without Compact Strings
    + JDK-8263970: Manual test javax/swing/JTextField/
    /JapaneseReadingAttributes/JapaneseReadingAttributes.java
    failed
    + JDK-8265980: Fix systemDictionary and loaderConstraints
    printing
    + JDK-8268457: XML Transformer outputs Unicode supplementary
    character incorrectly to HTML
    + JDK-8268464: Remove dependency of TestHttpsServer,
    HttpTransaction, HttpCallback from
    open/test/jdk/sun/net/www/protocol/https/ tests
    + JDK-8269091: javax/sound/sampled/Clip/SetPositionHang.java
    failed with ArrayIndexOutOfBoundsException: Array index out of
    range: -4
    + JDK-8270331: [TESTBUG] Error: Not a test or directory
    containing tests: java/awt/print/PrinterJob/InitToBlack.java
    + JDK-8271838: AmazonCA.java interop test fails
    + JDK-8273807: Zero: Drop incorrect test block from
    compiler/startup/NumCompilerThreadsCheck.java
    + JDK-8274205: Handle KDC_ERR_SVC_UNAVAILABLE error code from
    KDC
    + JDK-8274606: Fix jaxp/javax/xml/jaxp/unittest/transform/
    /SurrogateTest.java test
    + JDK-8275234: java/awt/GraphicsDevice/DisplayModes/
    /CycleDMImage.java is entered twice in ProblemList
    + JDK-8275303: sun/java2d/pipe/InterpolationQualityTest.java
    fails with D3D basic render driver
    + JDK-8276651: java/lang/ProcessHandle tests fail with
    "RuntimeException: Input/output error" in
    java.lang.ProcessHandleImpl$Info.info0
    + JDK-8277353: java/security/MessageDigest/
    /ThreadSafetyTest.java test times out
    + JDK-8279536: jdk/nio/zipfs/ZipFSOutputStreamTest.java timed
    out
    + JDK-8283756: (zipfs) ZipFSOutputStreamTest.testOutputStream
    should only check inflated bytes
    + JDK-8284524: Create an automated test for JDK-4422362
    + JDK-8284767: Create an automated test for JDK-4422535
    + JDK-8284772: GHA: Use GCC Major Version Dependencies Only
    + JDK-8285635: javax/swing/JRootPane/DefaultButtonTest.java
    failed with Default Button not pressed for L&F:
    com.sun.java.swing.plaf.motif.MotifLookAndFeel
    + JDK-8286172: Create an automated test for JDK-4516019
    + JDK-8286481: Exception printed to stdout on Windows when
    storing transparent image in clipboard
    + JDK-8286620: Create regression test for verifying setMargin()
    of JRadioButton
    + JDK-8289508: Improve test coverage for XPath Axes: ancestor,
    ancestor-or-self, preceding, and preceding-sibling
    + JDK-8289748: C2 compiled code crashes with SIGFPE with
    -XX:+StressLCM and -XX:+StressGCM
    + JDK-8291444: GHA builds/tests won't run manually if disabled
    from automatic running
    + JDK-8291830: jvmti/RedefineClasses/StressRedefine failed:
    assert(!is_null(v)) failed: narrow klass value can never be
    zero
    + JDK-8292033: Move jdk.X509Certificate event logic to JCA layer
    + JDK-8292297: Fix up loading of override java.security
    properties file
    + JDK-8292443: Weak CAS VarHandle/Unsafe tests should test
    always-failing cases
    + JDK-8293180: JQuery UI license file not updated
    + JDK-8293562: KeepAliveCache Blocks Threads while Closing
    Connections
    + JDK-8293657: sun/management/jmxremote/bootstrap/
    /RmiBootstrapTest.java#id1 failed with "SSLHandshakeException:
    Remote host terminated the handshake"
    + JDK-8293858: Change PKCS7 code to use default SecureRandom
    impl instead of SHA1PRNG
    + JDK-8295737: macOS: Print content cut off when width > height
    with portrait orientation
    + JDK-8295894: Remove SECOM certificate that is expiring in
    September 2023
    + JDK-8296084: javax/swing/JSpinner/4788637/bug4788637.java
    fails intermittently on a VM
    + JDK-8297437: javadoc cannot link to old docs (with old style
    anchors)
    + JDK-8297523: Various GetPrimitiveArrayCritical miss result -
    NULL check
    + JDK-8297587: Upgrade JLine to 3.22.0
    + JDK-8297681: Unnecessary color conversion during
    4BYTE_ABGR_PRE to INT_ARGB_PRE blit
    + JDK-8297730: C2: Arraycopy intrinsic throws incorrect
    exception
    + JDK-8297887: Update Siphash
    + JDK-8297923: java.awt.ScrollPane broken after multiple scroll
    up/down
    + JDK-8297955: LDAP CertStore should use LdapName and not
    String for DNs
    + JDK-8298921: Create a regression test for JDK-8139581
    + JDK-8298974: Add ftcolor.c to imported freetype sources
    + JDK-8299424: containers/docker/TestMemoryWithCgroupV1.java
    fails on SLES12 ppc64le when testing Memory and Swap Limit
    + JDK-8299658: C1 compilation crashes in
    LinearScan::resolve_exception_edge
    + JDK-8299713: Test javax/swing/JTableHeader/6889007/
    /bug6889007.java failed: Wrong type of cursor
    + JDK-8300098: java/util/concurrent/ConcurrentHashMap/
    /ConcurrentAssociateTest.java fails with internal timeout when
    executed with TieredCompilation1/3
    + JDK-8300659: Refactor TestMemoryAwareness to use WhiteBox api
    for host values
    + JDK-8300751: [17u] Remove duplicate entry in javac.properties
    + JDK-8301269: Update Commons BCEL to Version 6.7.0
    + JDK-8301491: C2: java.lang.StringUTF16::indexOfChar intrinsic
    called with negative character argument
    + JDK-8301700: Increase the default TLS Diffie-Hellman group
    size from 1024-bit to 2048-bit
    + JDK-8301959: Compile command in
    compiler.loopopts.TestRemoveEmptyCountedLoop does not work
    + JDK-8302161: Upgrade jQuery UI to version 1.13.2
    + JDK-8302182: Update Public Suffix List to 88467c9
    + JDK-8303511: C2: assert(get_ctrl(n) == cle_out) during
    unrolling
    + JDK-8303809: Dispose context in SPNEGO NegotiatorImpl
    + JDK-8304054: Linux: NullPointerException from
    FontConfiguration.getVersion in case no fonts are installed
    + JDK-8304498: JShell does not switch to raw mode when there is
    no /bin/test
    + JDK-8304867: Explicitly disable dtrace for ppc builds
    + JDK-8305074: ProblemList
    javax/net/ssl/DTLS/RespondToRetransmit.java
    + JDK-8305421: Work around JDK-8305420 in CDSJDITest.java
    + JDK-8305763: Parsing a URI with an underscore goes through a
    silent exception, negatively impacting performance
    + JDK-8305766: ProblemList runtime/CompressedOops/
    /CompressedClassPointers.java
    + JDK-8305950: Have -XshowSettings option display tzdata version
    + JDK-8306133: Open source few AWT Drag & Drop related tests
    + JDK-8306137: Open source several AWT ScrollPane related tests
    + JDK-8306484: Open source several AWT Choice jtreg tests
    + JDK-8306636: Disable compiler/c2/Test6905845.java with
    -XX:TieredStopAtLevel=3
    + JDK-8306638: Open source some AWT tests related to
    datatransfer and Toolkit
    + JDK-8306682: Open source a few more AWT Choice tests
    + JDK-8306718: Optimize and opensource some old AWT tests
    + JDK-8306954: Open source five Focus related tests
    + JDK-8306955: Open source several JComboBox jtreg tests
    + JDK-8307078: Opensource and clean up five more AWT Focus
    related tests
    + JDK-8307080: Open source some more JComboBox jtreg tests
    + JDK-8307128: Open source some drag and drop tests 4
    + JDK-8307133: Open source some JTable jtreg tests
    + JDK-8307135: java/awt/dnd/NotReallySerializableTest/
    /NotReallySerializableTest.java failed
    + JDK-8307301: Update HarfBuzz to 7.2.0
    + JDK-8307569: Build with gcc8 is broken after JDK-8307301
    + JDK-8307572: AArch64: Vector registers are clobbered by some
    macroassemblers
    + JDK-8307603: [AIX] Broken build after JDK-8307301
    + JDK-8307604: gcc12 based Alpine build broken build after
    JDK-8307301
    + JDK-8307799: Newly added java/awt/dnd/MozillaDnDTest.java has
    invalid jtreg `@requires` clause
    + JDK-8308156: VerifyCACerts.java misses blank in error output
    + JDK-8309088: security/infra/java/security/cert/
    /CertPathValidator/certification/AmazonCA.java fails
    + JDK-8309108: Bump update version for OpenJDK: jdk-11.0.21
    + JDK-8309138: Fix container tests for jdks with symlinked conf
    dir
    + JDK-8310054: ScrollPane insets are incorrect
    + JDK-8310176: JDK 11 G1 crash during full GC with
    +UseStringDeduplication
    + JDK-8310620: [11u] Problemlist failing aot tests on macos x64
    + JDK-8311033: [macos] PrinterJob does not take into account
    Sides attribute
    + JDK-8311689: Wrong visible amount in Adjustable of ScrollPane
    + JDK-8312138: jcmd VM.metaspace vslist has no newline
    character before the Class: label.
    + JDK-8312555: Ideographic characters aren't stretched by
    AffineTransform.scale(2, 1)
    + JDK-8313159: [11u] Fix test SSLEngineKeyLimit.java after
    Merge error
    + JDK-8313765: Invalid CEN header (invalid zip64 extra data
    field size)
    + JDK-8313796: AsyncGetCallTrace crash on unreadable
    interpreter method pointer
    + JDK-8313803: [11u] Exclude jdk/jfr/event/sampling/
    /TestStackFrameLineNumbers.java
    + JDK-8313878: Exclude two compiler/rtm/locking tests on ppc64le
    + JDK-8314086: [11u] A typo in the fix for JDK-8312462 is
    causing test failure in ChildAlwaysOnTopTest.java
    + JDK-8314950: CMS may miss NMT tag after mark stack expansion
    + JDK-8314960: Add Certigna Root CA - 2
    + JDK-8315135: Memory leak in the native implementation of
    Pack200.Unpacker.unpack()
    + JDK-8315529: [11u] Exclude some failing Z-GC tests
    + JDK-8317040: Exclude cleaner test failing on older releases
    + JDK-8317644: [11u] Remove designator
    DEFAULT_PROMOTED_VERSION_PRE=ea for release 11.0.21
- Modified patches:
  * adlc-parser.patch
    + extend to initialize all the members to NULL
  * fips.patch
  * nss-security-provider.patch
  * reproducible-javadoc-timestamp.patch
    + rediff

- Compiler flags to realign stack on ix86 (bsc#1214790)

- Added patch:
  * reproducible-properties.patch
    + use SOURCE_DATE_EPOCH for timestamp in the generated
    properties files
kernel-default
- netfilter: nf_tables: skip bound chain on rule flush
  (bsc#1215095 CVE-2023-3777).
- commit afb7c25

- Update
  patches.suse/0001-x86-sev-Disable-MMIO-emulation-from-user-mode.patch
  (bsc#1212649 CVE-2023-46813).
- Update
  patches.suse/0002-x86-sev-Check-IOBM-for-IOIO-exceptions-from-user-spa.patch
  (bsc#1212649 CVE-2023-46813).
- Update
  patches.suse/0003-x86-sev-Check-for-user-space-IOIO-pointing-to-kernel.patch
  (bsc#1212649 CVE-2023-46813).
- commit dd6a315

- quota: Fix slow quotaoff (bsc#1216621).
- commit 988e5f4

- x86/sev: Check for user-space IOIO pointing to kernel space
  (bsc#1212649).
- commit 816f817

- x86/sev: Check IOBM for IOIO exceptions from user-space
  (bsc#1212649).
- commit 2b69036

- x86/sev: Disable MMIO emulation from user mode (bsc#1212649).
- commit 5dae47e

- phy: mapphone-mdm6600: Fix pinctrl_pm handling for sleep pins
  (git-fixes).
- phy: mapphone-mdm6600: Fix runtime PM for remove (git-fixes).
- phy: mapphone-mdm6600: Fix runtime disable on probe (git-fixes).
- gpio: vf610: set value before the direction to avoid a glitch
  (git-fixes).
- platform/surface: platform_profile: Propagate error if profile
  registration fails (git-fixes).
- platform/x86: asus-wmi: Map 0x2a code, Ignore 0x2b and 0x2c
  events (git-fixes).
- platform/x86: asus-wmi: Change ASUS_WMI_BRN_DOWN code from
  0x20 to 0x2e (git-fixes).
- USB: serial: option: add Fibocom to DELL custom modem FM101R-GL
  (git-fixes).
- USB: serial: option: add entry for Sierra EM9191 with new
  firmware (git-fixes).
- USB: serial: option: add Telit LE910C4-WWX 0x1035 composition
  (git-fixes).
- mmc: core: Capture correct oemid-bits for eMMC cards
  (git-fixes).
- Bluetooth: hci_sock: Correctly bounds check and pad
  HCI_MON_NEW_INDEX name (git-fixes).
- Bluetooth: avoid memcmp() out of bounds warning (git-fixes).
- Bluetooth: hci_sock: fix slab oob read in create_monitor_event
  (git-fixes).
- Bluetooth: hci_event: Fix coding style (git-fixes).
- Bluetooth: Reject connection with the device which has same
  BD_ADDR (git-fixes).
- Bluetooth: vhci: Fix race when opening vhci device (git-fixes).
- platform/x86: touchscreen_dmi: Add info for the Positivo C4128B
  (git-fixes).
- drm: panel-orientation-quirks: Add quirk for One Mix 2S
  (git-fixes).
- HID: multitouch: Add required quirk for Synaptics 0xcd7e device
  (git-fixes).
- HID: holtek: fix slab-out-of-bounds Write in
  holtek_kbd_input_event (git-fixes).
- wifi: cfg80211: avoid leaking stack data into trace (git-fixes).
- wifi: mac80211: allow transmitting EAPOL frames with tainted
  key (git-fixes).
- wifi: cfg80211: Fix 6GHz scan configuration (git-fixes).
- wifi: iwlwifi: Ensure ack flag is properly cleared (git-fixes).
- wifi: mwifiex: Sanity check tlv_len and tlv_bitmap_len
  (git-fixes).
- Bluetooth: Avoid redundant authentication (git-fixes).
- Bluetooth: btusb: add shutdown function for QCA6174 (git-fixes).
- i2c: mux: Avoid potential false error message in
  i2c_mux_add_adapter (git-fixes).
- gpio: timberdale: Fix potential deadlock on &tgpio->lock
  (git-fixes).
- commit b480af6

- nvme-fc: Prevent null pointer dereference in
  nvme_fc_io_getuuid() (bsc#1214842).
- commit 3b513db

- ubi: Refuse attaching if mtd's erasesize is 0 (CVE-2023-31085
  bsc#1210778).
- commit 86e05f1

- Update
  patches.suse/USB-ene_usb6250-Allocate-enough-memory-for-full-obje.patch
  (bsc#1216051 CVE-2023-45862).
  Retroactively recognized as a security issue
- commit 716929e

- KVM: s390: fix gisa destroy operation might lead to cpu stalls
  (git-fixes bsc#1216512).
- commit 3976fa9

- s390/pci: fix iommu bitmap allocation (git-fixes bsc#1216511).
- commit 2bb6835

- s390/cio: fix a memleak in css_alloc_subchannel (git-fixes
  bsc#1216510).
- commit d475feb

- ACPI: irq: Fix incorrect return value in acpi_register_gsi()
  (git-fixes).
- Revert "pinctrl: avoid unsafe code pattern in find_pinctrl()"
  (git-fixes).
- mtd: rawnand: qcom: Unmap the right resource upon probe failure
  (git-fixes).
- mtd: rawnand: pl353: Ensure program page operations are
  successful (git-fixes).
- mtd: rawnand: arasan: Ensure program page operations are
  successful (git-fixes).
- mtd: spinand: micron: correct bitmask for ecc status
  (git-fixes).
- mtd: physmap-core: Restore map_rom fallback (git-fixes).
- mtd: rawnand: marvell: Ensure program page operations are
  successful (git-fixes).
- mmc: mtk-sd: Use readl_poll_timeout_atomic in msdc_reset_hw
  (git-fixes).
- mmc: core: sdio: hold retuning if sdio in 1-bit mode
  (git-fixes).
- ASoC: codecs: wcd938x-sdw: fix runtime PM imbalance on probe
  errors (git-fixes).
- ASoC: codecs: wcd938x-sdw: fix use after free on driver unbind
  (git-fixes).
- ASoC: codecs: wcd938x: fix unbind tear down order (git-fixes).
- ASoC: codecs: wcd938x: drop bogus bind error handling
  (git-fixes).
- ASoC: pxa: fix a memory leak in probe() (git-fixes).
- drm/i915: Retry gtt fault when out of fence registers
  (git-fixes).
- commit 766bf5d

- net/sched: fix netdevice reference leaks in
  attach_default_qdiscs() (git-fixes).
- commit 31c27cf

- net: sched: add barrier to fix packet stuck problem for lockless
  qdisc (bsc#1216345).
- commit 508758e

- net: sched: fixed barrier to prevent skbuff sticking in qdisc
  backlog (bsc#1216345).
- commit 839637c

- Fix metadata references
- commit 42e4c9a

- net: rfkill: gpio: prevent value glitch during probe
  (git-fixes).
- net: usb: smsc95xx: Fix an error code in smsc95xx_reset()
  (git-fixes).
- gve: Do not fully free QPL pages on prefill errors (git-fixes).
- Bluetooth: hci_event: Fix using memcmp when comparing keys
  (git-fixes).
- Bluetooth: Fix a refcnt underflow problem for hci_conn
  (git-fixes).
- Bluetooth: hci_event: Ignore NULL link key (git-fixes).
- nfc: nci: fix possible NULL pointer dereference in
  send_acknowledge() (git-fixes).
- thunderbolt: Check that lane 1 is in CL0 before enabling lane
  bonding (git-fixes).
- thunderbolt: Workaround an IOMMU fault on certain systems with
  Intel Maple Ridge (git-fixes).
- Input: powermate - fix use-after-free in
  powermate_config_complete (git-fixes).
- Input: xpad - add PXN V900 support (git-fixes).
- Input: goodix - ensure int GPIO is in input for gpio_count ==
  1 && gpio_int_idx == 0 case (git-fixes).
- ACPI: resource: Skip IRQ override on ASUS ExpertBook B1402CBA
  (git-fixes).
- drm/amdgpu: add missing NULL check (git-fixes).
- drm/amd/display: Don't set dpms_off for seamless boot
  (git-fixes).
- pinctrl: avoid unsafe code pattern in find_pinctrl()
  (git-fixes).
- HID: logitech-hidpp: Fix kernel crash on receiver USB disconnect
  (git-fixes).
- ALSA: usb-audio: Fix microphone sound on Opencomm2 Headset
  (git-fixes).
- commit e8f9edc

- sched/rt: Fix live lock between select_fallback_rq() and RT push
  (git fixes (sched)).
- sched/rt: Fix sysctl_sched_rr_timeslice intial value (git fixes
  (sched)).
- commit a2350c1

- blacklist.conf: Applies only to RCU tiny configurations
- commit 1d1726b

- blacklist.conf: Cosmetic change for !SMP configurations
- commit c9d6cc0

- blacklist.conf: KABI hazard, only backport in response to a customer bug to justify the complexity
- commit 96bc817

- sched/deadline,rt: Remove unused parameter from
  pick_next_[rt|dl]_entity() (git fixes (sched)).
- Refresh
  patches.suse/sched-rt-pick_next_rt_entity-check-list_entry.patch.
- commit d7f894e

- regmap: fix NULL deref on lookup (git-fixes).
- usb: typec: altmodes/displayport: Signal hpd low when exiting
  mode (git-fixes).
- usb: xhci: xhci-ring: Use sysdev for mapping bounce buffer
  (git-fixes).
- usb: gadget: udc-xilinx: replace memcpy with memcpy_toio
  (git-fixes).
- usb: dwc3: Soft reset phy on probe for host (git-fixes).
- usb: gadget: ncm: Handle decoding of multiple NTB's in unwrap
  call (git-fixes).
- usb: musb: Get the musb_qh poniter after musb_giveback
  (git-fixes).
- usb: musb: Modify the "HWVers" register address (git-fixes).
- usb: cdnsp: Fixes issue with dequeuing not queued requests
  (git-fixes).
- iio: pressure: ms5611: ms5611_prom_is_valid false negative bug
  (git-fixes).
- iio: pressure: dps310: Adjust Timeout Settings (git-fixes).
- iio: pressure: bmp280: Fix NULL pointer exception (git-fixes).
- counter: microchip-tcb-capture: Fix the use of internal GCLK
  logic (git-fixes).
- Input: psmouse - fix fast_reconnect function for PS/2 mode
  (git-fixes).
- dmaengine: stm32-mdma: abort resume if no ongoing transfer
  (git-fixes).
- dmaengine: mediatek: Fix deadlock caused by synchronize_irq()
  (git-fixes).
- dmaengine: idxd: use spin_lock_irqsave before
  wait_event_lock_irq (git-fixes).
- drm/msm/dpu: change _dpu_plane_calc_bw() to use u64 to avoid
  overflow (git-fixes).
- drm/msm/dsi: fix irq_of_parse_and_map() error checking
  (git-fixes).
- drm/msm/dsi: skip the wait for video mode done if not applicable
  (git-fixes).
- drm/msm/dp: do not reinitialize phy unless retry during link
  training (git-fixes).
- drm/vmwgfx: fix typo of sizeof argument (git-fixes).
- nfc: nci: assert requested protocol is valid (git-fixes).
- ieee802154: ca8210: Fix a potential UAF in ca8210_probe
  (git-fixes).
- pinctrl: renesas: rzn1: Enable missing PINMUX (git-fixes).
- ALSA: hda/realtek: Change model for Intel RVP board (git-fixes).
- commit 7f63276

- netfilter: nf_tables: unbind non-anonymous set if rule
  construction fails (git-fixes).
- commit b7f718b

- KVM: SVM: Don't kill SEV guest if SMAP erratum triggers in
  usermode (git-fixes).
- commit 5316d19

- KVM: x86/mmu: Reconstruct shadow page root if the guest PDPTEs
  is changed (git-fixes).
- commit 1d58a92

- vringh: don't use vringh_kiov_advance() in vringh_iov_xfer()
  (git-fixes).
- commit d4a31a2

- 9p: virtio: make sure 'offs' is initialized in zc_request
  (git-fixes).
- commit 66e7266

- Update config files: unset CONFIG_DEBUG_FORCE_FUNCTION_ALIGN_64B
  for Arm
  Configuration option CONFIG_DEBUG_FORCE_FUNCTION_ALIGN_64B=y is used
  only in the armv7hl + arm64 configurations and appears to be a relic
  from the update procedure in commit 98da1c5f42d ("SLE15-SP4: Update the
  base kernel version to 5.14.").
  Unset it because the option is intended for debugging, not really useful
  for production and makes the text size of vmlinux unnecessarily bigger
  by ~10%
- commit 4229357

- xen-netback: use default TX queue size for vifs (git-fixes).
- commit 84805af

- netfilter: nf_tables: skip immediate deactivate in
  _PREPARE_ERROR (CVE-2023-39193 bsc#1215860).
- commit 6c937af

- kabi: workaround for enum nft_trans_phase (bsc#1215104).
- commit 0a3d3d4

- netfilter: nf_tables: add NFT_TRANS_PREPARE_ERROR to deal with
  bound set/chain (git-fixes).
- commit 2e62a61

- Update metadata
- commit e780ccd

- net: usb: dm9601: fix uninitialized variable use in
  dm9601_mdio_read (git-fixes).
- commit 236df4a

- crypto: qat - fix crypto capability detection for 4xxx
  (PED-6401).
- crypto: qat - Remove unused function declarations (PED-6401).
- crypto: qat - use kfree_sensitive instead of memset/kfree()
  (PED-6401).
- crypto: qat - replace the if statement with min() (PED-6401).
- crypto: qat - add heartbeat counters check (PED-6401).
- crypto: qat - add heartbeat feature (PED-6401).
- crypto: qat - add measure clock frequency (PED-6401).
- crypto: qat - drop obsolete heartbeat interface (PED-6401).
- crypto: qat - add internal timer for qat 4xxx (PED-6401).
- crypto: qat - add fw_counters debugfs file (PED-6401).
- crypto: qat - change value of default idle filter (PED-6401).
- crypto: qat - do not export adf_init_admin_pm() (PED-6401).
- crypto: qat - expose pm_idle_enabled through sysfs (PED-6401).
- crypto: qat - extend configuration for 4xxx (PED-6401).
- crypto: qat - refactor fw config logic for 4xxx (PED-6401).
- crypto: qat - make fw images name constant (PED-6401).
- crypto: qat - move returns to default case (PED-6401).
- crypto: qat - unmap buffers before free for RSA (PED-6401).
- crypto: qat - unmap buffer before free for DH (PED-6401).
- crypto: qat - update slice mask for 4xxx devices (PED-6401).
- crypto: qat - set deprecated capabilities as reserved
  (PED-6401).
- crypto: qat - add missing function declaration in adf_dbgfs.h
  (PED-6401).
- crypto: qat - move dbgfs init to separate file (PED-6401).
- crypto: qat - drop redundant adf_enable_aer() (PED-6401).
- crypto: qat - fix apply custom thread-service mapping for dc
  service (PED-6401).
- crypto: qat - add support for 402xx devices (PED-6401).
- crypto: qat - make state machine functions static (PED-6401).
- crypto: qat - refactor device restart logic (PED-6401).
- crypto: qat - replace state machine calls (PED-6401).
- crypto: qat - fix concurrency issue when device state changes
  (PED-6401).
- crypto: qat - delay sysfs initialization (PED-6401).
- crypto: qat - Include algapi.h for low-level Crypto API
  (PED-6401).
- crypto: qat - drop log level of msg in get_instance_node()
  (PED-6401).
- Documentation: qat: change kernel version (PED-6401).
- crypto: qat - add qat_zlib_deflate (PED-6401).
- crypto: qat - extend buffer list logic interface (PED-6401).
- crypto: qat - fix spelling mistakes from 'bufer' to 'buffer'
  (PED-6401).
- crypto: qat - remove ADF_STATUS_PF_RUNNING flag from probe
  (PED-6401).
- Documentation: qat: rewrite description (PED-6401).
- commit 3c119b1

- cgroup: Remove duplicates in cgroup v1 tasks file (bsc#1211307).
- commit 555c311

- vmbus_testing: fix wrong python syntax for integer value
  comparison (git-fixes).
- Drivers: hv: vmbus: Fix vmbus_wait_for_unload() to scan present
  CPUs (git-fixes).
- Drivers: hv: vmbus: Call hv_synic_free() if hv_synic_alloc()
  fails (git-fixes).
- commit a15e7ae

- nvmet-tcp: Fix a possible UAF in queue intialization setup
  (bsc#1215768 CVE-2023-5178).
- commit b965ee1

- bpf: Fix incorrect verifier pruning due to missing register
  precision taints (bsc#1215518 CVE-2023-2163).
- bpf: propagate precision in ALU/ALU64 operations (git-fixes).
- commit 71da1d6

- net: mana: Fix oversized sge0 for GSO packets (bsc#1215986).
- net: mana: Fix TX CQE error handling (bsc#1215986).
- commit 3666b58

- xen/events: replace evtchn_rwlock with RCU (bsc#1215745,
  xsa-441, cve-2023-34324).
- commit 291fb99

- netfilter: nfnetlink_osf: avoid OOB read (bsc#1216046
  CVE-2023-39189).
- commit 77dc791

- blacklist.conf: the codebase changed too much to backport the patch
- commit 11474a7

- kabi: blkcg_policy_data fix KABI (bsc#1216062).
- commit cf25442

- blk-cgroup: support to track if policy is online (bsc#1216062).
- commit 45c3300

- mm, memcg: reconsider kmem.limit_in_bytes deprecation
  (bsc#1208788 bsc#1213705).
- commit bdf774a

- Revert "Delete patches.suse/memcg-drop-kmem-limit_in_bytes.patch."
  This reverts commit 52c1db3eb4e2acbdd91aaaefddc26b7207cd4c90.
  It'll be fixed differently in a following commit.
  Restore the commit with upstream commit already for proper sorting.
- commit 8474b47

- blk-cgroup: Fix NULL deref caused by blkg_policy_data being
  installed before init (bsc#1216062).
- commit c2395af

- blacklist.conf: Add 82b90b6c5b38 cgroup:namespace: Remove unused cgroup_namespaces_init()
- commit 6f5ac45

- HID: sony: remove duplicate NULL check before calling
  usb_free_urb() (git-fixes).
- commit 7cd0962

- i2c: mux: gpio: Replace custom acpi_get_local_address()
  (git-fixes).
- commit ef5fd69

- gpio: aspeed: fix the GPIO number passed to
  pinctrl_gpio_set_config() (git-fixes).
- gpio: pxa: disable pinctrl calls for MMP_GPIO (git-fixes).
- platform/x86: think-lmi: Fix reference leak (git-fixes).
- HID: intel-ish-hid: ipc: Disable and reenable ACPI GPE bit
  (git-fixes).
- HID: sony: Fix a potential memory leak in sony_probe()
  (git-fixes).
- wifi: mt76: mt76x02: fix MT76x0 external LNA gain handling
  (git-fixes).
- wifi: mwifiex: Fix oob check condition in
  mwifiex_process_rx_packet (git-fixes).
- wifi: iwlwifi: mvm: Fix a memory corruption issue (git-fixes).
- wifi: iwlwifi: dbg_ini: fix structure packing (git-fixes).
- wifi: mwifiex: Fix tlv_buf_left calculation (git-fixes).
- net: nfc: llcp: Add lock when modifying device list (git-fixes).
- net: usb: smsc75xx: Fix uninit-value access in
  __smsc75xx_read_reg (git-fixes).
- leds: Drop BUG_ON check for LED_COLOR_ID_MULTI (git-fixes).
- regmap: rbtree: Fix wrong register marked as in-cache when
  creating new node (git-fixes).
- nilfs2: fix potential use after free in
  nilfs_gccache_submit_read_data() (git-fixes).
- Revert "tty: n_gsm: fix UAF in gsm_cleanup_mux" (git-fixes).
- serial: 8250_port: Check IRQ data before use (git-fixes).
- firmware: arm_ffa: Don't set the memory region attributes for
  MEM_LEND (git-fixes).
- soc: imx8m: Enable OCOTP clock for imx8mm before reading
  registers (git-fixes).
- firmware: imx-dsp: Fix an error handling path in
  imx_dsp_setup_channels() (git-fixes).
- bus: ti-sysc: Fix missing AM35xx SoC matching (git-fixes).
- bus: ti-sysc: Use fsleep() instead of usleep_range() in
  sysc_reset() (git-fixes).
- i2c: npcm7xx: Fix callback completion ordering (git-fixes).
- ata: libata-core: Do not register PM operations for SAS ports
  (git-fixes).
- ata: libata-core: Fix port and device removal (git-fixes).
- ata: libata-core: Fix ata_port_request_pm() locking (git-fixes).
- ata: libata-sata: increase PMP SRST timeout to 10s (git-fixes).
- ata: libata-scsi: ignore reserved bits for REPORT SUPPORTED
  OPERATION CODES (git-fixes).
- gpio: pmic-eic-sprd: Add can_sleep flag for PMIC EIC chip
  (git-fixes).
- clk: tegra: fix error return case for recalc_rate (git-fixes).
- power: supply: ucs1002: fix error code in ucs1002_get_property()
  (git-fixes).
- gpio: tb10x: Fix an error handling path in tb10x_gpio_probe()
  (git-fixes).
- i2c: mux: gpio: Add missing fwnode_handle_put() (git-fixes).
- i2c: mux: demux-pinctrl: check the return value of
  devm_kstrdup() (git-fixes).
- i2c: i801: unregister tco_pdev in i801_probe() error path
  (git-fixes).
- ASoC: imx-rpmsg: Set ignore_pmdown_time for dai_link
  (git-fixes).
- ASoC: fsl: imx-pcm-rpmsg: Add SNDRV_PCM_INFO_BATCH flag
  (git-fixes).
- ALSA: hda: Disable power save for solving pop issue on Lenovo
  ThinkCentre M70q (git-fixes).
- spi: stm32: add a delay before SPI disable (git-fixes).
- spi: nxp-fspi: reset the FLSHxCR1 registers (git-fixes).
- drm/amdgpu: Handle null atom context in VBIOS info ioctl
  (git-fixes).
- drm/amd/display: Don't check registers, if using AUX BL control
  (git-fixes).
- spi: sun6i: fix race between DMA RX transfer completion and
  RX FIFO drain (git-fixes).
- spi: sun6i: reduce DMA RX transfer width to single byte
  (git-fixes).
- watchdog: iTCO_wdt: Set NO_REBOOT if the watchdog is not
  already running (git-fixes).
- watchdog: iTCO_wdt: No need to stop the timer in probe
  (git-fixes).
- commit 22d41cc

- net: usb: smsc75xx: Fix uninit-value access in
  __smsc75xx_read_reg (git-fixes).
- commit 38bd5fc

- r8152: check budget for r8152_poll() (git-fixes).
- commit b4330ba

- RDMA/core: Require admin capabilities to set system parameters (git-fixes)
- commit 165e98e

- RDMA/cma: Initialize ib_sa_multicast structure to 0 when join (git-fixes)
- commit ad12009

- RDMA/mlx5: Fix NULL string error (git-fixes)
- commit 5556b81

- IB/mlx4: Fix the size of a buffer in add_port_entries() (git-fixes)
- commit 8c4cdf4

- RDMA/cma: Fix truncation compilation warning in make_cma_ports (git-fixes)
- commit a7c580d

- RDMA/uverbs: Fix typo of sizeof argument (git-fixes)
- commit 7e80897

- RDMA/cxgb4: Check skb value for failure to allocate (git-fixes)
- commit 6e18278

- RDMA/siw: Fix connection failure handling (git-fixes)
- commit 107f7c6

- RDMA/srp: Do not call scsi_done() from srp_abort() (git-fixes)
- commit ecb5c5e

- ring-buffer: Do not attempt to read past "commit" (git-fixes).
- commit ee556e0

- ring-buffer: Avoid softlockup in ring_buffer_resize()
  (git-fixes).
- commit bd7050f

- tracing: Make trace_marker{,_raw} stream-like (git-fixes).
- commit fda0bf6

- ring-buffer: Update "shortest_full" in polling (git-fixes).
- commit aad1d04

- ring-buffer: Fix bytes info in per_cpu buffer stats (git-fixes).
- commit 296da6c

- tracing: Have event inject files inc the trace array ref count
  (git-fixes).
- commit 817c093

- tracing: Have option files inc the trace array ref count
  (git-fixes).
- commit 921a48a

- tracing: Have current_trace inc the trace array ref count
  (git-fixes).
- commit 586ee6a

- tracing: Have tracing_max_latency inc the trace array ref count
  (git-fixes).
- commit 322c826

- tracing: Increase trace array ref count on enable and filter
  files (git-fixes).
- commit fa9da0d

- kprobes: Prohibit probing on CFI preamble symbol (git-fixes).
- commit de7b87f

- iommu/amd: Add map/unmap_pages() iommu_domain_ops callback
  support (bsc#1212423).
- iommu/amd/io-pgtable: Implement unmap_pages io_pgtable_ops
  callback (bsc#1212423).
- iommu/amd/io-pgtable: Implement map_pages io_pgtable_ops
  callback (bsc#1212423).
- commit b7a7693

- Update
  patches.suse/ipv6-sr-fix-out-of-bounds-read-when-setting-HMAC-dat.patch
  (bsc#1211592 CVE-2023-2860).
- commit 6e15654

- KVM: x86: work around QEMU issue with synthetic CPUID leaves (git-fixes).
- commit 7ac0d16

- KVM: x86: Fix clang -Wimplicit-fallthrough in do_host_cpuid() (git-fixes).
- commit 14aa242

- s390: add z16 elf platform (git-fixes LTC#203789 bsc#1215956
  LTC#203788 bsc#1215957).
- commit a4355b3

- sched/cpuset: Bring back cpuset_mutex (bsc#1215955).
- cgroup/cpuset: Change references of cpuset_mutex to cpuset_rwsem
  (bsc#1215955).
- commit 59f5010

- blacklist.conf: Add c0f78fd5edcf cgroup/cpuset: Iterate only if DEADLINE tasks are present
  ... and its prereqs
- commit a4ba12c

- blacklist.conf: Add 98dfdd9ee939 sched/psi: Select KERNFS as needed
- commit d326b7e

- x86/cpu: Enable STIBP on AMD if Automatic IBRS is enabled (bsc#1213772).
- commit 48235ff

- KVM: x86: Propagate the AMD Automatic IBRS feature to the guest (bsc#1213772).
- commit 237820b

- x86/cpu: Support AMD Automatic IBRS (bsc#1213772).
- Refresh patches.suse/x86-srso-add-ibpb_brtype-support.patch.
- Refresh patches.suse/x86-srso-add-srso_no-support.patch.
- commit 8ed20a4

- scsi: zfcp: Fix a double put in zfcp_port_enqueue() (git-fixes
  bsc#1215941).
- commit a62865f

- x86/cpu, kvm: Add the SMM_CTL MSR not present feature (bsc#1213772).
- Refresh patches.suse/x86-srso-add-ibpb_brtype-support.patch.
- Refresh patches.suse/x86-srso-add-srso_no-support.patch.
- commit aed5f36

- x86/cpu, kvm: Add the Null Selector Clears Base feature (bsc#1213772).
- Refresh patches.suse/x86-srso-add-ibpb_brtype-support.patch.
- Refresh patches.suse/x86-srso-add-srso_no-support.patch.
- commit 8f2a48f

- x86/cpu, kvm: Move X86_FEATURE_LFENCE_RDTSC to its native leaf (bsc#1213772).
- Refresh patches.suse/x86-srso-add-ibpb_brtype-support.patch.
- Refresh patches.suse/x86-srso-add-srso_no-support.patch.
- commit 553f579

- x86/cpu, kvm: Add the NO_NESTED_DATA_BP feature (bsc#1213772).
- Refresh patches.suse/x86-srso-add-ibpb_brtype-support.patch.
- Refresh patches.suse/x86-srso-add-srso_no-support.patch.
- commit 80fb630

- KVM: x86: Move open-coded CPUID leaf 0x80000021 EAX bit propagation code (bsc#1213772).
- Refresh patches.suse/x86-srso-add-srso_no-support.patch.
- commit f21e4e4

- KVM: x86: synthesize CPUID leaf 0x80000021h if useful (bsc#1213772).
- Refresh
  patches.suse/KVM-x86-Mask-off-reserved-bits-in-CPUID.80000001H.patch.
- Refresh
  patches.suse/KVM-x86-Move-lookup-of-indexed-CPUID-leafs-to-helper.
- commit 3d1c8b5

- KVM: x86: add support for CPUID leaf 0x80000021 (bsc#1213772).
- Refresh
  patches.suse/KVM-x86-Mask-off-reserved-bits-in-CPUID.80000001H.patch.
- commit 320f1ae

- net: xfrm: Fix xfrm_address_filter OOB read (CVE-2023-39194
  bsc#1215861).
- commit 55308cb

- netfilter: xt_sctp: validate the flag_info count (CVE-2023-39193
  bsc#1215860).
- commit 5ec24b7

- netfilter: xt_u32: validate user space input (CVE-2023-39192
  bsc#1215858).
- commit 292c059

- ipv4: fix null-deref in ipv4_link_failure (CVE-2023-42754
  bsc#1215467).
- commit ad87dd3

- KVM: s390: pv: fix external interruption loop not always
  detected (git-fixes bsc#1215916).
- commit f1893aa

- btrfs: fix root ref counts in error handling in
  btrfs_get_root_ref (bsc#1214351 CVE-2023-4389).
- commit 3731029

- KVM: s390: fix KVM_S390_GET_CMMA_BITS for GFNs in memslot holes
  (git-fixes bsc#1215915).
- commit fe7fbfc

- KVM: s390/diag: fix racy access of physical cpu number in diag
  9c handler (git-fixes bsc#1215911).
- commit 6454286

- fs/smb/client: Reset password pointer to NULL (bsc#1215899
  CVE-2023-5345).
- commit 679511d

- blacklist.conf: kABI breakage (vmalloc)
- commit 10bad47

- KVM: s390: interrupt: use READ_ONCE() before cmpxchg()
  (git-fixes bsc#1215896).
- commit 8726736

- KVM: s390: vsie: fix the length of APCB bitmap (git-fixes
  bsc#1215895).
- commit 9ff1a1e

- KVM: s390: vsie: Fix the initialization of the epoch extension
  (epdx) field (git-fixes bsc#1215894).
- commit 9c5bbd7

- netfilter: ipset: add the missing IP_SET_HASH_WITH_NET0 macro
  for ip_set_hash_netportnet.c (CVE-2023-42753 bsc#1215150).
- commit 7a6be79

- tcp: Reduce chance of collisions in inet6_hashfn()
  (CVE-2023-1206 bsc#1212703).
- commit e3ebd17

- blacklist.conf: workqueue: compiler warning on 32-bit systems with
  Clang (bsc#1215877)
- commit b7e65aa

- blacklist.conf: workqueue: Code refactoring
- commit e204334

- blacklist.conf: printk: the changes look good but they do not fix
  any serious problem
- commit c560ceb

- printk: ringbuffer: Fix truncating buffer size min_t cast
  (bsc#1215875).
- commit e0d3999

- scsi: storvsc: Handle additional SRB status values (git-fixes).
- commit d1a5f2f

- scsi: qedf: Add synchronization between I/O completions and
  abort (bsc#1210658).
- commit 96a8c32

- gve: fix frag_list chaining (bsc#1214479).
- gve: RX path for DQO-QPL (bsc#1214479).
- gve: Tx path for DQO-QPL (bsc#1214479).
- gve: Control path for DQO-QPL (bsc#1214479).
- gve: trivial spell fix Recive to Receive (bsc#1214479).
- gve: use vmalloc_array and vcalloc (bsc#1214479).
- gve: Unify duplicate GQ min pkt desc size constants
  (bsc#1214479).
- gve: Add AF_XDP zero-copy support for GQI-QPL format
  (bsc#1214479).
- gve: Add XDP REDIRECT support for GQI-QPL format (bsc#1214479).
- gve: Add XDP DROP and TX support for GQI-QPL format
  (bsc#1214479).
- gve: Changes to add new TX queues (bsc#1214479).
- gve: XDP support GQI-QPL: helper function changes (bsc#1214479).
- gve: Fix gve interrupt names (bsc#1214479).
- commit 4dd2d8d

- net: sched: sch_qfq: Fix UAF in qfq_dequeue() (CVE-2023-4921
  bsc#1215275).
- commit 9408063

- fs: no need to check source (bsc#1215752).
- commit 1a42abf

- Refresh
  patches.suse/drm-msm-dpu-drop-enum-dpu_core_perf_data_bus_id.patch
  (git-fixes)
  Alt-commit
- commit f8178cd

- Refresh
  patches.suse/drm-amd-display-check-attr-flag-before-set-cursor-de.patch
  (git-fixes)
  Alt-commit
- commit f507792

- Refresh
  patches.suse/drm-amdgpu-Fix-vram-recover-doesn-t-work-after-whole.patch
  (git-fixes)
  Alt-commit
- commit 38e2a92

- Refresh
  patches.suse/drm-amdgpu-add-a-missing-lock-for-AMDGPU_SCHED.patch
  (git-fixes)
  Alt-commit
- commit 2ecd3e8

- Refresh
  patches.suse/drm-amd-display-fix-flickering-caused-by-S-G-mode.patch
  (git-fixes)
  Alt-commit
- commit 33e82b2

- Refresh
  patches.suse/drm-nouveau-kms-nv50-fix-nv50_wndw_new_-prototype.patch
  (git-fixes)
  Alt-commit
- commit 4c21b50

- SUNRPC: Mark the cred for revalidation if the server rejects it
  (git-fixes).
- NFS/pNFS: Report EINVAL errors from connect() to the server
  (git-fixes).
- nfsd: fix change_info in NFSv4 RENAME replies (git-fixes).
- pNFS: Fix assignment of xprtdata.cred (git-fixes).
- NFSv4.2: fix handling of COPY ERR_OFFLOAD_NO_REQ (git-fixes).
- NFS: Guard against READDIR loop when entry names exceed
  MAXNAMELEN (git-fixes).
- nfs/blocklayout: Use the passed in gfp flags (git-fixes).
- NFSv4/pnfs: minor fix for cleanup path in nfs4_get_device_info
  (git-fixes).
- NFSD: da_addr_body field missing in some GETDEVICEINFO replies
  (git-fixes).
- fs: lockd: avoid possible wrong NULL parameter (git-fixes).
- nfsd: Fix race to FREE_STATEID and cl_revoked (git-fixes).
- xprtrdma: Remap Receive buffers after a reconnect (git-fixes).
- NFSv4: fix out path in __nfs4_get_acl_uncached (git-fixes).
- NFSv4.2: fix error handling in nfs42_proc_getxattr (git-fixes).
- NFSv4: Fix dropped lock for racing OPEN and delegation return
  (git-fixes).
- commit 087b1c4

- uapi: stddef.h: Fix __DECLARE_FLEX_ARRAY for C++ (git-fixes).
- commit 68da368

- usb: ehci: move new member has_ci_pec_bug into hole (git-fixes).
- commit bd8b5cf

- usb: ehci: add workaround for chipidea PORTSC.PEC bug
  (git-fixes).
- commit a447793

- net: usb: qmi_wwan: add Quectel EM05GV2 (git-fixes).
- commit 613dba7

- kernel-binary: Move build-time definitions together
  Move source list and build architecture to buildrequires to aid in
  future reorganization of the spec template.
- commit 30e2cef

- net: mana: Add page pool for RX buffers (bsc#1214040).
- bnx2x: new flag for track HW resource allocation (bsc#1202845
  bsc#1215322).
- commit 0f79d4d

- blacklist.conf: Ignore redundant patch
- commit 6d0ecfc

- powerpc/fadump: make is_kdump_kernel() return false when fadump
  is active (bsc#1212639 ltc#202582).
- vmcore: remove dependency with is_kdump_kernel() for exporting
  vmcore (bsc#1212639 ltc#202582).
- commit a5cc68e

- x86/srso: Fix srso_show_state() side effect (git-fixes).
- commit 619e525

- x86/srso: Fix SBPB enablement for spec_rstack_overflow=off (git-fixes).
- commit 5e42be0

- x86/srso: Don't probe microcode in a guest (git-fixes).
- commit 74b567d

- x86/srso: Set CPUID feature bits independently of bug or mitigation status (git-fixes).
- commit c6caed4

- platform/x86: intel_scu_ipc: Fail IPC send if still busy
  (git-fixes).
- platform/x86: intel_scu_ipc: Don't override scu in
  intel_scu_ipc_dev_simple_command() (git-fixes).
- platform/x86: intel_scu_ipc: Check status upon timeout in
  ipc_wait_for_interrupt() (git-fixes).
- platform/x86: intel_scu_ipc: Check status after timeout in
  busy_loop() (git-fixes).
- ASoC: imx-audmix: Fix return error with devm_clk_get()
  (git-fixes).
- ASoC: tegra: Fix redundant PLLA and PLLA_OUT0 updates
  (git-fixes).
- ASoC: soc-utils: Export snd_soc_dai_is_dummy() symbol
  (git-fixes).
- ASoC: meson: spdifin: start hw on dai probe (git-fixes).
- ALSA: hda/realtek: Splitting the UX3402 into two separate models
  (git-fixes).
- commit 5e7ab5c

- Update
  patches.suse/net-sched-cbq-dont-intepret-cls-results-when-asked-t.patch.
  (bsc#1207036 CVE-2023-23454)
  Fold downstream fixup of caa4b35b4317d5147b3ab0fbdc9c075c7d2e9c12.
- commit 6635291

- scsi: lpfc: Prevent use-after-free during rmmod with mapped
  NVMe rports (git-fixes).
- scsi: lpfc: Early return after marking final NLP_DROPPED flag
  in dev_loss_tmo (git-fixes).
- scsi: lpfc: Fix the NULL vs IS_ERR() bug for
  debugfs_create_file() (git-fixes).
- commit 39e6404

- scsi: qla2xxx: Fix NULL vs IS_ERR() bug for debugfs_create_dir()
  (git-fixes).
- scsi: qla2xxx: Use raw_smp_processor_id() instead of
  smp_processor_id() (git-fixes).
- commit 2981c3a

- fuse: nlookup missing decrement in fuse_direntplus_link
  (bsc#1215581).
- commit 7cedbed

- Drop amdgpu patch causing spamming (bsc#1215523)
  Deleted:
  patches.suse/drm-amdgpu-install-stub-fence-into-potential-unused-.patch.
- commit 2cab595

- net: mana: Configure hwc timeout from hardware (bsc#1214037).
- commit cc9aa11

- USB: core: Change usb_get_device_descriptor() API (bsc#1213123
  CVE-2023-37453 bsc#1215553 bsc#1215522 bsc#1215552).
  Refresh patches.suse/USB-core-Fix-race-by-not-overwriting-udev-descriptor.patch (add missing hunk)
  Refresh patches.suse/USB-core-Fix-oversight-in-SuperSpeed-initialization.patch (context)
- commit 6271d90

- virtio-net: set queues after driver_ok (git-fixes).
- commit a8caba5

- vhost: handle error while adding split ranges to iotlb
  (git-fixes).
- commit 059dc93

- vhost: allow batching hint without size (git-fixes).
- commit 8c5d403

- kernel-binary: python3 is needed for build
  At least scripts/bpf_helpers_doc.py requires python3 since Linux 4.18
  Other similar scripts may exist.
- commit c882efa

- KVM: x86/mmu: Include mmu.h in spte.h (git-fixes).
- commit e049205

- KVM: x86: Fix KVM_CAP_SYNC_REGS's sync_regs() TOCTOU issues
  (git-fixes).
- commit fced801

- blacklist.conf: add b439eb8ab57855, as prereq patch is missing
- commit 7f6a95d

- vhost_vdpa: fix the crash in unmap a large memory (git-fixes).
- commit 5c68686

- iommu/virtio: Detach domain on endpoint release (git-fixes).
- commit b648ef9

- vhost-scsi: unbreak any layout for response (git-fixes).
- commit 374c9ef

- drm/virtio: Use appropriate atomic state in
  virtio_gpu_plane_cleanup_fb() (git-fixes).
- commit 491eae6

- drm/virtio: Correct drm_gem_shmem_get_sg_table() error handling
  (git-fixes).
- commit e8e33de

- virtio-net: fix race between set queues and probe (git-fixes).
- commit 1089568

- virtio_net: Fix probe failed when modprobe virtio_net
  (git-fixes).
- commit 5915735

- virtio_net: add checking sq is full inside xdp xmit (git-fixes).
- commit 87c00dd

- virtio_net: separate the logic of checking whether sq is full
  (git-fixes).
- commit 7064a0d

- virtio_net: reorder some funcs (git-fixes).
- commit 4f7fbb1

- nvme-auth: use chap->s2 to indicate bidirectional authentication
  (bsc#1214543).
- commit 41ae88c

- module: Expose module_init_layout_section() (git-fixes)
- commit 54615cb

- arm64: tegra: Update AHUB clock parent and rate (git-fixes)
- commit d3da4d8

- arm64: module: Use module_init_layout_section() to spot init sections (git-fixes)
- commit f80791e

- arm64: sdei: abort running SDEI handlers during crash (git-fixes)
- commit ec53ad3

- virtio: acknowledge all features before access (git-fixes).
- commit 4e146ad

- hwrng: virtio - Fix race on data_avail and actual data
  (git-fixes).
- commit 6d20bd3

- virtio-rng: make device ready before making request (git-fixes).
- commit c09ce65

- vhost: fix hung thread due to erroneous iotlb entries
  (git-fixes).
- commit cc76cf8

- arm64/fpsimd: Only provide the length to cpufeature for xCR registers (git-fixes)
- commit 89467e1

- arm64: module-plts: inline linux/moduleloader.h (git-fixes)
- commit afca04d

- hwrng: virtio - always add a pending request (git-fixes).
- commit 912363c

- hwrng: virtio - don't waste entropy (git-fixes).
- commit 4771c4e

- hwrng: virtio - don't wait on cleanup (git-fixes).
- commit e9188eb

- af_unix: Fix null-ptr-deref in unix_stream_sendpage()
  (CVE-2023-4622 bsc#1215117).
- commit a6ce336

- hwrng: virtio - add an internal buffer (git-fixes).
- commit 477109e

- net/sched: sch_hfsc: Ensure inner classes have fsc curve
  (CVE-2023-4623 bsc#1215115).
- commit 72e753f

- virtio_ring: fix avail_wrap_counter in virtqueue_add_packed
  (git-fixes).
- commit 60546dd

- net: do not allow gso_size to be set to GSO_BY_FRAGS
  (git-fixes).
- commit b96a7ad

- virtio-mmio: don't break lifecycle of vm_dev (git-fixes).
- commit 45da2ea

- KVM: SEV: remove ghcb variable declarations (CVE-2023-4155
  bsc#1214022).
- KVM: SEV: only access GHCB fields once (CVE-2023-4155
  bsc#1214022).
- KVM: SEV: snapshot the GHCB before accessing it (CVE-2023-4155
  bsc#1214022).
- commit f5b3d4d

- xen: remove a confusing comment on auto-translated guest I/O
  (git-fixes).
- commit 80c5d27

- x86/PVH: avoid 32-bit build warning when obtaining VGA console
  info (git-fixes).
- commit 8d6614d

- blacklist.conf: Append 'Revert "fbcon: Use kzalloc() in fbcon_prepare_logo()"'
- commit 501bd2e

- blacklist.conf: Append 'video/aperture: Only remove sysfb on the default vga pci device'
- commit bfaaaff

- blacklist.conf: Append 'parisc: Flush gatt writes and adjust gatt mask in parisc_agp_mask_memory()'
- commit 30a9db6

- blacklist.conf: Append 'parisc/agp: Annotate parisc agp init functions with __init'
- commit 9eb45cc

- ata: libata: disallow dev-initiated LPM transitions to
  unsupported states (git-fixes).
- i2c: aspeed: Reset the i2c controller when timeout occurs
  (git-fixes).
- selftests: tracing: Fix to unmount tracefs for recovering
  environment (git-fixes).
- drm/amd/display: fix the white screen issue when >= 64GB DRAM
  (git-fixes).
- drm: gm12u320: Fix the timeout usage for usb_bulk_msg()
  (git-fixes).
- commit 1f4e814

- btrfs: don't hold CPU for too long when defragging a file
  (bsc#1214988).
- commit 9b89645

- 9p/xen : Fix use after free bug in xen_9pfs_front_remove due
  to race condition (bsc#1215206, CVE-2023-1859).
- commit f333aa7

- netfilter: nftables: exthdr: fix 4-byte stack OOB write
  (CVE-2023-4881 bsc#1215221).
- commit 0de26c1

- sctp: leave the err path free in sctp_stream_init to
  sctp_stream_free (CVE-2023-2177 bsc#1210643).
- commit 337b7d8

- platform/mellanox: mlxbf-pmc: Fix reading of unprogrammed events
  (git-fixes).
- platform/mellanox: mlxbf-pmc: Fix potential buffer overflows
  (git-fixes).
- platform/mellanox: mlxbf-tmfifo: Drop jumbo frames (git-fixes).
- platform/mellanox: mlxbf-tmfifo: Drop the Rx packet if no more
  descriptors (git-fixes).
- kselftest/runner.sh: Propagate SIGTERM to runner child
  (git-fixes).
- commit 495d04f

- Delete patches.suse/genksyms-add-override-flag.diff.
  Unnecessary after KBUILD_OVERRIDE removed.
- commit 870adc7

- x86/sev: Make enc_dec_hypercall() accept a size instead of npages (bsc#1214635).
- commit 834e1c2

- jbd2: restore t_checkpoint_io_list to maintain kABI
  (bsc#1214946).
- commit 1a1980a

- rpm/kernel-binary.spec.in: Drop use of KBUILD_OVERRIDE=1
  Genksyms has functionality to specify an override for each type in
  a symtypes reference file. This override is then used instead of an
  actual type and allows to preserve modversions (CRCs) of symbols that
  reference the type. It is kind of an alternative to doing kABI fix-ups
  with '#ifndef __GENKSYMS__'. The functionality is hidden behind the
  genksyms --preserve option which primarily tells the tool to strictly
  verify modversions against a given reference file or fail.
  Downstream patch patches.suse/genksyms-add-override-flag.diff which is
  present in various kernel-source branches separates the override logic.
  It allows it to be enabled with a new --override flag and used without
  specifying the --preserve option. Setting KBUILD_OVERRIDE=1 in the spec
  file is then a way how the build is told that --override should be
  passed to all invocations of genksyms. This was needed for SUSE kernels
  because their build doesn't use --preserve but instead resulting CRCs
  are later checked by scripts/kabi.pl.
  However, this override functionality was not utilized much in practice
  and the only use currently to be found is in SLE11-SP1-LTSS. It means
  that no one should miss this option and KBUILD_OVERRIDE=1 together with
  patches.suse/genksyms-add-override-flag.diff can be removed.
  Notes for maintainers merging this commit to their branches:
  * Downstream patch patches.suse/genksyms-add-override-flag.diff can be
  dropped after merging this commit.
  * Branch SLE11-SP1-LTSS uses the mentioned override functionality and
  this commit should not be merged to it, or needs to be reverted
  afterwards.
- commit 4aa02b8

- drm/display: Don't assume dual mode adaptors support i2c
  sub-addressing (bsc#1213808).
- commit 9c64306

- blacklist.conf: Add ef73dcaa3121 ("powerpc: xmon: remove unused variables")
- commit 78179fa

- powerpc/iommu: Fix notifiers being shared by PCI and VIO buses
  (bsc#1065729).
- powerpc/xics: Remove unnecessary endian conversion
  (bsc#1065729).
- word-at-a-time: use the same return type for has_zero regardless
  of endianness (bsc#1065729).
- commit bde8063

- mlx4: Delete custom device management logic (bsc#1187236).
- mlx4: Connect the infiniband part to the auxiliary bus
  (bsc#1187236).
- mlx4: Connect the ethernet part to the auxiliary bus
  (bsc#1187236).
- mlx4: Register mlx4 devices to an auxiliary virtual bus
  (bsc#1187236).
- mlx4: Avoid resetting MLX4_INTFF_BONDING per driver
  (bsc#1187236).
- mlx4: Move the bond work to the core driver (bsc#1187236).
- mlx4: Get rid of the mlx4_interface.activate callback
  (bsc#1187236).
- mlx4: Replace the mlx4_interface.event callback with a notifier
  (bsc#1187236).
- commit 0aba257

- mlx4: Use 'void *' as the event param of mlx4_dispatch_event()
  (bsc#1187236).
- mlx4: Rename member mlx4_en_dev.nb to netdev_nb (bsc#1187236).
- mlx4: Get rid of the mlx4_interface.get_dev callback
  (bsc#1187236).
- net/mlx4: Remove many unnecessary NULL values (bsc#1187236).
- kabi/severities: ignore mlx4 internal symbols
- tracing: Fix race issue between cpu buffer write and swap
  (git-fixes).
- tracing: Remove extra space at the end of hwlat_detector/mode
  (git-fixes).
- tracing: Remove unnecessary copying of tr->current_trace
  (git-fixes).
- bpf: Clear the probe_addr for uprobe (git-fixes).
- commit 47e9584

- x86/fpu: Take task_struct* in copy_sigframe_from_user_to_xstate() (git-fixes).
- commit 74c2613

- x86/mm: Avoid incomplete Global INVLPG flushes (git-fixes).
- commit a8877f3

- x86/resctrl: Fix to restore to original value when re-enabling hardware prefetch register (git-fixes).
- commit 670fb4d

- x86/resctrl: Fix task CLOSID/RMID update race (git-fixes).
- commit 9871c87

- x86/reboot: Disable virtualization in an emergency if SVM is supported (git-fixes).
- commit 3949a2b

- x86/virt: Force GIF=1 prior to disabling SVM (for reboot flows) (git-fixes).
- commit 4534667

- x86/sgx: Reduce delay and interference of enclave release (git-fixes).
- commit ef6d157

- x86/rtc: Remove __init for runtime functions (git-fixes).
- commit 4511d93

- x86/mm: Do not shuffle CPU entry areas without KASLR (git-fixes).
- commit cb39678

- x86/mce: Retrieve poison range from hardware (git-fixes).
- commit c9f1ddb

- x86/ioremap: Fix page aligned size calculation in __ioremap_caller() (git-fixes).
- commit 96d9365

- x86/mem_encrypt: Unbreak the AMD_MEM_ENCRYPT=n build (git-fixes).
- commit 12a2933

- x86/resctl: fix scheduler confusion with 'current' (git-fixes).
- commit 0d855b9

- x86/purgatory: remove PGO flags (git-fixes).
- commit 9d8ada6

- x86/ioapic: Don't return 0 from arch_dynirq_lower_bound() (git-fixes).
- commit ea0772f

- x86/i8259: Mark legacy PIC interrupts with IRQ_LEVEL (git-fixes).
- commit c1031f1

- x86/head/64: Switch to KERNEL_CS as soon as new GDT is installed (git-fixes).
- commit bbfad26

- x86/cpu: Add model number for Intel Arrow Lake processor (git-fixes).
- commit bf6d064

- x86/cpu: Add Lunar Lake M (git-fixes).
- commit 7ecc64d

- x86/bugs: Reset speculation control settings on init (git-fixes).
- commit 2a6dd8e

- x86/boot/e820: Fix typo in e820.c comment (git-fixes).
- commit ac06968

- x86/alternative: Fix race in try_get_desc() (git-fixes).
- commit d841323

- uprobes/x86: Allow to probe a NOP instruction with 0x66 prefix (git-fixes).
- commit 11f0960

- KVM: VMX: Fix header file dependency of asm/vmx.h (git-fixes).
- commit cae635f

- KVM: SVM: Remove a duplicate definition of VMCB_AVIC_APIC_BAR_MASK (git-fixes).
- commit 2a03ef8

- Revert "PCI: Mark NVIDIA T4 GPUs to avoid bus reset"
  (git-fixes).
- PCI: Free released resource after coalescing (git-fixes).
- ntb: Fix calculation ntb_transport_tx_free_entry() (git-fixes).
- ntb: Drop packets when qp link is down (git-fixes).
- ntb: Clean up tx tail index on link down (git-fixes).
- idr: fix param name in idr_alloc_cyclic() doc (git-fixes).
- commit a1c9c68

- ALSA: hda/cirrus: Fix broken audio on hardware with two CS42L42
  codecs (git-fixes).
- arm64: csum: Fix OoB access in IP checksum code for negative
  lengths (git-fixes).
- commit f43b75b

- patches.suse/ovl-remove-privs-in-ovl_copyfile.patch: (git-fixes).
- commit daa1815

- s390/qeth: Don't call dev_close/dev_open (DOWN/UP) (bsc#1214873
  git-fixes).
- commit b0dc76c

- nvme-tcp: add recovery_delay to sysfs (bsc#1201284).
- nvme-tcp: delay error recovery until the next KATO interval
  (bsc#1201284).
- nvme-tcp: make 'err_work' a delayed work (bsc#1201284).
- nvme-tcp: Do not terminate commands when in RESETTING
  (bsc#1201284).
- commit 96ee377

- s390/zcrypt: don't leak memory if dev_set_name() fails
  (git-fixes bsc#1215148).
- commit 62bce52

- drm/amd/display: prevent potential division by zero errors
  (git-fixes).
- drm/i915: mark requests for GuC virtual engines to avoid
  use-after-free (git-fixes).
- net: phy: micrel: Correct bit assignments for phy_device flags
  (git-fixes).
- pwm: lpc32xx: Remove handling of PWM channels (git-fixes).
- i3c: master: svc: fix probe failure when no i3c device exist
  (git-fixes).
- drm/i915/gvt: Drop unused helper intel_vgpu_reset_gtt()
  (git-fixes).
- commit 3aa0807

- blacklist.conf: kABI
- commit fe6afec

- blacklist.conf: kABI
- commit b1fabe7

- blacklist.conf: kABI
- commit c50e08f

- Input: tca6416-keypad - fix interrupt enable disbalance
  (git-fixes).
- commit de27518

- fs: do not update freeing inode i_io_list (bsc#1214813).
- fs: record I_DIRTY_TIME even if inode already has I_DIRTY_INODE
  (bsc#1214813).
- commit 2c1c38b

- watchdog: intel-mid_wdt: add MODULE_ALIAS() to allow auto-load
  (git-fixes).
- backlight: gpio_backlight: Drop output GPIO direction check
  for initial power state (git-fixes).
- USB: serial: option: add FOXCONN T99W368/T99W373 product
  (git-fixes).
- USB: serial: option: add Quectel EM05G variant (0x030e)
  (git-fixes).
- tcpm: Avoid soft reset when partner does not support get_status
  (git-fixes).
- usb: typec: tcpci: clear the fault status bit (git-fixes).
- ARM: pxa: remove use of symbol_get() (git-fixes).
- Bluetooth: btsdio: fix use after free bug in btsdio_remove
  due to race condition (git-fixes).
- usb: typec: tcpci: move tcpci.h to include/linux/usb/
  (git-fixes).
- commit 72d5b0f

- blacklist.conf: add git-fix to ignore
  this one removes unused kABI functions, but
  just leave them in
- commit 8007015

- scsi: snic: Fix double free in snic_tgt_create() (git-fixes).
- commit 1ed2b1b

- blacklist.conf: 9011e49d54dc ("modules: only allow symbol_get of
  EXPORT_SYMBOL_GPL modules") is not really fixing any existing bug.
- commit 550f5fc

- Move upstreamed pinctrl patch into sorted section
- commit 38f70f2

- Update References tag
  patches.suse/Bluetooth-L2CAP-Fix-use-after-free-in-l2cap_sock_rea.patch
  (git-fixes bsc#1214233 CVE-2023-40283).
- commit 731b49d

- ata: pata_falcon: fix IO base selection for Q40 (git-fixes).
- ata: sata_gemini: Add missing MODULE_DESCRIPTION (git-fixes).
- ata: pata_ftide010: Add missing MODULE_DESCRIPTION (git-fixes).
- kconfig: fix possible buffer overflow (git-fixes).
- commit 4a140a1

- powerpc/rtas: mandate RTAS syscall filtering (bsc#1023051).
- commit ac82be8

- Refresh sorted section
- commit a6fbcee

- netfilter: nf_tables: use correct lock to protect gc_list
  (CVE-2023-4563 bsc#1214727).
- netfilter: nf_tables: GC transaction race with abort path
  (CVE-2023-4563 bsc#1214727).
- netfilter: nf_tables: GC transaction race with netns dismantle
  (CVE-2023-4563 bsc#1214727).
- netfilter: nf_tables: fix GC transaction races with netns and
  netlink event exit path (CVE-2023-4563 bsc#1214727).
- netfilter: nf_tables: fix kdoc warnings after gc rework
  (CVE-2023-4563 bsc#1214727).
- refresh
  - patches.kabi/kabi-hide-changes-in-struct-nft_set.patch
- kabi: hide changes in struct nft_set (CVE-2023-4563
  bsc#1214727).
- netfilter: nf_tables: GC transaction API to avoid race with
  control plane (CVE-2023-4563 bsc#1214727).
- commit cfed41c

- quota: add new helper dquot_active() (bsc#1214998).
- commit 26cc2da

- quota: rename dquot_active() to inode_quota_active()
  (bsc#1214997).
- commit c4d7e83

- quota: factor out dquot_write_dquot() (bsc#1214995).
- commit 40e5ccd
libX11
- U_0001-CVE-2023-43785-out-of-bounds-memory-access-in-_XkbRe.patch
  U_0002-CVE-2023-43786-stack-exhaustion-from-infinite-recurs.patch
  U_0003-XPutImage-clip-images-to-maximum-height-width-allowe.patch
  U_0004-XCreatePixmap-trigger-BadValue-error-for-out-of-rang.patch
  U_0005-CVE-2023-43787-Integer-overflow-in-XCreateImage-lead.patch
  * CVE-2023-43785 libX11: out-of-bounds memory access in
    _XkbReadKeySyms() (boo#1215683)
  * CVE-2023-43786 libX11: stack exhaustion from infinite recursion
    in PutSubImage() (boo#1215684)
  * CVE-2023-43787 libX11: integer overflow in XCreateImage()
    leading to a heap overflow (boo#1215685)
libapparmor
- update zgrep profile to allow egrep helper use (bsc#1214458)
  - zgrep-profile-sync-with-master.diff
libeconf
- Additional info for version 0.5.2:
  * Fixed a stack-buffer-overflow vulnerability in "econf_writeFile"
    function. (CVE-2023-30078, CVE-2023-32181, bsc#1211078)
  * Fixed a stack-buffer-overflow vulnerability in "read_file"
    function. (CVE-2023-30079, CVE-2023-22652, bsc#1211078)

- Update to version 0.5.2:
  * Fixed build for aarch64 and gcc13.
  * Making the output verbose when a test fails.
  * Fixed a stack-buffer-overflow vulnerability in "econf_writeFile"
    function.
  * Fixed a stack-buffer-overflow vulnerability in "read_file"
    function.
  * Added new feature: econf_set_conf_dirs (const char **dir_postfix_list)
    Sets a list of directory structures (with order) which describes
    the directories in which the files have to be parsed.
    E.G. with the given list: {"/conf.d/", ".d/", "/", NULL} files in following
    directories will be parsed:
    "<default_dirs>/<project_name>.<suffix>.d/"
    "<default_dirs>/<project_name>/conf.d/"
    "<default_dirs>/<project_name>.d/"
    "<default_dirs>/<project_name>/"
    The entry "<default_dirs>/<project_name>.<suffix>.d/" will be added
    automatically.
  * General code cleanup.

- Update to version 0.5.1:
  * Reading files in /usr/_vendor_/_example_._suffix_.d/* regardless
    of whether there is a /etc/_example_._suffix_ file. (#175)

- Update to version 0.5.0:
  * API calls econf_read*WithCallback supporting a general (void *)
    argument for user defined data with which the callback function is
    called.
  * Tagged following functions deprecated:
    econf_requireOwner, econf_requireGroup, econf_requirePermissions,
    econf_followSymlinks, econf_reset_security_settings
    Use one of the econf_read*WithCallback functions instead.

- Update to version 0.4.9:
  * libeconf.h: added missing sys/types.h header (#171)
  * new API calls: econf_readFileWithCallback,
    econf_readDirsWithCallback, econf_readDirsHistoryWithCallback (#172)
  * Checking NULL comment parameter in the parsing functions.

- Update to version 0.4.8+git20221114.7ff7704:
  * Parsing files which are containing keys only (#170)
    All delimiters are allowed now : "", " =", " ", "=". But the
    user should use "" in order to be distinct.
  * /usr/etc/shells.d/<file_name> will not be parsed if
    /etc/shells.d/<file_name> is defined too.
  * Lto build fixed (#168)
  * New calls: econf_comment_tag, econf_delimiter_tag, econf_set_comment_tag,
    econf_set_delimiter_tag
  * Checking UID,GroupID, permissions,... of the parsed files (#165)
    New calls: econf_requireOwner, econf_requireGroup, econf_requirePermissions,
    econf_followSymlinks
  * Ignoring Group without brackets; Do not hold brackets in the internal data structure. (#164)
  * Error handling improved for nums and booleans (#163)
nghttp2
- security update
- added patches
  fix CVE-2023-44487 [bsc#1216123], HTTP/2 Rapid Reset Attack
  + nghttp2-CVE-2023-44487.patch

- Fixes memory leak that happens when PUSH_PROMISE or HEADERS frame cannot be
  sent, and nghttp2_on_stream_close_callback fails with a fatal error.
  [CVE-2023-35945 bsc#1215713]
  + nghttp2-CVE-2023-35945.patch
openssl-1_1
- Displays "fips" in the version string (bsc#1215215)
  * Add openssl-1_1-fips-bsc1215215_fips_in_version_string.patch
pciutils
- Apply "lspci-Fixed-buffer-overflows-in-ls-tree.c.patch" to fix a
  buffer overflow error that would cause lspci to crash on systems
  with complex topologies. [bsc#1215265]
- Add "pciutils.keyring" so that the tarball's signature can be
  verified at build time.
- Use "%license" tag instead of "%doc" to install the package's
  license file.
python3
- Add CVE-2023-40217-avoid-ssl-pre-close.patch fixing
  gh#python/cpython#108310, backport from upstream patch
  gh#python/cpython#108315
  (bsc#1214692, CVE-2023-40217)
ruby2.5
- update suse.patch to 531fb8b2cc
  - fix quadratic behavior in the uri parser (boo#1209891
    CVE-2023-28755)
  - fix expensive regexp in the RFC2822 time parser (boo#1209967
    CVE-2023-28756)
  - backport date 2.0.3 (boo#1193035 CVE-2021-41817)
  - merge CGI 0.1.0.2: (boo#1205726 CVE-2021-33621)
  - When parsing cookies, only decode the values
  - HTTP response splitting in CGI
libtirpc
- update to 1.3.4 (bsc#1199467)
  * binddynport.c honor ip_local_reserved_ports
  - replaces: binddynport-honor-ip_local_reserved_ports.patch
  * gss-api: expose gss major/minor error in authgss_refresh()
  * rpcb_clnt.c: Eliminate double frees in delete_cache()
  * rpcb_clnt.c: memory leak in destroy_addr
  * portmapper: allow TCP-only portmapper
  * getnetconfigent: avoid potential DoS issue by removing unnecessary sleep
  * clnt_raw.c: fix a possible null pointer dereference
  * bindresvport.c: fix a potential resource leakage
- update to 1.3.3 (bsc#1201680, CVE-2021-46828):
  * Fix DoS vulnerability in libtirpc
  - replaces: 0001-Fix-DoS-vulnerability-in-libtirpc.patch
  * _rpc_dtablesize: use portable system call
  * libtirpc: Fix use-after-free accessing the error number
  * Fix potential memory leak of parms.r_addr
  - replaces 0001-fix-parms.r_addr-memory-leak.patch
  * rpcb_clnt.c add mechanism to try v2 protocol first
  - replaces: 0001-rpcb_clnt.c-config-to-try-protocolversion-2-first.patch
  * Eliminate deadlocks in connects with an MT environment
  * clnt_dg_freeres() uncleared set active state may deadlock
  * thread safe clnt destruction
  * SUNRPC: mutexed access blacklist_read state variable
  * SUNRPC: MT-safe overhaul of address cache management in rpcb_clnt.c
- drop 0001-Fix-DoS-vulnerability-in-libtirpc.patch (upstream)
- update to 1.3.2:
  * Replace the final SunRPC licenses with BSD licenses
  * blacklist: Add a few more well known ports
  * libtirpc: disallow calling auth_refresh from clnt_call with RPCSEC_GSS
- Update to libtirpc 1.3.1
  * Remove AUTH_DES interfaces from auth_des.h
    The unsupported AUTH_DES authentication has been
    compiled out since commit d918e41d889 (Wed Oct 9 2019)
    replaced by API routines that return errors.
  * svc_dg: Free xp_netid during destroy
  * Fix memory management issues of fd locks
  * libtirpc: replace array with list for per-fd locks
  * __svc_vc_dodestroy: fix double free of xp_ltaddr.buf
  * __rpc_dtbsize: rlim_cur instead of rlim_max
  * pkg-config: use the correct replacements for libdir/includedir
  Patches replaced by update:
  binddynport-honor-ip_local_reserved_ports.patch (bsc#1199467)
  0001-Fix-DoS-vulnerability-in-libtirpc.patch (bsc#1201680)
  0001-fix-parms.r_addr-memory-leak.patch (bsc#1198752)
  0001-rpcb_clnt.c-config-to-try-protocolversion-2-first.patch
  (bsc#1196647), (bsc#1200800), (bsc#1198176)
  * replaces /etc/netconfig-try-2-first by the environment variable
  RPCB_V2FIRST
zlib
- Fix CVE-2023-45853, integer overflow and resultant heap-based buffer
  overflow in zipOpenNewFileInZip4_6, bsc#1216378
  * CVE-2023-45853.patch
zchunk
- Fix CVE-2023-46228, bsc#1216268
  * Handle overflow errors in malformed zchunk files.
- Added patch:
  * CVE-2023-46228.patch
log4j
- Build also taglib, jmx-gui, bom, nosql and web modules, on
  platforms where we have the dependencies
shadow
- bsc#1214806 (CVE-2023-4641):
  Fix potential password leak
- Add shadow-CVE-2023-4641.patch
nvme-cli
- Update to version 2.0+48.gbd004e:
  * json: fix seg. fault converting NULL to JSON string (bsc#1213762)
postfix
- postfix: config.postfix causes too tight permission on main.cf
  (bsc#1215372)

- CVE-2023-32182: postfix: config_postfix SUSE specific script
  potentially bad /tmp file usage (bsc#1211196)
  Use temp file created by mktemp
postgresql14
- Update to 14.10:
  * bsc#1216962, CVE-2023-5868: Fix handling of unknown-type
    arguments in DISTINCT "any" aggregate functions. This error led
    to a text-type value being interpreted as an unknown-type value
    (that is, a zero-terminated string) at runtime. This could
    result in disclosure of server memory following the text value.
  * bsc#1216961, CVE-2023-5869: Detect integer overflow while
    computing new array dimensions. When assigning new elements to
    array subscripts that are outside the current array bounds, an
    undetected integer overflow could occur in edge cases. Memory
    stomps that are potentially exploitable for arbitrary code
    execution are possible, and so is disclosure of server memory.
  * bsc#1216960, CVE-2023-5870: Prevent the pg_signal_backend role
    from signalling background workers and autovacuum processes.
    The documentation says that pg_signal_backend cannot issue
    signals to superuser-owned processes. It was able to signal
    these background processes, though, because they advertise a
    role OID of zero. Treat that as indicating superuser ownership.
    The security implications of cancelling one of these process
    types are fairly small so far as the core code goes (we'll just
    start another one), but extensions might add background workers
    that are more vulnerable.
    Also ensure that the is_superuser parameter is set correctly in
    such processes. No specific security consequences are known for
    that oversight, but it might be significant for some extensions.
  * Add support for LLVM 16 and 17
  * https://www.postgresql.org/docs/14/release-14-10.html

- boo#1216734: Revert the last change and make the devel package
  independent of all other subpackages except for the libs.

- boo#1216022: Call install-alternatives from the devel subpackage
  as well, otherwise the symlink for ecpg might be missing.

- Also buildignore the postgresql*-implementation symbols: this is
  needed in order to bootstrap when no postgresql version currently
  has valid symbols provided. Once the packages are built, OBS
  could translate this to the pgname-* packages and accept the
  ignores; during bootstrap though, there is nothing providing the
  symbol and the existing buildignores do not suffice.
python-instance-billing-flavor-check
- Version 0.0.4
  Run the command as sudo only

- Version 0.0.3
  Handle exception for Python 3.4
python-rpm
- build for all python modules (jsc#PED-68, jsc#PED-1988)
salt
- Randomize pre_flight_script path (CVE-2023-34049 bsc#1215157)
- Allow all primitive grain types for autosign_grains (bsc#1214477)
- Added:
  * allow-all-primitive-grain-types-for-autosign_grains-.patch
  * fix-cve-2023-34049-bsc-1215157.patch

- Fix optimization_order opt to prevent testsuite fails
- Improve salt.utils.json.find_json to avoid fails (bsc#1213293)
- Use salt-call from salt bundle with transactional_update
- Only call native_str on curl_debug message in tornado when needed
- Implement the calling for batch async from the salt CLI
- Fix calculation of SLS context vars when trailing dots
  on targeted sls/state (bsc#1213518)
- Rename salt-tests to python3-salt-testsuite
- Added:
  * improve-salt.utils.json.find_json-bsc-1213293.patch
  * only-call-native_str-on-curl_debug-message-in-tornad.patch
  * fix-optimization_order-opt-to-prevent-test-fails.patch
  * use-salt-call-from-salt-bundle-with-transactional_up.patch
  * implement-the-calling-for-batch-async-from-the-salt-.patch
  * fix-calculation-of-sls-context-vars-when-trailing-do.patch

- Fix inconsistency in reported version by egg-info metadata (bsc#1215489)
- Added:
  * write-salt-version-before-building-when-using-with-s.patch

- Revert usage of long running REQ channel to prevent possible
  missing responses on requests and duplicated responses
  (bsc#1213960, bsc#1213630, bsc#1213257)
- Fix gitfs cachedir basename to avoid hash collisions
  (bsc#1193948, bsc#1214797, CVE-2023-20898)
- Added:
  * fixed-gitfs-cachedir_basename-to-avoid-hash-collisio.patch
  * revert-usage-of-long-running-req-channel-bsc-1213960.patch

- Make sure configured user is properly set by Salt (bsc#1210994)
- Do not fail on bad message pack message (bsc#1213441, CVE-2023-20897)
- Fix broken tests to make them run in the testsuite
- Prevent possible exceptions on salt.utils.user.get_group_dict (bsc#1212794)
- Create minion_id with reproducible mtime
- Fix detection of Salt codename by "salt_version" execution module
- Fix regression: multiple values for keyword argument 'saltenv' (bsc#1212844)
- Fix the regression of user.present state when group is unset (bsc#1212855)
- Fix zypper repositories always being reconfigured
- Fix utf8 handling in 'pass' renderer and make it more robust
- Added:
  * fix-tests-to-make-them-running-with-salt-testsuite.patch
  * zypper-pkgrepo-alreadyconfigured-585.patch
  * fix-regression-multiple-values-for-keyword-argument-.patch
  * mark-salt-3006-as-released-586.patch
  * fix-utf8-handling-in-pass-renderer-and-make-it-more-.patch
  * do-not-fail-on-bad-message-pack-message-bsc-1213441-.patch
  * prevent-possible-exceptions-on-salt.utils.user.get_g.patch
  * make-sure-configured-user-is-properly-set-by-salt-bs.patch
  * fix-the-regression-of-user.present-state-when-group-.patch
spacewalk-certs-tools
- version 4.3.19-1
  * Support EC Cryptography with mgr-ssl-cert-setup
  * mgr-ssl-cert-setup: store CA certificate in database
    (bsc#1212856)
spacewalk-client-tools
- version 4.3.16-1
  * Update translation strings
python-urllib3
- Add CVE-2023-45803.patch (bsc#1216377, CVE-2023-45803)
  gh#urllib3/urllib3@4e98d57809da

- Add CVE-2023-43804.patch (bsc#1215968, CVE-2023-43804)
  gh#urllib3/urllib3#3139
  * Added the Cookie header to the list of headers to strip from
    requests when redirecting to a different host. As before,
    different headers can be set via Retry.remove_headers_on_redirect.
uyuni-common-libs
- version 4.3.9-1
  * Workaround for python3-debian bug about collecting control
    file (bsc#1211525, bsc#1208692)
release-notes-susemanager
- Update to SUSE Manager 4.3.9
  * Debian 12 support as client
  * New Update Notification (jsc#SUMA-111)
  * Monitoring: Grafana upgraded to 9.5.8
  * Update 'saltkey' endpoints to accept GET instead of POST
  * CVEs fixed
    CVE-2023-34049
  * Bugs mentioned
    bsc#1204270, bsc#1211047, bsc#1211145, bsc#1211270, bsc#1211912
    bsc#1212168, bsc#1212507, bsc#1213132, bsc#1213376, bsc#1213469
    bsc#1213680, bsc#1213689, bsc#1214041, bsc#1214121, bsc#1214463
    bsc#1214553, bsc#1214746, bsc#1215027, bsc#1215120, bsc#1215412
    bsc#1215514, bsc#1216661, bsc#1215157

- Update to SUSE Manager 4.3.8.2
  * Bugs mentioned
    bsc#1215857, bsc#1210253, bsc#1215820

- Update to SUSE Manager 4.3.8.1
  * Fix the link issue for PAYG guide

- Update to SUSE Manager 4.3.8
  * Important Salt minion update
  * SUSE Manager Pay-as-you-go (PAYG)
  * Automated RHUI credential update
  * Monitoring: Prometheus upgraded to 2.45.0
  * Monitoring: Apache exporter updated to version 1.0.0
  * Expose lastBuildDate property (last build/promote date of an
    environment) through contentlifecycle API (jsc#SUMA-280)
  * Add saltboot redeploy and repartition based on pillars
    (jsc#SUMA-158)
  * CVEs fixed
    CVE-2023-29409, CVE-2023-20897, CVE-2023-20898
  * Bugs mentioned
    bsc#1207330, bsc#1208692, bsc#1210935, bsc#1211525, bsc#1211874
    bsc#1211884, bsc#1212246, bsc#1212730, bsc#1212814, bsc#1212827
    bsc#1212856, bsc#1212943, bsc#1213009, bsc#1213077, bsc#1213288
    bsc#1213445, bsc#1213675, bsc#1213716, bsc#1213880, bsc#1214002
    bsc#1214121, bsc#1214124, bsc#1214187, bsc#1214266, bsc#1214280
    bsc#1214889, bsc#1214982, bsc#1215352, bsc#1215362, bsc#1215497
    bsc#1193948, bsc#1214797, bsc#1213441, bsc#1214796, bsc#1213469
    bsc#1215413, bsc#1215756
rsyslog
- fix rsyslog crash in imrelp (bsc#1210286)
  * add: 0001-Avoid-crash-on-restart-in-imrelp-SIGTTIN-handler.patch
runc
- Update to runc v1.1.9. Upstream changelog is available from
  <https://github.com/opencontainers/runc/releases/tag/v1.1.9>.

- Update to runc v1.1.8. Upstream changelog is available from
  <https://github.com/opencontainers/runc/releases/tag/v1.1.8>.
samba
- CVE-2023-4091: samba: Client can truncate file with read-only
  permissions; (bsc#1215904); (bso#15439).
- CVE-2023-42669: samba: rpcecho, enabled and running in AD DC,
  allows blocking sleep on request; (bso#1215905); (bso#15474).
- CVE-2023-4154: samba: dirsync allows SYSTEM access with only
  "GUID_DRS_GET_CHANGES" right, not "GUID_DRS_GET_ALL_CHANGES";
  (bsc#1215908); (bso#15424).

- Move libcluster-samba4.so from samba-libs to samba-client-libs;
  (bsc#1213940);
000release-packages:sle-module-basesystem-release
n/a
000release-packages:sle-module-containers-release
n/a
000release-packages:sle-module-public-cloud-release
n/a
000release-packages:sle-module-server-applications-release
n/a
000product:sle-module-suse-manager-server-release
n/a
000release-packages:sle-module-web-scripting-release
n/a
smdba
- Version 1.7.12
  * re-use configured max_connection value
  * keep previous selected value for SSD configuration
spacecmd
- version 4.3.24-1
  * Change default scheduler from (none) to (system)

- version 4.3.23-1
  * Update translation strings
spacewalk-admin
- version 4.3.13-1
  * Integrate instance-flavor-check to detect if the instance is
    Pay-as-you-go
  * Add checks for csp-billing-adapter in case of a Pay-as-you-go
    instance
spacewalk-backend
- version 4.3.24-1
  * Only show missing /root/.curlrc error with log_level = 5 (bsc#1212507)

- version 4.3.23-1
  * Use a constant to get the product name in python code rather
    than reading rhn.conf (bsc#1212943)
  * Add key import debug logging to reposync (bsc#1213675)
  * Add hint about missing auth header for Pay-as-you-go
    instances (bsc#1213445)
  * rhn-ssl-dbstore read CA from STDIN (bsc#1212856)
  * Implement new RHUI support in reposync
spacewalk-web
- version 4.3.35-1
  * Add missing translation wrappers for Salt formula catalog
  * Shows a notification when an update for SUSE Manager is available

- version 4.3.34-1
  * Fix datetimepicker erroneously updating the date field (bsc#1210253, bsc#1215820)

- version 4.3.33-1
  * Update the messages after syncing the products
  * Fix issue that prevented deleting credentials
  * Add warning message in login UI for Pay-as-you-go with SCC
    credentials and no forward registration.
  * Hide SSH info for `localhost` in Pay-as-you-go section
  * Integrate @formatjs/intl as a replacement for t()
  * Fix link interpolation in message maps
spacewalk-config
- version 4.3.12-1
  * Handle spaces in /ks/dist/ file names (bsc#1213680)

- version 4.3.11-1
  * Allow calling instance-flavor-check via sudo
spacewalk-java
- version 4.3.68-1
  * Sync GPG properties on each build in CLM (bsc#1213689)
  * Change list endpoints in saltkey namespace to accept GET
    requests instead of POST (bsc#1214463)
  * Respect user email preferences when sending 'user creation' emails (bsc#1214553)
  * Fix server error when visiting the notifications page
  * Fixed the value of the advisory release for Ubuntu erratas
  * Restart the bunch from where it was interrupted when rescheduling
  * Moved the Ubuntu errata processing in its own separate taskomatic
    task (bsc#1211145)
  * Stop the taskomatic bunch execution if it was not possible to
    execute one of the tasks
  * Add detection of Debian 12
  * Implement different way to copy data for SystemPackageUpdate
    report database table (bsc#1211912)
  * Avoid SCC credentials check if `server.susemanager.fromdir` is
    set (bsc#1211270)
  * Fix bug about listing Ansible inventories (bsc#1213132)
  * Remove SUSE Manager proxy 4.2 product channel for PAYG
    instance (bsc#1215412)
  * Show a notification when an update for SUSE Manager is available
  * Optimize memory usage in UbuntuErrataManager
  * Handle spaces in /ks/dist/ file names (bsc#1213680)
  * Change default scheduler from (none) to (system)
  * Set user for package list refresh action if possible
  * Fix recurring state execution not using the correct order (bsc#1215027)
  * Ignore mandatory channels results that don't match list of channels (bsc#1204270)
  * Token cleanup process removing invalid tokens using sql query (bsc#1213376)
  * Fix failed actions rescheduling (bsc#1214121)
  * Fix unscheduling actions when the trigger name changed after retry (bsc#1214121)
  * Improve Taskomatic by removing invalid triggers before starting and enhancing logs
  * Revert action executor fix that was intended to prevent blocking of Taskomatic threads (bsc#1214121)
  * Extend success message after adding monitoring property (bsc#1212168)

- version 4.3.67-1
  * Do not call SCC when updating the repositories authentication
    for PAYG (bsc#1215857)

- version 4.3.66-1
  * Fix RHUI support for RHEL 7 clients (bsc#1215756)

- version 4.3.65-1
  * Combine the PAYG credentials and the repository paths when they
    collide (bsc#1215413)

- version 4.3.64-1
  * Fix token issue with cloned deb channels (bsc#1214982)
  * Fix PAYG credentials extraction for SLES 12 clients (bsc#1215352)
  * Improved detection of the best authentication for accessing a
    repository in case of PAYG credentials (bsc#1215362)
  * Do not warn about missing Client Tools Channel subscription in a
    PAYG environment

- version 4.3.63-1
  * Fix X-Instance-Identifier header when doing a product refresh
    at Cloud RMT Server (bsc#1214889)

- version 4.3.62-1
  * Add environment build/promote date to CLM API output
    (jsc#SUMA-280)
  * Call mgr-libmod with its absolute path
  * Introduce new API to update the products page metadata
  * Extract additional authentication information needed for
    Pay-as-you-go
  * Fix handling of null credentials in RMT credentials check
  * Integrate instance-flavor-check to detect if the instance is
    Pay-as-you-go
  * Add rule to count only servers with SUSE Manager Tools as
    managed clients
  * Create flag to disable update status (bsc#1212730)
  * Fix syntax error in sql query for source package search
  * Catch exceptions and log a message when mailer setup failed
    (bsc#1213009)
  * Fix logging of libraries using apache-commons-logging
  * Invalidate Pay-as-you-go client credentials after repeated
    connection failure (bsc#1213445)
  * Restrict product migrations for Pay-as-you-go
  * Add warning message in login UI for Pay-as-you-go with SCC
    credentials and no forward registration.
  * Restrict cloning channels under different product channels for
    Pay-as-you-go
  * Avoid sending data to SCC about Pay-as-you-go instances
  * Add saltboot redeploy and repartition based on pillars
    (jsc#SUMA-158)
  * Add system pillar API access {get|set}Pillar
  * Consider the venv-salt-minion package update as Salt update to
    prevent backtraces on upgrading Salt with itself (bsc#1211884)
  * Fix processing of pkg.purged results (bsc#1213288)
  * Fix Null Pointer Exception in auth endpoint when an empty body
    is provided
  * Do not ignore scheduling error in Taskomatic
  * Add compliance checks when running as PAYG
  * Add RHUI support to Pay-as-you-go connection feature
  * Fix debian Packages file generation (bsc#1213716)
  * Fix action executor to prevent blocking Taskomatic for actions
    that are already finished (bsc#1214121)
  * Fix detection in case of RHEL-based products (bsc#1214280)
  * Improve error message when instance-flavor-check tool is not
    installed
  * Fix auto product refresh in case of SUSE Manager Pay-as-you-go
    Server
  * Optimize org channel accessibility query (bsc#1211874)
  * Check csp billing adapter status
spacewalk-setup
- version 4.3.18-1
  * Do not rely on rpm runtime status, rather check rhn.conf if it is
    configured (bsc#1210935)
  * Remove storing CA in DB directly as it is now part of
    mgr-ssl-cert-setup (bsc#1212856)
spacewalk-utils
- version 4.3.18-1
  * Add Debian 12 repositories
supportutils-plugin-susemanager
- version 4.3.9-1
  * Add cloud and Pay-as-you-go checks
  * Write configured crypto-policy in supportconfig
supportutils
- Changes in version 3.1.26
  + powerpc plugin to collect the slots and active memory (bsc#1210950)
  + A Cleartext Storage of Sensitive Information vulnerability CVE-2022-45154
  + supportconfig: collect BPF information (pr#154)
  + Added additional iscsi information (pr#155)

- Added run time detection (bsc#1213127)

- ha_info sle15 uses /var/log/pacemaker/ (pq#153)

- Changes for supportutils version 3.1.25
  + Removed iSCSI passwords CVE-2022-45154 (bsc#1207598)
  + powerpc: Collect lsslot,amsstat, and opal elogs (pr#149)
  + powerpc: collect invscout logs (pr#150)
  + powerpc: collect RMC status logs (pr#151)
  + Added missing nvme nbft commands (bsc#1211599)
  + Fixed invalid nvme commands (bsc#1211598)
  + Added missing podman information (PED-1703, bsc#1181477)
  + Removed dependency on sysfstools
  + Check for systool use (bsc#1210015)
  + Added selinux checking (bsc#1209979)
  + Updated SLES_VER matrix

- Fixed missing status detail for apparmor (bsc#1196933)
- Corrected invalid argument list in docker.txt (bsc#1206608)
- Applies limit equally to sar data and text files (bsc#1207543)
- Collects hwinfo hardware logs (bsc#1208928)
- Collects lparnumascore logs (issue#148)

- Add dependency to `numactl` on ppc64le and `s390x`, this enforces
  that `numactl --hardware` data is provided in supportconfigs

- Changes to supportconfig.rc version 3.1.11-35
  + Corrected _sanitize_file to include iscsi.conf and others (bsc#1206402)

- Changes to supportconfig version 3.1.11-46.4
  + Added plymouth_info

- Changes to getappcore version 1.53.02
  + The location of chkbin was updated earlier. This documents that
    change (bsc#1205533, bsc#1204942)
suse-build-key
- add and run an import-suse-build-key script, this will be run
  after installation with libzypp based installers. (jsc#PED-2777)
suse-module-tools
- Update to version 15.4.18:
  * blacklist RNDIS modules (bsc#1205767, jsc#PED-5731, CVE-2023-23559)
  * modprobe.d: Blacklist cls_tcindex module (bsc#1210335, CVE-2023-1829)
  (note: this is not a full fix for that CVE)

- Update to version 15.4.17:
  * cert-script: warn only once about non-writable efivarfs
  * cert-script: skip cert handling if efivarfs is not writable
    (bsc#1213428, bsc#1201066)
susemanager-docs_en
- Removed technical preview statement about Ansible in Administration
  Guide (bsc#1216661)
- Replaced "Quick Start: Public Cloud" with "Public Cloud Guide" in
  Specialized Guides
- Changed Proxy base system version number in the installation
  description to version 15 SP4 (bsc#1213469)
- Added comment about SCC subscription to Administration Guide
  (bsc#1211270)
- Added Debian 12 as supported client in Client Configuration Guide
- Fixed over-long table issue in openSCAP chapter in
  Administration Guide
- Update Hardware Requirements section about disk space for
  /var/spacewalk in the Installation and Upgrade Guide
- Documented disabling automatic channel selection for cloned
  channels in Content Lifecycle Management chapter of
  Administration Guide (bsc#1211047)
- Fixed broken links and references in the Image building file in
  Administration Guide
- Updated autoinstallation chapter in Client Configuration Guide
  about buildiso command in the context of Cobbler
- Removed end-of-life openSUSE Leap clients from the support matrix
  in the Client Configuration Guide
- Added note about Jinja templating for configuration files
  management on Salt Clients in Client Configuration Guide
- Fixed DHCP example for Cobbler autoinstallation and added one
  per architecture in Client Configuration Guide (bsc#1214041)

- Base server version corrected in the Installation and Upgrade
  Guide (bsc#1213469)
- Improved Red Hat Update Infrastructure documentation (bsc#1215373)
- Added background information on Ansible playbooks in the Ansible
  chapter in Administration Guide (bsc#1213077)
- Added Best practices and image pillars files to Retail Guide
- Added a warning about channel synchronization failure because of
  invalidated credentials in Connect Pay-as-you-go instance section
  of the Installation and Upgrade Guide
- Added detailed information about all supported SUSE Linux
  Enterprise Micro versions
- Updated Ansible chapter in Administration Guide for clarity
  (bsc#1213077)
- Added Saltboot redeployment subchapter in the Retail Guide
- Added a note for SUSE Linux Enterprise Micro clients only having
  Node and Blackbox exporter for monitoring available, in the
  Administration Guide (bsc#1212246)
- Removed the step calling rhn-ssl-dbstore from the SSL setup as it
  is now integrated into mgr-ssl-cert-setup in Administration Guide
- Added a workflow describing channel removal to the Common
  Workflows Guide
- Minimal memory requirement is now 16 GB for a SUSE Manager Server
  installation
- Listed supported key types for SSL certificates in Import SSL
  Certificates section of the Administration Guide
- Fixed Ubuntu channel names in Ubuntu chapter of the Client
  Configuration Guide (bsc#1212827)
- Typo correction for cobbler buildiso command in Client Configuration
  Guide
- Replaced plain text with dedicated attribute for AutoYaST
- Changed filename for configuring Tomcat memory usage in Specialized
  Guides (bsc#1212814)
susemanager-schema
- version 4.3.21-1
  * Add index on server needed cache to improve performance for some queries (bsc#1211912)
  * Moved the Ubuntu errata processing in its own separate taskomatic
    task (bsc#1211145)

- version 4.3.20-1
  * Add new credentials type RHUI
  * Store the Pay-as-you-go products
susemanager-sls
- version 4.3.36-1
  * Do not install instance-flavor-check tool on openSUSE

- version 4.3.35-1
  * Integrate instance-flavor-check to detect if the instance is
    Pay-as-you-go
  * Do not disable salt-minion on salt-ssh managed clients
  * Keep original traditional stack tools for RHEL7 RHUI connection
  * Include automatic migration from Salt 3000 to Salt Bundle in
    highstate
  * Use recurse strategy to merge formula pillar with existing
    pillars
  * Mask Uyuni roster module password on logs
susemanager-sync-data
- version 4.3.13-1
  * Add OES2023.4 (bsc#1215514)
  * Add Debian 12 amd64
susemanager
- version 4.3.32-1
  * Add bootstrap repository definition for OES2023.4 (bsc#1215514)
  * Add bootstrap repository definitions for Debian 12
  * Fix SLES 15 for SAP not being listed in mgr-create-bootstrap-repo (bsc#1215120)
  * Add missing PKGLIST15_TRAD for SLES 15 SAP mgr-create-bootstrap-repo entries (bsc#1215120)
  * Fix possible permission issues with database migration script (bsc#1214746)

- version 4.3.31-1
  * Require LTSS channel for SUSE Manager Proxy 4.2 (bsc#1214187)
systemd-rpm-macros
- Bump version to 14

- Switch to `systemd-hwdb` tool when updating the HW database. It's been
  introduced in systemd v219 and replaces the deprecated command `udevadm hwdb`.
tomcat
- Update to Tomcat 9.0.82
  * Catalina
    + Add: 65770: Provide a lifecycle listener that will
    automatically reload TLS configurations a set time before the
    certificate is due to expire. This is intended to be used with
    third-party tools that regularly renew TLS certificates.
    + Fix: Fix handling of an error reading a context descriptor on
    deployment.
    + Fix: Fix rewrite rule qsd (query string discard) being ignored
    if qsa was also used, while it should instead take precedence.
    + Fix: 67472: Send fewer CORS-related headers when CORS is not
    actually being engaged.
    + Add: Improve handling of failures within recycle() methods.
  * Coyote
    + Fix: 67670: Fix regression with HTTP compression after code
    refactoring.
    + Fix: 67198: Ensure that the AJP connector attribute
    tomcatAuthorization takes precedence over the
    tomcatAuthentication attribute when processing an auth_type
    attribute received from a proxy server.
    + Fix: 67235: Fix a NullPointerException when an AsyncListener
    handles an error with a dispatch rather than a complete.
    + Fix: When an error occurs during asynchronous processing,
    ensure that the error handling process is only triggered once
    per asynchronous cycle.
    + Fix: Fix logic issue trying to match no argument method in
    IntrospectionUtil.
    + Fix: Improve thread safety around readNotify and writeNotify
    in the NIO2 endpoint.
    + Fix: Avoid rare thread safety issue accessing message digest
    map.
    + Fix: Improve statistics collection for upgraded connections
    under load.
    + Fix: Align validation of HTTP trailer fields with standard
    fields.
    + Fix: Improvements to HTTP/2 overhead protection (bsc#1216182,
    CVE-2023-44487)
  * jdbc-pool
    + Fix: 67664: Correct a regression in the clean-up of
    unnecessary use of fully qualified class names in 9.0.81
    that broke the jdbc-pool.
  * Jasper
    + Fix: 67080: Improve performance of EL expressions in JSPs that
    use implicit objects

- Update to Tomcat 9.0.80
  * Catalina
    + Add RateLimitFilter which can be used to mitigate DoS and
    Brute Force attacks
    + Move the management of the utility executor from the
    init()/destroy() methods of components to the start()/stop()
    methods.
    + Add org.apache.catalina.core.StandardVirtualThreadExecutor,
    a virtual thread based executor that may be used with one or
    more Connectors to process requests received by those
    Connectors using virtual threads. This Executor requires a
    minimum Java version of Java 21.
    + 66513: Add a per session Semaphore to the PersistentValve that
    ensures that, within a single Tomcat instance, there is no
    more than one concurrent request per session. Also expand the
    debug logging to include whether a request bypasses the Valve
    and the reason if a request fails to obtain the per session
    Semaphore.
    + 66609: Ensure that the default servlet correctly escapes file
    names in directory listings when using XML output.
    + 66618: Add a numeric last modified field to the XML directory
    listings produced by the default servlet to enable sorting in
    the XSLT.
    + 66621: Attempts to lock a collection with WebDAV may
    incorrectly fail if a child collection has an expired lock.
    + 66622: Deprecate the xssProtectionEnabled setting from the
    HttpHeaderSecurityFilter and change the default value to false
    as support for the associated HTTP header has been removed
    from all major browsers.
    + 59232: Add org.apache.catalina.core.ContextNamingInfoListener,
    a listener which creates context naming information
    environment entries.
    + 66665: Add
    org.apache.catalina.core.PropertiesRoleMappingListener, a
    listener which populates the context's role mapping from a
    properties file.
    + Fix an edge case where intra-web application symlinks would be
    followed if the web applications were deliberately crafted to
    allow it even when allowLinking was set to false.
    + Add utility config file resource lookup on Context to allow
    looking up resources from the webapp (prefixed with webapp:)
    and make the resource lookup API more visible.
    + Fix potential database connection leaks in
    DataSourceUserDatabase identified by Coverity Scan.
    + Make parsing of ExtendedAccessLogValve patterns more robust.
    + Fix failure trying to persist configuration for an internal
    credential handler.
    + 66680: When serializing a session during the session
    persistence process, do not log a warning that null Principals
    are not serializable.
    + Catch NamingException in JNDIRealm#getPrincipal. It is used in
    Java up to 17 to signal closed connections.
    + 66822: Use the same naming format in log messages for
    Connector instances as the associated ProtocolHandler instance.
    + The parts count should also lower the actual maxParameterCount
    used for parsing parameters if parts are parsed first.
    + If an application or library sets both a non-500 error code
    and the javax.servlet.error.exception request attribute, use
    the provided error code during error page processing rather
    than assuming an error code of 500.
    + Update code comments and Tomcat output to use MiB for
    1024 * 1024 bytes and KiB for 1024 bytes rather than
    MB and kB.
    + Avoid protocol relative redirects in FORM authentication
    (CVE-2023-41080, bsc#1214666).
  * Coyote
    + Update the HTTP/2 implementation to use the prioritization
    scheme defined in RFC 9218 rather than the one defined in
    RFC 7540.
    + 66602: not sending WINDOW_UPDATE when dataLength is ZERO on
    call SwallowedDataFramePayload.
    + 66627: Restore the documented behaviour of
    MessageBytes.getType() that it returns the type of the
    original content rather than reflecting the most recent
    conversion.
    + 66635: Correct certificate logging on start-up so it
    differentiates between keystore based keys/certificates and
    PEM file based keys/certificates and logs the relevant
    information for each.
    + Refactor blocking reads and writes for the NIO connector to
    remove code paths that could allow a notification from the
    Poller to be missed resulting in a timeout rather than the
    expected read or write.
    + Refactor waiting for an HTTP/2 stream or connection window
    update to handle spurious wake-ups during the wait.
    + Correct a regression introduced in 9.0.78 and use the correct
    constant when constructing the default value for the
    certificateKeystoreFile attribute of an
    SSLHostConfigCertificate instance.
    + Refactor HTTP/2 implementation to reduce pinning when using
    virtual threads.
    + Pass through ciphers referring to an OpenSSL profile, such as
    PROFILE=SYSTEM instead of producing an error trying to parse
    it.
    + 66841: Ensure that AsyncListener.onError() is called after an
    error during asynchronous processing with HTTP/2.
    + 66842: When using asynchronous I/O (the default for NIO and
    NIO2), include DATA frames when calculating the HTTP/2
    overhead count to ensure that connections are not prematurely
    terminated.
    + Correct a race condition that could cause spurious RST
    messages to be sent after the response had been written to an
    HTTP/2 stream.
  * WebSocket
    + 66548: Expand the validation of the value of the
    Sec-Websocket-Key header in the HTTP upgrade request that
    initiates a WebSocket connection. The value is not decoded but
    it is checked for the correct length and that only valid
    characters from the base64 alphabet are used.
    + Improve handling of error conditions for the WebSocket server,
    particularly during Tomcat shutdown.
    + Correct a regression in the fix for 66574 that meant the
    WebSocket session could return false for onOpen() before the
    onClose() event had been completed.
    + 66681: Fix a NullPointerException when flushing batched
    messages with compression enabled using permessage-deflate.
  * Web applications
    + Documentation. Expand the security guidance to cover the
    embedded use case and add notes on the uses made of the
    java.io.tmpdir system property.
    + 66662: Documentation. Fix a typo in the name of the algorithms
    attribute in the configuration section for the Digest
    authentication value.
    + Documentation. Update documentation to use MiB for
    1024 * 1024 bytes and KiB for 1024 bytes rather than
    MB and kB.
  * jdbc-pool
    + Fix the releaseIdleCounter does not increment when testAllIdle
    releases them.
    + Fix the ConnectionState state will be inconsistent with actual
    state on the connection when an exception occurs while
    writing.
  * Other
    + Update to Commons Daemon 1.3.4.
    + Improvements to French translations.
    + Update Checkstyle to 10.12.0.
    + Update the packaged version of the Apache Tomcat Native
    Library to 1.2.37 to pick up the Windows binaries built
    with OpenSSL 1.1.1u.
    + Include the Windows specific binary distributions in the files
    uploaded to Maven Central.
    + Improvements to French translations.
    + Improvements to Japanese translations.
    + Update UnboundID to 6.0.9.
    + Update Checkstyle to 10.12.1.
    + Update BND to 6.4.1.
    + Update JSign to 5.0.
    + Correct properties for JSign dependency.
    + Align documentation for maxParameterCount to match hard-coded
    defaults.
    + Update NSIS to 3.0.9.
    + Update Checkstyle to 10.12.2.
    + Improvements to French translations.
    + Improvements to Japanese translations.
    + 66829: Fix quoting so users can use the _RUNJAVA environment
    variable as intended on Windows when the path to the Java
    executable contains spaces.
    + Update Tomcat Native to 1.2.38 to pick up Windows binaries
    built with OpenSSL 1.1.1v.
    + Improvements to Chinese translations.
    + Improvements to French translations.
    + Improvements to Japanese translations
- Removed patch:
  * tomcat-9.0.75-CVE-2023-41080.patch
    + integrated in this version

- Fixed CVEs:
  * CVE-2023-41080: Avoid protocol relative redirects in FORM authentication. (bsc#1214666)
- Added patches:
  * tomcat-9.0.75-CVE-2023-41080.patch

- Modified patch:
  * tomcat-9.0-osgi-build.patch
    + make it more robust to change in number of artifacts in bnd
    + do not enumerate jars, just take all jars from the aqute-bnd
    directory into the classpath

- Require(pre) shadow because groupadd is needed early
vim
- Updated to version 9.0 with patch level 1894, fixes the following security problems
  * Fixing bsc#1214922 (CVE-2023-4738) - VUL-0: CVE-2023-4738: vim: heap-buffer-overflow in vim_regsub_both
  * Fixing bsc#1214924 (CVE-2023-4735) - VUL-0: CVE-2023-4735: vim: OOB Write ops.c
  * Fixing bsc#1214925 (CVE-2023-4734) - VUL-0: CVE-2023-4734: vim: segmentation fault in function f_fullcommand
  * Fixing bsc#1215004 (CVE-2023-4733) - VUL-0: CVE-2023-4733: vim: use-after-free in function buflist_altfpos
  * Fixing bsc#1215006 (CVE-2023-4752) - VUL-0: CVE-2023-4752: vim: Heap Use After Free in function ins_compl_get_exp
  * Fixing bsc#1215033 (CVE-2023-4781) - VUL-0: CVE-2023-4781: vim: heap-buffer-overflow in function vim_regsub_both
- drop patches: disable-unreliable-tests.patch
    ignore-flaky-test-failure.patch
    vim-8.1.0297-dump3.patch
- dropped %check - most of tests didn't work correctly in OBS
    and maintenance burden of this was getting too big
- for the complete list of changes see
  https://github.com/vim/vim/compare/v9.0.1632...v9.0.1894

- Use app icon generated from vimlogo.eps in source tarball; add
  higher res icons of sizes 128, 256, and 512px as png sources.
  Our current icons deviate from upstream flatpaks for example.
- Updated to version 9.0 with patch level 1632
- for the complete list of changes see
  https://github.com/vim/vim/compare/v9.0.1443...v9.0.1632
xen
- bsc#1216807 - VUL-0: CVE-2023-46836: xen: x86: BTC/SRSO fixes not
  fully effective (XSA-446)
  xsa446.patch

- bsc#1216654 - VUL-0: CVE-2023-46835: xen: x86/AMD: mismatch in
  IOMMU quarantine page table levels (XSA-445)
  xsa445.patch

- bsc#1215145 - VUL-0: CVE-2023-34322: xen: top-level shadow
  reference dropped too early for 64-bit PV guests (XSA-438)
  650abbfe-x86-shadow-defer-PV-top-level-release.patch
- bsc#1215474 - VUL-0: CVE-2023-20588: xen: AMD CPU transitional
  execution leak via division by zero (XSA-439)
  64e5b4ac-x86-AMD-extend-Zenbleed-check.patch
  65087000-x86-spec-ctrl-SPEC_CTRL_EXIT_TO_XEN-confusion.patch
  65087001-x86-spec-ctrl-fold-DO_SPEC_CTRL_EXIT_TO_XEN.patch
  65087002-x86-spec-ctrl-SPEC_CTRL-ENTRY-EXIT-asm-macros.patch
  65087003-x86-spec-ctrl-SPEC_CTRL-ENTER-EXIT-comments.patch
  65087004-x86-entry-restore_all_xen-stack_end.patch
  65087005-x86-entry-track-IST-ness-of-entry.patch
  65087006-x86-spec-ctrl-VERW-on-IST-exit-to-Xen.patch
  65087007-x86-AMD-Zen-1-2-predicates.patch
  65087008-x86-spec-ctrl-Zen1-DIV-leakage.patch
- bsc#1215746 - VUL-0: CVE-2023-34326: xen: x86/AMD: missing IOMMU
  TLB flushing (XSA-442)
  65263470-AMD-IOMMU-flush-TLB-when-flushing-DTE.patch
- bsc#1215747 - VUL-0: CVE-2023-34325: xen: Multiple
  vulnerabilities in libfsimage disk handling (XSA-443)
  65263471-libfsimage-xfs-remove-dead-code.patch
  65263472-libfsimage-xfs-amend-mask32lo.patch
  65263473-libfsimage-xfs-sanity-check-superblock.patch
  65263474-libfsimage-xfs-compile-time-check.patch
  65263475-pygrub-remove-unnecessary-hypercall.patch
  65263476-pygrub-small-refactors.patch
  65263477-pygrub-open-output-files-earlier.patch
  65263478-libfsimage-function-to-preload-plugins.patch
  65263479-pygrub-deprivilege.patch
  6526347a-libxl-allow-bootloader-restricted-mode.patch
  6526347b-libxl-limit-bootloader-when-restricted.patch
- bsc#1215748 - VUL-0: CVE-2023-34327,CVE-2023-34328: xen: x86/AMD:
  Debug Mask handling (XSA-444)
  6526347c-SVM-fix-AMD-DR-MASK-context-switch-asymmetry.patch
  6526347d-x86-PV-auditing-of-guest-breakpoints.patch
- Upstream bug fixes (bsc#1027519)
  64e6459b-revert-VMX-sanitize-rIP-before-reentering.patch
  64eef7e9-x86-reporting-spurious-i8259-interrupts.patch
  64f71f50-Arm-handle-cache-flush-at-top.patch
  65084ba5-x86-AMD-dont-expose-TscFreqSel.patch
- Patches dropped / replaced by newer upstream versions
  xsa438.patch
  xsa439-00.patch
  xsa439-01.patch
  xsa439-02.patch
  xsa439-03.patch
  xsa439-04.patch
  xsa439-05.patch
  xsa439-06.patch
  xsa439-07.patch
  xsa439-08.patch
  xsa439-09.patch
  xsa442.patch
  xsa443-01.patch
  xsa443-02.patch
  xsa443-03.patch
  xsa443-04.patch
  xsa443-05.patch
  xsa443-06.patch
  xsa443-07.patch
  xsa443-08.patch
  xsa443-09.patch
  xsa443-10.patch
  xsa443-11.patch
  xsa444-1.patch
  xsa444-2.patch

- bsc#1215744 - VUL-0: CVE-2023-34323: xen: xenstored: A
  transaction conflict can crash C Xenstored (XSA-440)
  xsa440.patch
- bsc#1215746 - VUL-0: CVE-2023-34326: xen: x86/AMD: missing IOMMU
  TLB flushing (XSA-442)
  xsa442.patch
- bsc#1215747 - VUL-0: CVE-2023-34325: xen: Multiple
  vulnerabilities in libfsimage disk handling (XSA-443)
  xsa443-01.patch
  xsa443-02.patch
  xsa443-03.patch
  xsa443-04.patch
  xsa443-05.patch
  xsa443-06.patch
  xsa443-07.patch
  xsa443-08.patch
  xsa443-09.patch
  xsa443-10.patch
  xsa443-11.patch
- bsc#1215748 - VUL-0: CVE-2023-34327,CVE-2023-34328: xen: x86/AMD:
  Debug Mask handling (XSA-444)
  xsa444-1.patch
  xsa444-2.patch

- bsc#1215474 - VUL-0: CVE-2023-20588: xen: AMD CPU transitional
  execution leak via division by zero (XSA-439)
  xsa439-00.patch
  xsa439-01.patch
  xsa439-02.patch
  xsa439-03.patch
  xsa439-04.patch
  xsa439-05.patch
  xsa439-06.patch
  xsa439-07.patch
  xsa439-08.patch
  xsa439-09.patch

- bsc#1215145 - VUL-0: CVE-2023-34322: xen: top-level shadow
  reference dropped too early for 64-bit PV guests (XSA-438)
  xsa438.patch

- Handle potential unaligned access to bitmap in
  libxc-sr-restore-hvm-legacy-superpage.patch
  If setting BITS_PER_LONG at once, the initial bit must be aligned
zypper
- Fix name of the bash completion script (bsc#1215007)
  In 1.14.63 the location of the bash completion script was changed
  to /usr/share/bash-completion/completions/. But the patch failed
  to also rename the completion script. The original script name
  zypper.sh is not recognized at the new location.
- Update notes about failing signature checks (bsc#1214395)
  It might be a transient issue if the server is in the midst of
  receiving new data. Retrying after a few minutes might work.
- Improve the SIGINT handler to be signal safe (bsc#1214292)
  This patch updates the SIGINT handling strategy to be signal
  safe. Meaning the signal handler will do not much more than
  setting a flag, which we are going to check in the normal program
  flow as much as possible.
- version 1.14.64