- apparmor
-
- Add update-samba-bgqd.diff to add new rule to fix 'DENIED' open on
/proc/{pid}/fd for samba-bgqd (bnc#1196850).
- Add update-usr-sbin-smbd.diff to add new rule to allow reading of
openssl.cnf (bnc#1195463).
- bind
-
- Security Fixes:
* Previously, there was no limit to the number of database lookups
performed while processing large delegations, which could be abused
to severely impact the performance of named running as a recursive
resolver. This has been fixed.
[bsc#1203614, CVE-2022-2795, bind-CVE-2022-2795.patch]
* A memory leak was fixed that could be externally triggered in the
DNSSEC verification code for the ECDSA algorithm.
[bsc#1203619, CVE-2022-38177, bind-CVE-2022-38177.patch]
* Memory leaks were fixed that could be externally triggered in the
DNSSEC verification code for the EdDSA algorithm.
[bsc#1203620, CVE-2022-38178, bind-CVE-2022-38178.patch]
- ca-certificates-mozilla
-
- Updated to 2.56 state of Mozilla SSL root CAs (bsc#1202868)
Added:
- Certainly Root E1
- Certainly Root R1
- DigiCert SMIME ECC P384 Root G5
- DigiCert SMIME RSA4096 Root G5
- DigiCert TLS ECC P384 Root G5
- DigiCert TLS RSA4096 Root G5
- E-Tugra Global Root CA ECC v3
- E-Tugra Global Root CA RSA v3
Removed:
- Hellenic Academic and Research Institutions RootCA 2011
- Updated to 2.54 state of Mozilla SSL root CAs (bsc#1199079)
Added:
- Autoridad de Certificacion Firmaprofesional CIF A62634068
- D-TRUST BR Root CA 1 2020
- D-TRUST EV Root CA 1 2020
- GlobalSign ECC Root CA R4
- GTS Root R1
- GTS Root R2
- GTS Root R3
- GTS Root R4
- HiPKI Root CA - G1
- ISRG Root X2
- Telia Root CA v2
- vTrus ECC Root CA
- vTrus Root CA
Removed:
- Cybertrust Global Root
- DST Root CA X3
- DigiNotar PKIoverheid CA Organisatie - G2
- GlobalSign ECC Root CA R4
- GlobalSign Root CA R2
- GTS Root R1
- GTS Root R2
- GTS Root R3
- GTS Root R4
- updated to 2.50 state of the Mozilla NSS Certificate store (bsc#1188006)
- Added CAs:
+ HARICA Client ECC Root CA 2021
+ HARICA Client RSA Root CA 2021
+ HARICA TLS ECC Root CA 2021
+ HARICA TLS RSA Root CA 2021
+ TunTrust Root CA
- Updated to 2.46 state of the Mozilla NSS Certificate store (bsc#1181994)
- Added new root CAs:
- NAVER Global Root Certification Authority
- Removed old root CA:
- GeoTrust Global CA
- GeoTrust Primary Certification Authority
- GeoTrust Primary Certification Authority - G3
- GeoTrust Universal CA
- GeoTrust Universal CA 2
- thawte Primary Root CA
- thawte Primary Root CA - G2
- thawte Primary Root CA - G3
- VeriSign Class 3 Public Primary Certification Authority - G4
- VeriSign Class 3 Public Primary Certification Authority - G5
- cifs-utils
-
- CVE-2022-29869: mount.cifs: fix verbose messages on option parsing
(bsc#1198976, CVE-2022-29869)
* add cifs-utils-CVE-2022-29869.patch
- cloud-regionsrv-client
-
- Follow up fix to 10.0.4 (bsc#1202706)
- While the source code was updated to support SLE Micro the spec file
was not updated for the new locations of the cache and the certs.
Update the spec file to be consistent with the code implementation.
- Update to version 10.0.5 (bsc#1201612)
- Handle exception when trying to deregister a system form the server
- Update to version 10.0.4 (bsc#1199668)
- Store the update server certs in the /etc path instead of /usr to
accomodate read only setup of SLE-Micro
- crash
-
- Fix lookup of symbol "/linux_banner"/, as in newer kernels the symbol is
placed in the .init section ('D') as opposed to the read-only section ('R').
Also make this specific to kernels >= 2.6.11. This fix is a combination of
upstream commit fce91bec and a chunk from upstream commit 9fab193e.
(bsc#1195911)
Added:
crash-Fix-the-failure-of-reporting-vmcore-and-vmlinux-do-n.patch
- ------------------------------------------------------------------
- cronie
-
- Allow to define the logger info and warning priority, fixes
jsc#SLE-24577
* run-crons
* sysconfig.cron
- curl
-
- Security fix: [bsc#1202593, CVE-2022-35252]
* Control codes in cookie denial of service
* Add curl-CVE-2022-35252.patch
- expat
-
- Security fix:
* (CVE-2022-40674, bsc#1203438) use-after-free in the doContent
function in xmlparse.c
- Added patch expat-CVE-2022-40674.patch
- gpg2
-
- Security fix [CVE-2022-34903, bsc#1201225]
- Vulnerable to status injection
- Added patch gnupg-CVE-2022-34903.patch
- icu
-
- Backport icu-CVE-2020-21913.patch: backport commit 727505bdd
from upstream, use LocalMemory for cmd to prevent use after free
(bsc#1193951 CVE-2020-21913).
- json-c
-
- Added CVE-2020-12762.patch (bsc#1171479, CVE-2020-12762)
- Added gcc7-fix.patch
- Update to upstream release 0.12.1
- Removed upstream fixed json-c-0.12-unused_variable_size.patch
- Added fix-set-but-not-used.patch
- json-c 0.12
Fixes for security issues contained in this release have been
previously patched into this package, but listed for completeness:
* Address security issues:
* CVE-2013-6371: hash collision denial of service
* CVE-2013-6370: buffer overflow if size_t is larger than int
- Further changes:
* Avoid potential overflow in json_object_get_double
* Eliminate the mc_abort() function and MC_ABORT macro.
* Make the json_tokener_errors array local. It has been deprecated for
a while, and json_tokener_error_desc() should be used instead.
* change the floating point output format to %.17g so values with
more than 6 digits show up in the output.
* Remove the old libjson.so name compatibility support. The library is
only created as libjson-c.so now and headers are only installed
into the ${prefix}/json-c directory.
* When supported by the linker, add the -Bsymbolic-functions flag.
* Make strict mode more strict:
* number must not start with 0
* no single-quote strings
* no comments
* trailing char not allowed
* only allow lowercase literals
* Added a json_object_new_double_s() convenience function to allow
an exact string representation of a double to be specified when
creating the object and use it in json_tokener_parse_ex() so
a re-serialized object more exactly matches the input.
* Add support NaN and Infinity
- packaging changes:
* json-c-hash-dos-and-overflow-random-seed-4e.patch is upstream
* Move from json-c-lfs.patch which removed warning errors and
autoconf call to json-c-0.12-unused_variable_size.patch from
upstream which fixes the warning
* except for SLE 11 where autoreconf call is required
* add licence file to main package
- kernel-azure
-
- Revert "/sysfb: Enable boot time VESA graphic mode selection (bsc#1129770)"/
This reverts commit 8d1c33d1ed3d4b198344cf4cf8763447532f6b90
since it breaks the build
- commit 253e49e
- Add CVE reference on lightnvm removal patch
modified:
- patches.drivers/lightnvm-remove-lightnvm-implemenation.patch
- commit 0412b0e
- fbdev: fb_pm2fb: Avoid potential divide by zero error (bsc#1154048)
- commit 0429966
- video: fbdev: s3fb: Check the size of screen before memset_io() (bsc#1154048)
- commit 1828312
- video: fbdev: arkfb: Check the size of screen before memset_io() (bsc#1154048)
- commit 960c031
- video: fbdev: vt8623fb: Check the size of screen before memset_io() (bsc#1154048)
- commit 8e21ba7
- video: fbdev: arkfb: Fix a divide-by-zero bug in ark_set_pixclock() (bsc#1154048)
- commit 24dad4e
- video: fbdev: sis: fix typos in SiS_GetModeID() (bsc#1154048)
- commit 3b41e99
- video: fbdev: amba-clcd: Fix refcount leak bugs (bsc#1154048)
Backporting notes:
* context changes
- commit f023a62
- Revert "/drivers/video/backlight/platform_lcd.c: add support for (bsc#1154048)
- commit 6c2117a
- sysfb: Enable boot time VESA graphic mode selection (bsc#1129770)
Backporting notes:
* context changes
* config update
- commit 8d1c33d
- Revert "/video: imsttfb: fix potential NULL pointer dereferences"/ (bsc#1129770)
- commit 015493e
- Revert "/video: hgafb: fix potential NULL pointer dereference"/ (bsc#1129770)
Backporting notes:
* test return value of ioremap() and return an error
- commit dfae32b
- char: pcmcia: synclink_cs: Fix use-after-free in mgslpc_ops
(CVE-2022-41848 bsc#1203987).
- commit 4b5f9dc
- Input: melfas_mip4 - fix return value check in mip4_probe()
(git-fixes).
- commit 327938f
- xhci: bail out early if driver can't accress host in resume
(git-fixes).
- commit 7b6647e
- blacklist.conf: no gadget mode in SLE12
- commit 4ef9a32
- blacklist.conf: breaks kABI for an issue relevant only in a minor HC
- commit 0686374
- usbnet: Fix memory leak in usbnet_disconnect() (git-fixes).
- commit 6704bc6
- explicit set MODULE_SIG_HASH in azure config (bsc#1203933)
Setting this option became mandatory in Feb 2022.
While the lack of this option did not cause issues with automated builds,
a manual osc build started to fail due to incorrect macro expansion.
- commit 6dde286
- net: mana: Add rmb after checking owner bits (git-fixes).
- commit 0c59466
- net: mana: Add the Linux MANA PF driver (bug#1201309, jsc#PED-529).
- commit 80ea4bf
- scsi: qla2xxx: Remove unused declarations for qla2xxx
(bsc#1203935).
- scsi: qla2xxx: Drop DID_TARGET_FAILURE use (bsc#1203935).
- scsi: qla2xxx: Update version to 10.02.07.900-k (bsc#1203935).
- scsi: qla2xxx: Add NVMe parameters support in Auxiliary Image
Status (bsc#1203935).
- scsi: qla2xxx: Add debugfs create/delete helpers (bsc#1203935).
- scsi: qla2xxx: Fix response queue handler reading stale packets
(bsc#1203935).
- scsi: qla2xxx: Revert "/scsi: qla2xxx: Fix response queue
handler reading stale packets"/ (bsc#1203935).
- scsi: qla2xxx: Log message "/skipping scsi_scan_host()"/ as
informational (bsc#1203935).
- scsi: qla2xxx: Avoid flush_scheduled_work() usage (bsc#1203935).
- scsi: qla2xxx: Always wait for qlt_sess_work_fn() from
qlt_stop_phase1() (bsc#1203935).
- scsi: qla2xxx: Remove unused qlt_tmr_work() (bsc#1203935).
- scsi: qla2xxx: Remove unused del_sess_list field (bsc#1203935).
- commit 6a1070c
- scsi: qla2xxx: Fix memory leak in __qlt_24xx_handle_abts()
(bsc#1203935).
- scsi: qla2xxx: Disable ATIO interrupt coalesce for quad port
ISP27XX (bsc#1203935).
- commit c812e29
- blacklist.conf: Add 1bf4580e00a2 fork,memcg: alloc_thread_stack_node needs to set tsk->stack
- commit 2a37e27
- Input: stop telling users to snail-mail Vojtech (git-fixes).
- commit d956a8c
- Input: iforce - constify usb_device_id and fix space before
'[' error (git-fixes).
- commit bfb50de
- scsi: qla2xxx: Fix memory leak in __qlt_24xx_handle_abts()
(git-fixes).
- scsi: mpt3sas: Fix use-after-free warning (git-fixes).
- scsi: lpfc: Add missing destroy_workqueue() in error path
(git-fixes).
- commit b282bf7
- USB: serial: ftdi_sio: add Belimo device ids (git-fixes).
- commit f6eaf2e
- USB: serial: option: add Quectel RM500K module support.
- commit 981a205
- USB: serial: option: add Quectel EM05-G modem (git-fixes).
- commit 3376669
- USB: serial: option: add Telit LE910Cx 0x1250 composition
(git-fixes).
- commit f8d705a
- blacklist.conf: irrelevant in our configurations
- commit c5487ee
- USB: serial: option: add support for Cinterion MV31 with new
baseline (git-fixes).
- commit ce91afd
- usb: typec: tcpci: Don't skip cleanup in .remove() on error
(git-fixes).
- commit 2a4a3b7
- usb-storage: Add ignore-residue quirk for NXP PN7462AU
(git-fixes).
- commit 4e282b8
- usb: typec: altmodes/displayport: correct pin assignment for
UFP receptacles (git-fixes).
- commit 85d64e6
- usb: dwc2: fix wrong order of phy_power_on and phy_init
(git-fixes).
- commit 63072dd
- USB: cdc-acm: Add Icom PMR F3400 support (0c26:0020)
(git-fixes).
- commit 93c7c8f
- blacklist.conf: irrelevant in our configurations
- commit 1ea4ae1
- USB: core: Prevent nested device-reset calls (git-fixes).
- commit fc09d0c
- blacklist.conf: blacklist commit 02c0cab8e734
- commit 07b2c53
- usb.h: struct usb_device: hide new member (git-fixes).
- commit 21400d8
- ALSA: pcm: oss: Fix race at SNDCTL_DSP_SYNC (CVE-2022-3303
bsc#1203769).
- Refresh patches.kabi/ALSA-pcm-oss-rw_ref-kabi-fix.patch.
- commit accf4df
- md: call __md_stop_writes in md_stop (git-fixes).
- Revert "/md-raid: destroy the bitmap after destroying the thread"/
(git-fixes).
- SUNRPC: Reinitialise the backchannel request buffers before
reuse (git-fixes).
- NFSv4.1: RECLAIM_COMPLETE must handle EACCES (git-fixes).
- md-raid10: fix KASAN warning (git-fixes).
- NFS: LOOKUP_DIRECTORY is also ok with symlinks (git-fixes).
- NFSD: Fix zero-length NFSv3 WRITEs (git-fixes).
- commit ab754e2
- blacklist.conf: 441947019138 Documentation: Add documentation for Processor MMIO Stale Data
- commit a86f7ba
- media: dvb-core: Fix UAF due to refcount races at releasing
(CVE-2022-41218 bsc#1202960).
- commit 231362a
- blacklist.conf: add several SCSI commits to black list
- commit 82ee683
- blacklist.conf: e9b6013a7ce3 x86/speculation: Update link to AMD speculation whitepaper
- commit b210a45
- media: em28xx: initialize refcount before kref_get
(CVE-2022-3239 bsc#1203552).
- commit 477c587
- powerpc: Use device_type helpers to access the node type
(bsc#1203424 ltc#199544).
- Refresh patches.suse/powerpc-numa-remove-unreachable-topology-update-code.patch.
- commit b1e0425
- powerpc/memhotplug: Make lmb size 64bit (bsc#1203424
ltc#199544).
- powerpc/drmem: Make lmb_size 64 bit (bsc#1203424 ltc#199544).
- commit 5d51965
- dm verity: set DM_TARGET_IMMUTABLE feature flag (CVE-2022-2503,
bsc#1202677).
- Refresh for the above patch added in,
blacklist.conf: remove the above patch from blaclist.conf
patches.suse/0034-dm-verity-add-check_at_most_once-option-to-only-vali.patch.
- commit 1b3d265
- dm verity: set DM_TARGET_IMMUTABLE feature flag (CVE-2022-2503,
bsc#1202677).
- commit b644c0f
- Update references:
- patches.kabi/kabi-return-type-change-of-secure_ipv-46-_port_ephem.patch
- patches.suse/secure_seq-use-the-64-bits-of-the-siphash-for-port-o.patch
- patches.suse/tcp-add-small-random-increments-to-the-source-port.patch
- patches.suse/tcp-drop-the-hash_32-part-from-the-index-calculation.patch
- patches.suse/tcp-dynamically-allocate-the-perturb-table-used-by-s.patch
- patches.suse/tcp-increase-source-port-perturb-table-to-2-16.patch
- patches.suse/tcp-resalt-the-secret-every-10-seconds.patch
- patches.suse/tcp-use-different-parts-of-the-port_offset-for-index.patch
(add CVE-2022-32296 bsc#1200288)
- commit 97c264a
- x86/bugs: Reenable retbleed=off
While for older kernels the return thunks are statically built in and
cannot be dynamically patched out, retbleed=off should still be possible
to do so that the mitigation can still be disabled on Intel who don't
use the return thunks but IBRS.
- Refresh
patches.suse/x86-bugs-Add-AMD-retbleed-boot-parameter.patch.
- Refresh patches.suse/x86-bugs-Enable-STIBP-for-JMP2RET.patch.
- commit e330fc7
- dm thin metadata: Fix use-after-free in dm_bm_set_read_only
(bsc#1203462).
- commit b3b2090
- ppc64/kdump: Limit kdump base to 512MB (bsc#1203410 ltc#199904).
- commit 39653db
- Update
patches.suse/ch-fixup-refcounting-imbalance-for-SCSI-devices.patch
(bsc#1124235), adding back Refernces lost in previous update.
- commit 47c6490
- scsi: fcoe: Embed fc_rport_priv in fcoe_rport structure
(git-fixes).
- Refresh patches.suse/scsi-libfc-handling-of-extra-kref.
- commit 27f7754
- mmc: block: fix read single on recovery logic (CVE-2022-20008
bsc#1199564).
- commit 1fdd74c
- scsi: ch: Make it possible to open a ch device multiple times
again (git-fixes).
- Refresh
patches.suse/ch-add-missing-mutex_lock-mutex_unlock-in-ch_release.patch.
- Replace/Refresh
patches.suse/ch-fixup-refcounting-imbalance-for-SCSI-devices.patch
("/scsi: ch: fixup refcounting imbalance for SCSI devices"/)
with actual upstream version of this commit, which makes it apply
correctly (it was just a "/submitted"/ version)
- commit cb2ed7c
- ftrace: Fix NULL pointer dereference in is_ftrace_trampoline
when ftrace is dead (git-fixes).
- commit 6d3bb9f
- arm64: cpufeature: Allow different PMU versions in ID_DFR0_EL1 (git-fixes)
- commit 85ce439
- blacklist.conf: ("/arm64: fix clang warning about TRAMP_VALIAS"/)
- commit a67ea91
- Refresh
patches.suse/netfilter-nf_conntrack_irc-Fix-forged-IP-logic.patch.
- commit ed06fa8
- scsi: lpfc: Check the return value of alloc_workqueue()
(git-fixes).
- scsi: sg: Allow waiting for commands to complete on removed
device (git-fixes).
- scsi: smartpqi: Fix DMA direction for RAID requests (git-fixes).
- scsi: sd: Fix Opal support (git-fixes).
- scsi: mpt3sas: Fix ioctl timeout (git-fixes).
- scsi: mpt3sas: Fix sync irqs (git-fixes).
- scsi: mpt3sas: Don't call disable_irq from IRQ poll handler
(git-fixes).
- scsi: sd: enable compat ioctls for sed-opal (git-fixes).
- scsi: sd_zbc: Fix compilation warning (git-fixes).
- Revert "/scsi: sd: Keep disk read-only when re-reading partition"/
(git-fixes).
- scsi: core: Avoid that a kernel warning appears during system
resume (git-fixes).
- scsi: core: Avoid that system resume triggers a kernel warning
(git-fixes).
- commit 2cdb167
- cifs: clean up an inconsistent indenting (bsc#1190317).
- commit 84e7187
- Update
patches.suse/mm-rmap.c-don-t-reuse-anon_vma-if-we-just-want-a-copy.patch
(git-fixes, bsc#1203098).
- commit 3881fc3
- mm: Force TLB flush for PFNMAP mappings before unlink_file_vma()
(CVE-2022-39188, bsc#1203107).
- commit 7df6276
- netfilter: nf_conntrack_irc: Tighten matching on DCC message
(CVE-2022-2663 bsc#1202097).
- netfilter: nf_conntrack_irc: Fix forged IP logic (CVE-2022-2663
bsc#1202097).
- commit 7253cd6
- fuse: limit nsec (bsc#1203126).
- commit 4695dc9
- blacklist.conf: add 2fdbb8dd0155 to blacklist
- commit 374db7c
- objtool: Track original function across branches (bsc#1202396).
- Refresh
patches.suse/objtool-clean-instruction-state-before-each-function-validation.patch.
- Refresh
patches.suse/objtool-make-bp-scratch-register-warning-more-robust.patch.
- commit d5d2614
- objtool: Don't use ignore flag for fake jumps (bsc#1202396).
- Refresh patches.suse/objtool-add-is_static_jump-helper.patch.
- commit 3c1c10e
- objtool: Add --backtrace support (bsc#1202396).
- Refresh
patches.suse/objtool-clean-instruction-state-before-each-function-validation.patch.
- commit 59346c1
- objtool: Set insn->func for alternatives (bsc#1202396).
- Refresh patches.suse/objtool-add-is_static_jump-helper.patch.
- Refresh
patches.suse/objtool-add-relocation-check-for-alternative-sections.patch.
- commit 55a9c4c
- mm/rmap: Fix anon_vma->degree ambiguity leading to double-reuse
(git-fixes, bsc#1203098).
kABI: Fix kABI after "/mm/rmap: Fix anon_vma->degree ambiguity
leading to double-reuse"/ (git-fixes, bsc#1203098).
- commit 9b79372
- mm/rmap.c: don't reuse anon_vma if we just want a copy
(git-fixes, bsc#1203098).
- commit d3fffdb
- cifs: fix the cifs_reconnect path for DFS (bsc#1190317).
- commit 8addcab
- blacklist.conf: add c5deb27895e0, as no fix is needed (problem can't occur)
- commit d29d53a
- xen/xenbus: fix return type in xenbus_file_read() (git-fixes).
- commit 7fc364d
- Update
patches.suse/x86-speculation-Add-RSB-VM-Exit-protections.patch.
- Update
patches.suse/x86-speculation-change-fill_return_buffer-to-work-with-objtool.patch.
Add missing objtool annotations from upstream commits to fix bsc#1202396.
- commit 8f6e21f
- KVM: x86: Set error code to segment selector on LLDT/LTR
non-canonical #GP (git-fixes).
- commit 3b2de9e
- KVM: x86: Mark TSS busy during LTR emulation _after_ all fault
checks (git-fixes).
- commit beb4e5a
- objtool: Allow no-op CFI ops in alternatives (bsc#1202396).
- commit df2ab3a
- objtool: Add support for intra-function calls (bsc#1202396).
- commit 72c2448
- objtool: Remove INSN_STACK (bsc#1202396).
- commit df6f4c2
- objtool: Make handle_insn_ops() unconditional (bsc#1202396).
- commit 696a729
- objtool: Rework allocating stack_ops on decode (bsc#1202396).
- commit 9614631
- objtool: Fix ORC vs alternatives (bsc#1202396).
- commit 7725f8e
- objtool: Uniquely identify alternative instruction groups
(bsc#1202396).
- commit cad8676
- objtool: Remove check preventing branches within alternative
(bsc#1202396).
- commit f556567
- objtool: Fix !CFI insn_state propagation (bsc#1202396).
- commit 7537bdc
- blacklist.conf: add dbac14a5a05f, as it would break kabi
- commit b0b1864
- objtool: Rename struct cfi_state (bsc#1202396).
- commit f1ccddb
- objtool: Support multiple stack_op per instruction
(bsc#1202396).
- commit bd1355d
- objtool: Support conditional retpolines (bsc#1202396).
- commit 7d5809e
- objtool: Convert insn type to enum (bsc#1202396).
- commit 1160056
- objtool: Rename elf_open() to prevent conflict with libelf
from elftoolchain (bsc#1202396).
- commit c167b3d
- objtool: Use Elf_Scn typedef instead of assuming struct name
(bsc#1202396).
- commit fc37030
- squashfs: fix xattr id and id lookup sanity checks
(bsc#1203013).
- commit e118d89
- squashfs: fix inode lookup sanity checks (bsc#1203013).
- commit 6748621
- rpm/kernel-source.spec.in: simplify finding of broken symlinks
"/find -xtype l"/ will report them, so use that to make the search a bit
faster (without using shell).
- commit 13bbc51
- cifs: move from strlcpy with unused retval to strscpy
(bsc#1190317).
- commit bb4c21d
- cifs: remove useless parameter 'is_fsctl' from SMB2_ioctl()
(bsc#1190317).
- commit f2b9741
- cifs: remove unused server parameter from calc_smb_size()
(bsc#1190317).
- commit c52dabc
- cifs: Do not use tcon->cfid directly, use the cfid we get from
open_cached_dir (bsc#1190317).
- commit ed7d7cd
- cifs: fix lock length calculation (bsc#1190317).
- commit 704a256
- cifs: alloc_mid function should be marked as static
(bsc#1190317).
- commit 1cd087c
- cifs: remove "/cifs_"/ prefix from init/destroy mids functions
(bsc#1190317).
- commit 7d1a646
- cifs: remove useless DeleteMidQEntry() (bsc#1190317).
- commit 39cdb6e
- cifs: remove remaining build warnings (bsc#1190317).
- commit bb9d34f
- smb2: small refactor in smb2_check_message() (bsc#1190317).
- commit 36dc5c1
- cifs: remove minor build warning (bsc#1190317).
- commit 99f07da
- cifs: remove some camelCase and also some static build warnings
(bsc#1190317).
- commit 12a6e0e
- cifs: remove unnecessary (void*) conversions (bsc#1190317).
- commit 042656d
- cifs: remove redundant initialization to variable
mnt_sign_enabled (bsc#1190317).
- commit 5f2fe58
- smb3: check xattr value length earlier (bsc#1190317).
- commit 420acb4
- mkspec: eliminate @NOSOURCE@ macro
This should be alsways used with @SOURCES@, just include the content
there.
- commit 403d89f
- kernel-source: include the kernel signature file
We assume that the upstream tarball is used for released kernels.
Then we can also include the signature file and keyring in the
kernel-source src.rpm.
Because of mkspec code limitation exclude the signature and keyring from
binary packages always - mkspec does not parse spec conditionals.
- commit e76c4ca
- kernel-binary: move @NOSOURCE@ to @SOURCES@ as in other packages
- commit 4b42fb2
- dtb: Do not include sources in src.rpm - refer to kernel-source
Same as other kernel binary packages there is no need to carry duplicate
sources in dtb packages.
- commit 1bd288c
- smb3: add trace point for SMB2_set_eof (bsc#1190317).
- commit cc50c41
- cifs: return errors during session setup during reconnects
(bsc#1190317).
- commit f26e757
- cifs: fix uninitialized pointer in error case in
dfs_cache_get_tgt_share (bsc#1190317).
- commit 2cd67ba
- cifs: skip trailing separators of prefix paths (bsc#1190317).
- commit 6ad2a16
- cifs: version operations for smb20 unneeded when legacy support
disabled (bsc#1190317).
- commit c14744a
- cifs: when extending a file with falloc we should make files
not-sparse (bsc#1190317).
- commit 722a067
- smb3: check for null tcon (bsc#1190317).
- commit 19827ce
- cifs: return the more nuanced writeback error on close()
(bsc#1190317).
- commit 21102b1
- cifs: remove repeated debug message on cifs_put_smb_ses()
(bsc#1190317).
- commit 55e93f1
- smb3: don't set rc when used and unneeded in query_info_compound
(bsc#1190317).
- commit b7a8710
- cifs: smbd: fix typo in comment (bsc#1190317).
- commit 0fd8d36
- cifs: set the CREATE_NOT_FILE when opening the directory in
use_cached_dir() (bsc#1190317).
- commit 18a7023
- cifs: check for smb1 in open_cached_dir() (bsc#1190317).
- commit cebd44b
- cifs: move definition of cifs_fattr earlier in cifsglob.h
(bsc#1190317).
- commit de5bdb2
- objtool: Fix sibling call detection (bsc#1202396).
- commit 7a3804d
- objtool: Rewrite alt->skip_orig (bsc#1202396).
- commit 34b4ec9
- af_key: Do not call xfrm_probe_algs in parallel (bsc#1202898
CVE-2022-3028).
- commit e68eb5b
- Update patch reference for net rds fix (CVE-2022-21385 bsc#1202897)
- commit c9ac9a2
- Update patch reference for net rds fix (CVE-2022-21385 bsc#1202897)
- commit d995183
- usbnet: Fix linkwatch use-after-free on disconnect (git-fixes).
- commit cbbd572
- powerpc/perf: Add privileged access check for thread_imc
(FATE#322448, bsc#1054914, git-fixes).
- powerpc/perf: Fix loop exit condition in nest_imc_event_init
(FATE#322448, bsc#1054914, git-fixes).
- powerpc/perf: Return accordingly on invalid chip-id in
(FATE#322448, bsc#1054914, git-fixes).
- powerpc: Use sizeof(*foo) rather than sizeof(struct foo)
(FATE#322448, bsc#1054914, git-fixes).
- Refresh patches.suse/powerpc-powernv-Return-for-invalid-IMC-domain.patch
- commit 0095cdd
- cifs: fix signed integer overflow when fl_end is OFFSET_MAX
(bsc#1190317).
- commit ef2c03a
- SMB3: EBADF/EIO errors in rename/open caused by race condition
in smb2_compound_op (bsc#1190317).
- commit 1850f8f
- cifs: use correct lock type in cifs_reconnect() (bsc#1190317).
- commit a9f06fa
- cifs: fix NULL ptr dereference in refresh_mounts()
(bsc#1190317).
- commit 67eb87c
- cifs: Use kzalloc instead of kmalloc/memset (bsc#1190317).
- commit 60e64c6
- cifs: verify that tcon is valid before dereference in
cifs_kill_sb (bsc#1190317).
- commit 2548aaa
- cifs: potential buffer overflow in handling symlinks
(bsc#1190317).
- commit 4a3401c
- cifs: Split the smb3_add_credits tracepoint (bsc#1190317).
- commit a7766a9
- cifs: release cached dentries only if mount is complete
(bsc#1190317).
- commit 0e4cc46
- cifs: Check the IOCB_DIRECT flag, not O_DIRECT (bsc#1190317).
- commit 396d99d
- cifs: remove check of list iterator against head past the loop
body (bsc#1190317).
- commit 53771a6
- cifs: fix NULL ptr dereference in smb2_ioctl_query_info()
(bsc#1190317).
- commit 4dc7010
- cifs: prevent bad output lengths in smb2_ioctl_query_info()
(bsc#1190317).
- commit d9eafa4
- ceph: don't truncate file in atomic_open (bsc#1202830).
- commit 5d95105
- cifs: change smb2_query_info_compound to use a cached fid,
if available (bsc#1190317).
- commit 8153d9b
- cifs: convert the path to utf16 in smb2_query_info_compound
(bsc#1190317).
- commit feab50e
- cifs: we do not need a spinlock around the tree access during
umount (bsc#1190317).
- commit 3cf620b
- cifs: fix handlecache and multiuser (bsc#1190317).
- commit 61380d0
- Backport causes crashes on all arches so revert the patch until
I find the root cause
- commit 83c44b2
- cifs: modefromsids must add an ACE for authenticated users
(bsc#1190317).
- commit 33643f3
- cifs: fix double free race when mount fails in cifs_get_root()
(bsc#1190317).
- commit 96ae468
- cifs: do not use uninitialized data in the owner/group sid
(bsc#1190317).
- commit dd406c0
- cifs: fix set of group SID via NTSD xattrs (bsc#1190317).
- commit 063a3b9
- cifs: mark sessions for reconnection in helper function
(bsc#1190317).
- commit 145a355
- Fix a warning about a malformed kernel doc comment in cifs
(bsc#1190317).
- commit 5777710
- check sk_peer_cred pointer before put_cred() call
- commit 78087f4
- cifs: alloc_path_with_tree_prefix: do not append sep. if the
path is empty (bsc#1190317).
- commit 11e7725
- tpm: fix reference counting for struct tpm_chip (CVE-2022-2977
bsc#1202672).
- commit 743f12e
- net: handle kABI change in struct sock (bsc#1194535
CVE-2021-4203).
- commit c37013b
- Drop the unused function after porting on 4.12
- commit a8cf8a3
- spmi: trace: fix stack-out-of-bound access in SPMI tracing
functions (git-fixes).
- commit 977d6ab
- blacklist.conf: update blacklist
- commit 185c40c
- mvpp2: fix panic on module removal (git-fixes).
- commit 7f3079c
- mvpp2: refactor the HW checksum setup (git-fixes).
- commit 8ea5b04
- net/mlx5: Imply MLXFW in mlx5_core (git-fixes).
- commit 10e6082
- net/mlx5e: Use the inner headers to determine tc/pedit offload
limitation on decap flows (git-fixes).
- commit 9697304
- blacklist.conf: update blacklist
- commit 46ff3d0
- fuse: handle kABI change in struct sock (bsc#1194535
CVE-2021-4203).
- commit cb0be42
- af_unix: fix races in sk_peer_pid and sk_peer_cred accesses
(bsc#1194535 CVE-2021-4203).
- commit cfbed38
- SUNRPC: Fix the svc_deferred_event trace class (git-fixes).
- commit 851ec16
- tracing/uprobes: Check the return value of kstrdup() for
tu->filename (git-fixes).
- commit 8dca833
- tracepoint: Add tracepoint_probe_register_may_exist() for BPF
tracing (git-fixes).
- commit 7aa1321
- xprtrdma: Fix trace point use-after-free race (git-fixes).
- commit a8b511a
- tracing: Fix race in perf_trace_buf initialization (git-fixes).
- commit 2512414
- tracing/perf: Use strndup_user() instead of buggy open-coded
version (git-fixes).
- commit f7c4f1b
- cifs: fix FILE_BOTH_DIRECTORY_INFO definition (bsc#1190317).
- commit 2dd27f0
- cifs: move superblock magic defitions to magic.h (bsc#1190317).
- commit ec6873e
- cifs: Fix smb311_update_preauth_hash() kernel-doc comment
(bsc#1190317).
- commit c2c268e
- cifs: sanitize multiple delimiters in prepath (bsc#1190317).
- commit f5d8a69
- cifs: fix ntlmssp auth when there is no key exchange
(bsc#1190317).
- commit 0965ebd
- USB: serial: io_ti: add Agilent E5805A support (git-fixes).
- commit ea690c7
- USB: new quirk for Dell Gen 2 devices (git-fixes).
- commit 73ad842
- usb: misc: fix improper handling of refcount in uss720_probe()
(git-fixes).
- commit 7d782ba
- Revert "/USB: xhci: fix U1/U2 handling for hardware with
XHCI_INTEL_HOST quirk set"/ (git-fixes).
- commit 7bb63b3
- add Kirk Allan as branch maintainer
- commit 9600c20
- blacklist.conf: cleanup designed to break kABI
- commit d77a5a8
- blacklist.conf: cleanup on a minor driver that would require a kABI fixup
- commit 4b84bde
- blacklist.conf: optimization on a minor driver that would require a kABI fixup
- commit ab46ac0
- blacklist.conf: driver only introduced in v4.14
- commit c8efaee
- blacklist.conf: for an architecture unsupported on SLE12
- commit e27f3be
- blacklist.conf: irrelevant in our config
- commit cca8fdf
- blacklist.conf: subsystem the patch is for is introduced only in v4.13
- commit 94d5cd2
- squashfs: add more sanity checks in id lookup (git-fixes).
- commit 0993c72
- squashfs: add more sanity checks in inode lookup (git-fixes).
- commit 5e5b6f8
- squashfs: add more sanity checks in xattr id lookup (git-fixes).
- commit acc3d9a
- phy: tegra: fix device-tree node lookups (git-fixes).
- commit 8650336
- squashfs: fix divide error in calculate_skip() (git-fixes).
- commit f2d03b6
- blacklist.conf: very likely to cause regressions
- commit 857d8cc
- powerpc/xive: Fix refcount leak in xive_get_max_prio
(fate#322438 git-fixess).
- commit 6f2e0e1
- powerpc: Enable execve syscall exit tracepoint (bsc#1065729).
- commit ccc3683
- powerpc: define get_cycles macro for arch-override
(bsc#1065729).
- commit db10d90
- blacklist.conf: Add 235cee162459 KVM: PPC: Tick accounting should defer vtime accounting 'til after IRQ handling
- commit c398028
- net_sched: cls_route: disallow handle of 0 (bsc#1202393).
- net_sched: cls_route: remove from list when handle is 0
(CVE-2022-2588 bsc#1202096).
- commit 05c19f7
- KVM: PPC: Book3S HV: Context tracking exit guest context before
enabling irqs (bsc#1065729).
- commit d7f9277
- usbnet: smsc95xx: Fix deadlock on runtime resume (git-fixes).
- commit 2e356ce
- blacklist.conf: later reverted upstream
- commit a099951
- ipheth: fix EOVERFLOW in ipheth_rcvbulk_callback (git-fixes).
- commit 202a421
- Revert "/r8152: adjust the settings about MAC clock speed down
for RTL8153"/ (git-fixes).
- commit 893a9a7
- net: usb: lan78xx: Connect PHY before registering MAC
(git-fixes).
- commit d406530
- blacklist.conf: misattributed
- commit 113cb73
- lightnvm: Remove lightnvm implemenation (bsc#1191881 bsc#1201420
ZDI-CAN-17325).
- commit 30cd9be
- xfs: check sb_meta_uuid for dabuf buffer recovery (bsc#1202577).
- commit ea9c6cd
- ext4: make sure ext4_append() always allocates new block
(bsc#1198577 CVE-2022-1184).
- commit bc8c541
- ext4: check if directory block is within i_size (bsc#1198577
CVE-2022-1184).
- commit b9efa04
- ext4: Fix check for block being out of directory size
(bsc#1198577 CVE-2022-1184).
- commit be40637
- btrfs: do not do preemptive flushing if the majority is global rsv (bsc#1202528).
- commit e115339
- btrfs: reduce the preemptive flushing threshold to 90% (bsc#1202528).
- commit f4a62aa
- 9p: migrate from sync_inode to filemap_fdatawrite_wbc (bsc#1202528).
- commit bfdf1f9
- btrfs: use the filemap_fdatawrite_wbc helper for delalloc shrinking (bsc#1202528).
- commit a4caa5b
- fs: add a filemap_fdatawrite_wbc helper (bsc#1202528).
- commit eedfc1d
- btrfs: wait on async extents when flushing delalloc (bsc#1202528).
- commit 0d074a5
- btrfs: use delalloc_bytes to determine flush amount for shrink_delalloc (bsc#1202528).
- commit 83cf4e8
- btrfs: enable a tracepoint when we fail tickets (bsc#1202528).
- commit b1b7482
- Fix releasing of old bundles in xfrm_bundle_lookup()
(bsc#1201264 bsc#1190397 bsc#1199617).
- commit bc50d6c
- btrfs: include delalloc related info in dump space info tracepoint (bsc#1202528).
- commit 41ed5ae
- btrfs: wake up async_delalloc_pages waiters after submit (bsc#1202528).
- commit 7ff1a2f
- cxgb4vf: update kernel-doc line comments (git-fixes).
- commit 86bb074
- cxgb4: update kernel-doc line comments (git-fixes).
- commit 54c720b
- cxgb4: fix endian conversions for L4 ports in filters
(git-fixes).
- commit aa42e53
- cxgb4: parse TC-U32 key values and masks natively (git-fixes).
- commit dc23e3b
- cxgb4: move handling L2T ARP failures to caller (git-fixes).
- commit b83d2bf
- blacklist.conf: update blacklist
- commit 8032df7
- blacklist.conf: update blacklist
- commit aea5602
- btrfs: rip out btrfs_space_info::total_bytes_pinned (bsc#1202528).
- Delete
patches.suse/btrfs-dump_space_info-when-encountering-total_bytes_pinned-0-at-umount.patch.
- commit 354153b
- qed: fix kABI in qed_rdma_create_qp_in_params (git-fixes).
- commit 68811a9
- btrfs: rip the first_ticket_bytes logic from fail_all_tickets (bsc#1202528).
- commit d9b864b
- qed: Add EDPM mode type for user-fw compatibility (git-fixes).
- commit a73dbd4
- btrfs: remove FLUSH_DELAYED_REFS from data ENOSPC flushing (bsc#1202528).
- commit 60db43c
- btrfs: rip out may_commit_transaction (bsc#1202528).
- Refresh
patches.suse/btrfs-handle-preemptive-delalloc-flushing-slightly-differently.patch.
- commit c5ab5f9
- btrfs: use percpu_read_positive instead of sum_positive for need_preempt (bsc#1202528).
- Refresh
patches.suse/btrfs-only-ignore-delalloc-if-delalloc-is-much-smaller-than-ordered.patch.
- commit 59f31f6
- btrfs: handle preemptive delalloc flushing slightly differently (bsc#1202528).
- commit f7a119e
- btrfs: only ignore delalloc if delalloc is much smaller than ordered (bsc#1202528).
- commit 9a30ad9
- btrfs: don't include the global rsv size in the preemptive used amount (bsc#1202528).
- commit a265556
- btrfs: use the global rsv size in the preemptive thresh calculation (bsc#1202528).
- commit b31d6c3
- btrfs: take into account global rsv in need_preemptive_reclaim (bsc#1202528).
- commit fbc80a6
- btrfs: only clamp the first time we have to start flushing (bsc#1202528).
- commit db608fb
- btrfs: check worker before need_preemptive_reclaim (bsc#1202528).
- commit 8aab0b2
- btrfs: Convert fs_info->free_chunk_space to atomic64_t (bsc#1202528).
- Refresh
patches.suse/0006-btrfs-move-and-export-can_overcommit.patch.
- Refresh
patches.suse/0020-btrfs-do-not-account-global-reserve-in-can_overcommit.patch.
- Refresh
patches.suse/Btrfs-fix-race-between-adding-and-putting-tree-mod-s.patch.
- Refresh
patches.suse/btrfs-ensure-replaced-device-doesn-t-have-pending-chunk-allocation.patch.
- Refresh
patches.suse/btrfs-fix-btrfs_calc_reclaim_metadata_size-calculation.patch.
- commit f88ccad
- net/mlx5: Clear LAG notifier pointer after unregister
(git-fixes).
- commit d878d7c
- net: dsa: mt7530: Change the LINK bit to reflect the link status
(git-fixes).
- commit ece75a8
- net: ll_temac: Fix RX buffer descriptor handling on GFP_ATOMIC
pressure (git-fixes).
- commit 8794a66
- net: ll_temac: Fix iommu/swiotlb leak (git-fixes).
- commit 9d72e43
- net: ll_temac: Enable DMA when ready, not before (git-fixes).
- commit 3faa94c
- btrfs: add a trace class for dumping the current ENOSPC state (bsc#1202528).
- commit 9bb464a
- btrfs: adjust the flush trace point to include the source (bsc#1202528).
- commit dfed983
- btrfs: implement space clamping for preemptive flushing (bsc#1202528).
- commit fa5b783
- btrfs: simplify the logic in need_preemptive_flushing (bsc#1202528).
- commit ed57e7f
- btrfs: rework btrfs_calc_reclaim_metadata_size (bsc#1202528).
- commit 99a8046
- btrfs: check reclaim_size in need_preemptive_reclaim (bsc#1202528).
- commit efb656d
- btrfs: rename need_do_async_reclaim (bsc#1202528).
- commit f95c0ae
- btrfs: improve preemptive background space flushing (bsc#1202528).
- commit 951dafe
- btrfs: introduce a FORCE_COMMIT_TRANS flush operation (bsc#1202528).
- commit f16f950
- btrfs: add a trace point for reserve tickets (bsc#1202528).
- commit ac2920d
- btrfs: make flush_space take a enum btrfs_flush_state instead of int (bsc#1202528).
- commit 5a1a4e8
- ata: libata: add qc->flags in ata_qc_complete_template
tracepoint (git-fixes).
- commit 8897145
- blacklist.conf: not-relevant cleanups for drivers/char/random
- commit 4551df9
- net: sock: tracing: Fix sock_exceed_buf_limit not to dereference
stale pointer (git-fixes).
- commit 8449873
- PCI: dwc: Deallocate EPC memory on dw_pcie_ep_init() errors
(git-fixes).
- crypto: inside-secure - Add missing MODULE_DEVICE_TABLE for of
(git-fixes).
- crypto: arm64/gcm - Select AEAD for GHASH_ARM64_CE (git-fixes).
- ACPI: CPPC: Do not prevent CPPC from working in the future
(git-fixes).
- drivers/perf: arm_spe: Fix consistency of SYS_PMSCR_EL1.CX
(git-fixes).
- commit ce1e4d8
- kabi/severities: add mlx5 internal symbols
- commit 8c6dd4b
- net: ll_temac: Add more error handling of dma_map_single()
calls (git-fixes).
- commit af7573f
- net: ll_temac: Fix support for little-endian platforms
(git-fixes).
- Refresh
patches.suse/net-ll_temac-Fix-race-condition-causing-TX-hang.patch.
- commit 12402e7
- net: ll_temac: Fix typo bug for 32-bit (git-fixes).
- commit 5bf9adc
- net: ll_temac: Fix support for 64-bit platforms (git-fixes).
- commit 5222049
- net: xilinx: replace dev_kfree_skb_irq by dev_consume_skb_irq
for drop profiles (git-fixes).
- commit e2d5d61
- net: emaclite: Simplify if-else statements (git-fixes).
- commit 43fe9bd
- net/mlx5: Fix auto group size calculation (git-fixes).
- commit f65c99f
- net: stmmac: gmac4: bitrev32 returns u32 (git-fixes).
- commit 717b8ab
- rpm/kernel-binary.spec.in: move vdso to a separate package (bsc#1202385)
We do the move only on 15.5+.
- commit 9c7ade3
- rpm/kernel-binary.spec.in: simplify find for usrmerged
The type test and print line are the same for both cases. The usrmerged
case only ignores more, so refactor it to make it more obvious.
- commit 583c9be
- xfrm: xfrm_policy: fix a possible double xfrm_pols_put()
in xfrm_bundle_lookup() (bsc#1201948 CVE-2022-36879).
- commit 6a240fe
- net/packet: fix slab-out-of-bounds access in packet_recvmsg()
(CVE-2022-20368 bsc#1202346).
- commit bcc8988
- media: v4l2-mem2mem: Apply DST_QUEUE_OFF_BASE on MMAP buffers
across ioctls (bsc#1202347 CVE-2022-20369).
- commit 0cf8c8f
- iommu/vt-d: avoid invalid memory access via node_online(NUMA_NO_NODE) (git-fixes).
- commit 832ae90
- scsi: smartpqi: set force_blk_mq=1.(bsc#1179310)
- commit 10f3936
- Update metadata references
- commit 7183678
- md/bitmap: don't set sb values if can't pass sanity check
(bsc#1197158).
- commit 34e4bcc
- x86/speculation: Add LFENCE to RSB fill sequence (bsc#1201726
CVE-2022-26373).
- commit a207cec
- x86/speculation: Add RSB VM Exit protections (bsc#1201726
CVE-2022-26373).
- commit 30ef9f9
- Move kABI patches to kABI section.
- commit a80bab0
- powerpc: powernv: kABI: add back powernv_get_random_long
(bsc#1065729).
- commit 3080872
- powerpc/powernv: rename remaining rng powernv_ functions to pnv_
(bsc#1065729).
- powerpc/powernv: delay rng platform device creation until
later in boot (bsc#1065729).
- commit 869d405
- md-raid: destroy the bitmap after destroying the thread
(git-fixes).
- SUNRPC: Fix READ_PLUS crasher (git-fixes).
- dm raid: fix KASAN warning in raid5_add_disks (git-fixes).
- pNFS: Don't keep retrying if the server replied
NFS4ERR_LAYOUTUNAVAILABLE (git-fixes).
- commit 3bc259d
- powerpc/powernv/kvm: Use darn for H_RANDOM on Power9
(bsc#1065729).
- powerpc/powernv: Avoid crashing if rng is NULL (bsc#1065729).
- commit 42e06ba
- KVM: nVMX: Set UMIP bit CR4_FIXED1 MSR when emulating UMIP
(bsc#1120716).
- commit ce36184
- powerpc/powernv: wire up rng during setup_arch (bsc#1065729).
- powerpc/pseries: wire up rng during setup_arch() (bsc#1065729).
- Refresh patches.suse/powerpc-64s-rename-pnv-pseries_setup_rfi_flush-to-_s.patch
- powerpc/powernv: Staticify functions without prototypes
(bsc#1065729).
- powerpc/powernv: Use darn instruction for get_random_seed()
on Power9 (bsc#1065729).
- commit 4e67aee
- xfs: fix NULL pointer dereference in xfs_getbmap() (git-fixes).
- commit 9ad699f
- KVM: arm64: Avoid setting the upper 32 bits of TCR_EL2 and CPTR_EL2 (bsc#1201442)
- commit a44d410
- x86/speculation: Fill RSB on vmexit for IBRS (bsc#1201726
CVE-2022-26373).
- commit 8e898cd
- x86/speculation: Change FILL_RETURN_BUFFER to work with objtool
(bsc#1201726 CVE-2022-26373).
- commit 9388584
- net/sched: cls_u32: fix netns refcount changes in u32_change()
(CVE-2022-29581 bsc#1199665).
- commit 944805b
- openvswitch: fix OOB access in reserve_sfa_size() (CVE-2022-2639
bsc#1202154).
- commit 0d36370
- ipv4: avoid using shared IP generator for connected sockets
(CVE-2020-36516 bsc#1196616).
- ipv4: tcp: send zero IPID in SYNACK messages (CVE-2020-36516
bsc#1196616).
- commit df5e606
- blacklist.conf: Relatively high risk of unexpected performance change
- commit 58f819d
- blacklist.conf: Many dependencies with relatively high risk of unexpected performance change
- commit 56dc959
- Fix parsing of rpm/macros.kernel-source on SLE12 (bsc#1201019).
- commit 9816878
- xfs: always free inline data before resetting inode fork during
ifree (bsc#1202017).
- commit 89a46fc
- blacklist.conf: remove 98c4f78dcdd8 from blacklist
This is a required fix, as 43518812d2 was backported.
- commit 62ac6c4
- blacklist.conf: Add fadump commits introducing boot_mem_top
bec53196adf4 powerpc/fadump: add support to preserve crash data on FADUMP disabled kernel
7dee93a9a880 powerpc/fadump: support holes in kernel boot memory area
The current fadump code in 4.12 kernel does not support bootmem holes.
If these commits are backported the current backports need review for
use of boot_memory_size instead of boot_mem_top
- commit 66afc75
- powerpc/fadump: fix PT_LOAD segment for boot memory area
(bsc#1103269 ltc#169948 git-fixes).
- powerpc/fadump: make crash memory ranges array allocation
generic (bsc#1103269 ltc#169948 git-fixes).
- Refresh patches.suse/powerpc-fadump-fix-race-between-pstore-write-and-fad.patch
- commit 2607c5c
- blacklist.conf: Append 'drm/amdgpu/acp: Make PM domain really work'
- commit 5d0cbbf
- blacklist.conf: Append 'drm: mxsfb: Clear FIFO_CLEAR bit'
- commit a9d2273
- blacklist.conf: Append 'drm: mxsfb: Increase number of outstanding requests on V4 and newer HW'
- commit eb95663
- blacklist.conf: Append 'drm: mxsfb: Enable recovery on underflow'
- commit 5c872c1
- blacklist.conf: Append 'drm/i915/display: Fix the 12 BPC bits for PIPE_MISC reg'
- commit 9af6ddf
- blacklist.conf: Append 'drm/radeon: Fix off-by-one power_state index heap overwrite'
- commit 0f57ec5
- blacklist.conf: Append 'drm/radeon: Avoid power table parsing memory leaks'
- commit 2212d5c
- blacklist.conf: Append 'amdgpu: fix GEM obj leak in amdgpu_display_user_framebuffer_create'
- commit 6d1e3d5
- blacklist.conf: Append 'drm/radeon: Fix a missing check bug in radeon_dp_mst_detect()'
- commit 5ae4891
- blacklist.conf: Append 'Fix misc new gcc warnings'
- commit ba680f8
- blacklist.conf: Append 'drm/vc4: crtc: Reduce PV fifo threshold on hvs4'
- commit 6465ff9
- blacklist.conf: Append 'drm/amdgpu: check alignment on CPU page for bo map'
- commit 11881ba
- blacklist.conf: Append 'drm/amdgpu: fix offset calculation in amdgpu_vm_bo_clear_mappings()'
- commit 06bd647
- blacklist.conf: Append 'drm/i915: Fix the GT fence revocation runtime PM logic'
- commit 278dbb6
- blacklist.conf: Append 'drm/i915/dsi: Use unconditional msleep for the panel_on_delay when there is no reset-deassert MIPI-sequence'
- commit 46e7a2f
- blacklist.conf: Append 'drm/i915/dp: Track pm_qos per connector'
- commit 1a3ef34
- blacklist.conf: Append 'drm/i915: Avoid mixing integer types during batch copies'
- commit e361acc
- blacklist.conf: Append 'drm/i915/gem: Avoid implicit vmap for highmem on x86-32'
- commit f730816
- blacklist.conf: Append 'drm/dp_mst: Kill the second sideband tx slot, save the world'
- commit ee6a373
- blacklist.conf: Append 'drm: mst: Fix query_payload ack reply struct'
- commit 9b06dd2
- blacklist.conf: Append 'drm/i915/gen8+: Add RC6 CTX corruption WA'
- commit 7617aa6
- blacklist.conf: Append 'make 'user_access_begin()' do 'access_ok()''
- commit 36185b4
- lkdtm: Disable return thunks in rodata.c (bsc#1114648).
- commit 1db863b
- x86/retbleed: Add fine grained Kconfig knobs (bsc#1114648).
- commit c693b03
- blacklist.conf: Add ppc numa commits
e75130f20b1f powerpc/numa: Offline memoryless cpuless node 0
10f78fd0dabb powerpc/numa: Fix a regression on memoryless node 0
- commit f94fd1c
- KVM: emulate: do not adjust size of fastop and setcc subroutines
(bsc#1201930).
- commit 7c39b90
- kvm/emulate: Fix SETcc emulation function offsets with SLS
(bsc#1201930).
- commit 0c004d2
- netfilter: nf_queue: do not allow packet truncation below
transport header offset (bsc#1201940 CVE-2022-36946).
- commit 06aa700
- latent_entropy: avoid build error when plugin cflags are not
set (git-fixes).
- Refresh patches.suse/fdt-add-support-for-rng-seed.patch.
- commit 66e3bae
- block: drbd: drbd_nl: Make conversion to 'enum drbd_ret_code'
explicit (git-fixes).
- linux/random.h: Mark CONFIG_ARCH_RANDOM functions __must_check
(git-fixes).
- linux/random.h: Use false with bool (git-fixes).
- linux/random.h: Remove arch_has_random, arch_has_random_seed
(git-fixes).
- random: always fill buffer in get_random_bytes_wait (git-fixes).
- commit 4bf323f
- scsi: qla2xxx: Update version to 10.02.07.800-k (bsc#1201958).
- scsi: qla2xxx: Update manufacturer details (bsc#1201958).
- scsi: qla2xxx: Fix sparse warning for dport_data (bsc#1201651).
- scsi: qla2xxx: Fix discovery issues in FC-AL topology
(bsc#1201651).
- scsi: qla2xxx: Fix imbalance vha->vref_count (bsc#1201651).
- scsi: qla2xxx: edif: Fix dropped IKE message (bsc#1201651).
- scsi: qla2xxx: Fix response queue handler reading stale packets
(bsc#1201651).
- scsi: qla2xxx: Zero undefined mailbox IN registers
(bsc#1201651).
- scsi: qla2xxx: Fix incorrect display of max frame size
(bsc#1201958).
- scsi: qla2xxx: Check correct variable in qla24xx_async_gffid()
(bsc#1201958).
- scsi: qla2xxx: Update version to 10.02.07.700-k (bsc#1201958).
- scsi: qla2xxx: Fix erroneous mailbox timeout after PCI error
injection (bsc#1201958).
- scsi: qla2xxx: Fix losing FCP-2 targets on long port disable
with I/Os (bsc#1201958).
Refresh:
- patches.suse/revert-scsi-qla2xxx-Changes-to-support-FCP2-Target.patch
- scsi: qla2xxx: Add debug prints in the device remove path
(bsc#1201958).
- scsi: qla2xxx: Fix losing target when it reappears during delete
(bsc#1201958).
- scsi: qla2xxx: Fix losing FCP-2 targets during port perturbation
tests (bsc#1201958).
- scsi: qla2xxx: Fix crash due to stale SRB access around I/O
timeouts (bsc#1201958).
- scsi: qla2xxx: Turn off multi-queue for 8G adapters
(bsc#1201958).
- scsi: qla2xxx: Wind down adapter after PCIe error (bsc#1201958).
- scsi: qla2xxx: Add a new v2 dport diagnostic feature
(bsc#1201958).
- scsi: qla2xxx: Fix excessive I/O error messages by default
(bsc#1201958).
- scsi: qla2xxx: Update version to 10.02.07.600-k (bsc#1201958).
- scsi: qla2xxx: edif: Fix slow session teardown (bsc#1201958).
- scsi: qla2xxx: edif: Reduce N2N thrashing at app_start time
(bsc#1201958).
- scsi: qla2xxx: edif: Fix no logout on delete for N2N
(bsc#1201958).
- scsi: qla2xxx: edif: Fix session thrash (bsc#1201958).
- scsi: qla2xxx: edif: Tear down session if keys have been removed
(bsc#1201958).
- scsi: qla2xxx: edif: Fix no login after app start (bsc#1201958).
- scsi: qla2xxx: edif: Reduce disruption due to multiple app start
(bsc#1201958).
- scsi: qla2xxx: edif: Send LOGO for unexpected IKE message
(bsc#1201958).
- scsi: qla2xxx: edif: Fix I/O timeout due to over-subscription
(bsc#1201958).
- scsi: qla2xxx: Update version to 10.02.07.500-k (bsc#1201958).
- scsi: qla2xxx: edif: Fix n2n login retry for secure device
(bsc#1201958).
- scsi: qla2xxx: edif: Fix n2n discovery issue with secure target
(bsc#1201958).
- scsi: qla2xxx: edif: Remove old doorbell interface
(bsc#1201958).
- scsi: qla2xxx: edif: Add retry for ELS passthrough
(bsc#1201958).
- scsi: qla2xxx: edif: Synchronize NPIV deletion with
authentication application (bsc#1201958).
- scsi: qla2xxx: edif: Fix potential stuck session in sa update
(bsc#1201958).
- scsi: qla2xxx: edif: Add bsg interface to read doorbell events
(bsc#1201958).
- scsi: qla2xxx: edif: Wait for app to ack on sess down
(bsc#1201958).
- scsi: qla2xxx: edif: bsg refactor (bsc#1201958).
- scsi: qla2xxx: edif: Reduce Initiator-Initiator thrashing
(bsc#1201958).
- scsi: qla2xxx: Remove unused 'ql_dm_tgt_ex_pct' parameter
(bsc#1201958).
- scsi: qla2xxx: Remove setting of 'req' and 'rsp' parameters
(bsc#1201958).
- commit a8936d6
- Drop qla2xxx patch which prevented nvme port discovery
(bsc#1200651 bsc#1200644 bsc#1201954 bsc#1201958)
Upstream fixed the problem by reverting the offending commit.
Delete:
- patches.suse/scsi-qla2xxx-Fix-disk-failure-to-rediscover.patch.
- commit 452db23
- scsi: lpfc: Address NULL pointer dereference after
starget_to_rport() (git-fixes).
- commit 996de99
- net: ethernet: aeroflex: fix UAF in greth_of_remove (git-fixes).
- commit 5f1b81f
- ehea: fix error return code in ehea_restart_qps() (git-fixes).
- commit 8656e81
- net: xilinx_emaclite: Do not print real IOMEM pointer
(git-fixes).
- commit 1032862
- mvpp2: suppress warning (git-fixes).
- commit 163d5b9
- net: ethernet: fix potential use-after-free in ec_bhf_remove
(git-fixes).
- commit 08e620e
- net: hamradio: fix memory leak in mkiss_close (git-fixes).
- commit d5b5550
- net: fec_ptp: add clock rate zero check (git-fixes).
- commit 4e39a7a
- netxen_nic: Fix an error handling path in 'netxen_nic_probe()'
(git-fixes).
- commit 5a1c833
- qlcnic: Fix an error handling path in 'qlcnic_probe()'
(git-fixes).
- commit 70491b7
- net: stmmac: dwmac1000: Fix extended MAC address registers
definition (git-fixes).
- commit 0a365bd
- net: mdio: octeon: Fix some double free issues (git-fixes).
- commit 770566f
- net: mdio: thunder: Fix a double free issue in the .remove
function (git-fixes).
- commit 77a03ff
- net: fec: fix the potential memory leak in fec_enet_init()
(git-fixes).
- commit 3c37ef9
- net: fec: check DMA addressing limitations (git-fixes).
- commit 994eea1
- net: dsa: bcm_sf2: Qualify phydev->dev_flags based on port
(git-fixes).
- commit c9228da
- net: stmmac: fix incorrect DMA channel intr enable setting of
EQoS v4.10 (git-fixes).
- commit 2b936dd
- Refresh
patches.suse/x86-prepare-asm-files-for-straight-line-speculation.patch.
- commit c149c1b
- Remove our homegrown IBRS implementation
... now that there's an upstream version.
- x86/entry: Add kernel IBRS implementation (bsc#1199657
CVE-2022-29900 CVE-2022-29901).
- Refresh
patches.suse/intel_idle-Disable-IBRS-during-long-idle.patch.
- Refresh
patches.suse/x86-bugs-Optimize-SPEC_CTRL-MSR-writes.patch.
- Refresh
patches.suse/x86-speculation-Add-spectre_v2-ibrs-option-to-support-Kern.patch.
- Delete
patches.suse/x86-enter-Create-macros-to-restrict-unrestrict-Indir.patch.
- Delete
patches.suse/x86-enter-Use-IBRS-on-syscall-and-interrupts.patch.
- Delete
patches.suse/x86-entry-Add-kernel-IBRS-implementation.patch.
- Delete
patches.suse/x86-speculation-Add-basic-IBRS-support-infrastructur.patch.
- Delete
patches.suse/x86-speculation-Add-inlines-to-control-Indirect-Bran.patch.
- commit 7278759
- media: saa7146: mxb: Fix a NULL pointer dereference in
mxb_attach() (git-fixes).
- commit d6ee03c
- media: dib8000: Fix a memleak in dib8000_init() (git-fixes).
- commit 2128de3
- media: uvcvideo: fix division by zero at stream start
(git-fixes).
- commit 24c7763
- blacklist.conf: cleanup breaking kABI by renames
- commit 112598f
- blacklist.conf: cleanup breaking kABI by renames
- commit 25ac149
- Bluetooth: hci_qca: Use del_timer_sync() before freeing
(git-fixes).
- commit 945069e
- blacklist.conf: misattributed patch
- commit 379c546
- bnxt_en: Re-write PCI BARs after PCI fatal error (git-fixes).
- commit 3e6c035
- net: korina: fix kfree of rx/tx descriptor array (git-fixes).
- commit acd09d7
- net: macb: mark device wake capable when "/magic-packet"/
property present (git-fixes).
- commit 674240e
- net/sonic: Fix a resource leak in an error handling path in
'jazz_sonic_probe()' (git-fixes).
- commit 0674aaf
- vrf: Fix IPv6 with qdisc and xfrm (git-fixes).
- commit 0a2458c
- net: stmmac: dwmac1000: Disable ACS if enhanced descs are not
used (git-fixes).
- commit 2e76107
- net: stmmac: Fix misuses of GENMASK macro (git-fixes).
- commit fc6700d
- kABI workaround for including mm.h in fs/sysfs/file.c
(bsc#1200598 CVE-2022-20166).
- commit fe1fe6b
- blacklist.conf: update blacklist
- commit ae741a4
- mm: and drivers core: Convert hugetlb_report_node_meminfo to
sysfs_emit (bsc#1200598 CVE-2022-20166).
- commit 3d23964
- drivers core: Miscellaneous changes for sysfs_emit (bsc#1200598
CVE-2022-20166).
- commit c8e2e5b
- drivers core: Remove strcat uses around sysfs_emit and neaten
(bsc#1200598 CVE-2022-20166).
- commit 5cd9512
- drivers core: Use sysfs_emit and sysfs_emit_at for show(device
* ...) functions (bsc#1200598 CVE-2022-20166).
- commit 7554520
- sysfs: Add sysfs_emit and sysfs_emit_at to format sysfs output
(bsc#1200598 CVE-2022-20166).
- commit c5a70d7
- cxgb3/l2t: Fix undefined behaviour (git-fixes).
- commit 8076d39
- kabi/severities: add cxgb3 network driver
- commit 3a6a137
- x86/entry: Remove skip_r11rcx (bsc#1201644).
- Refresh
patches.suse/x86-entry-Add-kernel-IBRS-implementation.patch.
- commit 5efdb64
- Sort in RETbleed backport into the sorted section
Now that it is upstream...
- Refresh
patches.suse/KVM-x86-speculation-Disable-Fill-buffer-clear-within-guests.patch.
- Refresh
patches.suse/intel_idle-Disable-IBRS-during-long-idle.patch.
- Refresh
patches.suse/sched-topology-Improve-load-balancing-on-AMD-EPYC.patch.
- Refresh patches.suse/x86-Add-magic-AMD-return-thunk.patch.
- Refresh patches.suse/x86-Undo-return-thunk-damage.patch.
- Refresh patches.suse/x86-Use-return-thunk-in-asm-code.patch.
- Refresh
patches.suse/x86-bugs-Add-AMD-retbleed-boot-parameter.patch.
- Refresh patches.suse/x86-bugs-Add-retbleed-ibpb.patch.
- Refresh
patches.suse/x86-bugs-Do-IBPB-fallback-check-only-once.patch.
- Refresh
patches.suse/x86-bugs-Do-not-enable-IBPB-on-entry-when-IBPB-is-no.patch.
- Refresh patches.suse/x86-bugs-Enable-STIBP-for-JMP2RET.patch.
- Refresh
patches.suse/x86-bugs-Group-MDS-TAA-Processor-MMIO-Stale-Data-mitigations.patch.
- Refresh
patches.suse/x86-bugs-Keep-a-per-CPU-IA32_SPEC_CTRL-value.patch.
- Refresh
patches.suse/x86-bugs-Optimize-SPEC_CTRL-MSR-writes.patch.
- Refresh
patches.suse/x86-bugs-Report-AMD-retbleed-vulnerability.patch.
- Refresh
patches.suse/x86-bugs-Report-Intel-retbleed-vulnerability.patch.
- Refresh
patches.suse/x86-bugs-Split-spectre_v2_select_mitigation-and-spectre_v2.patch.
- Refresh
patches.suse/x86-common-Stamp-out-the-stepping-madness.patch.
- Refresh
patches.suse/x86-cpu-add-a-steppings-field-to-struct-x86_cpu_id.patch.
- Refresh
patches.suse/x86-cpu-add-table-argument-to-cpu_matches.patch.
- Refresh patches.suse/x86-cpu-amd-Add-Spectral-Chicken.patch.
- Refresh patches.suse/x86-cpu-amd-Enumerate-BTC_NO.patch.
- Refresh
patches.suse/x86-cpufeatures-Move-RETPOLINE-flags-to-word-11.patch.
- Refresh
patches.suse/x86-enter-Use-IBRS-on-syscall-and-interrupts.patch.
- Refresh
patches.suse/x86-entry-Add-kernel-IBRS-implementation.patch.
- Refresh
patches.suse/x86-kvm-Fix-SETcc-emulation-for-return-thunks.patch.
- Refresh
patches.suse/x86-microcode-amd-increase-microcode-patch_max_size.patch.
- Refresh patches.suse/x86-retpoline-Use-mfunction-return.patch.
- Refresh
patches.suse/x86-sev-Avoid-using-__x86_return_thunk.patch.
- Refresh
patches.suse/x86-speculation-Add-a-common-function-for-MD_CLEAR-mitigation-update.patch.
- Refresh
patches.suse/x86-speculation-Add-basic-IBRS-support-infrastructur.patch.
- Refresh
patches.suse/x86-speculation-Add-inlines-to-control-Indirect-Bran.patch.
- Refresh
patches.suse/x86-speculation-Add-spectre_v2-ibrs-option-to-support-Kern.patch.
- Refresh
patches.suse/x86-speculation-Fix-SPEC_CTRL-write-on-SMT-state-change.patch.
- Refresh
patches.suse/x86-speculation-Fix-firmware-entry-SPEC_CTRL-handling.patch.
- Refresh
patches.suse/x86-speculation-Remove-x86_spec_ctrl_mask.patch.
- Refresh
patches.suse/x86-speculation-Use-cached-host-SPEC_CTRL-value-for-guest-.patch.
- Refresh
patches.suse/x86-speculation-add-special-register-buffer-data-sampling-srbds-mitigation.patch.
- Refresh
patches.suse/x86-speculation-add-srbds-vulnerability-and-mitigation-documentation.patch.
- Refresh
patches.suse/x86-speculation-include-unprivileged-ebpf-status-in-spectre-v2-mitigation-reporting.patch.
- Refresh
patches.suse/x86-speculation-mmio-Add-mitigation-for-Processor-MMIO-Stale-Data.patch.
- Refresh
patches.suse/x86-speculation-mmio-Add-sysfs-reporting-for-Processor-MMIO-Stale-Data.patch.
- Refresh
patches.suse/x86-speculation-mmio-Enable-CPU-Fill-buffer-clearing-on-idle.patch.
- Refresh
patches.suse/x86-speculation-mmio-Enumerate-Processor-MMIO-Stale-Data-bug.patch.
- Refresh
patches.suse/x86-speculation-mmio-Reuse-SRBDS-mitigation-for-SBDS.patch.
- Refresh
patches.suse/x86-speculation-restore-speculation-related-msrs-during-s3-resume.patch.
- Refresh
patches.suse/x86-speculation-srbds-Update-SRBDS-mitigation-selection.patch.
- Refresh
patches.suse/x86-vsyscall_emu-64-Don-t-use-RET-in-vsyscall-emulation.patch.
- commit d06c642
- KABI: cgroup: Restore KABI of css_set (bsc#1201610).
- cgroup: Use separate src/dst nodes when preloading css_sets
for migration (bsc#1201610).
- commit 674875f
- random: fix crash on multiple early calls to (git-fixes)
- commit cf465a0
- vt: vt_ioctl: fix race in VT_RESIZEX (bsc#1200910
CVE-2020-36558).
- commit 3c76a1f
- vt: vt_ioctl: fix VT_DISALLOCATE freeing in-use virtual console
(bsc#1201429 CVE-2020-36557).
- commit f15e18d
- Refresh
patches.suse/x86-bugs-Do-not-enable-IBPB-on-entry-when-IBPB-is-no.patch.
- commit 7e31757
- kernel-obs-build: include qemu_fw_cfg (boo#1201705)
- commit e2263d4
- vt: drop old FONT ioctls (bsc#1201636 CVE-2021-33656).
- commit 704434f
- Refresh patches.suse/fbcon-Prevent-that-screen-size-is-smaller-than-font-.patch
Fix the build error due to missing is_console_locked()
- commit 39e2064
- Delete patches.suse/IBRS-forbid-shooting-in-foot.patch.
Backported upstream commit
7c693f54c873 ("/x86/speculation: Add spectre_v2=ibrs option to support Kernel IBRS"/)
already takes care of that.
- commit e4bbbc2
- fbmem: Check virtual screen sizes in fb_set_var()
(CVE-2021-33655 bsc#1201635).
- fbcon: Prevent that screen size is smaller than font size
(CVE-2021-33655 bsc#1201635).
- fbcon: Disallow setting font bigger than screen size
(CVE-2021-33655 bsc#1201635).
- commit c1a0922
- Delete patches.suse/x86-idle-Control-Indirect-Branch-Speculation-in-idle.patch.
Superceded by the upstream version
patches.suse/intel_idle-Disable-IBRS-during-long-idle.patch
- commit 5309cbd
- blacklist.conf: add a few patches
- commit cf91d33
- serial: mvebu-uart: correctly report configured baudrate value
(git-fixes).
- tty: serial: fsl_lpuart: fix potential bug when using both
of_alias_get_id and ida_simple_get (git-fixes).
- PCI: qcom: Fix runtime PM imbalance on probe errors (git-fixes).
- irqchip/exiu: Fix acknowledgment of edge triggered interrupts
(git-fixes).
- fsl_lpuart: Don't enable interrupts too early (git-fixes).
- arch_topology: Do not set llc_sibling if llc_id is invalid
(git-fixes).
- net: dpaa2-eth: fix use-after-free in dpaa2_eth_remove
(git-fixes).
- commit 4567918
- net: usb: qmi_wwan: add Telit 0x1070 composition (git-fixes).
- commit c9dc552
- net: usb: qmi_wwan: add Telit 0x1060 composition (git-fixes).
- commit 08341d7
- blacklist.conf: cosmetic fix
- commit 5ba3d81
- net: usb: ax88179_178a: Fix packet receiving (git-fixes).
- commit 346b0d8
- blacklist.conf: adds an uevent user space is not ready for
- commit 6ac2a70
- usbnet: fix memory leak in error case (git-fixes).
- commit f3b6abf
- usbnet: fix memory allocation in helpers.
- commit 9363858
- xen/netback: avoid entering xenvif_rx_next_skb() with an empty
rx queue (bsc#1201381).
- commit 334fe0b
- Refresh
patches.suse/crypto-qat-remove-dma_free_coherent-for-DH.patch.
revert the effect of mainline 453431a54934d917153 on patch.
- Refresh
patches.suse/crypto-qat-remove-dma_free_coherent-for-RSA.patch.
revert the effect of mainline 453431a54934d917153 on patch.
- commit 6824fa5
- crypto: qat - remove dma_free_coherent() for DH (git-fixes).
- crypto: qat - remove dma_free_coherent() for RSA (git-fixes).
- crypto: qat - fix memory leak in RSA (git-fixes).
- crypto: qat - set to zero DH parameters before free (git-fixes).
- crypto: qat - disable registration of algorithms (git-fixes).
- commit 1dda89e
- rpm/kernel-binary.spec.in: Require dwarves >= 1.22 on SLE15-SP3 or newer
Dwarves 1.22 or newer is required to build kernels with BTF information
embedded in modules.
- commit ee19e9d
- pty: do tty_flip_buffer_push without port->lock in pty_write
(bsc#1198829 CVE-2022-1462).
- commit c0b9f34
- tty: use new tty_insert_flip_string_and_push_buffer() in
pty_write() (bsc#1198829 CVE-2022-1462).
- tty: extract tty_flip_buffer_commit() from
tty_flip_buffer_push() (bsc#1198829 CVE-2022-1462).
- commit 1b70eb4
- dm mirror log: round up region bitmap size to BITS_PER_LONG
(git-fixes).
- dm crypt: make printing of the key constant-time (git-fixes).
- dm integrity: fix error code in dm_integrity_ctr() (git-fixes).
- dm stats: add cond_resched when looping over entries
(git-fixes).
- hex2bin: fix access beyond string end (git-fixes).
- hex2bin: make the function hex_to_bin constant-time (git-fixes).
- dm crypt: fix get_key_size compiler warning if !CONFIG_KEYS
(git-fixes).
- dm btree remove: fix use after free in rebalance_children()
(git-fixes).
- blk-cgroup: synchronize blkg creation against policy
deactivation (git-fixes).
- dm: fix mempool NULL pointer race when completing IO
(git-fixes).
- blk-zoned: allow BLKREPORTZONE without CAP_SYS_ADMIN
(git-fixes).
- blk-zoned: allow zone management send operations without
CAP_SYS_ADMIN (git-fixes).
- lib/hexdump.c: return -EINVAL in case of error in hex2bin()
(git-fixes).
- commit 4cd1fd7
- blacklist.conf: Update for git-fixes
- commit e740cc0
- net: ll_temac: Fix TX BD buffer overwrite (git-fixes).
- commit 1ff015f
- net: ll_temac: Fix race condition causing TX hang (git-fixes).
- commit 0c73d92
- net: ll_temac: Fix bug causing buffer descriptor overrun
(git-fixes).
- commit 2fe2e0f
- net: stmmac: fix missing IFF_MULTICAST check in
dwmac4_set_filter (git-fixes).
- commit 075d2fd
- bnxt_en: Remove the setting of dev_port (git-fixes).
- commit 1fccfbd
- blacklist.conf: update
- commit d2fcee3
- Refresh
patches.suse/v5-0001-crypto-DRBG-add-FIPS-140-2-CTRNG-for-noise-source.patch.
A modified version of the patch did make it mainline. Detected by git-fixes.
- commit 9eec360
- don't call utsname() after ->nsproxy is NULL (bsc#1201196).
- commit 2a23102
- Refresh
patches.suse/msft-hv-2588-PCI-hv-Do-not-set-PCI_COMMAND_MEMORY-to-reduce-VM-bo.patch.
Fix a build warning.
- commit 539b424
- rpm/check-for-config-changes: ignore GCC12/CC_NO_ARRAY_BOUNDS
Upstream commit f0be87c42cbd (gcc-12: disable '-Warray-bounds'
universally for now) added two new compiler-dependent configs:
* CC_NO_ARRAY_BOUNDS
* GCC12_NO_ARRAY_BOUNDS
Ignore them -- they are unset by dummy tools (they depend on gcc version
== 12), but set as needed during real compilation.
- commit a14607c
- blacklist.conf: Add 6a2d90ba027a ptrace: Reimplement PTRACE_KILL by always sending SIGKILL
- commit 22a9ddc
- kernel-binary.spec: check s390x vmlinux location
As a side effect of mainline commit edd4a8667355 ("/s390/boot: get rid of
startup archive"/), vmlinux on s390x moved from "/compressed"/ subdirectory
directly into arch/s390/boot. As the specfile is shared among branches,
check both locations and let objcopy use one that exists.
- commit cd15543
- Add missing recommends of kernel-install-tools to kernel-source-vanilla (bsc#1200442)
- commit 93b1375
- kernel-binary.spec: Support radio selection for debuginfo.
To disable debuginfo on 5.18 kernel a radio selection needs to be
switched to a different selection. This requires disabling the currently
active option and selecting NONE as debuginfo type.
- commit 43b5dd3
- Add dtb-starfive
- commit 85335b1
- blacklist.conf: Add e7f7c99ba911 signal: In get_signal test for signal_group_exit every time through the loop
- commit a90bbcf
- rpm/kernel-obs-build.spec.in: Also depend on dracut-systemd (bsc#1195775)
- commit 5d4e32c
- pahole 1.22 required for full BTF features.
also recommend pahole for kernel-source to make the kernel buildable
with standard config
- commit 364f54b
- use jobs not processors in the constraints
jobs is the number of vcpus available to the build, while processors
is the total processor count of the machine the VM is running on.
- commit a6e141d
- rpm/constraints.in: skip SLOW_DISK workers for kernel-source
- commit e84694f
- rpm/*.spec.in: remove backtick usage
- commit 87ca1fb
- rpm/kernel-obs-build.spec.in: add systemd-initrd and terminfo dracut module (bsc#1195775)
- commit d9a821b
- powerpc: Set crashkernel offset to mid of RMA region
(bsc#1190812).
- powerpc/64: Move paca allocation later in boot (bsc#1190812).
- commit b6d78fb
- rpm/kernel-obs-build.spec.in: use default dracut modules (bsc#1195926,
bsc#1198484)
Let's iron out the reduced initrd optimisation in Tumbleweed.
Build full blown dracut initrd with systemd for SLE15 SP4.
- commit ea76821
- Add dtb-microchip
- commit c797107
- rpm/kernel-source.spec.in: temporary workaround for a build failure
Upstream c6x architecture removal left a dangling link behind which
triggers openSUSE post-build check in kernel-source, failing
kernel-source build.
A fix deleting the danglink link has been submitted but it did not make
it into 5.12-rc1. Unfortunately we cannot add it as a patch as patch
utility does not handle symlink removal. Add a temporary band-aid which
deletes all dangling symlinks after unpacking the kernel source tarball.
[jslaby] It's not that temporary as we are dragging this for quite some
time in master. The reason is that this can happen any time again, so
let's have this in packaging instead.
- commit 52a1ad7
- keyutils
-
- Apply default TTL to DNS records from getaddrinfo() (upstream):
* dns-Apply-a-default-TTL-to-records-obtained-from-get.patch
- less
-
- Fix Startup terminal initialization, bsc#1200738
* bsc1200738.patch
- libcroco
-
- Add libcroco-CVE-2020-12825.patch: limit recursion in block and
any productions (boo#1171685 CVE-2020-12825).
- libgcrypt
-
- FIPS: Auto-initialize drbg if needed. [bsc#1200095]
* Add a _gcry_drbg_init() to _gcry_drbg_randomize() and to
_gcry_drbg_add_bytes() to fix a crash in FIPS mode.
* Add libgcrypt-FIPS-Autoinitialize-drbg-if-needed.patch
- libnl-1_1
-
- Fix elevation of privilege vulnerability (bsc#1020123, CVE-2017-0386).
Add: libnl-1_1-fix-elevation-of-privilege-vulnerability.patch
- libnl3
-
- Fix elevation of privilege vulnerability (bsc#1020123, CVE-2017-0386).
Add: libnl3-fix-elevation-of-privilege-vulnerability.patch
- logrotate
-
- Security fix: (bsc#1192449) related to (bsc#1191281, CVE-2021-3864)
* enforce stricter parsing to avoid CVE-2021-3864
* Added patch logrotate-enforce-stricter-parsing-and-extra-tests.patch
- Fix "/logrotate emits unintended warning: keyword size not properly
separated, found 0x3d"/ (bsc#1200278, bsc#1200802):
* Added patch logrotate-dont_warn_on_size=_syntax.patch
- mozilla-nspr
-
- update to version 4.34
* add an API that returns a preferred loopback IP on hosts that
have two IP stacks available.
- update to 4.33:
* fixes to build system and export of private symbols
- mozilla-nss
-
- update to NSS 3.79.1 (bsc#1202645)
* bmo#1366464 - compare signature and signatureAlgorithm fields in legacy certificate verifier.
* bmo#1771498 - Uninitialized value in cert_ComputeCertType.
* bmo#1759794 - protect SFTKSlot needLogin with slotLock.
* bmo#1760998 - avoid data race on primary password change.
* bmo#1330271 - check for null template in sec_asn1{d,e}_push_state.
- Update nss-fips-approved-crypto-non-ec.patch to unapprove the
rest of the DSA ciphers, keeping signature verification only
(bsc#1201298).
- Update nss-fips-constructor-self-tests.patch to fix compiler
warning.
- Update nss-fips-constructor-self-tests.patch to add on-demand
integrity tests through sftk_FIPSRepeatIntegrityCheck()
(bsc#1198980).
- Update nss-fips-approved-crypto-non-ec.patch to mark algorithms
as approved/non-approved according to security policy
(bsc#1191546, bsc#1201298).
- Update nss-fips-approved-crypto-non-ec.patch to remove hard
disabling of unapproved algorithms. This requirement is now
fulfilled by the service level indicator (bsc#1200325).
- Remove nss-fips-tls-allow-md5-prf.patch, since we no longer need
the workaround in FIPS mode (bsc#1200325).
- Remove nss-fips-tests-skip.patch. This is no longer needed since
we removed the code to short-circuit broken hashes and moved to
using the SLI.
- Remove upstreamed patches:
* nss-fips-version-indicators.patch
* nss-fips-tests-pin-paypalee-cert.patch
- update to NSS 3.79
- bmo#205717 - Use PK11_GetSlotInfo instead of raw C_GetSlotInfo calls.
- bmo#1766907 - Update mercurial in clang-format docker image.
- bmo#1454072 - Use of uninitialized pointer in lg_init after alloc fail.
- bmo#1769295 - selfserv and tstclnt should use PR_GetPrefLoopbackAddrInfo.
- bmo#1753315 - Add SECMOD_LockedModuleHasRemovableSlots.
- bmo#1387919 - Fix secasn1d parsing of indefinite SEQUENCE inside indefinite GROUP.
- bmo#1765753 - Added RFC8422 compliant TLS <= 1.2 undefined/compressed ECPointFormat extension alerts.
- bmo#1765753 - TLS 1.3 Server: Send protocol_version alert on unsupported ClientHello.legacy_version.
- bmo#1764788 - Correct invalid record inner and outer content type alerts.
- bmo#1757075 - NSS does not properly import or export pkcs12 files with large passwords and pkcs5v2 encoding.
- bmo#1766978 - improve error handling after nssCKFWInstance_CreateObjectHandle.
- bmo#1767590 - Initialize pointers passed to NSS_CMSDigestContext_FinishMultiple.
- bmo#1769302 - NSS 3.79 should depend on NSPR 4.34
- update to NSS 3.78.1
* bmo#1767590 - Initialize pointers passed to
NSS_CMSDigestContext_FinishMultiple
- update to NSS 3.78
bmo#1755264 - Added TLS 1.3 zero-length inner plaintext checks and tests, zero-length record/fragment handling tests.
bmo#1294978 - Reworked overlong record size checks and added TLS1.3 specific boundaries.
bmo#1763120 - Add ECH Grease Support to tstclnt
bmo#1765003 - Add a strict variant of moz::pkix::CheckCertHostname.
bmo#1166338 - Change SSL_REUSE_SERVER_ECDHE_KEY default to false.
bmo#1760813 - Make SEC_PKCS12EnableCipher succeed
bmo#1762489 - Update zlib in NSS to 1.2.12.
- update to NSS 3.77
* Bug 1762244 - resolve mpitests build failure on Windows.
* bmo#1761779 - Fix link to TLS page on wireshark wiki
* bmo#1754890 - Add two D-TRUST 2020 root certificates.
* bmo#1751298 - Add Telia Root CA v2 root certificate.
* bmo#1751305 - Remove expired explicitly distrusted certificates
from certdata.txt.
* bmo#1005084 - support specific RSA-PSS parameters in mozilla::pkix
* bmo#1753535 - Remove obsolete stateEnd check in SEC_ASN1DecoderUpdate.
* bmo#1756271 - Remove token member from NSSSlot struct.
* bmo#1602379 - Provide secure variants of mpp_pprime and mpp_make_prime.
* bmo#1757279 - Support UTF-8 library path in the module spec string.
* bmo#1396616 - Update nssUTF8_Length to RFC 3629 and fix buffer overrun.
* bmo#1760827 - Add a CI Target for gcc-11.
* bmo#1760828 - Change to makefiles for gcc-4.8.
* bmo#1741688 - Update googletest to 1.11.0
* bmo#1759525 - Add SetTls13GreaseEchSize to experimental API.
* bmo#1755264 - TLS 1.3 Illegal legacy_version handling/alerts.
* bmo#1755904 - Fix calculation of ECH HRR Transcript.
* bmo#1758741 - Allow ld path to be set as environment variable.
* bmo#1760653 - Ensure we don't read uninitialized memory in ssl gtests.
* bmo#1758478 - Fix DataBuffer Move Assignment.
* bmo#1552254 - internal_error alert on Certificate Request with
sha1+ecdsa in TLS 1.3
* bmo#1755092 - rework signature verification in mozilla::pkix
- Require nss-util in nss.pc and subsequently remove -lnssutil3
- update to NSS 3.76.1
NSS 3.76.1
* bmo#1756271 - Remove token member from NSSSlot struct.
NSS 3.76
* bmo#1755555 - Hold tokensLock through nssToken_GetSlot calls in
nssTrustDomain_GetActiveSlots.
* bmo#1370866 - Check return value of PK11Slot_GetNSSToken.
* bmo#1747957 - Use Wycheproof JSON for RSASSA-PSS
* bmo#1679803 - Add SHA256 fingerprint comments to old
certdata.txt entries.
* bmo#1753505 - Avoid truncating files in nss-release-helper.py.
* bmo#1751157 - Throw illegal_parameter alert for illegal extensions
in handshake message.
- Add nss-util pkgconfig and config files (copied from RH/Fedora)
- update to NSS 3.75
* bmo#1749030 - This patch adds gcc-9 and gcc-10 to the CI.
* bmo#1749794 - Make DottedOIDToCode.py compatible with python3.
* bmo#1749475 - Avoid undefined shift in SSL_CERT_IS while fuzzing.
* bmo#1748386 - Remove redundant key type check.
* bmo#1749869 - Update ABI expectations to match ECH changes.
* bmo#1748386 - Enable CKM_CHACHA20.
* bmo#1747327 - check return on NSS_NoDB_Init and NSS_Shutdown.
* bmo#1747310 - real move assignment operator.
* bmo#1748245 - Run ECDSA test vectors from bltest as part of the CI tests.
* bmo#1743302 - Add ECDSA test vectors to the bltest command line tool.
* bmo#1747772 - Allow to build using clang's integrated assembler.
* bmo#1321398 - Allow to override python for the build.
* bmo#1747317 - test HKDF output rather than input.
* bmo#1747316 - Use ASSERT macros to end failed tests early.
* bmo#1747310 - move assignment operator for DataBuffer.
* bmo#1712879 - Add test cases for ECH compression and unexpected
extensions in SH.
* bmo#1725938 - Update tests for ECH-13.
* bmo#1725938 - Tidy up error handling.
* bmo#1728281 - Add tests for ECH HRR Changes.
* bmo#1728281 - Server only sends GREASE HRR extension if enabled
by preference.
* bmo#1725938 - Update generation of the Associated Data for ECH-13.
* bmo#1712879 - When ECH is accepted, reject extensions which were
only advertised in the Outer Client Hello.
* bmo#1712879 - Allow for compressed, non-contiguous, extensions.
* bmo#1712879 - Scramble the PSK extension in CHOuter.
* bmo#1712647 - Split custom extension handling for ECH.
* bmo#1728281 - Add ECH-13 HRR Handling.
* bmo#1677181 - Client side ECH padding.
* bmo#1725938 - Stricter ClientHelloInner Decompression.
* bmo#1725938 - Remove ECH_inner extension, use new enum format.
* bmo#1725938 - Update the version number for ECH-13 and adjust
the ECHConfig size.
- update to NSS 3.74
* bmo#966856 - mozilla::pkix: support SHA-2 hashes in CertIDs in
OCSP responses
* bmo#1553612 - Ensure clients offer consistent ciphersuites after HRR
* bmo#1721426 - NSS does not properly restrict server keys based on policy
* bmo#1733003 - Set nssckbi version number to 2.54
* bmo#1735407 - Replace Google Trust Services LLC (GTS) R4 root certificate
* bmo#1735407 - Replace Google Trust Services LLC (GTS) R3 root certificate
* bmo#1735407 - Replace Google Trust Services LLC (GTS) R2 root certificate
* bmo#1735407 - Replace Google Trust Services LLC (GTS) R1 root certificate
* bmo#1735407 - Replace GlobalSign ECC Root CA R4
* bmo#1733560 - Remove Expired Root Certificates - DST Root CA X3
* bmo#1740807 - Remove Expiring Cybertrust Global Root and GlobalSign root
certificates
* bmo#1741930 - Add renewed Autoridad de Certificacion Firmaprofesional
CIF A62634068 root certificate
* bmo#1740095 - Add iTrusChina ECC root certificate
* bmo#1740095 - Add iTrusChina RSA root certificate
* bmo#1738805 - Add ISRG Root X2 root certificate
* bmo#1733012 - Add Chunghwa Telecom's HiPKI Root CA - G1 root certificate
* bmo#1738028 - Avoid a clang 13 unused variable warning in opt build
* bmo#1735028 - Check for missing signedData field
* bmo#1737470 - Ensure DER encoded signatures are within size limits
- enable key logging option (boo#1195040)
- update to NSS 3.73.1:
* Add SHA-2 support to mozilla::pkix's OSCP implementation
- update to NSS 3.73
* bmo#1735028 - check for missing signedData field.
* bmo#1737470 - Ensure DER encoded signatures are within size limits.
* bmo#1729550 - NSS needs FiPS 140-3 version indicators.
* bmo#1692132 - pkix_CacheCert_Lookup doesn't return cached certs
* bmo#1738600 - sunset Coverity from NSS
MFSA 2021-51 (bsc#1193170)
* CVE-2021-43527 (bmo#1737470)
Memory corruption via DER-encoded DSA and RSA-PSS signatures
- update to NSS 3.72
* Remove newline at the end of coreconf.dep
* bmo#1731911 - Fix nsinstall parallel failure.
* bmo#1729930 - Increase KDF cache size to mitigate perf
regression in about:logins
- update to NSS 3.71
* bmo#1717716 - Set nssckbi version number to 2.52.
* bmo#1667000 - Respect server requirements of tlsfuzzer/test-tls13-signature-algorithms.py
* bmo#1373716 - Import of PKCS#12 files with Camellia encryption is not supported
* bmo#1717707 - Add HARICA Client ECC Root CA 2021.
* bmo#1717707 - Add HARICA Client RSA Root CA 2021.
* bmo#1717707 - Add HARICA TLS ECC Root CA 2021.
* bmo#1717707 - Add HARICA TLS RSA Root CA 2021.
* bmo#1728394 - Add TunTrust Root CA certificate to NSS.
- update to NSS 3.70
* bmo#1726022 - Update test case to verify fix.
* bmo#1714579 - Explicitly disable downgrade check in TlsConnectStreamTls13.EchOuterWith12Max
* bmo#1714579 - Explicitly disable downgrade check in TlsConnectTest.DisableFalseStartOnFallback
* bmo#1681975 - Avoid using a lookup table in nssb64d.
* bmo#1724629 - Use HW accelerated SHA2 on AArch64 Big Endian.
* bmo#1714579 - Change default value of enableHelloDowngradeCheck to true.
* bmo#1726022 - Cache additional PBE entries.
* bmo#1709750 - Read HPKE vectors from official JSON.
- Update to NSS 3.69.1
* bmo#1722613 (Backout) - Disable DTLS 1.0 and 1.1 by default
* bmo#1720226 (Backout) - integrity checks in key4.db not happening
on private components with AES_CBC
NSS 3.69
* bmo#1722613 - Disable DTLS 1.0 and 1.1 by default (backed out again)
* bmo#1720226 - integrity checks in key4.db not happening on private
components with AES_CBC (backed out again)
* bmo#1720235 - SSL handling of signature algorithms ignores
environmental invalid algorithms.
* bmo#1721476 - sqlite 3.34 changed it's open semantics, causing
nss failures.
(removed obsolete nss-btrfs-sqlite.patch)
* bmo#1720230 - Gtest update changed the gtest reports, losing gtest
details in all.sh reports.
* bmo#1720228 - NSS incorrectly accepting 1536 bit DH primes in FIPS mode
* bmo#1720232 - SQLite calls could timeout in starvation situations.
* bmo#1720225 - Coverity/cpp scanner errors found in nss 3.67
* bmo#1709817 - Import the NSS documentation from MDN in nss/doc.
* bmo#1720227 - NSS using a tempdir to measure sql performance not active
- add nss-fips-stricter-dh.patch
- updated existing patches with latest SLE
- Update nss-fips-constructor-self-tests.patch to scan
LD_LIBRARY_PATH for external libraries to be checksummed.
- Run test suite at build time, and make it pass (bsc#1198486).
Based on work by Marcus Meissner.
- Add nss-fips-tests-skip.patch to skip algorithms that are hard
disabled in FIPS mode.
- Add nss-fips-tests-pin-paypalee-cert.patch to prevent expired
PayPalEE cert from failing the tests.
- Add nss-fips-tests-enable-fips.patch, which enables FIPS during
test certificate creation and disables the library checksum
validation during same.
- Update nss-fips-constructor-self-tests.patch to allow
checksumming to be disabled, but only if we entered FIPS mode
due to NSS_FIPS being set, not if it came from /proc.
- Add nss-fips-pbkdf-kat-compliance.patch (bsc#1192079). This
makes the PBKDF known answer test compliant with NIST SP800-132.
- Update FIPS validation string to version-release format.
- Update nss-fips-approved-crypto-non-ec.patch to remove XCBC MAC
from list of FIPS approved algorithms.
- Enable NSS_ENABLE_FIPS_INDICATORS and set NSS_FIPS_MODULE_ID
for build.
- Update nss-fips-approved-crypto-non-ec.patch to claim 3DES
unapproved in FIPS mode (bsc#1192080).
- Update nss-fips-constructor-self-tests.patch to allow testing
of unapproved algorithms (bsc#1192228).
- Add nss-fips-version-indicators.patch (bmo#1729550, bsc#1192086).
This adds FIPS version indicators.
- Add nss-fips-180-3-csp-clearing.patch (bmo#1697303, bsc#1192087).
Most of the relevant changes are already upstream since NSS 3.60.
- ncurses
-
- Add patch ncurses-bnc1198627.patch
* Fix bsc#1198627: CVE-2022-29458: ncurses: segfaulting OOB read
- openldap2
-
- bsc#1198341 - Prevent memory reuse which may lead to instability
* 0226-Change-malloc-to-use-calloc-to-prevent-memory-reuse-.patch
- p11-kit
-
- Conflict with ca-certificates < 1_201403302107-15.6.2 to make sure
update-ca-certifictes calls trust export with --format=pem-directory-hash
(bsc#1201985)
- CVE-2020-29362: Fixed a 4 byte overread (bsc#1180065)
Added p11-kit-CVE-2020-29362.patch:
- permissions
-
* chkstat: also consider group controlled paths (bsc#1203018, CVE-2022-31252)
* add capability for prometheus-blackbox_exporter (bsc#1191194)
* make btmp root:utmp (bsc#1050467)
* pcp: remove no longer needed / conflicting entries
- Update to version 20170707:
- python
-
- Add patch CVE-2021-28861-double-slash-path.patch:
* BaseHTTPServer: Fix an open redirection vulnerability in the HTTP server
when an URI path starts with //. (bsc#1202624, CVE-2021-28861)
- python-M2Crypto
-
- Add CVE-2020-25657-Bleichenbacher-attack.patch (CVE-2020-25657,
bsc#1178829), which mitigates the Bleichenbacher timing attacks
in the RSA decryption API.
- Add python-M2Crypto.keyring to verify GPG signature of tarball.
- python-PyJWT
-
- Add CVE-2022-29217-non-blocked-pubkeys.patch fixing
CVE-2022-29217 (bsc#1199756), which disallows use of blocked
pubkeys (heavily modified from upstream).
- python-azure-core
-
- Add az-core-py2-syntx-bsc1202024.patch (bsc#1202024)
+ Fix syntax error in Python2
- python-base
-
- Add patch CVE-2021-28861-double-slash-path.patch:
* BaseHTTPServer: Fix an open redirection vulnerability in the HTTP server
when an URI path starts with //. (bsc#1202624, CVE-2021-28861)
- python-paramiko
-
- Add patch BZ-1199454-Fix-Deprecation-Warnings.patch from upstream pull
request https://github.com/paramiko/paramiko/pull/1379 to fix deprecation
warnings. NOTE: the .travis changes were excluded as the file doesn't
exist in the tarball as it was used by upstream CI only. bsc#1199454
- python3
-
- Add patch CVE-2021-28861-double-slash-path.patch:
* http.server: Fix an open redirection vulnerability in the HTTP server
when an URI path starts with //. (bsc#1202624, CVE-2021-28861)
- python3-base
-
- Add patch CVE-2021-28861-double-slash-path.patch:
* http.server: Fix an open redirection vulnerability in the HTTP server
when an URI path starts with //. (bsc#1202624, CVE-2021-28861)
- python3-lxml
-
- Add patch CVE-2020-27783.patch to fix CVE-2020-27783 mXSS due to the use of
improper parser
Fix bsc#1179534
- python36
-
- Add patch CVE-2021-28861-double-slash-path.patch:
* http.server: Fix an open redirection vulnerability in the HTTP server
when an URI path starts with //. (bsc#1202624, CVE-2021-28861)
- release-notes-sles
-
- 12.5.20220718 (tracked in bsc#933411)
- Added note about Samba 4.15 (jsc#SLE-23330)
(bsc#1196097)
- Added note about DFS share failover (jsc#SLE-20041)
- Added note about Xenstore stubdom (bsc#1185196)
- Added note about CONFIG_NUMA_EMU (jsc#SLE-11600)
- Removed LibreOffice and MariaDB from requiring specific contracts
- rsync
-
- Apply "/rsync-CVE-2022-29154.patch"/ to fix a security vulnerability
in the do_server_recv() function. [bsc#1201840, CVE-2022-29154]
- rsyslog
-
- add Requires for latest lbfastjsion version (bsc#1202243)
- fix segfault in qDeqLinkedList during shutdown (bsc#1199283)
* add 0001-queue-Add-NULL-check-in-qDeqLinkedList.patch
- samba
-
- CVE-2022-1615: Do not ignore errors in random number generation;
(bso#15103); (bsc#1202976);
- Fix Use after free when iterating
smbd_server_connection->connections after tree disconnect
failure; (bso#15128); (bsc#1200102).
- CVE-2022-32746: samba: Use-after-free occurring in database
audit logging; (bso#15009); (bso#15096); (bsc#1201490).
- CVE-2022-32745: samba: ldb: AD users can crash the server
process with an LDAP add or modify request; (bso#15008);
(bso#15096); (bsc#1201492).
- CVE-2022-2031: samba, ldb: AD users can bypass certain
restrictions associated with changing passwords; (bso#15047);
(bsc#1201495);
- CVE-2022-32742:SMB1 code does not correct verify SMB1write,
SMB1write_and_close, SMB1write_and_unlock lengths; (bso#15085);
(bsc#1201496).
- CVE-2022-32744: samba, ldb: AD users can forge password change
requests for any user; (bso#15074); (bso#15047); (bsc#1201493).
- Update to 4.15.8
* Use pathref fd instead of io fd in vfs_default_durable_cookie;
(bso#15042).
* Setting fruit:resource = stream in vfs_fruit causes a panic;
(bso#15099).
* Add support for bind 9.18; (bso#14986).
* logging dsdb audit to specific files does not work;
(bso#15076).
* vfs_gpfs with vfs_shadowcopy2 fail to restore file if original
file had been deleted; (bso#15069)
* netgroups support removed; (bso#15087); (bsc#1199247).
* net ads info shows LDAP Server: 0.0.0.0 depending on contacted
server; (bso#14674); (bsc#1199734).
* waf produces incorrect names for python extensions with Python
3.11; (bso#15071).
* smbclient commands del & deltree fail with
NT_STATUS_OBJECT_PATH_NOT_FOUND with DFS; (bso#15100);
(bsc#1200556).
* vfs_gpfs recalls=no option prevents listing files; (bso#15055).
* waf produces incorrect names for python extensions with Python
3.11; (bso#15071).
* Compile error in source3/utils/regedit_hexedit.c; (bso#15091).
* ldconfig: /lib64/libsmbconf.so.0 is not a symbolic link;
(bso#15108).
* smbd doesn't handle UPNs for looking up names; (bso#15054).
* Out-by-4 error in smbd read reply max_send clamp; (bso#14443).
- Move pdb backends from package samba-libs to package
samba-client-libs and remove samba-libs requirement from
samba-winbind; (bsc#1200964); (bsc#1198255);
- sqlite3
-
- update to 3.39.3:
* Use a statement journal on DML statement affecting two or more
database rows if the statement makes use of a SQL functions
that might abort.
* Use a mutex to protect the PRAGMA temp_store_directory and
PRAGMA data_store_directory statements, even though they are
decremented and documented as not being threadsafe.
- update to 3.39.2:
* Fix a performance regression in the query planner associated
with rearranging the order of FROM clause terms in the
presences of a LEFT JOIN.
* Apply fixes for CVE-2022-35737, Chromium bugs 1343348 and
1345947, forum post 3607259d3c, and other minor problems
discovered by internal testing. [boo#1201783]
- update to 3.39.1:
* Fix an incorrect result from a query that uses a view that
contains a compound SELECT in which only one arm contains a
RIGHT JOIN and where the view is not the first FROM clause term
of the query that contains the view
* Fix a long-standing problem with ALTER TABLE RENAME that can
only arise if the sqlite3_limit(SQLITE_LIMIT_SQL_LENGTH) is set
to a very small value.
* Fix a long-standing problem in FTS3 that can only arise when
compiled with the SQLITE_ENABLE_FTS3_PARENTHESIS compile-time
option.
* Fix the initial-prefix optimization for the REGEXP extension so
that it works correctly even if the prefix contains characters
that require a 3-byte UTF8 encoding.
* Enhance the sqlite_stmt virtual table so that it buffers all of
its output.
- update to 3.39.0:
* Add (long overdue) support for RIGHT and FULL OUTER JOIN
* Add new binary comparison operators IS NOT DISTINCT FROM and
IS DISTINCT FROM that are equivalent to IS and IS NOT,
respective, for compatibility with PostgreSQL and SQL standards
* Add a new return code (value "/3"/) from the sqlite3_vtab_distinct()
interface that indicates a query that has both DISTINCT and
ORDER BY clauses
* Added the sqlite3_db_name() interface
* The unix os interface resolves all symbolic links in database
filenames to create a canonical name for the database before
the file is opened
* Defer materializing views until the materialization is actually
needed, thus avoiding unnecessary work if the materialization
turns out to never be used
* The HAVING clause of a SELECT statement is now allowed on any
aggregate query, even queries that do not have a GROUP BY
clause
* Many microoptimizations collectively reduce CPU cycles by about
2.3%.
- drop sqlite-src-3380100-atof1.patch, included upstream
- add sqlite-src-3390000-func7-pg-181.patch to skip float precision
related test failures on 32 bit
- update to 3.38.5:
* Fix a blunder in the CLI of the 3.38.4 release
- includes changes from 3.38.4:
* fix a byte-code problem in the Bloom filter pull-down
optimization added by release 3.38.0 in which an error in the
byte code causes the byte code engine to enter an infinite loop
when the pull-down optimization encounters a NULL key
- update to 3.38.3:
* Fix a case of the query planner be overly aggressive with
optimizing automatic-index and Bloom-filter construction,
using inappropriate ON clause terms to restrict the size of the
automatic-index or Bloom filter, and resulting in missing rows
in the output.
* Other minor patches. See the timeline for details.
- update to 3.38.2:
* Fix a problem with the Bloom filter optimization that might
cause an incorrect answer when doing a LEFT JOIN with a WHERE
clause constraint that says that one of the columns on the
right table of the LEFT JOIN is NULL.
* Other minor patches.
- Remove obsolete configure flags
- Package the Tcl bindings here again so that we only ship one copy
of SQLite (bsc#1195773).
- update to 3.38.1:
* Fix problems with the new Bloom filter optimization that might
cause some obscure queries to get an incorrect answer.
* Fix the localtime modifier of the date and time functions so
that it preserves fractional seconds.
* Fix the sqlite_offset SQL function so that it works correctly
even in corner cases such as when the argument is a virtual
column or the column of a view.
* Fix row value IN operator constraints on virtual tables so that
they work correctly even if the virtual table implementation
relies on bytecode to filter rows that do not satisfy the
constraint.
* Other minor fixes to assert() statements, test cases, and
documentation. See the source code timeline for details.
- add upstream patch to run atof1 tests only on x86_64
sqlite-src-3380100-atof1.patch
- update to 3.38.0
* Add the -> and ->> operators for easier processing of JSON
* The JSON functions are now built-ins
* Enhancements to date and time functions
* Rename the printf() SQL function to format() for better
compatibility, with alias for backwards compatibility.
* Add the sqlite3_error_offset() interface for helping localize
an SQL error to a specific character in the input SQL text
* Enhance the interface to virtual tables
* CLI columnar output modes are enhanced to correctly handle tabs
and newlines embedded in text, and add options like "/--wrap N"/,
"/--wordwrap on"/, and "/--quote"/ to the columnar output modes.
* Query planner enhancements using a Bloom filter to speed up
large analytic queries, and a balanced merge tree to evaluate
UNION or UNION ALL compound SELECT statements that have an
ORDER BY clause.
* The ALTER TABLE statement is changed to silently ignores
entries in the sqlite_schema table that do not parse when
PRAGMA writable_schema=ON
- update to 3.37.2:
* Fix a bug introduced in version 3.35.0 (2021-03-12) that can
cause database corruption if a SAVEPOINT is rolled back while
in PRAGMA temp_store=MEMORY mode, and other changes are made,
and then the outer transaction commits
* Fix a long-standing problem with ON DELETE CASCADE and ON
UPDATE CASCADE in which a cache of the bytecode used to
implement the cascading change was not being reset following a
local DDL change
- update to 3.37.1:
* Fix a bug introduced by the UPSERT enhancements of version
3.35.0 that can cause incorrect byte-code to be generated for
some obscure but valid SQL, possibly resulting in a NULL-
pointer dereference.
* Fix an OOB read that can occur in FTS5 when reading corrupt
database files.
* Improved robustness of the --safe option in the CLI.
* Other minor fixes to assert() statements and test cases.
- SQLite3 3.37.0:
* STRICT tables provide a prescriptive style of data type
management, for developers who prefer that kind of thing.
* When adding columns that contain a CHECK constraint or a
generated column containing a NOT NULL constraint, the
ALTER TABLE ADD COLUMN now checks new constraints against
preexisting rows in the database and will only proceed if no
constraints are violated.
* Added the PRAGMA table_list statement.
* Add the .connection command, allowing the CLI to keep multiple
database connections open at the same time.
* Add the --safe command-line option that disables dot-commands
and SQL statements that might cause side-effects that extend
beyond the single database file named on the command-line.
* CLI: Performance improvements when reading SQL statements that
span many lines.
* Added the sqlite3_autovacuum_pages() interface.
* The sqlite3_deserialize() does not and has never worked
for the TEMP database. That limitation is now noted in the
documentation.
* The query planner now omits ORDER BY clauses on subqueries and
views if removing those clauses does not change the semantics
of the query.
* The generate_series table-valued function extension is modified
so that the first parameter ("/START"/) is now required. This is
done as a way to demonstrate how to write table-valued
functions with required parameters. The legacy behavior is
available using the -DZERO_ARGUMENT_GENERATE_SERIES
compile-time option.
* Added new sqlite3_changes64() and sqlite3_total_changes64()
interfaces.
* Added the SQLITE_OPEN_EXRESCODE flag option to sqlite3_open_v2().
* Use less memory to hold the database schema.
* bsc#1189802, CVE-2021-36690: Fix an issue with the SQLite Expert
extension when a column has no collating sequence.
- systemd-presets-branding-SLE
-
- Enable suseconnect-keepalive.timer for SUSEConnect (jsc#SLE-23312)
- timezone
-
- Update to reflect new Chile DST change, bsc#1202310
* bsc1202310.patch
- unzip
-
- Fix CVE-2022-0530, SIGSEGV during the conversion of an utf-8 string
to a local string (CVE-2022-0530, bsc#1196177)
* CVE-2022-0530.patch
- Fix CVE-2022-0529, Heap out-of-bound writes and reads during
conversion of wide string to local string (CVE-2022-0529, bsc#1196180)
* CVE-2022-0529.patch
- update-alternatives
-
- util-linux
-
- su: Change owner and mode for pty (bsc#1200842,
util-linux-login-move-generic-setting-to-ttyutils.patch,
util-linux-su-change-owner-and-mode-for-pty.patch).
- mesg: use only stat() to get the current terminal status
(bsc#1200842, util-linux-mesg-use-only-stat.patch).
- agetty: Resolve tty name even if stdin is specified (bsc#1197178,
util-linux-agetty-resolve-tty-if-stdin-is-specified.patch).
- libmount: When moving a mount point, update all sub mount entries
in utab (bsc#1198731,
util-linux-libmount-moving-mount-point-sub-mounts.patch,
util-linux-libmount-fix-and-improve-utab-on-ms_move.patch).
- util-linux-systemd
-
- su: Change owner and mode for pty (bsc#1200842,
util-linux-login-move-generic-setting-to-ttyutils.patch,
util-linux-su-change-owner-and-mode-for-pty.patch).
- mesg: use only stat() to get the current terminal status
(bsc#1200842, util-linux-mesg-use-only-stat.patch).
- agetty: Resolve tty name even if stdin is specified (bsc#1197178,
util-linux-agetty-resolve-tty-if-stdin-is-specified.patch).
- libmount: When moving a mount point, update all sub mount entries
in utab (bsc#1198731,
util-linux-libmount-moving-mount-point-sub-mounts.patch,
util-linux-libmount-fix-and-improve-utab-on-ms_move.patch).
- which
-
- https urls, added signature (but did not find the public key)
- Use %license instead of %doc [bsc#1082318]
- Move installinfo scriptlet to preun so it won't fail
- Cleanup spec file with spec-cleaner
- Correct usage of info scriplets
- GNU which 2.21:
* Upgraded code from bash to version 4.3 (now uses eaccess).
* Fixed a bug related to getgroups / sysconfig that caused Which
not to see more than 64 groups for a single user
* Build system maintenance.
- Update project and source URL to GNU project
- xfsprogs
-
- mkfs: validate extent size hint parameters (bsc#1138247)
- add xfsprogs-xfs-move-inode-extent-size-hint-validation-to-libxfs.patch
- add xfsprogs-xfs_repair-use-libxfs-extsize-cowextsize-validation-.patch
- add xfsprogs-mkfs-validate-extent-size-hint-parameters.patch
- xfs_repair: Fix root inode's parent when it's bogus for sf directory
(bsc#1138227)
- add xfsprogs-xfs_repair-Fix-root-inode-s-parent-when-it-s-bogus-f.patch
- yast2-storage
-
- Partitioner: PVs are not wrongly removed when resizing a VG
(bsc#1197208).
- 3.2.23
- zlib
-
- Fix heap-based buffer over-read or buffer overflow in inflate via
large gzip header extra field (bsc#1202175, CVE-2022-37434,
CVE-2022-37434-extra-header-1.patch,
CVE-2022-37434-extra-header-2.patch).