- _product:sle-sdk-release
-
n/a
- wget
-
- Fix mishandled semicolons in the userinfo subcomponent, which could lead to
insecure behavior in which data that was supposed to be in the userinfo
subcomponent is misinterpreted to be part of the host subcomponent.
[bsc#1226419, CVE-2024-38428, properly-re-implement-userinfo-parsing.patch]
- krb5
-
- Fix vulnerabilities in GSS message token handling, add patch
0016-Fix-vulnerabilities-in-GSS-message-token-handling.patch
* CVE-2024-37370, bsc#1227186
* CVE-2024-37371, bsc#1227187
- cups
-
- cups-1.7.5-CVE-2024-35235.patch for CUPS 1.7.5 in SLE12
is derived from our cups-2.2.7-CVE-2024-35235.patch for SLE15
which was derived from the upstream patch for CUPS 2.5
to behave backward compatible for CUPS 1.7.5 in SLE12
to fix CVE-2024-35235
"cupsd Listen port arbitrary chmod 0140777"
without the more secure but backward-incompatible behaviour
of the upstream patch for CUPS 2.5
that ignores domain sockets specified in 'Listen' entries
in /etc/cups/cupsd.conf when cupsd is launched via systemd
(in particular when launched on-demand by systemd)
https://github.com/OpenPrinting/cups/security/advisories/GHSA-vvwp-mv6j-hw6f
bsc#1225365
- python36
-
- Add CVE-2024-4032-private-IP-addrs.patch to fix bsc#1226448
(CVE-2024-4032) rearranging definition of private v global IP
addresses.
- Add CVE-2024-0397-memrace_ssl.SSLContext_cert_store.patch
fixing bsc#1226447 (CVE-2024-0397) by removing memory race
condition in ssl.SSLContext certificate store methods.
- python-azure-core
-
- Add patch to fix syntax error in python 3.4 (bsc#1225002)
+ az-core-syntx-tuple-bsc1225002.patch
- release-notes-sles
-
- 12.5.20240614 (tracked in bsc#933411)
- Added note about openSSH 8.4 (bsc#1222298)
- Added note about unsupported hibernate/suspend on Xen (bsc#1214405)
- Added note about chrony 4.1 (jsc#SLE-22248)
- Added note about adcli --dont-expire-password (jsc#SLE-21223)
- Added note about sudo -U -l restriction (jsc#SLE-22569)
- Added note about nodejs16 addition (jsc#SLE-21234)
- Added note about rsyslog 8.2106 (jsc#SLE-21522)
- Added note about tcl 8.6.12 (jsc#SLE-21015)
- Added note about sudo 1.8.27 update (jsc#SLE-17083)
- python-dnspython
-
- Update py3_fixes.patch to fix all python3 issues and make the code
compatible with python2 and python3.
- Add upstream patches to solve CVE-2023-29483:
- CVE-2023-29483-pre1.patch
- CVE-2023-29483.patch
(bsc#1222693, CVE-2023-29483, gh#rthalley/dnspython#1044)
- docker
-
[NOTE: This update was only ever released in SLES and Leap.]
- Update to Docker 25.0.6-ce. See upstream changelog online at
<https://docs.docker.com/engine/release-notes/25.0/#2506>
- This update includes a fix for CVE-2024-41110. bsc#1228324
- Rebase patches:
* 0001-SECRETS-daemon-allow-directory-creation-in-run-secre.patch
* 0002-SECRETS-SUSE-implement-SUSE-container-secrets.patch
* 0003-BUILD-SLE12-revert-graphdriver-btrfs-use-kernel-UAPI.patch
* 0004-bsc1073877-apparmor-clobber-docker-default-profile-o.patch
* 0005-SLE12-revert-apparmor-remove-version-conditionals-fr.patch
* 0006-bsc1221916-update-to-patched-buildkit-version-to-fix.patch
* 0007-bsc1214855-volume-use-AtomicWriteFile-to-save-volume.patch
- Rebase patches:
* 0001-SECRETS-daemon-allow-directory-creation-in-run-secre.patch
* 0002-SECRETS-SUSE-implement-SUSE-container-secrets.patch
* 0003-BUILD-SLE12-revert-graphdriver-btrfs-use-kernel-UAPI.patch
* 0004-bsc1073877-apparmor-clobber-docker-default-profile-o.patch
* 0005-SLE12-revert-apparmor-remove-version-conditionals-fr.patch
- Fix BuildKit's symlink resolution logic to correctly handle non-lexical
symlinks. Backport of <https://github.com/moby/buildkit/pull/4896> and
<https://github.com/moby/buildkit/pull/5060>. bsc#1221916
+ 0006-bsc1221916-update-to-patched-buildkit-version-to-fix.patch
- Write volume options atomically so sudden system crashes won't result in
future Docker starts failing due to empty files. Backport of
<https://github.com/moby/moby/pull/48034>. bsc#1214855
+ 0007-bsc1214855-volume-use-AtomicWriteFile-to-save-volume.patch
- zypper
-
- Show rpm install size before installing (bsc#1224771)
If filesystem snapshots are taken before the installation (e.g.
by snapper) no disk space is freed by removing old packages. In
this case the install size of all packages is a hint how much
additional disk space is needed by the new packages static
content.
- version 1.13.67
- clean: Do not report an error if no repos are defined at all
(bsc#1223971)
- version 1.13.66
- xfsprogs
-
- xfs_copy: bail out early when superblock cannot be verified
(bsc#1227150)
- add xfs_copy-bail-out-early-when-superblock-cannot-be-ve.patch
- libxml2
-
- Security fix (CVE-2024-34459, bsc#1224282) buffer over-read in
xmlHTMLPrintFileContext in xmllint.c
* Added libxml2-CVE-2024-34459.patch
- wicked
-
- Update to version 0.6.76
- compat-suse: warn user and create missing parent config of
infiniband children (gh#openSUSE/wicked#1027)
- client: fix origin in loaded xml-config with obsolete port
references but missing port interface config, causing a
no-carrier of master (bsc#1226125)
- ipv6: fix setup on ipv6.disable=1 kernel cmdline (bsc#1225976)
- wireless: add frequency-list in station mode (jsc#PED-8715)
- client: fix crash while hierarchy traversing due to loop in
e.g. systemd-nspawn containers (bsc#1226664)
- man: add supported bonding options to ifcfg-bonding(5) man page
(gh#openSUSE/wicked#1021)
- arputil: Document minimal interval for getopts (gh#openSUSE/wicked#1019)
- man: (re)generate man pages from md sources (gh#openSUSE/wicked#1018)
- client: warn on interface wait time reached (gh#openSUSE/wicked#1017)
- compat-suse: fix dummy type detection from ifname to not cause
conflicts with e.g. correct vlan config on dummy0.42 interfaces
(gh#openSUSE/wicked#1016)
- compat-suse: fix infiniband and infiniband child type detection
from ifname (gh#openSUSE/wicked#1015)
- Removed patches included in the source archive:
[- 0001-ifreload-pull-UP-again-on-master-lower-changes-bsc1224100.patch]
[- 0002-increase-arp-retry-attempts-on-sending-bsc1218668.patch]
- arp: increase arp-send retry value to avoid address configuration
failure due to ENOBUF reported by kernel while duplicate address
detection with underlying bonding in 802.3ad mode reporting link
"up & running" too early (bsc#1218668, gh#openSUSE/wicked#1020,
gh#openSUSE/wicked#1022).
[+ 0002-increase-arp-retry-attempts-on-sending-bsc1218668.patch]
- gcc13
-
- Update to GCC 13.3 release
- Update to gcc-13 branch head, b7a2697733d19a093cbdd0e200, git8761
- Removed gcc13-pr111731.patch now included upstream
- Add gcc13-amdgcn-remove-fiji.patch removing Fiji support from
the GCN offload compiler as that is requiring Code Object version 3
which is no longer supported by llvm18.
- Add gcc13-pr101523.patch to avoid combine spending too much
compile-time and memory doing nothing on s390x. [boo#1188441]
- Make requirement to lld version specific to avoid requiring the
meta-package.
- Add gcc13-pr111731.patch to fix unwinding for JIT code.
[bsc#1221239]
- Revert libgccjit dependency change. [boo#1220724]
- Fix libgccjit-devel dependency, a newer shared library is OK.
- Fix libgccjit dependency, the corresponding compiler isn't required.
- Use %patch -P N instead of %patchN.
- Add gcc13-sanitizer-remove-crypt-interception.patch to remove
crypt and crypt_r interceptors. The crypt API change in SLE15 SP3
breaks them. [bsc#1219520]
- Update to gcc-13 branch head, 67ac78caf31f7cb3202177e642, git8285
- Add gcc13-pr88345-min-func-alignment.diff to add support for
-fmin-function-alignment. [bsc#1214934]
- Use %{_target_cpu} to determine host and build.
- Update to gcc-13 branch head, fc7d87e0ffadca49bec29b2107, git8250
* Includes fix for building TVM. [boo#1218492]
- Add cross-X-newlib-devel requires to newlib cross compilers.
[boo#1219031]
- Package m2rte.so plugin in the gcc13-m2 sub-package rather than
in gcc13-devel. [boo#1210959]
- Require libstdc++6-devel-gcc13 from gcc13-m2 as m2 programs
are linked against libstdc++6.
- Update to gcc-13 branch head, 36ddb5230f56a30317630a928, git8205
- Update to gcc-13 branch head, 741743c028dc00f27b9c8b1d5, git8109
* Includes fix for building mariadb on i686. [bsc#1217667]
* Remove pr111411.patch contained in the update.
- Avoid update-alternatives dependency for accelerator crosses.
- Package tool links to llvm in cross-amdgcn-gcc13 rather than in
cross-amdgcn-newlib13-devel since that also has the dependence.
- Depend on llvmVER instead of llvm with VER equal to
%product_libs_llvm_ver where available and adjust tool discovery
accordingly. This should also properly trigger re-builds when
the patchlevel version of llvmVER changes, possibly changing
the binary names we link to. [bsc#1217450]
- python-azure-agent
-
- Keep the existing config file (bsc#1222620)
+ During separation of the config file into subpackages it was forgotten
that on update of the main package the previously provided config file
would be removed. Since we do not know which flavor of our images the
package is being upgraded on, preserve the previously existing config
file. This will orphan the file if none of the -config-* packages gets
installed.
- Do not force wicked dependency for networking, allow NM in SLE Micro 5.5
and for ALP based products
- Change patch syntax in preparation for RPM 4.20
- Recognise SLE-Micro as a SLE based distro
+ Add agent-micro-is-sles.patch
- Create sub-packages for the config (jsc#PED-7869)
+ Remove config manipulation from image building
+ Set up a config for SLE-Micro
+ Makes default upstream config available
- Update to 2.9.1.1 (bsc#1217301, bsc#1217302)
+ Update remove-mock.patch
+ Download certificates when goal state source is fast track #2761
+ Increase the max number of extension events by 20% #2785
+ Remove version suffix from extension slice #2782
+ Support int type for eventPid and eventTid fields #2786
+ Improve log for swap counter not found #2789
+ Remove cgroup files during deprovisioning #2790
+ Log VM architecture in heartbeat telemetry for arm64 adoption
monitoring #2818
+ Enforce memory usage for agent #2671
+ Use common download logic for agent downloads #2682
+ Implement Fedora distro #2642
+ Report message in handler heartbeat #2688
+ Remove dependency on pathlib from makepkg #2717
+ Do not fetch extensions goal state in log collector #2713
+ Update log collector unit file to remove memory limit #2757
+ Fix bug in get_dhcp_pid (CoreOS) #2784
+ Fetch full distro version for mariner #2773
From 2.9.04
+ Resource Governance on extensions (CPU monitoring and enforcing & Memory
monitoring) #2632 #2581 #2555
+ Agent resource governance #2597 #2591 #2546
+ monitor system-wide memory metrics (#2610)
+ Additional telemetry for goal state (#2675)
+ HostGAPlugin usage improvements #2662 #2673 #2655 #2651
+ Add logging statements for mrseq migration during update (#2667)
+ Logcollector memory usage #2658 #2637
+ Update Log Collector default in Comments and Readme (#2608)
+ Improve telemetry success and failure markers (#2605) #2604 #2599
+ Fix formatting of exceptions on Python 3.10
(traceback.format's etype argument) (#2663)
+ Fix UNKNOWN(Zombie) Process in unexpected processes check (#2644)
+ SUSE: Fix valid values for DHCLIENT_HOSTNAME_OPTION (#2643)
+ Debian - string conversion for systemd service (#2574)
+ Do not set a CPU quota on the agent for RHEL and Centos (#2685) #2689 #2693
+ support rhel distro (#2620) #2598
+ Added support for devuan linux distribution (#2553)
No incremental updates between 2.8.011 and 2.9.0.4
- Clean up conditions in spec file:
+ There is no maintained distro > 1315 (SLE12) AND < 1500
(SLE15). Only openSUSE 13.2 and 13.3 lived in that space, but
they are clearly not the target of this spec file.
+ if 0%{?Suse_version} && 0{?suse_version} > 1315: no need to
first validate suse_version being defined: whenever it
is > 1315, must be defined.
- Add patch remove-mock.patch:
* Use unittest.mock first, falling back to mock if required.
- Tighten Requires against python3-mock.
- libzypp
-
- Url: Hide known password entries when writing the query part
(bsc#1050625 bsc#1177583, CVE-2017-9271)
- version 16.22.13 (0)
- openldap2
-
- bsc#1217985 - Null pointer deref in referrals as part of
ldap_chain_response()
* 0229-ITS-9262-check-referral.patch
- bsc#1220787 - increase DH param minimums to 2048 bits
* 0228-bsc-1220787-increase-dh-param-minimums.patch
- _product:SLES-release
-
n/a
- kernel-azure
-
- ip6_tunnel: make sure to pull inner header in __ip6_tnl_rcv()
(CVE-2024-26641 bsc#1221654).
- commit d8b5654
- hsr: Fix uninit-value access in hsr_get_node() (bsc#1223021
CVE-2024-26863).
- net: hsr: fix placement of logical operator in a multi-line
statement (bsc#1223021).
- commit fee2391
- ip6_tunnel: fix NEXTHDR_FRAGMENT handling in
ip6_tnl_parse_tlv_enc_lim() (CVE-2024-26633 bsc#1221647).
- commit ac59795
- net: sock: preserve kabi for sock (bsc#1221010 CVE-2021-47103).
- commit 00f2734
- inet: fully convert sk->sk_rx_dst to RCU rules (bsc#1221010
CVE-2021-47103).
- commit 955aaf2
- Bluetooth: l2cap: fix null-ptr-deref in l2cap_chan_timeout
(bsc#1224177 CVE-2024-27399).
- commit d434878
- ACPI: processor_idle: Fix memory leak in
acpi_processor_power_exit() (bsc#1223043 CVE-2024-26894).
- commit 4961307
- scsi: bnx2fc: Remove spin_lock_bh while releasing resources
after upload (bsc#1224767 CVE-2024-36919).
- scsi: lpfc: Move NPIV's transport unregistration to after
resource clean up (bsc#1225898 CVE-2024-36592).
- commit b870cb7
- selinux: fix double free of cond_list on error paths
(bsc#1226699 CVE-2022-48740).
- commit 238a8df
- fs/9p: fix uninitialized values during inode evict (bsc#1225815
CVE-2024-36923).
- commit 7737b69
- btrfs: fix crash on racing fsync and size-extending write into
prealloc (bsc#1227101 CVE-2024-37354).
- btrfs: add helper to truncate inode items when logging inode
(bsc#1227101 CVE-2024-37354).
- btrfs: don't set the full sync flag when truncation does not
touch extents (bsc#1227101 CVE-2024-37354).
- btrfs: fix misleading and incomplete comment of btrfs_truncate()
(bsc#1227101 CVE-2024-37354).
- btrfs: make btrfs_truncate_inode_items take btrfs_inode
(bsc#1227101 CVE-2024-37354).
- commit 25e24a4
- blacklist.conf: kABI
- commit 2c68edf
- usb: typec: tcpm: Skip hard reset when in error recovery
(git-fixes).
- commit 74f41bf
- blacklist.conf: false positive
- commit b55e7fd
- bpf, scripts: Correct GPL license name (git-fixes).
- commit d41908e
- Update
patches.suse/0006-dm-btree-remove-fix-use-after-free-in-rebalance_chil.patch
(git-fixes CVE-2021-47600 bsc#1226575).
- Update
patches.suse/PCI-pciehp-Fix-infinite-loop-in-IRQ-handler-upon-pow.patch
(git-fixes CVE-2021-47617 bsc#1226614).
- Update
patches.suse/USB-core-Fix-hang-in-usb_kill_urb-by-adding-memory-b.patch
(git-fixes CVE-2022-48760 bsc#1226712).
- Update
patches.suse/audit-improve-robustness-of-the-audit-queue-handling.patch
(bsc#1204514 CVE-2021-47603 bsc#1226577).
- Update
patches.suse/drm-vmwgfx-Fix-stale-file-descriptors-on-failed-user.patch
(CVE-2022-22942 bsc#1195065 CVE-2022-48771 bsc#1226732).
- Update patches.suse/igbvf-fix-double-free-in-igbvf_probe.patch
(git-fixes CVE-2021-47589 bsc#1226557).
- Update
patches.suse/isdn-cpai-check-ctr-cnr-to-avoid-array-index-out-of-bound.patch
(bsc#1191958 CVE-2021-43389 CVE-2021-4439 bsc#1226670).
- Update
patches.suse/net-ieee802154-ca8210-Stop-leaking-skb-s.patch
(git-fixes CVE-2022-48722 bsc#1226619).
- Update
patches.suse/netfilter-complete-validation-of-user-input.patch
(git-fixes CVE-2024-35896 bsc#1224662 CVE-2024-35962
bsc#1224583).
- Update patches.suse/phylib-fix-potential-use-after-free.patch
(bsc#1119113 FATE#326472 CVE-2022-48754 bsc#1226692).
- Update
patches.suse/ring-buffer-Fix-a-race-between-readers-and-resize-checks.patch
(bsc#1222893 CVE-2024-38601 bsc#1226876).
- Update
patches.suse/scsi-bnx2fc-Flush-destroy_work-queue-before-calling-bnx2fc_interface_put
(git-fixes CVE-2022-48758 bsc#1226708).
- Update patches.suse/scsi-bnx2fc-Make-bnx2fc_recv_frame-mp-safe
(git-fixes CVE-2022-48715 bsc#1226621).
- Update
patches.suse/scsi-libfc-Fix-potential-NULL-pointer-dereference-in-fc_lport_ptp_setup.patch
(git-fixes CVE-2023-52809 bsc#1225556).
- Update
patches.suse/scsi-qla2xxx-Fix-off-by-one-in-qla_edif_app_getstats.patch
(git-fixes CVE-2024-36025 bsc#1225704).
- Update
patches.suse/scsi-scsi_debug-Sanity-check-block-descriptor-length-in-resp_mode_select
(git-fixes CVE-2021-47576 bsc#1226537).
- Update
patches.suse/scsi-target-core-Add-TMF-to-tmr_list-handling.patch
(bsc#1223018 CVE-26845 CVE-2024-26845).
- Update
patches.suse/tipc-improve-size-validations-for-received-domain-re.patch
(bsc#1195254 CVE-2022-0435 CVE-2022-48711 bsc#1226672).
- commit c2edf0b
- tcp: do not accept ACK of bytes we never sent (CVE-2023-52881
bsc#1225611).
- commit d93d95b
- usb: port: Don't try to peer unused USB ports based on location
(git-fixes).
- commit c96b5c5
- blacklist.conf: logging only
- commit b17cfa5
- x86/tsc: Trust initial offset in architectural TSC-adjust MSRs
(bsc#1222015 bsc#1226962).
- commit c9f769c
- iommu/vt-d: Allocate local memory for page request queue
(git-fixes).
- commit 541ce64
- iommu/amd: Fix sysfs leak in iommu init (git-fixes).
- commit cdae1dd
- KVM: x86: Handle SRCU initialization failure during page track
init (CVE-2021-47407, bsc#1225306).
- commit 61b3e37
- xen/events: close evtchn after mapping cleanup (CVE-2024-26687,
bsc#1222435).
- commit c56fe01
- media: lgdt3306a: Add a check against null-pointer-def
(CVE-2022-48772 bsc#1226976).
- commit 79e986b
- fpga: manager: add owner module and take its refcount
(CVE-2024-37021 bsc#1226950).
- commit 580ed12
- fpga: region: add owner module and take its refcount
(CVE-2024-35247 bsc#1226948).
- commit 75fbd8f
- fpga: bridge: add owner module and take its refcount
(CVE-2024-36479 bsc#1226949).
- commit 410068f
- enic: Validate length of nl attributes in enic_set_vf_port
(CVE-2024-38659 bsc#1226883).
- net: fec: remove .ndo_poll_controller to avoid deadlocks
(CVE-2024-38553 bsc#1226744).
- net/mlx5e: Fix netif state handling (CVE-2024-38608
bsc#1226746).
- eth: sungem: remove .ndo_poll_controller to avoid deadlocks
(CVE-2024-38597 bsc#1226749).
- net: amd-xgbe: Fix skb data length underflow (CVE-2022-48743
bsc#1226705).
- net: systemport: Add global locking for descriptor lifecycle
(CVE-2021-47587 bsc#1226567).
- commit 6fa5a1e
- usb: xhci-plat: fix crash when suspend if remote wake enable
(CVE-2022-48761 bsc#1226701).
- commit 6918857
- virtio-blk: fix implicit overflow on virtio_max_dma_size
(bsc#1225573 CVE-2023-52762).
- commit 630807b
- btrfs: fix use-after-free after failure to create a snapshot
(bsc#1226718 CVE-2022-48733).
- commit bc8f6e2
- vfio/platform: Create persistent IRQ handlers (bsc#1222809
CVE-2024-26813).
- commit a912042
- Update to fix a compiling error,
patches.suse/raid1-fix-use-after-free-for-original-bio-in-raid1_-fcf3.patch.
- commit 4738bf0
- s390/ap: Fix crash in AP internal function modify_bitmap()
(CVE-2024-38661 bsc#1226996 git-fixes).
- commit 642fe77
- block: fix overflow in blk_ioctl_discard() (bsc#1225770
CVE-2024-36917).
- commit fb1867c
- epoll: be better about file lifetimes (bsc#1226610
CVE-2024-38580).
- commit da86de7
- KVM: allow KVM_BUG/KVM_BUG_ON to handle 64-bit cond (git-fixes).
- commit 63ce06d
- drm/nouveau: fix off by one in BIOS boundary checking (bsc#1226716 CVE-2022-48732)
- commit bed5212
- Update references tag
patches.suse/Bluetooth-Disconnect-if-E0-is-used-for-Level-4.patch
(bsc#1171988 CVE-2020-10135 bsc#1218148 CVE-2023-24023).
- commit b41c397
- mm: Avoid overflows in dirty throttling logic (bsc#1222364
CVE-2024-26720).
- commit 6f98632
- media: stk1160: fix bounds checking in stk1160_copy_video()
(CVE-2024-38621 bsc#1226895).
- commit 617f122
- dma-buf/sw-sync: don't enable IRQ from sync_print_obj()
(CVE-2024-38780 bsc#1226886).
- commit 0a1e3b6
- nvmet: fix ns enable/disable possible hang (git-fixes).
- commit 128ca3f
- ecryptfs: Fix buffer size for tag 66 packet (bsc#1226634, CVE-2024-38578).
- commit 41891c0
- stm class: Fix a double free in stm_register_device()
(CVE-2024-38627 bsc#1226857).
- commit b4ea481
- blacklist.conf: kABI
- commit 516146e
- crypto: bcm - Fix pointer arithmetic (bsc#1226637
CVE-2024-38579).
- commit be1545d
- drm/amd/display: Fix potential index out of bounds in color (bsc#1226767 CVE-2024-38552)
- commit fdaaa54
- drm/mediatek: Add 0 size check to mtk_drm_gem_obj (bsc#1226735 CVE-2024-38549)
- commit b67d29d
- drm/msm/dsi: invalid parameter check in msm_dsi_phy_enable (bsc#1226698 CVE-2022-48756)
- commit bd95a05
- net: usb: rtl8150 fix unintiatilzed variables in
rtl8150_get_link_ksettings (git-fixes).
- commit 996e5c4
- RDMA/hns: Fix UAF for cq async event (bsc#1226595 CVE-2024-38545)
- commit 68cd4b9
- RDMA/rxe: Fix seg fault in rxe_comp_queue_pkt (bsc#1226597 CVE-2024-38544)
- commit da8c605
- RDMA/mlx5: Add check for srq max_sge attribute (git-fixes)
- commit 6ee55be
- drm: vc4: Fix possible null pointer dereference (CVE-2024-38546
bsc#1226593).
- commit f5c6e94
- wifi: carl9170: add a proper sanity check for endpoints
(CVE-2024-38567 bsc#1226769).
- rpmsg: char: Fix race between the release of rpmsg_ctrldev
and cdev (CVE-2022-48759 bsc#1226711).
- commit 1d933f6
- wifi: ar5523: enable proper endpoint verification
(CVE-2024-38565 bsc#1226747).
- commit 7f113b6
- mac80211: track only QoS data frames for admission control
(CVE-2021-47602 bsc#1226554).
- commit 6d84852
- ALSA: timer: Set lower bound of start tick time (CVE-2024-38618
bsc#1226754).
- commit ea3c02c
- blacklist.conf: Add 7af443ee16976 sched/core: Require cpu_active() in select_task_rq(), for user tasks
- commit 35a10db
- bsc#1225894: Fix build warning
Fix the following build warning.
* unused-variable (i) in ../drivers/gpu/drm/amd/amdkfd/kfd_device.c in kgd2kfd_resume
../drivers/gpu/drm/amd/amdkfd/kfd_device.c: In function 'kgd2kfd_resume':
../drivers/gpu/drm/amd/amdkfd/kfd_device.c:621:11: warning: unused variable 'i' [-Wunused-variable]
- commit e16e5ba
- bsc#1225894: Fix patch references
- commit 7b4670a
- net/mlx5: Properly link new fs rules into the tree (bsc#1224588
CVE-2024-35960).
- commit 14f14ea
- net/mlx5e: fix a double-free in arfs_create_groups (bsc#1224605
CVE-2024-35835).
- commit 2cc5781
- firmware: arm_scpi: Fix string overflow in SCPI genpd driver (bsc#1226562 CVE-2021-47609)
- commit 4642449
- Fix compilation
- commit 3f5119e
- net: ena: Fix incorrect descriptor free behavior (bsc#1224677
CVE-2024-35958).
- commit 8f4768d
- bonding: stop the device in bond_setup_by_slave() (bsc#1224946
CVE-2023-52784).
- commit da74b6f
- blacklist.conf: bsc#1225555 CVE-2023-52808
patches code not present
- commit 35c5de8
- blacklist.conf: bsc#1223013 CVE-2024-26482
does not apply
- commit c785e5a
- blacklist.conf: bsc#1222879 CVE-2021-47193
breaks kABI
- commit 5ac2f95
- blacklist.conf: bsc#1225559 CVE-2023-5281
Does not apply cleanly at all, and addresses
a corner case that it knows is rare.
- commit 66930cf
- scsi: lpfc: Fix possible memory leak in lpfc_rcv_padisc()
(bsc#1224651 CVE-2024-35930).
- scsi: target: core: Add TMF to tmr_list handling (bsc#1223018
CVE-26845).
- scsi: scsi_debug: Fix out-of-bound read in resp_readcap16()
(bsc#122286 CVE-2021-47191).
- commit 3100b52
- usb: fix various gadget panics on 10gbps cabling (CVE-2021-47267
bsc#1224993).
- commit 3336e4a
- amd/amdkfd: sync all devices to wait all processes being evicted (bsc#1225872 CVE-2024-36949)
- commit aa91737
- drm/amdkfd: Rework kfd_locked handling (bsc#1225872)
- commit 030a69d
- drm/vmwgfx: Fix invalid reads in fence signaled events (bsc#1225872 CVE-2024-36960)
- commit fe8da4d
- nfsd: optimise recalculate_deny_mode() for a common case
(bsc#1217912).
- commit 90c611c
- NFSv4: Always clear the pNFS layout when handling ESTALE
(bsc#1221791).
- NFSv4: nfs_set_open_stateid must not trigger state recovery
for closed state (bsc#1221791).
- PNFS for stateid errors retry against MDS first (bsc#1221791).
- commit fcd364d
- block: prevent division by zero in blk_rq_stat_sum()
(bsc#1224661 CVE-2024-35925).
- commit 7fd346a
- ext4: fix corruption during on-line resize (bsc#1224735
CVE-2024-35807).
- commit 8431549
- fat: fix uninitialized field in nostale filehandles (git-fixes
CVE-2024-26973 bsc#1223641).
- commit 8b4f3fd
- ext4: avoid online resizing failures due to oversized flex bg
(bsc#1222080 CVE-2023-52622).
- commit a81bee5
- nfc: fix potential NULL pointer deref in nfc_genl_dump_ses_done
(CVE-2021-47518 bsc#1225372).
- commit d0fabf7
- net_sched: fix NULL deref in fifo_set_limit()
(CVE-2021-47418 bsc#1225337).
- commit 54048d4
- net: validate lwtstate->data before returning from skb_tunnel_info()
(CVE-2021-47309 bsc#1224967).
- commit 2b76537
- net: fix uninit-value in caif_seqpkt_sendmsg
(CVE-2021-47297 bsc#1224976).
- commit 39164d4
- net/sched: act_skbmod: Skip non-Ethernet packets
(CVE-2021-47293 bsc#1224978).
- commit aedefe0
- netrom: Decrease sock refcount when sock timers expire
(CVE-2021-47294 bsc#1224977).
- commit 44bce11
- ipv6: Fix infinite recursion in fib6_dump_done() (CVE-2024-35886
bsc#1224670).
- commit 5d20998
- tty: n_gsm: fix possible out-of-bounds in gsm0_receive()
(CVE-2024-36016 bsc#1225642).
- commit f5c4f31
- net: macb: fix use after free on rmmod (CVE-2021-47372
bsc#1225184).
- commit 5bb5ee7
- btrfs: use correct compare function of dirty_metadata_bytes (git-fixes)
- commit d51a7ff
- Btrfs: fix memory and mount leak in btrfs_ioctl_rm_dev_v2() (git-fixes)
- commit 4b455f0
- btrfs: fix describe_relocation when printing unknown flags (git-fixes)
- commit a147519
- btrfs: add barriers to btrfs_sync_log before log_commit_wait wakeups (git-fixes)
- commit 0487247
- btrfs: fix crash when trying to resume balance without the resume flag (git-fixes)
- commit f0fa7bc
- Btrfs: clean up resources during umount after trans is aborted (git-fixes)
- commit c78d131
- Btrfs: bail out on error during replay_dir_deletes (git-fixes)
- commit 7a8f6ce
- Btrfs: fix NULL pointer dereference in log_dir_items (git-fixes)
- commit 02cab92
- Btrfs: send, fix issuing write op when processing hole in no data mode (git-fixes)
- Refresh
patches.suse/btrfs-send-fix-incorrect-file-layout-after-hole-punching-beyond-eof.patch.
- commit f710800
- Btrfs: fix unexpected EEXIST from btrfs_get_extent (git-fixes)
- commit 82c1e6b
- btrfs: tree-check: reduce stack consumption in check_dir_item (git-fixes)
- commit 36aca35
- btrfs: fix false EIO for missing device (git-fixes)
- Refresh
patches.suse/btrfs-ensure-that-a-dup-or-raid1-block-group-has-exactly-two-stripes.patch
- commit 01544ea
- USB: serial: option: add Quectel EG912Y module support
(git-fixes).
- commit a8d3e25
- blacklist.conf: pure cleanup
- commit c59c78d
- USB: serial: option: add Quectel RM500Q R13 firmware support
(git-fixes).
- commit b3dedc2
- USB: serial: option: add Foxconn T99W265 with new baseline
(git-fixes).
- commit 51f747d
- net: usb: smsc95xx: fix changing LED_SEL bit value updated
from EEPROM (git-fixes).
- commit d6ed297
- ocfs2: fix sparse warnings (bsc#1219224).
- ocfs2: speed up chain-list searching (bsc#1219224).
- ocfs2: adjust enabling place for la window (bsc#1219224).
- ocfs2: improve write IO performance when fragmentation is high
(bsc#1219224).
- commit d862a97
- smb: client: fix use-after-free bug in
cifs_debug_data_proc_show() (bsc#1225487, CVE-2023-52752).
- commit b2bff17
- blkcg: Fix multiple bugs in blkcg_activate_policy()
(CVE-2021-47379 bsc#1225203).
- blkcg: blkcg_activate_policy() should initialize ancestors first
(CVE-2021-47379 bsc#1225203).
- commit 5e6941f
- blacklist.conf: bsc#1225047 CVE-2021-47328: breaks kABI
Also, does not apply.
- commit 55744fb
- blk-cgroup: fix UAF by grabbing blkcg lock before destroying
blkg pd (CVE-2021-47379 bsc#1225203).
- commit 26f8206
- blacklist.conf: Blacklist 618f003199c61
- commit f552be9
- atl1c: Work around the DMA RX overflow issue (CVE-2023-52834
bsc#1225599).
- commit c880bf0
- btrfs: lock the inode in shared mode before starting fiemap
(bsc#1225484 CVE-2023-52737).
- commit e4a79d3
- ext4: correct offset of gdb backup in non meta_bg group to
update_backups (bsc#1224735 CVE-2024-35807).
- commit 57ba8ce
- raid1: fix use-after-free for original bio in raid1_write_request()
(bsc#1221097, bsc#1224572, CVE-2024-35979).
- commit daf8372
- fs/9p: only translate RWX permissions for plain 9P2000
(bsc#1225866 CVE-2024-36964).
- commit 7cf061b
- media: imon: fix access to invalid resource for the second
interface (CVE-2023-52754 bsc#1225490).
- commit 0f818a4
- firewire: ohci: mask bus reset interrupts between ISR and
bottom half (CVE-2024-36950 bsc#1225895).
- commit 342de59
- pinctrl: core: delete incorrect free in pinctrl_enable()
(CVE-2024-36940 bsc#1225840).
- commit 6103cd4
- staging: rtl8192e: Fix use after free in
_rtl92e_pci_disconnect() (CVE-2021-47571 bsc#1225518).
- commit 9243acc
- media: gspca: cpia1: shift-out-of-bounds in set_flicker
(CVE-2023-52764 bsc#1225571).
- wifi: mac80211: don't return unset power in
ieee80211_get_tx_power() (CVE-2023-52832 bsc#1225577).
- commit 74cf739
- Bluetooth: qca: add missing firmware sanity checks
(CVE-2024-36880 bsc#1225722).
- commit 1f313de
- drm/msm: Fix null pointer dereference on pointer edp (bsc#1225261 CVE-2021-47445)
- commit 7365fdb
- rpm/kernel-obs-build.spec.in: Add iso9660 (bsc#1226212)
Some builds don't just create an iso9660 image, but also mount it during
build.
- commit aaee141
- llc: verify mac len before reading mac header
(CVE-2023-52843 bsc#1224951).
- commit 048fdd1
- drm/sched: Avoid data corruptions (bsc#1225140 CVE-2021-47354)
- commit 735d57e
- nfc: llcp: fix nfc_llcp_setsockopt() unsafe copies
(CVE-2024-36915 bsc#1225758).
- commit d2aa3fc
- rpm/kernel-obs-build.spec.in: Add networking modules for docker
(bsc#1226211)
docker needs more networking modules, even legacy iptable_nat and _filter.
- commit 415e132
- Bluetooth: Add more enc key size check (bsc#1218148
CVE-2023-24023).
- commit 8b7d4c7
- rtnetlink: Correct nested IFLA_VF_VLAN_LIST attribute validation
(CVE-2024-36017 bsc#1225681).
- commit eee2828
- netfilter: complete validation of user input
(git-fixes CVE-2024-35896 bsc#1224662).
- commit bd2bc6c
- tcp: fix page frag corruption on page fault
(CVE-2021-47544 bsc#1225463).
- commit 0c69f93
- netfilter: validate user input for expected length
(CVE-2024-35896 bsc#1224662).
- commit d09d89a
- Bluetooth: Normalize HCI_OP_READ_ENC_KEY_SIZE cmdcmplt
(bsc#1218148 CVE-2023-24023).
- commit be61b35
- arm64: asm-bug: Add .align 2 to the end of __BUG_ENTRY
(git-fixes).
- commit a33c0aa
- fbmon: prevent division by zero in fb_videomode_from_videomode() (bsc#1224660 CVE-2024-35922)
- commit 9990cdc
- bna: ensure the copied buf is NUL terminated (CVE-2024-36934
bsc#1225760).
- commit 5e5c793
- tipc: Change nla_policy for bearer-related names to NLA_NUL_STRING
(CVE-2023-52845 bsc#1225585).
- commit 28beea5
- blacklist.conf: Add 1971d13ffa84a "af_unix: Suppress false-positive lockdep splat for spin_lock() in __unix_gc()."
- commit 9ab8e4f
- HID: i2c-hid: remove I2C_HID_READ_PENDING flag to prevent
lock-up (bsc#1224552 CVE-2024-35997).
- commit 31522d3
- wifi: nl80211: reject iftype change with mesh ID change
(CVE-2024-27410 bsc#1224432).
- commit 18882c6
- fix compat handling of FICLONERANGE, FIDEDUPERANGE and
FS_IOC_FIEMAP (bsc#1225848).
- blacklist.conf:
- fs: make fiemap work from compat_ioctl (bsc#1225848).
- commit e6c580c
- perf/core: Bail out early if the request AUX area is out of
bound (bsc#1225602 CVE-2023-52835).
- commit 0b197bf
- powerpc/imc-pmu: Add a null pointer check in
update_events_in_group() (bsc#1224504 CVE-2023-52675).
- commit 5ed0541
- blacklist.conf: CVE-2024-35956 bsc#1224674: not applicable bsc#1225945
Quoting bsc#1225945#c11:
"So the upstream 6.5 kernel commit (1b53e51a4a8f ("btrfs: don't commit
transaction for every subvol create")) was never backported to SLE, so
that fix eb96e221937a ("btrfs: fix unwritten extent buffer after
snapshotting a new subvolume") was never backported."
- commit 13b6119
- usb: gadget: f_fs: Fix race between aio_cancel() and AIO
request complete (CVE-2024-36894 bsc#1225749).
- commit 66229f2
- proc/vmcore: fix clearing user buffer by properly using
clear_user() (CVE-2021-47566 bsc#1225514).
- commit 4f35255
- usb: dwc2: fix possible NULL pointer dereference caused by
driver concurrency (CVE-2023-52855 bsc#1225583).
- commit 304ea43
- Refresh patches.kabi/net-preserve-kabi-for-sk_buff.patch.
- commit fa7929b
- net: preserve kabi for sk_buff (CVE-2024-26921 bsc#1223138).
- commit 726f363
- inet: inet_defrag: prevent sk release while still in use
(CVE-2024-26921 bsc#1223138).
- commit 7846939
- xhci: Fix commad ring abort, write all 64 bits to CRCR register
(CVE-2021-47434 bsc#1225232).
- commit d92fac3
- xhci: Fix command ring pointer corruption while aborting a
command (CVE-2021-47434 bsc#1225232).
- blacklist.conf: taken so that the correct fix applies
- commit ea90837
- xsk: validate user input for XDP_{UMEM|COMPLETION}_FILL_RING
(bsc#1224575 CVE-2024-35976).
- commit 641c7c4
- usb: fix various gadgets null ptr deref on 10gbps cabling
(CVE-2021-47270 bsc#1224997).
- commit 00c58e2
- usb: udc: remove warning when queue disabled ep (CVE-2024-35822
bsc#1224739).
- commit dcaf30a
- blacklist.conf: add cleanup fix that breaks kABI
- commit cae1961
- bpf, skmsg: Fix NULL pointer dereference in
sk_psock_skb_ingress_enqueue (bsc#1225761 CVE-2024-36938).
- commit 24fab08
- drm/client: Fully protect modes with dev->mode_config.mutex (CVE-2024-35950 bsc#1224703).
- commit f0cb811
- smb: client: fix potential deadlock when releasing mids
(bsc#1225548, CVE-2023-52757).
- commit 00dc86e
- smb: client: fix potential UAF in is_valid_oplock_break()
(bsc#1224763, CVE-2024-35863).
- commit be79366
- smb: client: fix potential UAF in cifs_stats_proc_write()
(bsc#1224678, CVE-2024-35868).
- commit 7c5946d
- smb: client: fix potential UAF in cifs_stats_proc_show()
(bsc#1224664, CVE-2024-35867).
- commit adb391f
- smb: client: fix potential UAF in cifs_debug_files_proc_show()
(bsc#1223532, CVE-2024-26928).
- commit 92bb153
- smb: client: fix UAF in smb2_reconnect_server() (bsc#1224672,
CVE-2024-35870).
- commit 4eabe16
- smb: client: fix potential UAF in smb2_is_valid_lease_break()
(bsc#1224765, CVE-2024-35864).
- commit 688ad5f
- smb: client: fix potential UAF in smb2_is_network_name_deleted()
(bsc#1224764, CVE-2024-35862).
- commit 6bbd54b
- smb3: fix lock ordering potential deadlock in
cifs_sync_mid_result (bsc#1224549, CVE-2024-35998).
- commit fbe7cb6
- smb: client: fix potential UAF in smb2_is_valid_oplock_break()
(bsc#1224668, CVE-2024-35865).
- commit 77a46ab
- nvme-tcp: fix UAF when detecting digest errors (CVE-2022-48686 bsc#1223948).
Update blacklist.conf: remove entry
- commit f159215
- nvme-loop: fix memory leak in nvme_loop_create_ctrl() (CVE-2021-47074 bsc#1220854).
Update blacklist.conf: remove entry
- commit 5f6a5df
- nvme-rdma: destroy cm id before destroy qp to avoid use after
free (CVE-2021-47378 bsc#1225201).
- commit 599a36a
- nvmet: fix a use-after-free (CVE-2022-48697 bsc#1223922).
Update blacklist.conf: drop entry from it
- commit 5e496a4
- nvme-fc: do not wait in vain when unloading module
(CVE-2024-26846 bsc#1223023).
- commit 365a6dd
- blacklist.conf: add d380ce70058a4ccddc3e5f5c2063165dc07672c6
netrom: Fix data-races around sysctl_net_busy_read
(CVE-2024-27419 bsc#1224759)
- commit 9b21914
- net/tls: Fix flipped sign in tls_err_abort() calls
(CVE-2021-47496 bsc#1225354)
- commit af28ae7
- Update
patches.suse/0004-dm-fix-mempool-NULL-pointer-race-when-completing-IO.patch
(git-fixes bsc#1225247 CVE-2021-47435).
- Update
patches.suse/0022-dm-btree-remove-assign-new_root-only-when-removal-su.patch
(git fixes bsc#1225155 CVE-2021-47343).
- Update
patches.suse/0066-virtio-blk-Fix-memory-leak-among-suspend-resume-procedure.patch
(git-fixes bsc#1225054 CVE-2021-47319).
- Update
patches.suse/HID-betop-fix-slab-out-of-bounds-Write-in-betop_prob.patch
(git-fixes bsc#1207186 bsc#1225303 CVE-2021-47404).
- Update
patches.suse/IB-hfi1-Fix-leak-of-rcvhdrtail_dummy_kvaddr.patch
(git-fixes bsc#1225438 CVE-2021-47523).
- Update
patches.suse/IB-mlx5-Fix-initializing-CQ-fragments-buffer.patch
(git-fixes bsc#1224954 CVE-2021-47261).
- Update
patches.suse/IB-qib-Protect-from-buffer-overflow-in-struct-qib_us.patch
(git-fixes bsc#1224904 CVE-2021-47485).
- Update
patches.suse/RDMA-cma-Ensure-rdma_addr_cancel-happens-before-issu.patch
(git-fixes bsc#1225318 CVE-2021-47391).
- Update
patches.suse/RDMA-cma-Fix-rdma_resolve_route-memory-leak.patch
(git-fixes bsc#1225157 CVE-2021-47345).
- Update
patches.suse/SUNRPC-Fix-RPC-client-cleaned-up-the-freed-pipefs-de.patch
(git-fixes bsc#1225008 CVE-2023-52803).
- Update
patches.suse/blktrace-Fix-uaf-in-blk_trace-access-after-removing-.patch
(bsc#1191452 bsc#1225193 CVE-2021-47375).
- Update patches.suse/can-peak_pci-peak_pci_remove-fix-UAF.patch
(git-fixes bsc#1225256 CVE-2021-47456).
- Update
patches.suse/cifs-Fix-use-after-free-in-rdata-read_into_pages-.patch
(bsc#1190317 bsc#1225479 CVE-2023-52741).
- Update
patches.suse/cifs-prevent-NULL-deref-in-cifs_compose_mount_options-.patch
(bsc#1185902 bsc#1224961 CVE-2021-47307).
- Update
patches.suse/dma-buf-sync_file-Don-t-leak-fences-on-merge-failure.patch
(git-fixes bsc#1224968 CVE-2021-47305).
- Update
patches.suse/drm-Fix-use-after-free-read-in-drm_getunique.patch
(git-fixes bsc#1224982 CVE-2021-47280).
- Update
patches.suse/ftrace-Do-not-blindly-read-the-ip-address-in-ftrace_bug.patch
(git-fixes bsc#1224966 CVE-2021-47276).
- Update patches.suse/gfs2-ignore-negated-quota-changes.patch
(git-fixes bsc#1225560 CVE-2023-52759).
- Update
patches.suse/i40e-Fix-freeing-of-uninitialized-misc-IRQ-vector.patch
(bsc#1101816 FATE#325147 FATE#325149 bsc#1225367
CVE-2021-47424).
- Update
patches.suse/igb-Fix-use-after-free-error-during-reset.patch
(git-fixes bsc#1224916 CVE-2021-47301).
- Update
patches.suse/igc-Fix-use-after-free-error-during-reset.patch
(git-fixes bsc#1224917 CVE-2021-47302).
- Update
patches.suse/ipv4-ipv6-Fix-handling-of-transhdrlen-in-__ip-6-_app.patch
(git-fixes bsc#1220928 CVE-2023-52527).
- Update
patches.suse/isdn-mISDN-netjet-Fix-crash-in-nj_probe.patch
(git-fixes bsc#1224987 CVE-2021-47284).
- Update
patches.suse/isofs-Fix-out-of-bound-access-for-corrupted-isofs-im.patch
(bsc#1194591 bsc#1225198 CVE-2021-47478).
- Update
patches.suse/kprobes-Fix-possible-use-after-free-issue-on-kprobe-registration.patch
(git-fixes bsc#1224676 CVE-2024-35955).
- Update
patches.suse/l2tp-pass-correct-message-length-to-ip6_append_data.patch
(git-fixes bsc#1222667 CVE-2024-26752).
- Update
patches.suse/mISDN-fix-possible-use-after-free-in-HFC_cleanup.patch
(git-fixes bsc#1225143 CVE-2021-47356).
- Update
patches.suse/media-zr364xx-fix-memory-leak-in-zr364xx_start_readp.patch
(git-fixes bsc#1224922 CVE-2021-47344).
- Update
patches.suse/net-USB-Fix-wrong-direction-WARNING-in-plusb.c.patch
(git-fixes bsc#1225482 CVE-2023-52742).
- Update
patches.suse/net-hns3-do-not-allow-call-hns3_nic_net_open-repeate.patch
(git-fixes bsc#1225329 CVE-2021-47400).
- Update
patches.suse/net-mdiobus-Fix-memory-leak-in-__mdiobus_register.patch
(git-fixes bsc#1225189 CVE-2021-47472).
- Update
patches.suse/net-mlx4_en-Fix-an-use-after-free-bug-in-mlx4_en_try.patch
(git-fixes bsc#1225453 CVE-2021-47541).
- Update
patches.suse/net-nfc-rawsock.c-fix-a-permission-check-bug.patch
(git-fixes bsc#1224981 CVE-2021-47285).
- Update patches.suse/net-qcom-emac-fix-UAF-in-emac_remove.patch
(git-fixes bsc#1225010 CVE-2021-47311).
- Update patches.suse/net-ti-fix-UAF-in-tlan_remove_one.patch
(git-fixes bsc#1224959 CVE-2021-47310).
- Update
patches.suse/net-usb-kalmia-Don-t-pass-act_len-in-usb_bulk_msg-er.patch
(git-fixes bsc#1225549 CVE-2023-52703).
- Update
patches.suse/nfs-fix-acl-memory-leak-of-posix_acl_create.patch
(git-fixes bsc#1225058 CVE-2021-47320).
- Update
patches.suse/nfsd-fix-use-after-free-due-to-delegation-race.patch
(git-fixes bsc#1225404 CVE-2021-47506).
- Update
patches.suse/ocfs2-fix-data-corruption-after-conversion-from-inli.patch
(bsc#1190795 bsc#1225251 CVE-2021-47460).
- Update
patches.suse/ocfs2-mount-fails-with-buffer-overflow-in-strlen.patch
(bsc#1197760 bsc#1225252 CVE-2021-47458).
- Update patches.suse/phy-mdio-fix-memory-leak.patch (git-fixes
bsc#1225336 CVE-2021-47416).
- Update
patches.suse/ppdev-Add-an-error-check-in-register_device.patch
(git-fixes bsc#1225640 CVE-2024-36015).
- Update
patches.suse/s390-dasd-protect-device-queue-against-concurrent-access.patch
(git-fixes bsc#1217519 bsc#1225572 CVE-2023-52774).
- Update
patches.suse/s390-qeth-fix-NULL-deref-in-qeth_clear_working_pool_list
(git-fixes bsc#1225164 CVE-2021-47369).
- Update
patches.suse/s390-qeth-fix-deadlock-during-failing-recovery
(bsc#1206213 LTC#200742 bsc#1225207 CVE-2021-47382).
- Update
patches.suse/scsi-core-Fix-bad-pointer-dereference-when-ehandler-kthread-is-invalid
(git-fixes bsc#1224926 CVE-2021-47337).
- Update
patches.suse/scsi-core-Put-LLD-module-refcnt-after-SCSI-device-is-released
(git-fixes bsc#1225322 CVE-2021-47480).
- Update
patches.suse/scsi-libfc-Fix-array-index-out-of-bound-exception.patch
(bsc#1188616 bsc#1224963 CVE-2021-47308).
- Update
patches.suse/scsi-mpt3sas-Fix-kernel-panic-during-drive-powercycle-test
(git-fixes bsc#1225384 CVE-2021-47565).
- Update
patches.suse/scsi-qla2xxx-Fix-a-memory-leak-in-an-error-path-of-qla2x00_process_els
(git-fixes bsc#1225192 CVE-2021-47473).
- Update
patches.suse/tipc-fix-a-possible-memleak-in-tipc_buf_append.patch
(bsc#1221977 CVE-2021-47162 bsc#1225764 CVE-2024-36954).
- Update
patches.suse/tracing-Correct-the-length-check-which-causes-memory-corruption.patch
(git-fixes bsc#1224990 CVE-2021-47274).
- Update
patches.suse/tracing-trigger-Fix-to-return-error-if-failed-to-alloc-snapshot.patch
(git-fixes CVE-2024-26920).
- Update
patches.suse/tty-n_gsm-require-CAP_NET_ADMIN-to-attach-N_GSM0710-.patch
(bsc#1222619 CVE-2023-52880).
- Update
patches.suse/tty-serial-8250-serial_cs-Fix-a-memory-leak-in-error.patch
(git-fixes bsc#1225084 CVE-2021-47330).
- Update
patches.suse/udf-Fix-NULL-pointer-dereference-in-udf_symlink-func.patch
(bsc#1206646 bsc#1225128 CVE-2021-47353).
- Update
patches.suse/usb-config-fix-iteration-issue-in-usb_get_bos_descri.patch
(git-fixes bsc#1225092 CVE-2023-52781).
- Update
patches.suse/usb-dwc2-check-return-value-after-calling-platform_g.patch
(git-fixes bsc#1225330 CVE-2021-47409).
- Update
patches.suse/usb-dwc3-ep0-fix-NULL-pointer-exception.patch
(git-fixes bsc#1224996 CVE-2021-47269).
- Update patches.suse/usb-musb-dsps-Fix-the-probe-error-path.patch
(git-fixes bsc#1225244 CVE-2021-47436).
- Update patches.suse/usbnet-sanity-check-for-maxpacket.patch
(git-fixes bsc#1225351 CVE-2021-47495).
- Update
patches.suse/watchdog-Fix-possible-use-after-free-by-calling-del_.patch
(git-fixes bsc#1225060 CVE-2021-47321).
- Update
patches.suse/watchdog-Fix-possible-use-after-free-in-wdt_startup.patch
(git-fixes bsc#1225030 CVE-2021-47324).
- Update
patches.suse/watchdog-sc520_wdt-Fix-possible-use-after-free-in-wd.patch
(git-fixes bsc#1225026 CVE-2021-47323).
- Update
patches.suse/wl1251-Fix-possible-buffer-overflow-in-wl1251_cmd_sc.patch
(git-fixes bsc#1225177 CVE-2021-47347).
- commit 8975a47
- powerpc/pseries/lparcfg: drop error message from guest name
lookup (bsc#1187716 ltc#193451 git-fixes).
- commit 62b0891
- blacklist.conf: PPC fsl_msi is not used
- commit bbad33b
- netfilter: nft_compat: explicitly reject ERROR and standard
target (git-fixes).
- commit 46fdab6
- netfilter: x_tables: set module owner for icmp(6) matches
(git-fixes).
- commit 8835e2a
- netfilter: nf_queue: augment nfqa_cfg_policy (git-fixes).
- commit d5734cd
- rds: avoid unenecessary cong_update in loop transport
(git-fixes).
- commit 758da4a
- cls_rsvp: check user supplied offsets (CVE-2023-42755
bsc#1215702).
- commit b722f7c
- l2tp: pass correct message length to ip6_append_data
(git-fixes).
- commit 5edafdb
- net: 9p: avoid freeing uninit memory in p9pdu_vreadf
(git-fixes).
- commit fdb6a12
- wifi: cfg80211: avoid leaking stack data into trace (git-fixes).
- commit 58724e2
- ipv4, ipv6: Fix handling of transhdrlen in
__ip{,6}_append_data() (git-fixes).
- commit 7f0cb3d
- rxrpc: Fix a memory leak in rxkad_verify_response() (git-fixes).
- commit 301026e
- wifi: radiotap: fix kernel-doc notation warnings (git-fixes).
- commit a96badd
- net: tcp: fix unexcepted socket die when snd_wnd is 0
(git-fixes).
- commit 66b602a
- tcp: tcp_make_synack() can be called from process context
(git-fixes).
- commit 1171bb0
- net/smc: fix fallback failed while sendmsg with fastopen
(git-fixes).
- commit 85612f4
- nfc: change order inside nfc_se_io error path (git-fixes).
- commit 92d40f5
- ila: do not generate empty messages in
ila_xlat_nl_cmd_get_mapping() (git-fixes).
- commit bd4b08a
- rds: ib: Fix missing call to rds_ib_dev_put in rds_ib_setup_qp
(git-fixes).
- commit 30e8bf8
- rxrpc: Work around usercopy check (git-fixes).
- commit f1a8d7a
- rxrpc: Don't put crypto buffers on the stack (git-fixes).
- commit d4118f5
- rxrpc: Provide a different lockdep key for call->user_mutex
for kernel calls (git-fixes).
- commit 256d44f
- rxrpc: The mutex lock returned by rxrpc_accept_call() needs
releasing (git-fixes).
- commit 56d0a26
- net: atlantic: eliminate double free in error handling logic
(CVE-2023-52664 bsc#1224747).
- ipvlan: add ipvlan_route_v6_outbound() helper (CVE-2023-52796
bsc#1224930).
- net/mlx5e: Fix page reclaim for dead peer hairpin
(CVE-2021-47246 bsc#1224831).
- commit e8481e2
- ceph: blocklist the kclient when receiving corrupted snap trace
(bsc#1225222 CVE-2023-52732).
- commit afa0bf6
- btrfs: add missing mutex_unlock in btrfs_relocate_sys_chunks() (CVE-2024-35936 bsc#1224644)
- commit 7904756
- btrfs: handle chunk tree lookup error in btrfs_relocate_sys_chunks() (CVE-2024-35936 bsc#1224644)
- commit 64d6920
- ethernet: hisilicon: hns: hns_dsaf_misc: fix a possible array (bsc#1225506 CVE-2021-47548)
- commit e4002ca
- mmc: sdhci-msm: pervent access to suspended controller (bsc#1225708 CVE-2024-36029)
- commit 0915583
- llc: call sock_orphan() at release time
(CVE-2024-26625 bsc#1221086)
- commit 1715209
- blacklist.conf: not affected by CVE-2024-35984
- commit 19bc954
- virtio-net: Add validation for used length (CVE-2021-47352
bsc#1225124).
- commit 91c03a8
- calipso: fix memory leak in netlbl_calipso_add_pass()
(CVE-2023-52698 bsc#1224621)
- commit 008f52c
- blacklist.conf: Add c5b0a7eefc70 sched/fair: Remove sysctl_sched_migration_cost condition
- commit dbc3425
- ppdev: Add an error check in register_device (git-fixes).
- commit d524561
- drm/amdgpu: fix gart.bo pin_count leak (CVE-2021-47431 bsc#1225390).
- commit 1e38f4d
- btrfs: send: handle path ref underflow in header iterate_inode_ref() (CVE-2024-35935 bsc#1224645)
- commit 0b2d17e
- cifs: fix underflow in parse_server_interfaces() (bsc#1223084,
CVE-2024-26828).
- commit 7164147
- drm/nouveau/debugfs: fix file release memory leak (CVE-2021-47423 bsc#1225366).
- commit 5f7b5c9
- drm/radeon: fix a possible null pointer dereference (CVE-2022-48710 bsc#1225230).
- commit ee59a3e
- nvmem: Fix shift-out-of-bound (UBSAN) with byte size cells
(bsc#1225355 CVE-2021-47497).
- commit 30121bc
- drm/vc4: don't check if plane->state->fb == state->fb (CVE-2024-35932 bsc#1224650).
- commit 4fdcf5e
- iio: mma8452: Fix trigger reference couting (bsc#1225360
CVE-2021-47500).
- commit a0d87d5
- PCI/PM: Drain runtime-idle callbacks before driver removal
(CVE-2024-35809 bsc#1224738).
- commit 9f4d35b
- tty: Fix out-of-bound vmalloc access in imageblit
(CVE-2021-47383 bsc#1225208).
- commit a21c750
- ALSA: pcm: oss: Fix negative period/buffer sizes (CVE-2021-47511
bsc#1225411).
- commit 748d8c1
- ALSA: pcm: oss: Limit the period size to 16MB (CVE-2021-47509
bsc#1225409).
- commit 8f92260
- x86/mm/pat: fix VM_PAT handling in COW mappings (bsc#1224525
CVE-2024-35877).
- commit d228bf6
- batman-adv: Avoid infinite loop trying to resize local TT
(CVE-2024-35982 bsc#1224566)
- commit 4f15041
- ipv6: fix race condition between ipv6_get_ifaddr and ipv6_del_addr
(CVE-2024-35969 bsc#1224580)
- commit bcaf17a
- blacklist.conf: Add SPI fix commit to be ignored (CVE-2021-47469 bsc#1225347)
SLE12-SP5 has no devm spi controller allocation, hence it's superfluous
- commit 939a6a5
- kABI workaround for spi_controller (CVE-2021-47469 bsc#1225347).
- commit af00c9b
- spi: Fix deadlock when adding SPI controllers on SPI buses
(CVE-2021-47469 bsc#1225347).
- commit 575a8d4
- kvm: avoid speculation-based attacks from out-of-range memslot
accesses (bsc#1224960, CVE-2021-47277).
- commit 7198007
- KVM: SVM: Flush pages under kvm->lock to fix UAF in
svm_register_enc_region() (bsc#1224725, CVE-2024-35791).
- commit 818a70e
- ipack: ipoctal: fix stack information leak (CVE-2021-47401
bsc#1225242).
- commit 3e8997b
- drm/radeon: possible buffer overflow (CVE-2023-52867 bsc#1225009).
- commit 45094e6
- drm/panel: fix a possible null pointer dereference (CVE-2023-52821 bsc#1225022).
- commit 109e7f1
- RDMA: Verify port when creating flow rule (CVE-2021-47265 bsc#1224957)
- commit c0cbaec
- drm/amd/pm: Update intermediate power state for SI (CVE-2021-47362 bsc#1225153).
- commit 318c627
- mcb: fix error handling in mcb_alloc_bus() (CVE-2021-47361
bsc#1225151).
- commit 813b8ac
- platform/x86: wmi: Fix opening of char device (CVE-2023-52864
bsc#1225132).
- commit b207efb
- pinctrl: single: fix potential NULL dereference (CVE-2022-48708
bsc#1224942).
- commit feac349
- VMCI: Fix memcpy() run-time warning in dg_dispatch_as_host()
(CVE-2024-35944 bsc#1224648).
- commit a03c425
- net: ipv4: fix memory leak in ip_mc_add1_src
(CVE-2021-47238 bsc#1224847)
- commit 4ce368a
- mmc: sdio: fix possible resource leaks in some error paths
(CVE-2023-52730 bsc#1224956).
- commit 8629def
- atm: nicstar: Fix possible use-after-free in nicstar_cleanup()
(CVE-2021-47355 bsc#1225141).
- commit 111c5b1
- netfilter: synproxy: Fix out of bounds when parsing TCP options
(CVE-2021-47245 bsc#1224838)
- commit 3bf50df
- of: module: prevent NULL pointer dereference in vsnprintf()
(CVE-2024-35878 bsc#1224671).
- commit dcde1a4
- IB/hfi1: Restore allocated resources on failed copyout (CVE-2023-52747 bsc#1224931)
- commit 4ba08d9
- net: rds: fix memory leak in rds_recvmsg
(CVE-2021-47249 bsc#1224880)
- commit 79b2ee2
- sctp: break out if skb_header_pointer returns NULL in sctp_rcv_ootb
(CVE-2021-47397 bsc#1225082)
- commit 2340710
- net: ipv4: fix memory leak in netlbl_cipsov4_add_std
(CVE-2021-47250 bsc#1224827)
- commit ffd876f
- btrfs: fix information leak in btrfs_ioctl_logical_to_ino()
(CVE-2024-35849 bsc#1224733).
- commit 4e18545
- ring-buffer: Fix a race between readers and resize checks
(bsc#1222893).
- commit e55a48c
- ASoC: tracing: Export SND_SOC_DAPM_DIR_OUT to its value
(git-fixes).
- commit 56a4e35
- tracing: hide unused ftrace_event_id_fops (git-fixes).
- commit 6e3bbc9
- tracing: Fix blocked reader of snapshot buffer (git-fixes).
- commit 7cc9ae2
- ALSA: usb-audio: Stop parsing channels bits when all channels
are found (CVE-2024-27436 bsc#1224803).
- ALSA: seq: Fix race of snd_seq_timer_open() (CVE-2021-47281
bsc#1224983).
- commit 19aff08
- af_unix: annote lockless accesses to unix_tot_inflight & gc_in_progress (bsc#1223384).
- commit 8ee0966
- blacklist.conf: add not-needed or too intrusive tracing fixes
- commit ab535d8
- kprobes: Fix possible use-after-free issue on kprobe
registration (git-fixes).
- commit fd63e27
- tracing: Use .flush() call to wake up readers (git-fixes).
- commit 4442cfe
- tracing: Use strncpy instead of memcpy when copying comm in
trace.c (git-fixes).
- commit 77a5fe6
- ring-buffer: Clean ring_buffer_poll_wait() error return
(git-fixes).
- commit dec7c48
- wifi: mac80211: check/clear fast rx for non-4addr sta VLAN
changes (CVE-2024-35789 bsc#1224749).
- media: tc358743: register v4l2 async device only after
successful setup (CVE-2024-35830 bsc#1224680).
- misc/libmasm/module: Fix two use after free in ibmasm_init_one
(CVE-2021-47334 bsc#1225112).
- atm: iphase: fix possible use-after-free in ia_module_exit()
(CVE-2021-47357 bsc#1225144).
- commit 4495db1
- clk: mediatek: clk-mt2701: Add check for mtk_alloc_clk_data
(CVE-2023-52875 bsc#1225096).
- commit eff8019
- clk: mediatek: clk-mt6797: Add check for mtk_alloc_clk_data
(CVE-2023-52865 bsc#1225086).
- commit c2dc4d3
- ax25: fix use-after-free bugs caused by ax25_ds_del_timer
(CVE-2024-35887 bzg#1224663)
- commit 2bbaa4c
- regmap: Fix possible double-free in regcache_rbtree_exit()
(CVE-2021-47483 bsc#1224907).
- commit 1f96a36
- s390/pci: fix max size calculation in zpci_memcpy_toio()
(git-fixes bsc#1225062).
- commit 1d5a845
- s390/zcrypt: fix reference counting on zcrypt card objects
(git-fixes CVE-2024-26957 bsc#1223666).
- commit 1a50d91
- KVM: s390: Check kvm pointer when testing KVM_CAP_S390_HPAGE_1M
(git-fixes bsc#1225059).
- commit b5429fa
- Refresh
patches.suse/USB-core-Fix-deadlock-in-usb_deauthorize_interface.patch.
- Update
patches.suse/bpf-sockmap-Prevent-lock-inversion-deadlock-in-map-d.patch
(bsc#1209657 CVE-2023-0160 CVE-2024-35895 bsc#1224511).
- Update
patches.suse/nfsd-Fix-error-cleanup-path-in-nfsd_rename.patch
(bsc#1221044 CVE-2023-52591 CVE-2024-35914 bsc#1224482).
- Update
patches.suse/wifi-brcmfmac-Fix-use-after-free-bug-in-brcmf_cfg802.patch
(CVE-2023-47233 bsc#1216702 CVE-2024-35811 bsc#1224592).
- commit 9a84305
- Update
patches.suse/powerpc-powernv-Add-a-null-pointer-check-in-opal_eve.patch
(bsc#1065729 CVE-2023-52686 bsc#1224682).
- Update
patches.suse/powerpc-powernv-Add-a-null-pointer-check-in-opal_pow.patch
(bsc#1181674 ltc#189159 git-fixes CVE-2023-52696 bsc#1224601).
- Update
patches.suse/pstore-ram_core-fix-possible-overflow-in-persistent_ram_init_ecc.patch
(git-fixes CVE-2023-52685 bsc#1224728).
- commit 0720a5d
- Update
patches.suse/NFS-Fix-a-potential-NULL-dereference-in-nfs_get_clie.patch
(git-fixes CVE-2021-47260 bsc#1224834).
- Update
patches.suse/PCI-aardvark-Fix-kernel-panic-during-PIO-transfer.patch
(git-fixes CVE-2021-47229 bsc#1224854).
- Update
patches.suse/batman-adv-Avoid-WARN_ON-timing-related-checks.patch
(git-fixes CVE-2021-47252 bsc#1224882).
- Update
patches.suse/can-mcba_usb-fix-memory-leak-in-mcba_usb.patch
(git-fixes CVE-2021-47231 bsc#1224849).
- Update
patches.suse/gfs2-Fix-use-after-free-in-gfs2_glock_shrink_scan.patch
(git-fixes CVE-2021-47254 bsc#1224888).
- Update
patches.suse/media-ngene-Fix-out-of-bounds-bug-in-ngene_command_c.patch
(git-fixes CVE-2021-47288 bsc#1224889).
- Update
patches.suse/memory-fsl_ifc-fix-leak-of-IO-mapping-on-probe-failu.patch
(git-fixes CVE-2021-47315 bsc#1224892).
- Update
patches.suse/memory-fsl_ifc-fix-leak-of-private-memory-on-probe-f.patch
(git-fixes CVE-2021-47314 bsc#1224893).
- Update patches.suse/net-cdc_eem-fix-tx-fixup-skb-leak.patch
(git-fixes CVE-2021-47236 bsc#1224841).
- Update
patches.suse/net-ethernet-fix-potential-use-after-free-in-ec_bhf_.patch
(git-fixes CVE-2021-47235 bsc#1224844).
- Update
patches.suse/net-hamradio-fix-memory-leak-in-mkiss_close.patch
(git-fixes CVE-2021-47237 bsc#1224830).
- Update
patches.suse/net-usb-fix-possible-use-after-free-in-smsc75xx_bind.patch
(bsc#1221994 CVE-2021-47171 CVE-2021-47239 bsc#1224846).
- Update
patches.suse/scsi-core-Fix-error-handling-of-scsi_host_alloc
(git-fixes CVE-2021-47258 bsc#1224899).
- Update
patches.suse/udp-fix-race-between-close-and-udp_abort.patch
(git-fixes CVE-2021-47248 bsc#1224867).
- Update
patches.suse/usb-dwc3-core-fix-kernel-panic-when-do-reboot.patch
(git-fixes CVE-2021-47220 bsc#1224859).
- commit 7295d7f
- Update
patches.suse/gfs2-Fix-use-after-free-in-gfs2_glock_shrink_scan.patch
(git-fixes CVE-2021-47254).
- commit 38ebdb5
- blacklist.conf: pure cleanup
- commit 5f0720c
- blacklist.conf: we select the CONFIG whose absence triggers this in all
configs
- commit 2c2df2e
- assoc_array: Fix BUG_ON during garbage collect.
- commit 56fe1ad
- list: fix a data-race around ep->rdllist (git-fixes).
- commit f2db318
- lib/mpi: use kcalloc in mpi_resize (git-fixes).
- commit c463c57
- net: usb: ax88179_178a: stop lying about skb->truesize
(git-fixes).
- commit c4bb7b5
- drm/amd/pm: fix a double-free in si_dpm_init (CVE-2023-52691 bsc#1224607).
- commit 7a87ede
- mozilla-nss
-
- Added nss-fips-safe-memset.patch, fixing bsc#1222811.
- Removed some dead code from nss-fips-constructor-self-tests.patch.
- Rebased nss-fips-approved-crypto-non-ec.patch on above changes.
- Added nss-fips-aes-gcm-restrict.patch, fixing bsc#1222830.
- Updated nss-fips-approved-crypto-non-ec.patch, fixing bsc#1222813,
bsc#1222814, bsc#1222821, bsc#1222822, bsc#1224118.
- Updated nss-fips-approved-crypto-non-ec.patch and
nss-fips-constructor-self-tests.patch, fixing bsc#1222807,
bsc#1222828, bsc#1222834.
- Updated nss-fips-approved-crypto-non-ec.patch, fixing bsc#1222804,
bsc#1222826, bsc#1222833, bsc#1224113, bsc#1224115, bsc#1224116.
- update to NSS 3.101.1
* bmo#1901932 - missing sqlite header.
* bmo#1901080 - GLOBALTRUST 2020: Set Distrust After for TLS and S/MIME.
- update to NSS 3.101
* bmo#1900413 - add diagnostic assertions for SFTKObject refcount.
* bmo#1899759 - freeing the slot in DeleteCertAndKey if authentication failed
* bmo#1899883 - fix formatting issues.
* bmo#1889671 - Add Firmaprofesional CA Root-A Web to NSS.
* bmo#1899593 - remove invalid acvp fuzz test vectors.
* bmo#1898830 - pad short P-384 and P-521 signatures gtests.
* bmo#1898627 - remove unused FreeBL ECC code.
* bmo#1898830 - pad short P-384 and P-521 signatures.
* bmo#1898825 - be less strict about ECDSA private key length.
* bmo#1854439 - Integrate HACL* P-521.
* bmo#1854438 - Integrate HACL* P-384.
* bmo#1898074 - memory leak in create_objects_from_handles.
* bmo#1898858 - ensure all input is consumed in a few places in mozilla::pkix
* bmo#1884444 - SMIME/CMS and PKCS #12 do not integrate with modern NSS policy
* bmo#1748105 - clean up escape handling
* bmo#1896353 - Use lib::pkix as default validator instead of the old-one
* bmo#1827444 - Need to add high level support for PQ signing.
* bmo#1548723 - Certificate Compression: changing the allocation/freeing of buffer + Improving the documentation
* bmo#1884444 - SMIME/CMS and PKCS #12 do not integrate with modern NSS policy
* bmo#1893404 - Allow for non-full length ecdsa signature when using softoken
* bmo#1830415 - Modification of .taskcluster.yml due to mozlint indent defects
* bmo#1793811 - Implement support for PBMAC1 in PKCS#12
* bmo#1897487 - disable VLA warnings for fuzz builds.
* bmo#1895032 - remove redundant AllocItem implementation.
* bmo#1893334 - add PK11_ReadDistrustAfterAttribute.
* bmo#215997 - Clang-formatting of SEC_GetMgfTypeByOidTag update
* bmo#1895012 - Set SEC_ERROR_LIBRARY_FAILURE on self-test failure
* bmo#1894572 - sftk_getParameters(): Fix fallback to default variable after error with configfile.
* bmo#1830415 - Switch to the mozillareleases/image_builder image
- Follow upstream changes in nss-fips-constructor-self-tests.patch (switch from ec_field_GFp to ec_field_plain)
- Remove part of nss-fips-zeroization.patch that got removed upstream
- update to NSS 3.100
* bmo#1893029 - merge pk11_kyberSlotList into pk11_ecSlotList for
faster Xyber operations.
* bmo#1893752 - remove ckcapi.
* bmo#1893162 - avoid a potential PK11GenericObject memory leak.
* bmo#671060 - Remove incomplete ESDH code.
* bmo#215997 - Decrypt RSA OAEP encrypted messages.
* bmo#1887996 - Fix certutil CRLDP URI code.
* bmo#1890069 - Don't set CKA_DERIVE for CKK_EC_EDWARDS private keys.
* bmo#676118 - Add ability to encrypt and decrypt CMS messages using ECDH.
* bmo#676100 - Correct Templates for key agreement in smime/cmsasn.c.
* bmo#1548723 - Moving the decodedCert allocation to NSS.
* bmo#1885404 - Allow developers to speed up repeated local execution
of NSS tests that depend on certificates.
- update to NSS 3.99
* Removing check for message len in ed25519 (bmo#1325335)
* add ed25519 to SECU_ecName2params. (bmo#1884276)
* add EdDSA wycheproof tests. (bmo#1325335)
* nss/lib layer code for EDDSA. (bmo#1325335)
* Adding EdDSA implementation. (bmo#1325335)
* Exporting Certificate Compression types (bmo#1881027)
* Updating ACVP docker to rust 1.74 (bmo#1880857)
* Updating HACL* to 0f136f28935822579c244f287e1d2a1908a7e552 (bmo#1325335)
* Add NSS_CMSRecipient_IsSupported. (bmo#1877730)
- update to NSS 3.98
* bmo#1780432 - (CVE-2023-5388) Timing attack against RSA decryption
in TLS
* bmo#1879513 - Certificate Compression: enabling the check that
the compression was advertised
* bmo#1831552 - Move Windows workers to nss-1/b-win2022-alpha
* bmo#1879945 - Remove Email trust bit from OISTE WISeKey
Global Root GC CA
* bmo#1877344 - Replace `distutils.spawn.find_executable` with
`shutil.which` within `mach` in `nss`
* bmo#1548723 - Certificate Compression: Updating nss_bogo_shim to
support Certificate compression
* bmo#1548723 - TLS Certificate Compression (RFC 8879) Implementation
* bmo#1875356 - Add valgrind annotations to freebl kyber operations
for constant-time execution tests
* bmo#1870673 - Set nssckbi version number to 2.66
* bmo#1874017 - Add Telekom Security roots
* bmo#1873095 - Add D-Trust 2022 S/MIME roots
* bmo#1865450 - Remove expired Security Communication RootCA1 root
* bmo#1876179 - move keys to a slot that supports concatenation in
PK11_ConcatSymKeys
* bmo#1876800 - remove unmaintained tls-interop tests
* bmo#1874937 - bogo: add support for the -ipv6 and -shim-id shim
flags
* bmo#1874937 - bogo: add support for the -curves shim flag and
update Kyber expectations
* bmo#1874937 - bogo: adjust expectation for a key usage bit test
* bmo#1757758 - mozpkix: add option to ignore invalid subject
alternative names
* bmo#1841029 - Fix selfserv not stripping `publicname:` from -X value
* bmo#1876390 - take ownership of ecckilla shims
* bmo#1874458 - add valgrind annotations to freebl/ec.c
* bmo#864039 - PR_INADDR_ANY needs PR_htonl before assignment to inet.ip
* bmo#1875965 - Update zlib to 1.3.1
- Use %patch -P N instead of deprecated %patchN.
- update to NSS 3.97
* bmo#1875506 - make Xyber768d00 opt-in by policy
* bmo#1871631 - add libssl support for xyber768d00
* bmo#1871630 - add PK11_ConcatSymKeys
* bmo#1775046 - add Kyber and a PKCS#11 KEM interface to softoken
* bmo#1871152 - add a FreeBL API for Kyber
* bmo#1826451 - part 2: vendor github.com/pq-crystals/kyber/commit/e0d1c6ff
* bmo#1826451 - part 1: add a script for vendoring kyber from pq-crystals repo
* bmo#1835828 - Removing the calls to RSA Blind from loader.*
* bmo#1874111 - fix worker type for level3 mac tasks
* bmo#1835828 - RSA Blind implementation
* bmo#1869642 - Remove DSA selftests
* bmo#1873296 - read KWP testvectors from JSON
* bmo#1822450 - Backed out changeset dcb174139e4f
* bmo#1822450 - Fix CKM_PBE_SHA1_DES2_EDE_CBC derivation
* bmo#1871219 - Wrap CC shell commands in gyp expansions
- update to NSS 3.96.1
* bmo#1869408 - Use pypi dependencies for MacOS worker in ./build_gyp.sh
* bmo#1830978 - p7sign: add -a hash and -u certusage (also p7verify cleanups)
* bmo#1867408 - add a defensive check for large ssl_DefSend return values
* bmo#1869378 - Add dependency to the taskcluster script for Darwin
* bmo#1869378 - Upgrade version of the MacOS worker for the CI
- add nss-allow-slow-tests-s390x.patch: "certutil dump keys with
explicit default trust flags" test needs longer than the allowed
6 seconds on s390x
- update to NSS 3.95
* bmo#1842932 - Bump builtins version number.
* bmo#1851044 - Remove Email trust bit from Autoridad de Certificacion
Firmaprofesional CIF A62634068 root cert.
* bmo#1855318 - Remove 4 DigiCert (Symantec/Verisign) Root Certificates
* bmo#1851049 - Remove 3 TrustCor Root Certificates from NSS.
* bmo#1850982 - Remove Camerfirma root certificates from NSS.
* bmo#1842935 - Remove old Autoridad de Certificacion Firmaprofesional
Certificate.
* bmo#1860670 - Add four Commscope root certificates to NSS.
* bmo#1850598 - Add TrustAsia Global Root CA G3 and G4 root certificates.
* bmo#1863605 - Include P-384 and P-521 Scalar Validation from HACL*
* bmo#1861728 - Include P-256 Scalar Validation from HACL*.
* bmo#1861265 - After the HACL 256 ECC patch, NSS incorrectly encodes
256 ECC without DER wrapping at the softoken level
* bmo#1837987 - Add means to provide library parameters to C_Initialize
* bmo#1573097 - clang format
* bmo#1854795 - add OSXSAVE and XCR0 tests to AVX2 detection.
* bmo#1858241 - Typo in ssl3_AppendHandshakeNumber
* bmo#1858241 - Introducing input check of ssl3_AppendHandshakeNumber
* bmo#1573097 - Fix Invalid casts in instance.c
- update to NSS 3.94
* bmo#1853737 - Updated code and commit ID for HACL*
* bmo#1840510 - update ACVP fuzzed test vector: refuzzed with
current NSS
* bmo#1827303 - Softoken C_ calls should use system FIPS setting
to select NSC_ or FC_ variants
* bmo#1774659 - NSS needs a database tool that can dump the low level
representation of the database
* bmo#1852179 - declare string literals using char in pkixnames_tests.cpp
* bmo#1852179 - avoid implicit conversion for ByteString
* bmo#1818766 - update rust version for acvp docker
* bmo#1852011 - Moving the init function of the mpi_ints before
clean-up in ec.c
* bmo#1615555 - P-256 ECDH and ECDSA from HACL*
* bmo#1840510 - Add ACVP test vectors to the repository
* bmo#1849077 - Stop relying on std::basic_string<uint8_t>
* bmo#1847845 - Transpose the PPC_ABI check from Makefile to gyp
- rebased patches
- added nss-fips-test.patch to fix broken test
- Update to NSS 3.93:
* bmo#1849471 - Update zlib in NSS to 1.3.
* bmo#1848183 - softoken: iterate hashUpdate calls for long inputs.
* bmo#1813401 - regenerate NameConstraints test certificates (boo#1214980).
- Rebase nss-fips-pct-pubkeys.patch.
- update to NSS 3.92
* bmo#1822935 - Set nssckbi version number to 2.62
* bmo#1833270 - Add 4 Atos TrustedRoot Root CA certificates to NSS
* bmo#1839992 - Add 4 SSL.com Root CA certificates
* bmo#1840429 - Add Sectigo E46 and R46 Root CA certificates
* bmo#1840437 - Add LAWtrust Root CA2 (4096)
* bmo#1822936 - Remove E-Tugra Certification Authority root
* bmo#1827224 - Remove Camerfirma Chambers of Commerce Root.
* bmo#1840505 - Remove Hongkong Post Root CA 1
* bmo#1842928 - Remove E-Tugra Global Root CA ECC v3 and RSA v3
* bmo#1842937 - Avoid redefining BYTE_ORDER on hppa Linux
- update to NSS 3.91
* bmo#1837431 - Implementation of the HW support check for ADX instruction
* bmo#1836925 - Removing the support of Curve25519
* bmo#1839795 - Fix comment about the addition of ticketSupportsEarlyData
* bmo#1839327 - Adding args to enable-legacy-db build
* bmo#1835357 - dbtests.sh failure in "certutil dump keys with explicit
default trust flags"
* bmo#1837617 - Initialize flags in slot structures
* bmo#1835425 - Improve the length check of RSA input to avoid heap overflow
* bmo#1829112 - Followup Fixes
* bmo#1784253 - avoid processing unexpected inputs by checking for
m_exptmod base sign
* bmo#1826652 - add a limit check on order_k to avoid infinite loop
* bmo#1834851 - Update HACL* to commit 5f6051d2
* bmo#1753026 - add SHA3 to cryptohi and softoken
* bmo#1753026 - HACL SHA3
* bmo#1836781 - Disabling ASM C25519 for all but X86_64
- removed upstreamed patch nss-fix-bmo1836925.patch
- update to NSS 3.90.3
* bmo#1901080 - GLOBALTRUST 2020: Set Distrust After for TLS and S/MIME.
* bmo#1748105 - clean up escape handling.
* bmo#1895032 - remove redundant AllocItem implementation.
* bmo#1836925 - Disable ASM support for Curve25519.
* bmo#1836781 - Disable ASM support for Curve25519 for all but X86_64.
- remove upstreamed nss-fix-bmo1836925.patch
- Adding nss-fips-bsc1223724.patch to fix startup crash of Firefox
when using FIPS-mode (bsc#1223724).
- Added "Provides: nss" so other RPMs that require 'nss' can
be installed (jira PED-6358).
- shadow
-
- bsc#916845 (CVE-2013-4235): Fix TOCTOU race condition
Add shadow-CVE-2013-4235.patch
- openssl-1_1
-
- Apply "openssl-CVE-2024-4741.patch" to fix a use-after-free
security vulnerability. Calling the function SSL_free_buffers()
potentially caused memory to be accessed that was previously
freed in some situations and a malicious attacker could attempt
to engineer a situation where this occurs to facilitate a
denial-of-service attack. [CVE-2024-4741, bsc#1225551]
- util-linux
-
- fix Xen virtualization type misidentification bsc#1215918
lscpu-fix-parameter-order-for-ul_prefix_fopen.patch