- cloud-regionsrv-client
-
- Update -addon-azure to 1.0.2 (bsc#1196305)
+ The is-registered() function expects a string of the update server FQDN.
The regionsrv-enabler-azure passed an Object of type SMT. Fix the call
in regionsrv-enabler-azure.
- Update -plugin-azure to 2.0.0 (bsc#1196146)
+ Lower case the region hint to reduce issues with Azure region name
case inconsistencies
- Update to version 10.0.0 (bsc#1195414, bsc#1195564)
+ Refactor removes check_registration() function in utils implementation
+ Only start the registration service for PAYG images
- addon-azure sub-package to version 1.0.1
- Follow up changes to (jsc#PCT-130, bsc#1182026)
+ Fix executable name for AHB service/timer
+ Update manpage for BYOS instance registration
- coreutils
-
- Add coreutils-du-fts-xfs-noleaf.patch to remove problematic
special leaf optimization cases for XFS that can lead to du
crashes. (bsc#1190354)
- cyrus-sasl
-
- CVE-2022-24407: cyrus-sasl: SQL injection in sql_auxprop_store
in plugins/sql.c (bsc#1196036)
o add upstream patch:
0001-CVE-2022-24407-Escape-password-for-SQL-insert-update.patch
- expat
-
- Security fixes:
* (CVE-2022-25236, bsc#1196025) Expat before 2.4.5 allows
attackers to insert namespace-separator characters into
namespace URIs
- Added expat-CVE-2022-25236.patch
* (CVE-2022-25235, bsc#1196026) xmltok_impl.c in Expat before
2.4.5 does not check whether a UTF-8 character is valid in a
certain context.
- Added expat-CVE-2022-25235.patch
* (CVE-2022-25313, bsc#1196168) Stack exhaustion in
build_model() via uncontrolled recursion
- Added expat-CVE-2022-25313.patch
- The fix upstream introduced a regression that was later
amended in 2.4.6 version
+ Added expat-CVE-2022-25313-fix-regression.patch
* (CVE-2022-25314, bsc#1196169) Integer overflow in copyString
- Added expat-CVE-2022-25314-before.patch
- Added expat-CVE-2022-25314.patch
* (CVE-2022-25315, bsc#1196171) Integer overflow in storeRawNames
- Added expat-CVE-2022-25315.patch
- Security fix (CVE-2022-23852, bsc#1195054)
* Expat (aka libexpat) before 2.4.4 has a signed integer overflow
in XML_GetBuffer, for configurations with a nonzero
XML_CONTEXT_BYTES
* Add tests for CVE-2022-23852.
* Added expat-CVE-2022-23852.patch
- Security fix (CVE-2022-23990, bsc#1195217)
* Fix unsigned integer overflow in function doProlog triggered
by large content in element type declarations when there is
an element declaration handler present (from a prior call to
XML_SetElementDeclHandler).
* Add expat-CVE-2022-23990.patch
* Added expat-CVE-2022-22827.patch
- fence-agents
-
- Update to version 4.9.0+git.1624456340.8d746be9:
* fence_azure_arm: corrections to support Azure SDK >= 15 - including backward compatibility (#415)
(bsc#1185058)
* fence_gce: make serviceaccount work with new libraries
* fence_kubevirt: new fence agent
* fence_virt*: simple_auth: use %zu for sizeof to avoid failing verbose builds on some archs
* configure: don't fail when --with-agents contains virt
* fence_mpath: watchdog retries support
* fencing: add multi plug support for reboot-action
* fence_redfish: add missing diag logic
* fencing: fix issue with hardcoded help text length for metadata
* fence_lindypdu: update metadata
* fence_lindypdu: new fence agent
* fencing: add stonith_status_sleep parameter for sleep between status calls during a STONITH action
* fence_openstack: code formatting fixes per: https://github.com/ClusterLabs/fence-agents/pull/397#pullrequestreview-634281798
* Proper try-except for connection exception.
* Fix CI.
* Do not wrap as many values.
* Restore port metadata.
* Update xml metadata.
* Use standard logging.
* Revert change to __all__
* fence_virt: fix required=1 parameters that used to not be required and add deprecated=1 for old deprecated params
* Major rework of the original agent:
* fence_gce: default method moved back to powercycle (#389)
* fence_aws: add filter parameter to be able to limit which nodes are listed
* virt: fix a bunch of coverity scan errors in ip_lookup
* virt: make sure to provide an empty default to strncpy
* virt: make sure buffers are big enough for 0 byte end string
* virt: increase buffer size to avoid overruns
* virt: check return code in virt-sockets
* virt: fix error code checking
* virt: fix plugin (minor) memory leak and plug in load race
* virt: attempt to open file directly and avoid race condition
* virt: fix different coverity scan errors in common/tcp
* virt: cleanup deadcode in client/vsock
* virt: cleanup deadcode in client/tcp
* virt: fix potential buffer overrun
* virt: fix mcast coverity scan errors
* virt: drop pm-fence plugin
* build: tidy up module sources
* virt: drop libvirt-qmf plugin
* virt: drop null plugin
* build: enable fence_virtd cpg plugin by default
* virt: drop fence_virtd non-modular build
* virt: fix plugin installation regression on upgrades
* build: temporary disable -Wcast-align for some agents
* build: fix CFLAGS overrides when using clang
* fence_virt: metadata fixes, implement manpage generation and metadata/delay/rng checks
* virt: make sure variable is initialized
* Drop travis CI
* Revert "virt: drop -Werror to avoid unnecessary failures"
* zvm: reformat fence_zvm to avoid gcc warnings
* build: fix make maintainerclean
* build: remove unnecessary build snippets
* virt: drop -Werror to avoid unnecessary failures
* virt: disable -Wunused for yy generated files
* virt: disable fence-virt on bsd variants
* virt: merge spec files
* build: fix more gcc warnings
* build: remove unused / obsoleted options
* build: fix some annoying warnings at ./autogen.sh time
* virt: move all virt CFLAGS/LDFLAGS in the right location
* virt: fix unused gcc warnings and re-enable all build warnings
* virt: fix write-strings gcc warnings
* virt: fix pointer-arith gcc warnings
* virt: fix declaration-after-statement gcc warnings
* virt: fix build with -Wmissing-prototypes
* build: don't override clean target
* virt: plug fence_virt into the build
* virt: allow fence_virt build to be optional
* virt: drop support for LSB init script
* virt: collect docs in one location
* virt: remove unnecessary files and move build macros in place
* Ignore fence-virt man pages
* Merge done
* Move fence_virt to the correct location
* Start merge
* spec: use python3 path for newer releases
* spec: undo autosetup change that breaks builds w/git commit hashes
* Ignore unknown options on stdin
* fence_gce: support google-auth and oauthlib and fallback to deprecated libs when not available
* spec: add aliyun subpackage and fence_mpath_check* to mpath subpackage
* fence_gce: Adds cloud-platform scope for bare metal API and optional proxy flags (#382)
* fence_virt: Fix minor typo in metadata
* fence_gce: update module reqs for SLES 15 (#383)
* Add fence_ipmilanplus as fence_ipmilan wrapper always enabling lanplus
* fence_redfish: Add diag action
* fence_vbox: updated metadata file
* fence_vbox: do not flood host account with vboxmanage calls
* fence_aws/fence_gce: allow building without cloud libs
* fence_gce: default to onoff
* fence_lpar: Make --managed a required option
* fence_zvmip: fix shell-timeout when using new disable-timeout parameter
* Adds service account authentication to GCE fence agent
* spec: don't build -all subpackage as noarch
* fence_mpath, fence_scsi: Improve logging for failed res/key get
* fence_mpath, fence_scsi: Capture stderr in run_cmd()
* build: depend on config changes to rebuild when running make after running ./configure
* fence_redfish: Fix typo in help.
* fence_aws: add support for IMDSv2
* fence_virt: add plug parameter that obsoletes old port parameter
* Try to detect directory for initscripts configuration
* Accept SIGTERM while waiting for initialization.
* Add man pages to fence_virtd service file.
* Fix spelling error in fence_virt.conf.5
* build: fix BRs for suse distros
* build: remove ExclusiveArch
* build: removed gcc-c++ BR
* build: add spec-file and rpm build targets
* build: cleanup/improvements to reworked build system
* [build] rework build system to use automake/libtool
* fence_virtd: Fix segfault in vl_get when no domains are found
* fence_virt: fix core dump
* build: harden and make it possible to build with -fPIE
* fence_virt: don't report success for incorrect parameters
* fence_virt: mcast: config: Warn when provided mcast addr is not used
* fence_virtd: Return control to main loop on select interruption
* fence-virtd: Add missing vsock makefile bits
* fence-virt: Add vsock support
* fence_virtd: Fix transposed arguments in startup message
* fence_virt: Rename challenge functions
* fence_virtd: Cleanup: remove unused configuration options
* fence_virt: Remove remaining references to checkpoints
* fence_virt: Remove remaining references to checkpoints
* fence-virt: Format string cleanup
* fence_virtd: Implement hostlist for the cpg backend
* fence_virt: Fix logic error in fence_xvm
* fence_virtd: Cleanup config module
* fence_virtd: cpg: Fail initialization if no hypervisor connections
* fence_virtd: Make the libvirt backend survive libvirtd restarts
* fence_virtd: Allow the cpg backend to survive libvirt failures
* fence_virtd: cpg: Fix typo
* fence-virtd: Add cpg-virt backend plugin
* fence_virtd: Remove checkpoint, replace it with a CPG only plugin
* fence-virt: Bump version
* fence_virtd: Add better debugging messages for the TCP listener
* fence_virtd: Fix potential unlocked pthread_cond_timedwait()
* fence-virtd: Cleanup small memory leak
* fence_virtd: Fix select logic in listener plugins
* Factor out common libvirt code so that it can be reused by multiple backends
* Document the fence_virtd -p command line flag
* fence_virtd: Log an error when startup fails
* Retry writes in the TCP, mcast, and serial listener plugins while sending a response to clients, if the write fails or is incomplete.
* Make the packet authentication code more resilient in the face of transient failures.
* Remove erroneous 'inline'
* Disable the libvirt-qmf backend by default
* Bump the versions of the libvirt and checkpoint plugins
* fence-virtd: Enable TCP listener plugin by default
* fence-virtd: Cleanup documentation of the TCP listener
* fence_xvm/fence_virt: Add support for the validate-all status op
* fence-virt: Add list-status command to man page and metadata
* fence-virt: Cleanup numeric argument parsing
* fence-virt: Log message to syslog in addition to stdout/stderr
* fence-virt: Permit explicitly setting delay to 0
* fence-virt: Add 'list-status' operation for compat with other agents
* Fix use of undefined #define
* Allow fence_virtd to run as non-root
* Remove delay from the status, monitor and list functions
* Resolves several problems in checkpoint plugin, making it functional.
* The current implementation of the event listener in virt-serial does not support keepalive: it neither generates keepalive requests nor is able to answer them, which causes the libvirt connection to disconnect every 30 seconds (interval*timeout in libvirtd.conf). Furthermore, it does not clean up file handlers and leaves hanging sockets. Also, if another thread opens its own connection to libvirt (i.e. checkpoint.c), the event function in virt-serial.c just updates the event listener file handler with a wrong one, which causes checkpoint.c malfunctions, fence_virtd hangs and so on. This patch uses the default event listener implementation from libvirt and resolves these problems.
* daemon_init: Removed PID check and update
* fence_virtd: drop legacy SysVStartPriority from service unit
* fence-virt: client: Do not truncate VM domains in list output
* client: fix "delay" parameter checking (copy-paste)
* fence-virt: Fix broken restrictions on the port ranges
* Clarify debug message
* fence-virtd: Use perror only if the last system call returns an error.
* fence-virtd: Fix printing wrong system call in perror
* fence-virtd: Allow multiple hypervisors for the libvirt backend
* fence-virt: Don't overwrite saved errno
* fence-virt: Fix small memory leak in the config module
* fence-virt: Fix mismatched sizeof in memset call
* fence-virt: Send complete hostlist info
* fence-virt: Clarify the path option in serial mode
* Bump version
* fence-virt: Bump version
* fence_virtd: Fix broken systemd service file
* fence_virt/fence_xvm: Print status when invoked with -o status
* fence-virt: Fix for missed libvirtd events
* fence-virt: Fail properly if unable to bind the listener socket
* client: dump all arguments structure in debug mode
* Drop executable flag for man pages (finally)
* Honor implicit "ip_family=auto" in fence_xvm w/IPv6 mult.addr.
* Fix using bad struct item for auth algorithm
* Drop executable flag for man pages
* use bswap_X() instead of b_swapX()
* fence_virtd: Fix memcpy size params in the TCP plugin
* Revert "fence-virt: Fix possible descriptor leak"
* fence_virtd: Return success if a domain exists but is already off.
* fence-virt: Add back missing tcp_listener.h file
* fence-virt: Fix a few fd leaks
* fence-virt: Fix free of uninitialized variable
* fence-virt: Fix possible null pointer dereference
* fence-virt: Fix memory leak
* fence-virt: Fix fd leak when finding local addresses
* fence-virt: Fix possible descriptor leak
* fence-virt: Fix possible fd leak
* fence-virt: Fix null pointer deref
* fence-virt: Explicitly set delay to 0
* fence-virt: Fix return with lock held
* fence_virt: Fix typo in fence_virt(8) man page
* fence_virt: Return failure for nonexistent domains
* Initial commit
* Improve fence_virt.conf man page description of 'hash'
* Add a delay (-w) option.
* Remove duplicated port struct entry
* Add a TCP listener plugin for use with viosproxy
* In serial mode, return failure if the other end closes the connection before we see SERIAL_MAGIC in the reply or timeout.
* Stop linking against unnecessary QPid libs.
* Update libvirt-qmf plugin and docs
* Fix crash when we fail to read key file.
* Fix erroneous man page XML
* Add 'interface' directive to example.conf
* Fix build
* Add old wait_for_backend directive handling & docs
* Return proper error if we can't set up our socket.
* Fix startup in systemd environments
* Add systemd unit file and generation
* Don't override user's pick for backend server module
* Use libvirt as default in shipped config
* Clean up compiler warnings
* Fix serial domain handling
* Fix monolithic build
* Clean up build and comments.
* Add missing pm_fence source code
* Disable CMAN / checkpoint build by default
* Rename libvirt-qpid -> libvirt-qmf
* Fix static analysis errors
* Reword assignment to appease static analyzers
* Handle return value from virDomainGetInfo
* Fix bad sizeof()
* Make listen() retry
* Add map_check on 'status' action
* Update README
* Don't reference out-of-scope temporary
* Ensure we don't try to strdup() or atoi() on NULL
* Add libvirt-qmf support to the libvirt-qpid plugin
* Convert libvirt-qpid plugin to QMFv2
* Fix incorrect return value on hash mismatch
* Fix error getting status from libvirt-qpid plugin
* Fix typo that broke multicast plugin
* Make fence-virt requests endian clean
* Update TODO
* Fix input parsing to allow domain again
* Provide 'domain' in metadata output for compatibility
* High: Fix UUID lookups in checkpoint backend
* Curtail 'list' operation requests
* Fix man page references: fence_virtd.conf -> fence_virt.conf
* Add 'list' operation for plugins; fix missing getopt line
* Fix build with newer versions of qpid
* Make configure.in actually disable plugins
* Fix metadata output
* Rename parameters to match other fencing agents
* Fix fence_xvm man page to point to the right location
* client: Clarify license in serial.c
* Return 2 for 'off' like other fencing agents
* Reset flags before returning from connect_nb
* Use nonblocking connect to vmchannel sockets
* More parity with other fencing agents' parameters
* Fix memory leaks found with valgrind
* Add basic daemon functions
* Fix bug in path pruning support for serial plugin
* Fix libvirt-qpid bugs found while testing
* Fix segfault caused by invalid map pointer assignment
* Fix another compiler warning
* Fix build warnings in client/serial.c
* Add 'monitor' as an alias for 'status'
* Add serial listener to configuration utility
* Make serial/vmchannel module enabled by default
* Add missing 'metadata' option to help text
* Add missing static_map.h
* Add metadata support to fence_xvm/fence_virt
* Allow IPs to be members of groups
* Allow use of static mappings w/ mcast listener
* Make 'path' be a directory
* Update TODO
* Remove useless debug printfs
* Enable VM Channel support in serial plugin
* Update TODO based on progress
* Pass source VM UUID (if known) to backend
* Mirror libvirt-qpid's settings in libvirt-qpid plugin
* libvirt-qpid: clean up global variable
* Enable a configurable host/port on libvirt-qpid plugin
* Minor config utility cleanups
* Man page cleanups
* Remove unnecessary name_mode from multicast plugin
* Add prototypes and clean up build warnings
* Use seqno in serial requests
* Minor debugging message cleanup
* Fix build error due to improper value
* Static map support and permissions reporting
* Sync up on SERIAL_MAGIC while waiting for a response
* Don't build serial vmchannel module by default
* Update TODO
* Initial checkin of serial server-side support
* Fix fence_virt.conf man page name
* Add Fedora init script
* Compiler warning cleanups in virt-serial.c
* Add wait-for-backend mode
* Fix up help text for clients
* Minor XML cleanups, add missing free() call
* add missing module_path to fence_virtd.conf.5
* Add capabilities to virt-serial
* Note that serial support is experimental
* Add a serial.so build target
* Add vmchannel serial event interface
* Split fence_virt vs. fence_xvm args
* Add static map functions.
* Fix build warning due to missing #include
* Fix multiple query code
* Better config query & multiple value/tag support
* Add simple configuration mode
* Add missing man pages
* More minor config cleanups
* Allow setting config values to NULL to clear them
* Clean up example config file
* Sort plugins by type when printing them
* Revert "Sort plugins by type when printing them"
* Sort plugins by type when printing them
* Clean up some configuration plugin information
* add empty line between names
* Make libvirt to automatically use uuid or names
* Improve error reporting
* Fix build for hostlist functionality
* Hostlist functionality for libvirt, libvirt-qpid
* Update TODO
* Work around broken nspr headers
* Fix installation target for man pages
* Fix default build script
* Add man page build infrastructure
* Initial commit of fence_virt & fence_xvm man pages
* Make fence_xvm compatibility mode enabled by default
* Fix libvirt / mcast support for name_mode
* Fix agent option parsing
* Fix dlsym mapping of C++ module
* Make uuids work with libvirt-qpid
* Fix uninitialized variable causing false returns
* Update monolithic build
* Fix linking problem
* Add 'help' to fence_virtd
* Fix libvirt-qpid build
* Make 'reboot' work
* Fix libvirt-qpid build
* Add libvirt-qpid build target
* Initial checking of libvirt-qpid plugin
* Fix build on i686
* Make symlink/compatibility mode disabled by default
* Add simple tarball / release script
* Update TODO and requirements file
* Update TODO
* Use immediate resolution of symbols
* Example config tweaks
* Use sysconfdir for /etc/fence_virt.conf
* Fix package name and install locations
* Fix daemon return code
* Add 'maintainer-clean' target
* Fix build errors on Fedora
* Add missing header file
* Ignore automake error
* Add missing COPYING file; update TODO
* Make the build script actually build
* Make cluster mode plugin work
* Add basic cpg stuff for later
* Enable 'on' operation for libvirt backend
* Clean up modular build
* Minor build cleanups
* Yet more build fixes
* More build cleanups
* Build cleanups
* Initial port to autoconf
* Add checkpoint.c stub functions
* Add sequence numbers to requests for tracking
* Include missing include
* Call generic history functions
* Make history functions generic
* Make debugging work from modules again
* Revert "Fix build issue breaking debug printing from modules"
* Fix build issue breaking debug printing from modules
* Fix libvirt backend; VALIDATE was wrong
* Cleanups, add daemon support
* Add simple 'null' skeleton backend plugin
* Make all plugins dynamically loaded.
* Fix error message
* Remove dummy serial prototypes
* Remove modules in 'make clean'
* Make listeners plugins.
* Fix whitespace
* Move name_mode to fence_virtd block
* Add name_mode to example.conf
* Move VM naming scheme to top level of config
* Fix bad assignment due to wrong variable
* Fix use of wrong variable
* Revert "Fix use of wrong variable"
* Fix use of wrong variable
* Enable UUID use in libvirt.c
* Add missing log.c. Enable syslog wrapping
* Move options.c to client directory
* Fix context type names
* Minor cleanup
* Drop duplicate fencing requests
* Don't require specifying an interface in fence_virt.conf
* Fix empty node parsing
* Fix segfault
* Fix install targets
* Actually use the default port by default
* Don't overwrite config files
* Install modules, too.
* Fix config file name
* Add temporary 'make install' target
* Make a default configuration file
* Make mcast work with UUIDs
* Update TODO
* Remove useless prototype
* Update todo
* Add checkpoint.so to the build
* Fix missing carriage returns on debug prints
* Add architecture overview description
* Make serial_init match mcast_init.
* Make multicast use config file
* Integrate config file processing
* Create server-side plugin architecture
* Remove bad list_do/list_done macros
* Make libvirt a built-in plugin
* Update description text.
* Fix header in serial.c.
* serial: Make client work.
- remove patch contained by the update:
* 0001-fence_compute-Only-list-nova-compute-services-when-g.patch
* 0001-fence_gce-add-support-for-stackdriver-logging.patch
* 0001-fence_gce-filter-call-to-aggregatedList.patch
* 0001-fence_gce-fix-regression-missing-import-googleapicli.patch
* 0001-fence_gce-new-agent.patch
* 0001-fence_gce-Write-error-messages-to-log.patch
* 0001-fence_vmware_soap-fix-for-selfsigned-certificate.patch
* 0001-Zone-Project-parameters-are-mandatory.patch
* 0002-fence_compute-Don-t-list-hypervisors-but-nova-comput.patch
* 0002-fence_gce-fix-regression-missing-import-oauth2client.patch
* 0002-fence_gce-set-project-and-zone-as-not-required.patch
* 0003-fence_compute-Do-not-override-domain-if-it-is-alread.patch
* 0003-fence_gce-add-power-cycle-as-default-method.patch
* 0003-fence_gce-use-default-credentials-from-googleapiclie.patch
* 0004-fence_compute-Fix-handling-of-domain-None.patch
* 0004-fence_gce-add-missing-imports-to-retrieve-the-projec.patch
* 0005-fence_compute-Fix-fix_domain-to-not-return-too-early.patch
* 0005-fence_gce-s-loging-stackdriver-logging.patch
* 0006-fence_compute-Fix-fix_plug_name-when-looking-if-plug.patch
* 0006-fence_gce-use-root-logger-for-stackdriver.patch
* 0007-fence_compute-Remove-duplicate-check-for-binary-name.patch
* 0007-fence_gce-minor-changes-in-logging.patch
* 0008-fence_compute-fix-to-avoid-breaking-nova.patch
* 0009-Compute-Handle-differences-in-Nova-API-argument-pass.patch
* 0010-Compute-Split-out-evacation-functionality.patch
* 0011-evacuate-Handle-changes-to-the-nova-API.patch
* 0012-compute-Fix-unfencing-and-ensure-fencing-occurs-in-p.patch
* 0013-compute-update-metadata.patch
* 0014-evacuate-add-expected-metadata.patch
* 0015-fencing-Add-consistency-between-command-line-and-STD.patch
* 0016-fix-for-ignored-options.patch
* 0017-Maintain-ABI-compatibility-for-external-agents.patch
* 0018-fencing-include-timestamps-when-logging-to-STDERR-an.patch
* 0019-fencing-fix-help-for-quiet.patch
* 0020-compute-Add-support-for-keystone-v3-authentication.patch
* 0021-fence_compute-evacuate-update-metadata.patch
* 0022-Log-the-proper-nova_versions-variable.patch
* 0023-move-fence_evacuate-into-its-own-subdirectory.patch
* 0024-fence_compute-fence_evacuate-revert-to-old-parameter.patch
* 0100-Make-pywsman-dependency-optional.patch
- (jsc#SLE-18227) ECO: Update fence-agents
- (jsc#SLE-18200) Add upstream PR to aws-vpc-move-ip and apply required resource & fence agent patches
- (jsc#SLE-18202) Add upstream PR to aws-vpc-move-ip and apply required resource & fence agent patches
- Update all scripts to python3 (bsc#1065966)
Add patch:
* 0001-Use-Python-3-for-all-scripts-bsc-1065966.patch
- gnutls
-
- Security fix: [bsc#1196167, CVE-2021-4209]
* Null pointer dereference in MD_UPDATE
* Add gnutls-CVE-2021-4209.patch
- jasper
-
- bsc#1188437 CVE-2021-27845: Fix divide-by-zero in cp_create()
Add jasper-CVE-2021-27845.patch
- kernel-default
-
- Bluetooth: fix the erroneous flush_work() order (CVE-2021-3564
bsc#1186207).
- commit 6b62fb2
- moxart: fix potential use-after-free on remove path
(bsc1194516).
- commit 5c87126
- memstick: rtsx_usb_ms: fix UAF
- commit 9dca558
- phonet: refcount leak in pep_sock_accep (bsc#1193867,
CVE-2021-45095).
- commit f8aba64
- net: mana: Add RX fencing (bsc#1193507).
- net: mana: Fix spelling mistake "calledd" -> "called"
(bsc#1193507).
- net: mana: Support hibernation and kexec (bsc#1193507).
- net: mana: Improve the HWC error handling (bsc#1193507).
- net: mana: Fix the netdev_err()'s vPort argument in
mana_init_port() (bsc#1193507).
- net: mana: Allow setting the number of queues while the NIC
is down (bsc#1193507).
- net: mana: Use kcalloc() instead of kzalloc() (bsc#1193507).
- hv_netvsc: Set needed_headroom according to VF (bsc#1193507).
- hv_netvsc: Fix the queue_mapping in netvsc_vf_xmit()
(bsc#1193507).
- commit b86c625
- scsi: ufs: Correct the LUN used in eh_device_reset_handler()
callback (bsc#1193864 CVE-2021-39657).
- commit 5bf6fe1
- usb: gadget: configfs: Fix use-after-free issue with udc_name
(bsc#1193861 CVE-2021-39648).
- commit 57b5f12
- fget: clarify and improve __fget_files() implementation
(bsc#1193727).
- commit 696ea54
- drm/i915: Flush TLBs before releasing backing store
(CVE-2022-0330 bsc#1194880).
- commit 68b92fb
- ipv6: use prandom_u32() for ID generation (CVE-2021-45485
bsc#1194094).
- Refresh
patches.kabi/kabi-handle-addition-of-netns_ipv4-ip_id_key.patch.
- commit 7a68b0c
- cgroup: Use open-time credentials for process migration perm
checks (bsc#1194302 CVE-2021-4197).
- commit eda1a06
- NFC: add NCI_UNREG flag to eliminate the race (CVE-2021-4202
bsc#1194529).
- NFC: reorder the logic in nfc_{un,}register_device
(CVE-2021-4202 bsc#1194529).
- NFC: reorganize the functions in nci_request (CVE-2021-4202
bsc#1194529).
- commit ce69894
- kprobes: Limit max data_size of the kretprobe instances
(bsc#1193669).
- commit c7e4a69
- xfs: map unwritten blocks in XFS_IOC_{ALLOC,FREE}SP just like
fallocate (bsc#1194272 CVE-2021-4155).
- commit c94e1fd
- fget: check that the fd still exists after getting a ref to it
(bsc#1193727 CVE-2021-4083).
- commit e9025bf
- btrfs: unlock newly allocated extent buffer after error (bsc#1194001, CVE-2021-4149).
- commit 04a66fc
- inet: use bigger hash table for IP ID generation (CVE-2021-45486
bsc#1194087).
- commit b355639
- recordmcount.pl: fix typo in s390 mcount regex (bsc#1192267).
- commit e48d1db
- recordmcount.pl: look for jgnop instruction as well as bcrl
on s390 (bsc#1192267).
- Delete patches.suse/ftrace-recordmcount-binutils.patch.
- commit 6347684
- xen/netback: don't queue unlimited number of packages
(CVE-2021-28715 XSA-392 bsc#1193442).
- commit a531529
- xen/console: harden hvc_xen against event channel storms
(CVE-2021-28713 XSA-391 bsc#1193440).
- commit 58dceb5
- xen/netfront: harden netfront against event channel storms
(CVE-2021-28712 XSA-391 bsc#1193440).
- commit 8877609
- xen-netfront: do not use ~0U as error return value for
xennet_fill_frags() (git-fixes).
- commit 6d6d065
- xen-netfront: do not assume sk_buff_head list is empty in
error handling (git-fixes).
- commit 28eaccf
- xen/netfront: don't bug in case of too many frags (bnc#1012382).
- commit 9558b52
- xen/netfront: don't cache skb_shinfo() (bnc#1012382).
- commit 009fd8c
- xen/blkfront: harden blkfront against event channel storms
(CVE-2021-28711 XSA-391 bsc#1193440).
- commit 4e5bb56
- tty: hvc: replace BUG_ON() with negative return value
(git-fixes).
- commit c255786
- xen/netfront: don't trust the backend response data blindly
(git-fixes).
- commit b986b56
- xen/netfront: disentangle tx_skb_freelist (git-fixes).
- commit 6944250
- xen/netfront: don't read data from request on the ring page
(git-fixes).
- commit ab5b1b6
- xen/netfront: read response from backend only once (git-fixes).
- commit ef6e21b
- xen/blkfront: don't trust the backend response data blindly
(git-fixes).
- commit d0c7fcb
- xen/blkfront: don't take local copy of a request from the ring
page (git-fixes).
- commit 8786833
- xen/blkfront: read response from backend only once (git-fixes).
- commit 766a2af
- xen: sync include/xen/interface/io/ring.h with Xen's newest
version (git-fixes).
- commit 586947d
- Update
patches.suse/ring-buffer-Protect-ring_buffer_reset-from-reentrancy.patch
(CVE-2020-27825 bsc#1179960).
- commit 6d2a553
- bpf: fix truncated jump targets on heavy expansions (bsc#1193575
CVE-2018-25020).
- commit 64cd10a
- ring-buffer: Protect ring_buffer_reset() from reentrancy
(bsc#1179960).
- commit 7a1c06f
- kABI compatibility for struct l2tp_tunnel (bsc#1192032
CVE-2021-0935).
- commit 0642c93
- l2tp: fix races with ipv4-mapped ipv6 addresses (bsc#1192032
CVE-2021-0935).
- Refresh
patches.kabi/kabi-preserve-struct-l2tp_tunnel-layout-after-adding.patch.
- commit 9536429
- net/x25: prevent a couple of overflows (bsc#1178590
CVE-2020-35519 bsc#1183696).
- commit 8ed397f
- ixgbe: fix large MTU request from VF (bsc#1192877
CVE-2021-33098).
- commit 8a7b6d5
- mwifiex: Fix skb_over_panic in mwifiex_usb_recv()
(CVE-2021-43976 bsc#1192847).
- commit 4d86fa1
- mac80211: drop robust management frames from unknown TA
(CVE-2019-0136 bsc#1193157).
- mac80211: handle deauthentication/disassociation from TDLS peer
(CVE-2019-0136 bsc#1193157).
- commit 159b426
- hugetlbfs: flush TLBs correctly after huge_pmd_unshare
(bsc#1192946 (CVE-2021-4002)).
- commit b430748
- constraints: Build aarch64 on recent ARMv8.1 builders.
Request asimdrdm feature which is available only on recent ARMv8.1 CPUs.
This should prevent scheduling the kernel on an older slower builder.
- commit 1742151
- Revert "header.py: Reject Patch-mainline: No"
Allow Patch-mainline: No on historical branch.
- commit 1d03b44
- net/x25: fix a race in x25_bind() (networking-stable-19_03_15).
- commit 14e51bf
- libqb
-
- Add libqb-fix-linker-hack.patch to fix incomplete check for
needing a work-around, which is wrong for newer binutils. (bsc#1192470)
Related to [bsc#1075418].
- log: callsite symbols of main object are also handled in initializer (bsc#1075418)
* bsc#1075418-libqb-log_register_one.patch
- IPC: server: avoid temporary channel priority loss, up to deadlock-worth (gh#ClusterLabs/libqb#352, rh#1718773, bsc#1188212)
* bsc#1188212-0001-IPC-server-avoid-temporary-channel-priority-loss-up-.patch
- nfs-utils
-
- Add 0200-mountd-Initialize-logging-early.patch
If an error or warning message is produced before
closeall() is called, mountd gets confused and doesn't work.
(bsc#1194661)
- 0191-mount-don-t-bind-a-socket-needlessly.patch
Don't bind() a non-priv socket immediately before connecting,
as this wastes port numbers.
(bsc#1187922)
- polkit
-
- CVE-2021-4115: fixed a denial of service via file descriptor leak (bsc#1195542)
added CVE-2021-4115.patch
- psmisc
-
* Determine the namespace of a process only once to speed
up the parsing of fdinfo (bsc#1194172).
- Change patch 0001-Use-mountinfo-to-be-able-to-use-the-mount-identity.patch
- samba
-
- CVE-2021-44142: Out-of-Bound Read/Write on Samba vfs_fruit
module; (bsc#1194859); (bso#14914).
- supportutils-plugin-suse-public-cloud
-
- Update to version 1.0.6 (bsc#1195095, bsc#1195096)
+ Include cloud-init logs whenever they are present
+ Update the packages we track in AWS, Azure, and Google
+ Include the ecs logs for AWS ECS instances
- sysstat
-
- Fix possible segfault in read_task_stats() [bsc#1194679]
- Add sysstat-fix-segfault-in-read_task_stats.patch
- tcpdump
-
- Security fix: [bsc#1195825, CVE-2018-16301]
* Fix segfault when handling large files
* Add tcpdump-CVE-2018-16301.patch
- tiff
-
- security update: Fix buffer overwrite
* CVE-2019-17546[bsc#1154365]
+ tiff-CVE-2019-17546.patch
- security update: Fix heap based buffer overflow in pal2rgb
* CVE-2017-17095[bsc#1071031]
+ tiff-CVE-2017-17095.patch
- security update: Fix OOB in _TIFFmemcpy
* CVE-2022-22844[bsc#1194539]
+ tiff-CVE-2022-22844.patch
- security update: Fix memory allocation failure in tif_read.c
* CVE-2020-35521[bsc#1182808] CVE-2020-35522[bsc#1182809]
+ tiff-CVE-2020-35521,CVE-2020-35522.patch
- security update: Fix DOS via invertImage()
* CVE-2020-19131[bsc#1190312]
+ tiff-CVE-2020-19131.patch
- security update: Fix heap-based buffer overflow in TIFF2PDF tool
* CVE-2020-35524[bsc#1182812]
+ tiff-CVE-2020-35524.patch
- security update: Fix integer overflow in tif_getimage
* CVE-2020-35523 [bsc#1182811]
+ tiff-CVE-2020-35523.patch
- wicked
-
- fsm: fix device rename via yast (bsc#1194392)
Reset worker config instead to reject a NULL/empty config
xml node -- introduced in wicked 0.6.67 by commit c2a0385.
[+ 0001-fsm-fix-device-rename-via-yast-bsc-1194392.patch]
- version 0.6.68
- sysctl: process sysctl.d directories as in sysctl --system
- sysctl: fix sysctl values for loopback device (bsc#1181163, bsc#1178357)
- dhcp4: add option to set route pref-src to dhcp IP (bsc#1192353)
- cleanup: warnings, time calculations and dhcp fixes (bsc#1188019)
- wireless: reconnect on unexpected wpa_supplicant restart (bsc#1183495)
- tuntap: avoid sysfs attr read error (bsc#1192311)
- ifstatus: fix warning of unexpected interface flag combination (bsc#1192164)
- dbus: config files in /usr shouldn't be marked as config in spec
- version 0.6.67
- dbus: install bus config in /usr (bsc#1183407,jsc#SLE-9750)
- logging: log reaped sub-process command and as debug, not error
- ifstatus: Don't show link as "up" without RUNNING flag set
- firewalld: Make the zone assignment permanent (boo#1189560)
- fsm: cleanup and improve ifconfig and ifpolicy access utils
- dbus: cleanup the dbus-service.h file and unused property macros
- cleanup: applied code-spell run typo corrections
- dracut: initial fixes and improved option handling (boo#1182227)
- version 0.6.66
- wireless: migrate to wpa-supplicant v1 DBus interface (bsc#1156920)
- support multiple networks configurations per interface
- show connection status and scan-results (bsc#1160654)
- corrected eap-tls,ttls certificate handling and open vs. shared
wep,open,psk,eap-tls,ttls,peap parsing from ifcfg (bsc#1057592)
- cleanups and several other improvements, see changes
- updated man ifcfg-wireless manual pages
- nanny: fix identify node owner exit condition
- schema: several xml-schema and dbus/property improvements
- utils: format/parse bitmap to array and string alternatives
- client: expose ethtool --get-permanent-address option
- removed sle15-sp3 patches included in the master sources (bsc#1181812)
[- 0001-dhcp4-discover-on-reboot-timeout-after-start-delay.1181812.patch]
[- 0002-dhcp6-request-nis-options-on-sle15-by-default.1181812.patch]
- dhcp4: discover on reboot timeout after start-delay (bsc#1181812)
[+ 0001-dhcp4-discover-on-reboot-timeout-after-start-delay.1181812.patch]
- dhcp6: request nis options on sle15 by default (bsc#1181812)
[+ 0002-dhcp6-request-nis-options-on-sle15-by-default.1181812.patch]
- version 0.6.65
- ifconfig: differentiate if to re-trigger dad on address updates (bsc#1177215)
- client: parse sysctl files in the correct order (bsc#1181186)
- ifup: fix for set up with unenslave from unconfigured master (boo#954329)
- rpm: prepare for new builds using usrmerged rpm macro (boo#1029961)
- rpm: Let wicked-service also provide service(network)
- cleanup: remove obsolete use-nanny=false (gh#openSUSE/wicked#815)
- dbus: add variant container, generic object-path and uint32 array macros
- xen
-
- bsc#1194581 - VUL-0: CVE-2022-23034: xen: a PV guest could DoS
Xen while unmapping a grant (XSA-394)
xsa394.patch
- bsc#1194588 - VUL-0: CVE-2022-23035: xen: insufficient cleanup of
passed-through device IRQs (XSA-395)
xsa395.patch
- zsh
-
- Added CVE-2019-20044.patch: fixes insecure dropping of privileges when
unsetting PRIVILEGED option (CVE-2019-20044 bsc#1163882)
- Add CVE-2018-1100.patch: it fixes a buffer overflow in utils.c:checkmailpath()
that can lead to local arbitrary code execution (CVE-2018-1100 bsc#1089030)
- Added CVE-2021-45444.patch: fixes a vulnerability in prompt expansion which
could be exploited through e.g. VCS_Info to execute arbitrary shell
commands (CVE-2021-45444 bsc#1196435)