- SUSEConnect
-
- Update to 0.3.29
- replace env ruby path with native ruby path during build phase
- Recognize more formats when parsing .curlrc for proxy credentials (bsc#1155027)
- Add rpmlintrc to filter false-positive warning about patch not applied
- Update to 0.3.27
- SUSEConnect now ensures that it writes its configuration when it
encounters errors. This helps in the situation where SUSEConnect
announces itself, but fails during a later step. Without the saved
configuration, a system could have credentials, but be unsure which
registration proxy they're valid for.
- Update to 0.3.26
- Extend the YaST API in order to access to the package search
functionality (jsc#SLE-9109)
- Don't fail de-activation when '-release' package already got removed
- Update to 0.3.25
- Fix cloud_provider detection on AWS large instances (bsc#1160007)
- Update to 0.3.24
- Forbid de-registration for on-demand Public Cloud instances (bsc#1155911)
- 0.3.23
fix .spec file to correctly apply switch_server_cert_location_to_etc.patch to SLE15SP2+ (bsc#1130864)
- bind
-
- Updated named.root (aka /var/lib/named/root.hint) to the newest
version available at ftp://FTP.INTERNIC.NET/domain/named.cache
[named.root, bsc#1181372]
- Each subpackage which has the sonum in its name now Provides:
its basename:
libbind9, libdns, libirs, libisccc, libisccfg, liblwres
and Obsoletes: any previous version, so when thas package is
upgraded, the old version can be easily removed.
[bind.spec]
- cloud-init
-
- Update cloud-init-write-routes.patch (bsc#1180176)
+ Follow up to previous changes. Fix order of operations
error to make gateway comparison between subnet configuration and
route configuration valuable rather than self-comparing.
- Add cloud-init-sle12-compat.patch (jsc#PM-2335)
- Python 3.4 compatibility in setup.py
- Disable some test for mock version compatibility
- Add wget as a requirement (bsc#1178029)
+ wget is used in the CloudStack data source
- Add cloud-init-azure-def-usr-pass.patch (bsc#1179150, bsc#1179151)
+ Properly set the password for the default user in all circumstances
- Patch the full package version into the cloud-init version file
- Update cloud-init-write-routes.patch (bsc#1177526)
+ Fix missing default route when dual stack network setup is used. Once
a default route was configured for Ipv6 or IPv4 the default route
configuration for the othre protocol was skipped.
- Update cloud-init-write-routes.patch (bsc#1177526)
+ Avoid exception if no gateway information is present and warning
is triggered for existing routing.
- Update to version 20.2 (bsc#1174443, bsc#1174444)
+ Remove patches included upstream:
- 0001-Make-tests-work-with-Python-3.8-139.patch
- cloud-init-ostack-metadat-dencode.patch
- cloud-init-use-different-random-src.diff
- cloud-init-long-pass.patch
- cloud-init-mix-static-dhcp.patch
+ Remove patches build switched to Python 3 for all distributions
(jsc#PM-2335)
- cloud-init-python2-sigpipe.patch
- cloud-init-template-py2.patch
+ Add
- cloud-init-after-kvp.diff
- cloud-init-recognize-hpc.patch
+ doc/format: reference make-mime.py instead of an inline script (#334)
+ Add docs about creating parent folders (#330) [Adrian Wilkins]
+ DataSourceNoCloud/OVF: drop claim to support FTP (#333) (LP: #1875470)
+ schema: ignore spurious pylint error (#332)
+ schema: add json schema for write_files module (#152)
+ BSD: find_devs_with_ refactoring (#298) [Gonéri Le Bouder]
+ nocloud: drop work around for Linux 2.6 (#324) [Gonéri Le Bouder]
+ cloudinit: drop dependencies on unittest2 and contextlib2 (#322)
+ distros: handle a potential mirror filtering error case (#328)
+ log: remove unnecessary import fallback logic (#327)
+ .travis.yml: don't run integration test on ubuntu/* branches (#321)
+ More unit test documentation (#314)
+ conftest: introduce disable_subp_usage autouse fixture (#304)
+ YAML align indent sizes for docs readability (#323) [Tak Nishigori]
+ network_state: add missing space to log message (#325)
+ tests: add missing mocks for get_interfaces_by_mac (#326) (LP: #1873910)
+ test_mounts: expand happy path test for both happy paths (#319)
+ cc_mounts: fix incorrect format specifiers (#316) (LP: #1872836)
+ swap file "/size"/ being used before checked if str (#315) [Eduardo Otubo]
+ HACKING.rst: add pytest version gotchas section (#311)
+ docs: Add steps to re-run cloud-id and cloud-init (#313) [Joshua Powers]
+ readme: OpenBSD is now supported (#309) [Gonéri Le Bouder]
+ net: ignore 'renderer' key in netplan config (#306) (LP: #1870421)
+ Add support for NFS/EFS mounts (#300) [Andrew Beresford] (LP: #1870370)
+ openbsd: set_passwd should not unlock user (#289) [Gonéri Le Bouder]
+ tools/.github-cla-signers: add beezly as CLA signer (#301)
+ util: remove unnecessary lru_cache import fallback (#299)
+ HACKING.rst: reorganise/update CLA signature info (#297)
+ distros: drop leading/trailing hyphens from mirror URL labels (#296)
+ HACKING.rst: add note about variable annotations (#295)
+ CiTestCase: stop using and remove sys_exit helper (#283)
+ distros: replace invalid characters in mirror URLs with hyphens (#291)
(LP: #1868232)
+ rbxcloud: gracefully handle arping errors (#262) [Adam Dobrawy]
+ Fix cloud-init ignoring some misdeclared mimetypes in user-data.
[Kurt Garloff]
+ net: ubuntu focal prioritize netplan over eni even if both present
(#267) (LP: #1867029)
+ cloudinit: refactor util.is_ipv4 to net.is_ipv4_address (#292)
+ net/cmdline: replace type comments with annotations (#294)
+ HACKING.rst: add Type Annotations design section (#293)
+ net: introduce is_ip_address function (#288)
+ CiTestCase: remove now-unneeded parse_and_read helper method (#286)
+ .travis.yml: allow 30 minutes of inactivity in cloud tests (#287)
+ sources/tests/test_init: drop use of deprecated inspect.getargspec (#285)
+ setup.py: drop NIH check_output implementation (#282)
+ Identify SAP Converged Cloud as OpenStack [Silvio Knizek]
+ add Openbsd support (#147) [Gonéri Le Bouder]
+ HACKING.rst: add examples of the two test class types (#278)
+ VMWware: support to update guest info gc status if enabled (#261)
[xiaofengw-vmware]
+ Add lp-to-git mapping for kgarloff (#279)
+ set_passwords: avoid chpasswd on BSD (#268) [Gonéri Le Bouder]
+ HACKING.rst: add Unit Testing design section (#277)
+ util: read_cc_from_cmdline handle urlencoded yaml content (#275)
+ distros/tests/test_init: add tests for _get_package_mirror_info (#272)
+ HACKING.rst: add links to new Code Review Process doc (#276)
+ freebsd: ensure package update works (#273) [Gonéri Le Bouder]
+ doc: introduce Code Review Process documentation (#160)
+ tools: use python3 (#274)
+ cc_disk_setup: fix RuntimeError (#270) (LP: #1868327)
+ cc_apt_configure/util: combine search_for_mirror implementations (#271)
+ bsd: boottime does not depend on the libc soname (#269)
[Gonéri Le Bouder]
+ test_oracle,DataSourceOracle: sort imports (#266)
+ DataSourceOracle: update .network_config docstring (#257)
+ cloudinit/tests: remove unneeded with_logs configuration (#263)
+ .travis.yml: drop stale comment (#255)
+ .gitignore: add more common directories (#258)
+ ec2: render network on all NICs and add secondary IPs as static (#114)
(LP: #1866930)
+ ec2 json validation: fix the reference to the 'merged_cfg' key (#256)
[Paride Legovini]
+ releases.yaml: quote the Ubuntu version numbers (#254) [Paride Legovini]
+ cloudinit: remove six from packaging/tooling (#253)
+ util/netbsd: drop six usage (#252)
+ workflows: introduce stale pull request workflow (#125)
+ cc_resolv_conf: introduce tests and stabilise output across Python
versions (#251)
+ fix minor issue with resolv_conf template (#144) [andreaf74]
+ doc: CloudInit also support NetBSD (#250) [Gonéri Le Bouder]
+ Add Netbsd support (#62) [Gonéri Le Bouder]
+ tox.ini: avoid substition syntax that causes a traceback on xenial (#245)
+ Add pub_key_ed25519 to cc_phone_home (#237) [Daniel Hensby]
+ Introduce and use of a list of GitHub usernames that have signed CLA
(#244)
+ workflows/cla.yml: use correct username for CLA check (#243)
+ tox.ini: use xenial version of jsonpatch in CI (#242)
+ workflows: CLA validation altered to fail status on pull_request (#164)
+ tox.ini: bump pyflakes version to 2.1.1 (#239)
+ cloudinit: move to pytest for running tests (#211)
+ instance-data: add cloud-init merged_cfg and sys_info keys to json
(#214) (LP: #1865969)
+ ec2: Do not fallback to IMDSv1 on EC2 (#216)
+ instance-data: write redacted cfg to instance-data.json (#233)
(LP: #1865947)
+ net: support network-config:disabled on the kernel commandline (#232)
(LP: #1862702)
+ ec2: only redact token request headers in logs, avoid altering request
(#230) (LP: #1865882)
+ docs: typo fixed: dta → data [Alexey Vazhnov]
+ Fixes typo on Amazon Web Services (#217) [Nick Wales]
+ Fix docs for OpenStack DMI Asset Tag (#228)
[Mark T. Voelker] (LP: #1669875)
+ Add physical network type: cascading to openstack helpers (#200)
[sab-systems]
+ tests: add focal integration tests for ubuntu (#225)
- From 20.1 (first vesrion after 19.4)
+ ec2: Do not log IMDSv2 token values, instead use REDACTED (#219)
(LP: #1863943)
+ utils: use SystemRandom when generating random password. (#204)
[Dimitri John Ledkov]
+ docs: mount_default_files is a list of 6 items, not 7 (#212)
+ azurecloud: fix issues with instances not starting (#205) (LP: #1861921)
+ unittest: fix stderr leak in cc_set_password random unittest
output. (#208)
+ cc_disk_setup: add swap filesystem force flag (#207)
+ import sysvinit patches from freebsd-ports tree (#161) [Igor Galić]
+ docs: fix typo (#195) [Edwin Kofler]
+ sysconfig: distro-specific config rendering for BOOTPROTO option (#162)
[Robert Schweikert] (LP: #1800854)
+ cloudinit: replace "/from six import X"/ imports (except in util.py) (#183)
+ run-container: use 'test -n' instead of 'test ! -z' (#202)
[Paride Legovini]
+ net/cmdline: correctly handle static ip= config (#201)
[Dimitri John Ledkov] (LP: #1861412)
+ Replace mock library with unittest.mock (#186)
+ HACKING.rst: update CLA link (#199)
+ Scaleway: Fix DatasourceScaleway to avoid backtrace (#128)
[Louis Bouchard]
+ cloudinit/cmd/devel/net_convert.py: add missing space (#191)
+ tools/run-container: drop support for python2 (#192) [Paride Legovini]
+ Print ssh key fingerprints using sha256 hash (#188) (LP: #1860789)
+ Make the RPM build use Python 3 (#190) [Paride Legovini]
+ cc_set_password: increase random pwlength from 9 to 20 (#189)
(LP: #1860795)
+ .travis.yml: use correct Python version for xenial tests (#185)
+ cloudinit: remove ImportError handling for mock imports (#182)
+ Do not use fallocate in swap file creation on xfs. (#70)
[Eduardo Otubo] (LP: #1781781)
+ .readthedocs.yaml: install cloud-init when building docs (#181)
(LP: #1860450)
+ Introduce an RTD config file, and pin the Sphinx version to the RTD
default (#180)
+ Drop most of the remaining use of six (#179)
+ Start removing dependency on six (#178)
+ Add Rootbox & HyperOne to list of cloud in README (#176) [Adam Dobrawy]
+ docs: add proposed SRU testing procedure (#167)
+ util: rename get_architecture to get_dpkg_architecture (#173)
+ Ensure util.get_architecture() runs only once (#172)
+ Only use gpart if it is the BSD gpart (#131) [Conrad Hoffmann]
+ freebsd: remove superflu exception mapping (#166) [Gonéri Le Bouder]
+ ssh_auth_key_fingerprints_disable test: fix capitalization (#165)
[Paride Legovini]
+ util: move uptime's else branch into its own boottime function (#53)
[Igor Galić] (LP: #1853160)
+ workflows: add contributor license agreement checker (#155)
+ net: fix rendering of 'static6' in network config (#77) (LP: #1850988)
+ Make tests work with Python 3.8 (#139) [Conrad Hoffmann]
+ fixed minor bug with mkswap in cc_disk_setup.py (#143) [andreaf74]
+ freebsd: fix create_group() cmd (#146) [Gonéri Le Bouder]
+ doc: make apt_update example consistent (#154)
+ doc: add modules page toc with links (#153) (LP: #1852456)
+ Add support for the amazon variant in cloud.cfg.tmpl (#119)
[Frederick Lefebvre]
+ ci: remove Python 2.7 from CI runs (#137)
+ modules: drop cc_snap_config config module (#134)
+ migrate-lp-user-to-github: ensure Launchpad repo exists (#136)
+ docs: add initial troubleshooting to FAQ (#104) [Joshua Powers]
+ doc: update cc_set_hostname frequency and descrip (#109)
[Joshua Powers] (LP: #1827021)
+ freebsd: introduce the freebsd renderer (#61) [Gonéri Le Bouder]
+ cc_snappy: remove deprecated module (#127)
+ HACKING.rst: clarify that everyone needs to do the LP->GH dance (#130)
+ freebsd: cloudinit service requires devd (#132) [Gonéri Le Bouder]
+ cloud-init: fix capitalisation of SSH (#126)
+ doc: update cc_ssh clarify host and auth keys
[Joshua Powers] (LP: #1827021)
+ ci: emit names of tests run in Travis (#120)
- Disable testing to aid elimination of unittest2 in Factory
- cloud-netconfig
-
- Update to version 1.5:
+ Add support for GCE (bsc#1159460, bsc#1178486)
+ Improve default gateway determination
- cups
-
- cups-1.7.5-CVE-2020-10001.patch fixes CVE-2020-10001
access to uninitialized buffer in ipp.c (bsc#1180520)
- cups-1.7.5-CVE-2019-8842.patc fixes CVE-2019-8842 (bsc#1170671)
the ippReadIO function may under-read an extension field
- cyrus-sasl
-
- bsc#1159635 VUL-0: CVE-2019-19906: cyrus-sasl: cyrus-sasl
has an out-of-bounds write leading to unauthenticated remote
denial-of-service in OpenLDAP via a malformed LDAP packet
o apply upstream patch
- 0001-Fix-587.patch
- glib2
-
- Add patches to support for slim format of timezone (bsc#1178346):
+ glib2-add-g_canonicalize_filename.patch: a helper function
needed by other patch.
+ glib2-add-support-for-slim-timezone-format.patch: basic support
for slim format (glgo#GNOME/glib!1533).
+ glib2-fix-6-days-until-the-end-of-the-month.patch: fix DST
incorrect end day when using slim format
(glgo#GNOME/glib!1683).
- grub2
-
- Fix boot failure in blocklist installation (bsc#1178278)
* Modified 0002-grub-install-Avoid-incompleted-install-on-i386-pc.patch
- Fix grub2-install error with "/failed to get canonical path of
`/boot/grub2/i386-pc'."/ (bsc#1177957)
* modified 0002-grub-install-Avoid-incompleted-install-on-i386-pc.patch
- Fix https boot interrupted by unrecognised network address error message
(bsc#1172952)
* modified 0001-add-support-for-UEFI-network-protocols.patch
- Improve the error handling when grub2-install fails with short mbr gap
(bsc#1176062)
* 0001-Warn-if-MBR-gap-is-small-and-user-uses-advanced-modu.patch
* 0002-grub-install-Avoid-incompleted-install-on-i386-pc.patch
- kdump
-
- kdump-remove-console-hvc0-from-commandline.patch: remove
console=hvc0 from commandline (bsc#1173914).
- kdump-set-serial-console-from-Xen-cmdline.patch: set serial
console from Xen cmdline (bsc#1173914).
- kdump-Remove-noefi-and-acpi_rsdp-for-EFI-firmware.patch: Remove
noefi and acpi_rsdp for EFI firmware (bsc#1123940, bsc#1170336).
- kdump-Add-skip_balance-option-to-BTRFS-mounts.patch: Add
skip_balance option to BTRFS mounts (bsc#1108255).
- kdump-do-not-add-rd.neednet.patch: Do not add 'rd.neednet=1' to
dracut command line (bsc#1177196).
- kernel-default
-
- Fix a bug in rawmidi UAF fix patch (bsc#1179601, CVE-2020-27786)
Refresh patches.suse/ALSA-rawmidi-Fix-racy-buffer-resize-under-concurrent.patch
- commit ce80dfa
- nbd: freeze the queue while we're adding connections
(bsc#1181504 CVE-2021-3348).
- nbd: Fix memory leak in nbd_add_socket (bsc#1181504).
- commit 447797a
- kABI: Fix kABI for extended APIC-ID support (bsc#1181001,
jsc#ECO-3191).
- x86/kvm: Add KVM_FEATURE_MSI_EXT_DEST_ID (bsc#1181001,
jsc#ECO-3191).
- x86/apic: Support 15 bits of APIC ID in IOAPIC/MSI where
available (bsc#1181001, jsc#ECO-3191).
- x86/ioapic: Handle Extended Destination ID field in RTE
(bsc#1181001, jsc#ECO-3191).
- x86/msi: Only use high bits of MSI address for DMAR unit
(bsc#1181001, jsc#ECO-3191).
- x86/apic: Fix x2apic enablement without interrupt remapping
(bsc#1181001, jsc#ECO-3191).
- x86/kvm: Reserve KVM_FEATURE_MSI_EXT_DEST_ID (bsc#1181001,
jsc#ECO-3191).
- iommu/vt-d: Don't dereference iommu_device if IOMMU_API is
not built (bsc#1181001, jsc#ECO-3191).
- iommu/vt-d: Gracefully handle DMAR units with no supported
address widths (bsc#1181001, jsc#ECO-3191).
- commit 6482368
- Move futex fixes into the sorted section (bsc#1181349 CVE-2021-3347)
- commit c34c9df
- Update patch References tags for futex fixes (bsc#1181349 CVE-2021-3347)
- commit afd051d
- Refresh patches.suse/4.4.136-002-powerpc-64s-Clear-PCR-on-boot.patch
Also clear PCR on POWER9 and in dt_cpu_ftrs.
- commit c79d65a
- futex: Fix incorrect should_fail_futex() handling (bsc#1181349).
- commit 0ba69a9
- futex: Handle faults correctly for PI futexes (bsc#1181349
bsc#1149032).
- futex: Simplify fixup_pi_state_owner() (bsc#1181349
bsc#1149032).
- futex: Use pi_state_update_owner() in put_pi_state()
(bsc#1181349 bsc#1149032).
- rtmutex: Remove unused argument from rt_mutex_proxy_unlock()
(bsc#1181349 bsc#1149032).
- futex: Provide and use pi_state_update_owner() (bsc#1181349
bsc#1149032).
- futex: Replace pointless printk in fixup_owner() (bsc#1181349
bsc#1149032).
- futex: Ensure the correct return value from futex_lock_pi()
(bsc#1181349 bsc#1149032).
- futex: Don't enable IRQs unconditionally in put_pi_state()
(bsc#1149032).
- locking/futex: Allow low-level atomic operations to return
- EAGAIN (bsc#1149032).
- commit 058c695
- blk-mq: improve heavily contended tag case (bsc#1178198).
- Refresh
patches.suse/sbitmap-fix-race-in-wait-batch-accounting.patch.
- commit ad2cec8
- netfilter: ctnetlink: add a range check for l3/l4 protonum
(CVE-2020-25211 bsc#1176395).
- commit 92230c0
- SUNRPC: cache: ignore timestamp written to 'flush' file
(bsc#1178036).
- commit 257292e
- Update
patches.suse/0001-xen-events-add-a-proper-barrier-to-2-level-uevent-un.patch
(CVE-2020-27673 XSA-332 bsc#1177411).
- Update
patches.suse/0002-xen-events-fix-race-in-evtchn_fifo_unmask.patch
(CVE-2020-27673 XSA-332 bsc#1177411).
- Update
patches.suse/0003-xen-events-add-a-new-late-EOI-evtchn-framework.patch
(CVE-2020-27673 XSA-332 bsc#1177411).
- Update
patches.suse/0004-xen-blkback-use-lateeoi-irq-binding.patch
(CVE-2020-27673 XSA-332 bsc#1177411).
- Update
patches.suse/0005-xen-netback-use-lateeoi-irq-binding.patch
(CVE-2020-27673 XSA-332 bsc#1177411).
- Update
patches.suse/0006-xen-scsiback-use-lateeoi-irq-binding.patch
(CVE-2020-27673 XSA-332 bsc#1177411).
- Update
patches.suse/0008-xen-pciback-use-lateeoi-irq-binding.patch
(CVE-2020-27673 XSA-332 bsc#1177411).
- Update
patches.suse/0009-xen-events-switch-user-event-channels-to-lateeoi-mod.patch
(CVE-2020-27673 XSA-332 bsc#1177411).
- Update
patches.suse/0010-xen-events-use-a-common-cpu-hotplug-hook-for-event-c.patch
(CVE-2020-27673 XSA-332 bsc#1177411).
- Update
patches.suse/0011-xen-events-defer-eoi-in-case-of-excessive-number-of-.patch
(CVE-2020-27673 XSA-332 bsc#1177411).
- Update
patches.suse/0012-xen-events-block-rogue-events-for-some-time.patch
(CVE-2020-27673 XSA-332 bsc#1177411).
- Update
patches.suse/XEN-uses-irqdesc-irq_data_common-handler_data-to-sto.patch
(CVE-2020-27673 XSA-332 bsc#1065600).
- Update
patches.suse/xen-events-avoid-removing-an-event-channel-while-han.patch
(CVE-2020-27675 XSA-331 bsc#1177410).
- Update
patches.suse/xen-events-don-t-use-chip_data-for-legacy-IRQs.patch
(CVE-2020-27673 XSA-332 bsc#1065600).
- Added CVE numbers for above patches.
- commit 77fc141
- Refresh
patches.suse/IB-hfi1-Ensure-correct-mm-is-used-at-all-times.patch.
Fixed backport (removed one line too much, d'oh).
- commit 6dc4356
- IB/hfi1: Ensure correct mm is used at all times (bsc#1179878
CVE-2020-27835).
- commit 39a2b87
- xen: support having only one event pending per watch
(bsc#1179508 XSA-349 CVE-2020-29568).
- commit d884e81
- xen: revert Allow watches discard events before queueing
(bsc#1179508 XSA-349 CVE-2020-29568).
- commit 2a4a8da
- xen: revert Add 'will_handle' callback support in
xenbus_watch_path() (bsc#1179508 XSA-349 CVE-2020-29568).
- commit 6baf8b8
- xen: revert Support will_handle watch callback (bsc#1179508
XSA-349 CVE-2020-29568).
- commit 3918801
- xen: revert Count pending messages for each watch (bsc#1179508
XSA-349 CVE-2020-29568).
- commit 9d30f4d
- xen: revert Disallow pending watch messages (bsc#1179508
XSA-349 CVE-2020-29568).
- commit d039881
- xen-blkback: set ring->xenblkd to NULL after kthread_stop()
(bsc#1179509 XSA-350 CVE-2020-29569).
- commit 1aab73c
- xenbus/xenbus_backend: Disallow pending watch messages
(bsc#1179508 XSA-349 CVE-2020-29568).
- commit 0cdf358
- xen/xenbus: Count pending messages for each watch (bsc#1179508
XSA-349 CVE-2020-29568).
- commit a14bb56
- xen/xenbus/xen_bus_type: Support will_handle watch callback
(bsc#1179508 XSA-349 CVE-2020-29568).
- commit 33a4600
- xen/xenbus: Add 'will_handle' callback support in
xenbus_watch_path() (bsc#1179508 XSA-349 CVE-2020-29568).
- commit 5ef1497
- xen/xenbus: Allow watches discard events before queueing
(bsc#1179508 XSA-349 CVE-2020-29568).
- commit 6f7a44e
- Drop the previous drm/nouveau fix that turned out to be superfluous (CVE-2020-25639 bsc#1176846)
- commit 001c6e5
- Move upstreamed vgacon patch into sorted section
- commit 73d2a02
- drm: bail out of nouveau_channel_new if channel init fails
(CVE-2020-25639 bsc#1176846).
- commit 55debf7
- target: fix XCOPY NAA identifier lookup (CVE-2020-28374,
bsc#1178372).
- commit 2765e76
- mwifiex: Fix possible buffer overflows in
mwifiex_cmd_802_11_ad_hoc_start (CVE-2020-36158 bsc#1180559).
- commit a833298
- s390/dasd: fix hanging device offline processing (bsc#1144912).
- commit ce166b0
- md/cluster: fix deadlock when node is doing resync job
(bsc#1163727).
- md/cluster: block reshape with remote resync job (bsc#1163727).
- md/bitmap: fix memory leak of temporary bitmap (bsc#1163727).
- md/bitmap: md_bitmap_get_counter returns wrong blocks
(bsc#1163727).
- md/bitmap: md_bitmap_read_sb uses wrong bitmap blocks
(bsc#1163727).
- md-cluster: Fix potential error pointer dereference in
resize_bitmaps() (bsc#1163727).
- md-cluster: fix rmmod issue when md_cluster convert bitmap to
none (bsc#1163727).
- md-cluster: fix safemode_delay value when converting to
clustered bitmap (bsc#1163727).
- md-cluster: fix wild pointer of unlock_all_bitmaps()
(bsc#1163727).
- commit ff367e3
- Move upstreamed bt fixes into sorted section
- commit adeed42
- Refresh patches.suse/powerpc-rtas-fix-typo-of-ibm-open-errinjct-in-rtas-f.patch
Refresh to upstream version.
- commit 76e9945
- tracing: Fix race in trace_open and buffer resize call
(CVE-2020-27825 bsc#1179960).
- commit 8b99744
- ring-buffer: speed up buffer resets by avoiding synchronize_rcu
for each CPU (CVE-2020-27825 bsc#1179960).
- commit 0d53945
- ring-buffer: Make resize disable per cpu buffer instead of
total buffer (CVE-2020-27825 bsc#1179960).
- commit 39cee5c
- fix regression in "/epoll: Keep a reference on files added to the check list"/ (bsc#1180031, git-fixes).
- commit d9c444f
- do_epoll_ctl(): clean the failure exits up a bit
(bsc#1180031,CVE-2020-0466).
- epoll: Keep a reference on files added to the check list
(bsc#1180031).
- commit e792e5d
- cfg80211: add missing policy for NL80211_ATTR_STATUS_CODE
(CVE-2020-27068 bsc#1180086).
- commit 886ad61
- HID: Fix slab-out-of-bounds read in hid_field_extract
(bsc#1180052).
- commit 5b124d9
- HID: core: Sanitize event code and type when mapping input
(CVE-2020-0465 bsc#1180029).
- commit ebf9f0e
- audit: fix error handling in audit_data_to_entry()
(CVE-2020-0444 bsc#1180027).
- commit f2e7691
- x86/traps: Simplify pagefault tracing logic (bsc#1179895).
- Refresh
patches.suse/10-x86-xen-get-rid-of-paravirt-op-adjust_exception_frame.patch.
- commit f51414e
- x86/tracing: Introduce a static key for exception tracing
(bsc#1179895).
- commit ae1ab84
- tty: Fix ->session locking (bsc#1179745 CVE-2020-29660).
- tty: Fix ->pgrp locking in tiocspgrp() (bsc#1179745
CVE-2020-29661).
- commit a59c61c
- powerpc/rtas: fix typo of ibm,open-errinjct in rtas filter
(CVE-2020-27777 bsc#1179107 bsc#1179887 ltc#190092).
- commit 153fdda
- xfrm: Fix memleak on xfrm state destroy (bsc#1158775).
- commit d801d2b
- net/x25: prevent a couple of overflows (bsc#1178590).
- commit 3f48ad3
- media: xirlink_cit: add missing descriptor sanity checks
(bsc#1168952 CVE-2020-11668).
- commit e978e80
- Update
patches.suse/sched-fair-Don-t-free-p-numa_faults-with-concurrent-.patch
(bsc#1144920, bsc#1179663, CVE-2019-20934).
- commit fad2215
- debugfs_lookup(): switch to lookup_one_len_unlocked() (bsc#1171979).
- Refresh patches.suse/new-helper-lookup_positive_unlocked.patch.
- commit 2aee88e
- kABI workaround for snd_rawmidi buffer_ref field addition
(CVE-2020-27786 bsc#1179601).
- commit 0e8d69d
- ALSA: rawmidi: Fix racy buffer resize under concurrent accesses
(CVE-2020-27786 bsc#1179601).
- commit 3c00a93
- Delete patches.suse/fs-select.c-batch-user-writes-in-do_sys_poll.patch.
(CVE-2020-4788 bsc#1179419).
Patch causes DLM regression. Drop for now.
- commit a422074
- Add missing RESTORE_CTR (CVE-2020-4788 bsc#1177666).
- Refresh patches.suse/powerpc-64s-Convert-slb_miss_common-to-use-RFI_TO_US.patch.
- Refresh patches.suse/powerpc-64s-Set-assembler-machine-type-to-POWER4.patch.
patches.suse/powerpc-64s-SLB-miss-already-has-CTR-saved-for-reloc.patch
adds RESTORE_CTR to the SLB miss handler so
patches.suse/powerpc-64s-Convert-slb_miss_common-to-use-RFI_TO_US.patch
must now copy it in the other fork of the exit code as well.
- commit a382dc2
- romfs: fix uninitialized memory leak in romfs_dev_read()
(CVE-2020-29371 bsc#1179429).
- commit c4cfc72
- block: Fix use-after-free in blkdev_get() (bsc#1173834
bsc#1179141 CVE-2020-15436).
- commit 0475fee
- kABI: powerpc: Add back __clear_user (CVE-2020-4788
bsc#1177666).
- commit 9ab0140
- kABI: powerpc: avoid including pgtable.h in kup.h (CVE-2020-4788
bsc#1177666).
- commit 81cd22b
- Refresh patches.suse/nfs-mark-nfsiod-cpu-intensive.patch.
- commit 4ba6c62
- make 'user_access_begin()' do 'access_ok()' (CVE-2020-4788 bsc#1177666).
- Delete patches.suse/drm-i915-CVE-2018-20669-access-check.patch.
- commit ffc3685
- NFS: mark nfsiod as CPU_INTENSIVE (bsc#1177304).
- commit 53e1580
- serial: 8250: fix null-ptr-deref in serial8250_start_tx()
(CVE-2020-15437 bsc#1179140).
- commit 76da61e
- powerpc/64s: SLB miss already has CTR saved for relocatable kernel
(CVE-2020-4788 bsc#1177666).
- Refresh patches.suse/powerpc-64s-Set-assembler-machine-type-to-POWER4.patch.
- commit 741f364
- powerpc/64: Add CONFIG_PPC_BARRIER_NOSPEC (CVE-2020-4788 bsc#1177666).
- Refresh patches.suse/powerpc-64-Call-setup_barrier_nospec-from-setup_arch.patch
- Refresh patches.suse/powerpc-pmem-Update-ppc64-to-use-the-new-barrier-ins.patch.
- Update config files.
- commit b0085a7
- powerpc/rtas: Restrict RTAS requests from userspace
(CVE-2020-27777 bsc#1179107).
- Update config files.
- commit 3ed445b
- vt: Disable KD_FONT_OP_COPY (CVE-2020-28974 bsc#1178589).
- commit d9af9e6
- powerpc/64s: flush L1D after user accesses (CVE-2020-4788
bsc#1177666).
- Refresh patches.kabi/kABI-powerpc-avoid-including-pgtable.h-in-kup.h.patch.
- powerpc/uaccess: Evaluate macro arguments once, before user
access is allowed (CVE-2020-4788 bsc#1177666).
- powerpc: Fix __clear_user() with KUAP enabled (CVE-2020-4788
bsc#1177666).
- powerpc: Implement user_access_begin and friends (CVE-2020-4788
bsc#1177666).
- powerpc: Add a framework for user access tracking (CVE-2020-4788
bsc#1177666).
- powerpc/64s: flush L1D on kernel entry (CVE-2020-4788
bsc#1177666).
- powerpc/64s: move some exception handlers out of line
(CVE-2020-4788 bsc#1177666).
- powerpc/64s: Define MASKABLE_RELON_EXCEPTION_PSERIES_OOL
(CVE-2020-4788 bsc#1177666).
- powerpc/64s: Rename slb_miss_realmode() to slb_miss_common()
(CVE-2020-4788 bsc#1177666).
- powerpc/64s: Use BRANCH_TO_COMMON() for slb_miss_realmode
(CVE-2020-4788 bsc#1177666).
- commit f7d6c42
- fs/select.c: batch user writes in do_sys_poll (CVE-2020-4788
bsc#1177666).
- commit 011abbd
- Fonts: Replace discarded const qualifier (CVE-2020-28915
bsc#1178886).
- fbcon: Fix global-out-of-bounds read in fbcon_get_font()
(CVE-2020-28915 bsc#1178886).
- Fonts: Support FONT_EXTRA_WORDS macros for built-in fonts
(CVE-2020-28915 bsc#1178886).
- fbdev, newport_con: Move FONT_EXTRA_WORDS macros into
linux/font.h (CVE-2020-28915 bsc#1178886).
- commit 8016c83
- Input: sunkbd - avoid use-after-free in teardown paths
(CVE-2020-25669 bsc#1178182).
- commit e6736dd
- Refresh
patches.suse/0002-x86-speculation-Enable-Spectre-v1-swapgs-mitigations.patch.
- commit aa8cb4c
- NFS: only invalidate dentrys that are clearly invalid
(bsc#1178669 bsc#1170139).
- commit 1f6b5b1
- icmp: randomize the global rate limiter (CVE-2020-25705
bsc#1175721 git-fixes).
- commit 5acc8a6
- powerpc/pseries/cpuidle: add polling idle for shared processor
guests (bsc#1178765 ltc#188968).
- commit d04b75a
- Update
patches.suse/0001-btrfs-reloc-fix-reloc-root-leak-and-NULL-pointer-der.patch
(bsc#1171417 bsc#1160947 bsc#1172366 bsc#1176922).
- Update
patches.suse/0002-btrfs-reloc-clear-DEAD_RELOC_TREE-bit-for-orphan-roo.patch
(bsc#1171417 bsc#1160947 bsc#1172366 bsc#1176922).
Add references to bsc#1176922 as suggested by Ales Novak
- commit 07acb24
- scsi: qla2xxx: Do not consume srb greedily (bsc#1173233).
- scsi: qla2xxx: Handle incorrect entry_type entries
(bsc#1173233).
- commit f6ed4ca
- perf/core: Fix a memory leak in perf_event_parse_addr_filter()
(bsc#1178393, CVE-2020-25704).
- commit e96c0c9
- hyperv_fb: disable superfluous VERSION_WIN10_V5 case (bsc#1175306).
- commit 730fe90
- hyperv_fb: Update screen_info after removing old framebuffer
(bsc#1175306).
- x86/kexec: Use up-to-dated screen_info copy to fill boot params
(bsc#1175306).
- video: hyperv: hyperv_fb: Use physical memory for fb on HyperV
Gen 1 VMs (bsc#1175306).
- video: hyperv: hyperv_fb: Support deferred IO for Hyper-V
frame buffer driver (bsc#1175306).
- video: hyperv: hyperv_fb: Obtain screen resolution from Hyper-V
host (bsc#1175306).
- commit 9fb97f3
- Refresh
patches.suse/Bluetooth-A2MP-Fix-not-initializing-all-members.patch.
- Refresh
patches.suse/Bluetooth-L2CAP-Fix-calling-sk_filter-on-non-socket-.patch.
series_sort applied
- commit 7158741
- tty: make FONTX ioctl use the tty pointer they were actually
passed (bsc#1178123 CVE-2020-25668).
- commit 2fb3bcf
- vt: keyboard, extend func_buf_lock to readers (bnc#1177766
CVE-2020-25656).
- vt: keyboard, simplify vt_kdgkbsent (bnc#1177766
CVE-2020-25656).
- commit 933e7f7
- Disable ipa-clones dump for KMP builds (bsc#1178330)
The feature is not really useful for KMP, and rather confusing,
so let's disable it at building out-of-tree codes
- commit 35c709b
- x86/unwind/orc: Fix inactive tasks with stack pointer in %sp
on GCC 10 compiled kernels (bsc#1058115 bsc#1176907).
- commit 683e8d6
- livepatch: Test if -fdump-ipa-clones is really available
As of now we add -fdump-ipa-clones unconditionally. It does not cause a
trouble if the kernel is build with the supported toolchain. Otherwise
it could fail easily. Do the correct thing and test for the
availability.
- commit 2e11163
- Drivers: hv: vmbus: Add timeout to vmbus_wait_for_unload (bsc#1177816).
- commit b2fe9bc
- mm/hugetlb: fix a race between hugetlb sysctl handlers
(bsc#1176485, CVE-2020-25285).
- commit e28fbdd
- bpf: reject passing modified ctx to helper functions
(CVE-2020-0430 bsc#1176723).
- commit 6b08077
- btrfs: remove root usage from can_overcommit (bsc#1131277).
- Refresh
patches.suse/0003-btrfs-factor-out-the-ticket-flush-handling.patch.
- Refresh
patches.suse/0004-btrfs-export-space_info_add_-bytes.patch.
- Refresh
patches.suse/0005-btrfs-move-the-space_info-handling-code-to-space-info-c.patch.
- Refresh
patches.suse/0006-btrfs-move-and-export-can_overcommit.patch.
- Refresh
patches.suse/0007-btrfs-add-new-flushing-states-for-the-delayed-refs-rsv.patch.
- Refresh
patches.suse/0007-btrfs-move-the-space-info-update-macro-to-space-info-h.patch.
- Refresh
patches.suse/0008-btrfs-do-not-allow-reservations-if-we-have-pending-tickets.patch.
- Refresh
patches.suse/0008-btrfs-don-t-enospc-all-tickets-on-flush-failure.patch.
- Refresh
patches.suse/0008-btrfs-move-btrfs_space_info_add_-bytes-to-space-info-c.patch.
- Refresh
patches.suse/0009-btrfs-export-block_rsv_use_bytes.patch.
- Refresh
patches.suse/0009-btrfs-roll-tracepoint-into-btrfs_space_info_update-helper.patch.
- Refresh
patches.suse/0010-btrfs-be-more-explicit-about-allowed-flush-states.patch.
- Refresh
patches.suse/0010-btrfs-move-dump_space_info-to-space-info-c.patch.
- Refresh
patches.suse/0011-btrfs-move-reserve_metadata_bytes-and-supporting-code-to-space-info-c.patch.
- Refresh
patches.suse/0011-btrfs-stop-partially-refilling-tickets-when-releasing-space.patch.
- Refresh patches.suse/0012-btrfs-unexport-can_overcommit.patch.
- Refresh
patches.suse/0019-btrfs-make-the-delalloc-block-rsv-per-inode.patch.
- Refresh
patches.suse/0020-btrfs-do-not-account-global-reserve-in-can_overcommit.patch.
- Refresh
patches.suse/btrfs-extent-tree-add-trace-events-for-space-info-numbers-update.patch.
- Refresh
patches.suse/btrfs-extent-tree-detect-bytes_may_use-underflow-earlier.patch.
- Refresh
patches.suse/btrfs-remove-redundant-argument-of-flush_space.patch.
- commit 492e6bd
- xen/events: block rogue events for some time (XSA-332
bsc#1177411).
- commit c472bdc
- xen/events: defer eoi in case of excessive number of events
(XSA-332 bsc#1177411).
- commit a199a64
- xen/events: use a common cpu hotplug hook for event channels
(XSA-332 bsc#1177411).
- commit 9b5ac01
- xen/events: switch user event channels to lateeoi model
(XSA-332 bsc#1177411).
- commit 5d87745
- xen/pciback: use lateeoi irq binding (XSA-332 bsc#1177411).
- commit 286e5c1
- xen/scsiback: use lateeoi irq binding (XSA-332 bsc#1177411).
- commit d34a4a5
- xen/netback: use lateeoi irq binding (XSA-332 bsc#1177411).
- commit e64a874
- xen/blkback: use lateeoi irq binding (XSA-332 bsc#1177411).
- commit e507788
- xen/events: add a new "/late EOI"/ evtchn framework (XSA-332
bsc#1177411).
- commit be58cd0
- xen/events: fix race in evtchn_fifo_unmask() (XSA-332
bsc#1177411).
- commit fb97cc7
- xen/events: add a proper barrier to 2-level uevent unmasking
(XSA-332 bsc#1177411).
- commit abe3eaa
- xen/events: avoid removing an event channel while handling it
(XSA-331 bsc#1177410).
- commit 8e374e0
- xen/events: don't use chip_data for legacy IRQs (XSA-332 bsc#1065600).
- commit 492eb13
- XEN uses irqdesc::irq_data_common::handler_data to store a
per interrupt XEN data pointer which contains XEN specific
information (XSA-332 bsc#1065600).
- commit 884f207
- perf/core: Fix race in the perf_mmap_close() function
(bsc#1177086, CVE-2020-14351).
- commit 4543ba5
- ovl: verify permissions in ovl_path_open() (bsc#1177470,
CVE-2020-16120).
- ovl: switch to mounter creds in readdir (bsc#1177470,
CVE-2020-16120).
- ovl: pass correct flags for opening real directory
(bsc#1177470, CVE-2020-16120).
- commit e32875c
- powercap: Restrict energy meter to root access (bsc#1170415
CVE-2020-8694).
- commit addf703
- Move the upstreamed bluetooth fix into sorted section
- commit ae19157
- kABI workaround for bluetooth l2cap_ops filter addition
(CVE-2020-12351 bsc#1177724).
- commit 7467f71
- Bluetooth: L2CAP: Fix calling sk_filter on non-socket based
channel (CVE-2020-12351 bsc#1177724).
- commit 199fc71
- Bluetooth: A2MP: Fix not initializing all members
(CVE-2020-12352 bsc#1177725).
- commit 2266263
- NFS: Revalidate the file mapping on all fatal writeback errors
(bsc#1177340).
- NFS: On fatal writeback errors, we need to call
nfs_inode_remove_request() (bsc#1177340).
- commit 2b920c4
- Update
patches.suse/nfs-Fix-getxattr-kernel-panic-and-memory-overflow.patch
(bsc#1176381 CVE-2020-25212).
- Update
patches.suse/nfs-Fix-security-label-length-not-being-reset.patch
(bsc#1176381 CVE-2020-25212).
Fix CVE number
- commit 773ac2f
- Disable CONFIG_LIVEPATCH_IPA_CLONES where not needed
Explicitly disable CONFIG_LIVEPATCH_IPA_CLONES in configs where it is
not needed to avoid confusion and unwanted values due to fragment config
files.
- commit 240af1a
- geneve: add transport ports in route lookup for geneve
(CVE-2020-25645 bsc#1177511).
- commit e7568d7
- nfs: Fix security label length not being reset (bsc#1176381
CVE-2020-2521).
- commit a53755a
- kernel-binary.spec.in: Package the obj_install_dir as explicit filelist.
- commit 5587762
- scsi: fnic: Do not call 'scsi_done()' for unhandled commands
(bsc#1168468, bsc#1171675).
- commit 1f37436
- Refresh patches.kabi/futex-Fix-inode-life-time-issue.patch (CVE-2020-14381 bsc#1176011).
Update patch to fix requeue paths such that filp is valid when dropping
the references.
- commit 7c2a3c2
- NFSv4: don't mark all open state for recovery when handling
recallable state revoked flag (bsc#1176935).
- Refresh
patches.suse/NFSv4.1-Only-reap-expired-delegations.patch.
- commit 48c334c
- hdlc_ppp: add range checks in ppp_cp_parse_cr() (CVE-2020-25643
bsc#1177206).
- commit 20e2909
- block: allow for_each_bvec to support zero len bvec
(CVE-2020-25641 bsc#1177121).
- commit 78a0e1e
- rpm/constraints.in: recognize also kernel-source-azure (bsc#1176732)
- commit 7214bbe
- ocfs2: give applications more IO opportunities during fstrim
(bsc#1175228).
- commit 2c09f12
- Fix error in kabi fix for: NFSv4: Fix OPEN / CLOSE race
(bsc#1176950).
- commit 9ae2999
- net/nfc/rawsock.c: add CAP_NET_RAW check (CVE-2020-26088
bsc#1176990).
- commit 94a2f59
- scsi: ibmvfc: Avoid link down on FS9100 canister reboot
(bsc#1176962 ltc#188304).
- scsi: ibmvfc: Use compiler attribute defines instead of
__attribute__() (bsc#1176962 ltc#188304).
- commit 1fef06b
- rpadlpar_io: Add MODULE_DESCRIPTION entries to kernel modules
(bsc#1176869 ltc#188243).
- commit 895eb01
- fbcon: remove soft scrollback code (CVE-2020-14390 bsc#1176235).
- commit 44a3a25
- staging: most: net: fix buffer overflow (CVE-2020-0432
bsc#1176721).
- commit 528cea2
- pinctrl: devicetree: Avoid taking direct reference to device
name string (CVE-2020-0427 bsc#1176725).
- commit 825fe73
- HID: hid-input: clear unmapped usages (CVE-2020-0431
bsc#1176722).
- commit 835f6ff
- kernel-syms.spec.in: Also use bz compression (boo#1175882).
- commit ecaf78d
- Update
patches.suse/media-uvcvideo-Avoid-cyclic-entity-chains-due-to-mal.patch
(bsc#1051510 bsc#1176423 CVE-2020-0404).
- commit 4e69fe9
- nfs: Fix getxattr kernel panic and memory overflow (bsc#1176381
CVE-2020-2521).
- commit 41de7ea
- rpm/kernel-cert-subpackage: add CA check on key enrollment (bsc#1173115)
To avoid the unnecessary key enrollment, when enrolling the signing key
of the kernel package, "/--ca-check"/ is added to mokutil so that mokutil
will ignore the request if the CA of the signing key already exists in
MokList or UEFI db.
Since the macro, %_suse_kernel_module_subpackage, is only defined in a
kernel module package (KMP), it's used to determine whether the %post
script is running in a kernel package, or a kernel module package.
- commit b15c9bf
- futex: Fix inode life-time issue (CVE-2020-14381 bsc#1176011).
- commit 0091d77
- rpm/macros.kernel-source: pass -c proerly in kernel module package (bsc#1176698)
The "/-c"/ option wasn't passed down to %_kernel_module_package so the
ueficert subpackage wasn't generated even if the certificate is
specified in the spec file.
- commit 34808fb
- kernel-binary.spec.in: SLE12 tar does not understand --verbatim-files-from
- commit fe331a6
- rbd: require global CAP_SYS_ADMIN for mapping and unmapping
(CVE-2020-25284 bsc#1176482).
- commit 80192f0
- Revert "/sign also s390x kernel images (bsc#1163524)"/
This reverts commit b38b61155f0a2c3ebca06d4bb0c2e11a19a87f1f.
- commit 344de60
- Revert "/rpm/kernel-binary.spec.in: Also sign ppc64 kernels (jsc#SLE-15857"/
This reverts commit 971fc3df729b6a7692040f4e7fc7664d8e12c659.
- commit 112866d
- livepatch: Add -fdump-ipa-clones to build (fate#323487).
Add support for -fdump-ipa-clones GCC option.
Update config files accordingly.
- commit 19fdfe5
- rpm/kernel-binary.spec.in: pack .ipa-clones files for live patching
When -fdump-ipa-clones option is enabled, GCC reports about its cloning
operation during IPA optimizations. We use the information for live
patches preparation, because it is crucial to know if and how functions
are optimized.
Currently, we create the needed .ipa-clones dump files manually. It is
unnecessary, because the files may be created automatically during our
kernel build. Prepare for the step and provide the resulting files in
- livepatch-devel package.
- commit 98e5a9d
- rpm/kernel-source.spec.in: Also use bz compression (boo#1175882).
- commit 375ec84
- rpm/kernel-binary.spec.in: Also sign ppc64 kernels (jsc#SLE-15857
jsc#SLE-13618).
- commit 971fc3d
- obsolete_kmp: provide newer version than the obsoleted one
(boo#1170232).
- commit c5ecb27
- rpm/kernel-binary.spec.in: restrict livepatch metapackage to default flavor
It has been reported that the kernel-*-livepatch metapackage got
erroneously enabled for SLE15-SP3's new -preempt flavor, leading to a
unresolvable dependency to a non-existing kernel-livepatch-x.y.z-preempt
package.
As SLE12 and SLE12-SP1 have run out of livepatching support, the need to
build said metapackage for the -xen flavor is gone and the only remaining
flavor for which they're still wanted is -default.
Restrict the build of the kernel-*-livepatch metapackage to the -default
flavor.
- commit 58949f3
- rpm/kernel-obs-build.spec.in: Enable overlayfs
Overlayfs is needed for podman or docker builds when no more specific
driver can be used (like lvm or btrfs). As the default build fs is ext4
currently, we need overlayfs kernel modules to be available.
- commit 29474aa
- rpm/kernel-binary.spec.in: do not run klp-symbols for configs with no modules
Starting with 5.8-rc1, s390x/zfcpdump builds fail because rpm/klp-symbols
script does not find .tmp_versions directory. This is missing because
s390x/zfcpdump is built without modules (CONFIG_MODULES disabled).
As livepatching cannot work without modules, the cleanest solution is
setting %klp_symbols to 0 if CONFIG_MODULES is disabled. (We cannot simply
add another condition to the place where %klp_symbols is set as it can be
already set to 1 from prjconf.)
- commit a048c4b
- rpm: drop execute permissions on source files
Sometimes a source file with execute permission appears in upstream
repository and makes it into our kernel-source packages. This is caught by
OBS build checks and may even result in build failures.
Sanitize the source tree by removing execute permissions from all C source
and header files.
- commit 771e293
- rpm/kernel-source.spec.in: Add obsolete_rebuilds (boo#1172073).
- commit 6524463
- rpm/check-for-config-changes: Ignore CONFIG_CC_VERSION_TEXT
- commit 8e6b05f
- kernel-docs: Change Requires on python-Sphinx to earlier than version 3
References: bsc#1166965
From 3 on the internal API that the build system uses was rewritten in
an incompatible way.
See https://github.com/sphinx-doc/sphinx/issues/7421 and
https://bugzilla.suse.com/show_bug.cgi?id=1166965#c16 for some details.
- commit cf60b5c
- rpm/check-for-config-changes: Ignore CONFIG_LD_VERSION
- commit e60242e
- constrants: fix malformed XML
Closing tag of an element is "/</foo>"/, not "/<foo/>"/.
Fixes: 8b37de2eb835 ("/rpm/constraints.in: Increase memory for kernel-docs"/)
- commit 4a8ca28
- rpm/constraints.in: Increase memory for kernel-docs
References: https://build.opensuse.org/request/show/792664
- commit 8b37de2
- rpm/kabi.pl: account for namespace field being moved last
Upstream is moving the namespace field in Module.symvers last in order to
preserve backwards compatibility with kmod tools (depmod, etc). Fix the kabi.pl
script to expect the namespace field last. Since split() ignores trailing empty
fields and delimeters, switch to using tr to count how many fields/tabs are in
a line. Also, in load_symvers(), pass LIMIT of -1 to split() so it does not
strip trailing empty fields, as namespace is an optional field.
- commit a3bb253
- rpm/package-descriptions: garbege collection
remove old ARM and Xen flavors.
- commit bda0360
- Created new preempt kernel flavor (jsc#SLE-11309)
Configs are cloned from the respective $arch/default configs. All
changed configs appart from CONFIG_PREEMPT->y are a result of
dependencies, namely many lock/unlock primitives are no longer
inlined in the preempt kernel. TREE_RCU has been also changed to
PREEMPT_RCU which is the default implementation for PREEMPT kernel.
- commit f994874
- sign also s390x kernel images (bsc#1163524)
- commit b38b611
- rpm/mkspec-dtb: add mt76 based dtb package
- commit 8ff92d0
- rpm/kernel-obs-build.spec.in: add dm-crypt for building with cryptsetup
Co-Authored-By: Adam Spiers <aspiers@suse.com>
- commit 7cf5b9e
- Drop sysctl files for dropped archs, add ppc64le and arm64
(bsc#1178838).
Also fix the ppc64 page size.
- commit 4ae6d3e
- krb5
-
- Add recursion limit for ASN.1 indefinite lengths; (CVE-2020-28196);
(bsc#1178512);
- Added patches:
* 0125-Add-recursion-limit-for-ASN.1-indefinite-lengths.patch
- libnl3
-
- Add libnl3-fix-ipv6-privacy-extension.patch: fix ipv6 privacy
extension of NetworkManager not working by backporting these 3
commits (bsc#1025043):
42c41336000e ("/add support for IFA_FLAGS nl attribute"/)
dcc0baac020e ("/addr: add address flag IFA_F_MANAGETEMPADDR"/)
b203c89d862a ("/addr: add address flag IFA_F_NOPREFIXROUTE"/)
- libxml2
-
- Avoid quadratic checking of identity-constraints: [bsc#1178823]
* key/unique/keyref schema attributes currently use qudratic loops
to check their various constraints (that keys are unique and that
keyrefs refer to existing keys).
* This fix uses a hash table to avoid the quadratic behaviour.
- Add libxml2-Avoid-quadratic-checking-of-identity-constraints.patch
- libzypp
-
- RepoManager: Carefully tidy up the caches. Remove non-directory
entries. (bsc#1178966)
- version 16.21.4 (0)
- ZYPP_MEDIA_CURL_DEBUG logs full Authorization: header (bsc#1174215)
The Authorization: header may include base64 encoded credentials
which could be restored from the log file. The credentials are
now stripped from the log.
- version 16.21.3 (0)
- logrotate
-
- Fix false alarm when using su and compress (bsc#1179189)
Applies commit 15a768b340d1010e22955ace518425cdb13bba5f
* Added patch logrotate-3.11.0-false-alarm-for-su-compress.patch
- lvm2
-
- pvmove destination LV always has KRahead=0 (bsc#1179326)
+ bug-1179326_pvmove-correcting-read_ahead-setting.patch
- Update lvm2.spec file (bsc#1177533)
- in %postun, disable restart blk-availability.service & lvm2-monitor.service
- openldap2-client
-
- bsc#1178909 CVE-2020-25709 CVE-2020-25710 - Resolves two issues
where openldap would crash due to malformed inputs.
* patch: 0207-ITS-9383-remove-assert-in-certificateListValidate.patch
* patch: 0208-ITS-9384-remove-assert-in-obsolete-csnNormalize23.patch
- bsc#1178387 (CVE-2020-25692) - unauthenticated remote denial of
service due to incorrect validation of modrdn equality rules.
* patch: 0206-ITS-9370-check-for-equality-rule-on-old_rdn.patch
- openssh
-
- Add openssh-bsc1148566-scp-handle-quotes-while-checking-filenames-from-serv.patch,
openssh-bsc1148566-scp-show-filename-match-patterns-in-verbose-mode.patch
(bsc#1148566). Fixes a class of false alarms due to filename
validation. Patches by Josef Cejka <jcejka@suse.com>.
- Add openssh-bsc1161684-authorizedkeyscommand-deadlock.patch
(bsc#1161684), which fixes a deadlock when AuthorizedKeysCommand
or AuthorizedPrincipalsCommand produce a lot of output and a
key is matched early.
- Add openssh-CVE-2020-14145-information-leak.patch
(CVE-2020-14145, bsc#1173513). This partially mitigates a
potential information leak during host key exchange that could
be exploited by a man-in-the-middle attacker.
- Add openssh-fips-moduli-skip-filtering-nonfips.patch
(bsc#1179242). This disables time-consuming DH parameter checks
in non-FIPS mode.
- Add openssh-fips-ensure-approved-moduli.patch (bsc#1177939).
This ensures only approved DH parameters are used in FIPS mode.
- openssl-1_0_0
-
- Add declaration of BN_secure_new() needed by other packages
* add openssl-1.0.2p-declare-BN_secure_new.patch
* [bsc#1180777]
- Add FIPS key check necessary for certification.
* modified openssl-DH.patch
* [bsc#1180959]
- OpenSSL Security Advisory [08 December 2020]
* Fix EDIPARTYNAME NULL pointer dereference
(CVE-2020-1971, bsc#1179491)
* add openssl-CVE-2020-1971.patch
- pam
-
- Initialize pam_unix pam_sm_acct_mgmt() local variable "/daysleft"/
to avoid spurious (and misleading)
Warning: your password will expire in ... days.
fixed upstream with commit db6b293046a
[bsc#1178727, pam-bsc1178727-initialize-daysleft.patch]
- pam-modules
-
- The fail delay is fixed and annoying. The relevant code sections
from factory are backported here. There is not patch as the
file with the offending code resides in the top level directory.
[unix2_chkpw.c, bsc#1070595]
- parted
-
- skip probing _part devices (bsc#1137259)
+ parted-bsc1137259-fix-_part-error.patch
- python
-
- Add CVE-2021-3177-buf_ovrfl_PyCArg_repr.patch fixing
bsc#1181126 (CVE-2021-3177) buffer overflow in PyCArg_repr in
_ctypes/callproc.c, which may lead to remote code execution.
- Provide the newest setuptools wheel (bsc#1176262,
CVE-2019-20916) in their correct form (bsc#1180686).
- Replace bundled wheels for pip and setuptools with the updated ones
(bsc#1176262 CVE-2019-20916).
- python-azure-agent
-
- Add sysvinit-tools as dependency (bsc#1181600, bsc#1181601)
- Add sle_hpc-is-sles.patch (bsc#1180719)
+ Recognise SLE_HPC as SLES and use the proper RDMA handler and
distro specific initialization code
- python-base
-
- Add CVE-2021-3177-buf_ovrfl_PyCArg_repr.patch fixing
bsc#1181126 (CVE-2021-3177) buffer overflow in PyCArg_repr in
_ctypes/callproc.c, which may lead to remote code execution.
- Provide the newest setuptools wheel (bsc#1176262,
CVE-2019-20916) in their correct form (bsc#1180686).
- Replace bundled wheels for pip and setuptools with the updated ones
(bsc#1176262 CVE-2019-20916).
- python-cryptography
-
- Add 5507-mitigate-Bleichenbacher-attacks.patch (bsc#1178168,
CVE-2020-25659).
- python-jsonschema
-
- Update in SLE-12 (fate#326950, bsc#1122668, jsc#PM-1447)
- Convert to single-spec (fate#324191, bsc#1065275)
- Run fdupes to hardlink duplicate files
+ Add fdupes to BuildRequires
+ Add %fdupes %{buildroot}/%{_prefix} to %install
- Add condition around the python2 code to make sure we can build
in python3 only enviroment
- Source url must be https.
- Fix source url.
- Update to 2.6.0
* Improved performance on CPython by adding caching around ref resolution
(#203)
- Implement single-spec version
- Adjust dependencies for Python 2.6 based SLE 11
- update to version 2.5.1:
(no changelog available)
- update to version 2.5.0:
* Improved performance on CPython by adding caching around ref
resolution (#203)
- specfile:
* add python-vcversioner
- drop test requirements and %check section, which is broken
- Fix update-alternatives usage
- python-paramiko
-
- Add 0006-CVE-2018-1000805-auth_bypass.patch to fix bsc#1111151
(CVE-2018-1000805) authentication bypass in auth_handler.py
- python-pip
-
- Add wheel subpackage with the generated wheel for this package
(bsc#1176262, CVE-2019-20916).
- Make wheel a separate build run to avoid the setuptools/wheel build
cycle.
- python-pyserial
-
- Setup single spec build (jsc#PM-2335)
- python-setuptools
-
- Add wheel subpackage with the generated wheel for this package
(bsc#1176262, CVE-2019-20916).
- python-urllib3
-
- Add CVE-2020-26116-CRLF-injection.patch which raises ValueError
if method contains control characters and thus prevents CRLF
injection into URLs (bsc#1177211, bpo#39603, CVE-2020-26116,
gh#urllib3/urllib3#1800).
- python3
-
- Add CVE-2021-3177-buf_ovrfl_PyCArg_repr.patch fixing
bsc#1181126 (CVE-2021-3177) buffer overflow in PyCArg_repr in
_ctypes/callproc.c, which may lead to remote code execution.
- Provide the newest setuptools wheel (bsc#1176262,
CVE-2019-20916) in their correct form (bsc#1180686).
- Replace bundled wheels for pip and setuptools with the updated ones
(bsc#1176262 CVE-2019-20916).
- python3-base
-
- Add CVE-2021-3177-buf_ovrfl_PyCArg_repr.patch fixing
bsc#1181126 (CVE-2021-3177) buffer overflow in PyCArg_repr in
_ctypes/callproc.c, which may lead to remote code execution.
- Provide the newest setuptools wheel (bsc#1176262,
CVE-2019-20916) in their correct form (bsc#1180686).
- Replace bundled wheels for pip and setuptools with the updated ones
(bsc#1176262 CVE-2019-20916).
- salt
-
- Revert wrong zypper patch to support vendorchanges flags on pkg.install
- Adjusted python2-cherrypy naming in salt-api. (#40)
- Added:
* revert-add-patch-support-for-allow-vendor-change-opt.patch
- Force zyppnotify to prefer Packages.db than Packages if it exists
- Allow vendor change option with zypper
- Added:
* force-zyppnotify-to-prefer-packages.db-than-packages.patch
* add-patch-support-for-allow-vendor-change-option-wit.patch
- Add pkg.services_need_restart
- Bigvm backports:
virt consoles, CPU tuning and topology, and memory tuning.
- Fix for file.check_perms to work with numeric uid/gid
- Added:
* fix-salt.utils.stringutils.to_str-calls-to-make-it-w.patch
* add-pkg.services_need_restart-302.patch
* opensuse-3000-bigvm-backports-300.patch
- Change 'Requires(pre)' to 'Requires' for salt-minion package (bsc#1083110)
- Fix syntax error on pkgrepo state with Python 2.7
- transactional_update: unify with chroot.call
- Added:
* pkgrepo-support-python-2.7-function-call-294.patch
* transactional_update-unify-with-chroot.call.patch
- Add "/migrated"/ state and GPG key management functions
- Added:
* add-migrated-state-and-gpg-key-management-functions-.patch
- Master can read grains
- Added:
* grains-master-can-read-grains.patch
- Fix for broken psutil (bsc#1102248)
- Added:
* fix-for-bsc-1102248-psutil-is-broken-and-so-process-.patch
- Fix novendorchange handling in zypperpkg module
- Added:
* fix-novendorchange-option-284.patch
- screen
-
- Fix double width combining char handling that could lead
to a segfault [bnc#1182092] [CVE-2021-26937]
new patch: combchar.diff
- sg3_utils
-
- Fix wrong device ID for devices using NAA extended format
(bsc#1116107)
- sudo
-
- Fix Heap-based buffer overflow in Sudo [bsc#1181090,CVE-2021-3156]
* sudo-CVE-2021-3156.patch
- Possible Dir Existence Test due to Race Condition in `sudoedit`
[bsc#1180684,CVE-2021-23239]
* sudo-CVE-2021-23239.patch
- Possible Symlink Attack in SELinux Context in `sudoedit` [bsc#1180685,
CVE-2021-23240]
* sudo-CVE-2021-23240.patch
- User Could Enable Debug Settings not Intended for it [bsc#1180687]
* sudo-fix-bsc-1180687.patch
- systemd
-
- Import commit ff6d4f46f06a3c0a83860b9d35e9fd8ff2e24b6a
c4f1cd656e build-sys: optionnally disable support of journal over the network (bsc#1177458)
b20b43ce81 journal-upload: remove microhttpd dependency
8ae2d0fac4 More polite passphrase prompt
9841d745d0 cryptsetup: support LUKS2 on-disk format (bsc#1083571 jsc#SLE-13842)
84390362cd cryptsetup: ignore _netdev, since it is used in generator (#7282)
d14463fc62 tree-wide: always invoke setmntent() with "/re"/ mode
f99b0fe353 ask-password: prevent buffer overrow when reading from keyring (bsc#1177510)
c9c3eaaec7 ask-password: add extra paranoid overflow check
e2d35a356e mount: don't propagate errors from mount_setup_unit() further up
1f6e0a6c82 basic/virt: Detect PowerVM hypervisor (bsc#1176800)
068036bd1c fs-util: suppress world-writable warnings if we read /dev/null
968fbc4219 udevadm: rename option '--log-priority' into '--log-level'
bcd7560985 udev: rename kernel option 'log_priority' into 'log_level'
29e69c2c94 udev: when reading kernel cmdline options "/-"/ and "/_"/ are now considered equivalent
be8df3996a fstab-generator: add 'nofail' when NFS 'bg' option is used (bsc#1176513)
8b7c5b93b1 core: coldplug possible nop_job (bsc#1139459)
- Rework the enablement of 'journal_remote' support to rely on the new
build option --disable-remote. This allows to drop the workaround
that consisted in cleaning journal-upload files manually when
'journal_remote' support was disabled.
- Drop 0001-core-coldplug-possible-nop_job.patch
It's part of SUSE/v228 branch.
- Move journal-remote.conf.5.* man pages into systemd-journal_remote sub package
- tcpdump
-
- Security fix: [bsc#1178466, CVE-2020-8037]
* PPP decapsulator: Allocate the right buffer size
- Add tcpdump-CVE-2020-8037.patch
- timezone
-
- timezone update 2021a (bsc#1177460)
* South Sudan changes from +03 to +02 on 2021-02-01 at 00:00.
- timezone update 2020f (bsc#1177460)
* 'make rearguard_tarballs' no longer generates a bad rearguard.zi,
fixing a 2020e bug.
- timezone update 2020e (bsc#1177460)
* Volgograd switches to Moscow time on 2020-12-27 at 02:00.
- yast2-ruby-bindings
-
- Reporting augeas parsing errors and displaying them in rich-text
format (bsc#1174198).
- 3.2.18
- Backported jreidinger's patches to SLE-12-SP5 (bsc#1172848):
- yast2-tune
-
- Backport: Fixed scheduler activation: do not activate the new
scheduler for devices which do not support it (bsc#1052770)
(backport request at bsc#1177035)
- 3.2.1
- zypper
-
- Fix typo in list-patches help (bsc#1178925)
- version 1.13.58
- Fix SEGV in Spanish translations (bsc#1178038)
- version 1.13.57
- Fix typo in man page (bsc#1169947)
- version 1.13.56